small update. next will be postex focused

Branch: pull/21/head
Author: rmusser01, 4 years ago
Commit: 731a918705
33 changed files with 1030 additions and 586 deletions
1. Draft/ADA.md (+10, -2)
2. Draft/ADiOS.md (+1, -0)
3. Draft/AOP.md (+12, -2)
4. Draft/Basic.md (+10, -3)
5. Draft/Building_A_Lab.md (+31, -15)
6. Draft/CTFs_Wargames.md (+2, -0)
7. Draft/CandE.md (+15, -0)
8. Draft/Cars.md (+7, -2)
9. Draft/Cheats.md (+6, -1)
10. Draft/Defense.md (+35, -1)
11. Draft/Docs_and_Reports.md (+2, -0)
12. Draft/Embedded.md (+20, -4)
13. Draft/Exploit_Dev.md (+44, -28)
14. Draft/Fuzzing.md (+3, -0)
15. Draft/Games.md (+5, -9)
16. Draft/Interesting_Things.md (+10, -0)
17. Draft/L-SM-TH.md (+24, -1)
18. Draft/Malware.md (+13, -0)
19. Draft/Network_Attacks.md (+58, -6)
20. Draft/OSI.md (+25, -5)
21. Draft/P_C.md (+16, -0)
22. Draft/Phishing.md (+144, -15)
23. Draft/RE.md (+13, -1)
24. Draft/RT.md (+5, -1)
25. Draft/Rootkits.md (+70, -88)
26. Draft/Things-added.md (+312, -340)
27. Draft/UX.md (+1, -0)
28. Draft/Web.md (+93, -9)
29. Draft/Wireless.md (+33, -33)
30. Draft/bios_uefi.md (+2, -0)
31. Draft/passwords.md (+2, -2)
32. Draft/privesc.md (+6, -4)
33. Draft/sysinternals.md (+0, -14)

Draft/ADA.md (+10, -2)

@ -26,12 +26,20 @@
* [Other](#Other)
#### Sort
* Redo formatting
#### Sort
* Redo formatting
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Slava-Makkaveev-and-Avi-Bashan-Unboxing-Android.pdf
https://github.com/ernw/AndroTickler
* [Dynamically Inject a Shared Library Into a Running Process on Android/ARM](https://www.evilsocket.net/2015/05/01/dynamically-inject-a-shared-library-into-a-running-process-on-androidarm/)
* [Android Native API Hooking With Library Injection and ELF Introspection](https://www.evilsocket.net/2015/05/04/android-native-api-hooking-with-library-injecto/)
* [ARM Inject](https://github.com/evilsocket/arminject)
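Review bot: the `#### Sort` / `* Redo formatting` pair appears twice in a row in this hunk; one copy should be dropped. The two bare URLs that follow (the DEF CON 25 "Unboxing Android" slides and ernw/AndroTickler) also break the `* [Title](url)` convention used by the three entries below them; give each a bullet and a title so they render as list items.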


Draft/ADiOS.md (+1, -0)

@ -18,6 +18,7 @@
#### <a name="cull">Cull</a>
https://geosn0w.github.io/Jailbreaks-Demystified/
| Title | Link |
| -------- | ------------------------ |
| **iOS 678 Security - A Study in Fail** | https://www.syscan.org/index.php/download/get/bec31d45168aa331fc01f84451e11186/SyScan15%20Stefan%20Esser%20-%20iOS%20678%20Security%20-%20A%20Study%20in%20Fail.pdf
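Review bot: the new geosn0w.github.io link is inserted as a bare URL between the `Cull` heading and the table, so it is neither a table row nor a `* [Title](url)` bullet; add it as a row of the table (`| **Jailbreaks Demystified** | https://geosn0w.github.io/Jailbreaks-Demystified/`) or as a titled bullet so it renders with the rest of the section.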


Draft/AOP.md (+12, -2)

@ -33,7 +33,6 @@
--------------
### <a name="general"></a>General
* **101**
@ -47,6 +46,7 @@
* [Mobile Phone Data lookup](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
* [Privacy Online Test And Resource Compendium](https://github.com/CHEF-KOCH/Online-Privacy-Test-Resource-List/blob/master/README.md)
* [Winning and Quitting the Privacy Game What it REALLY takes to have True Privacy in the 21st Century - Derbycon 7](https://www.youtube.com/watch?v=bxQSu06yuZc)
* [We Should All Have Something To Hide - Moxie Marlinspike](https://moxie.org/blog/we-should-all-have-something-to-hide/)
* ['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
* [The Gruqgs blog](http://grugq.tumblr.com/)
@ -250,7 +250,10 @@
* [Slides](https://www.portalmasq.com/portal-defcon.pdf)
* [The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
* [Wagging the Tail:Covert Passive Surveillance - Si, Agent X - DEF CON 26](https://www.youtube.com/watch?v=tYFOXeItRFM)
* This talk will focus on mobile and foot surveillance techniques used by surveillance teams. It will also include tips on identifying if you are under surveillance and how to make their life difficult.
* **Papers**<a name="cpapers"></a>
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers](https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)
* [Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
* [Protocol Misidentification Made Easy with Format-Transforming Encryption](https://kpdyer.com/publications/ccs2013-fte.pdf)
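Review bot: the link text in `[The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014]` contains an unmatched `**`, which renders as literal asterisks inside the link; remove it. In the Lawful Intercept abstract, `asecurity perspective` should read `a security perspective`.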
@ -266,7 +269,9 @@
* [TapDance: End-to-Middle Anticensorship without Flow Blocking](https://jhalderm.com/pub/papers/tapdance-sec14.pdf)
* In response to increasingly sophisticated state-sponsored Internet censorship, recent work has proposed a new ap- proach to censorship resistance: end-to-middle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain end-to-middle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these require- ments. TapDance employs a novel TCP-level technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking com- ponent. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance proto- type that demonstrates how the system could function with minimal impact on an ISP’s network operations.
* [Of Moles and Molehunters: A Review of Counterintelligence Literature, 1977-92](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/U-Oct%20%201993-%20Of%20Moles%20-%20Molehunters%20-%20A%20Review%20of%20Counterintelligence%20Literature-%201977-92%20-v2.pdf)
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers]()https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)]
* **Misc**
* [Laser Surveillance Defeater - Shomer-Tec](https://www.shomer-tec.com/laser-surveillance-defeater.html)
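Review bot: `[Ghostbuster: Detecting the Presence of Hidden Eavesdroppers]()https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)]` is malformed Markdown (empty `()` target, the URL outside the parentheses, a stray trailing `]`), so it renders as an empty link. The same paper is already listed under **Papers** earlier in this file, so the simplest fix is to drop this line.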
@ -296,9 +301,14 @@
* This new white paper, entitled “Understanding and Improving Privacy ‘Audits’ under FTC Orders,” carefully parses the third-party audits that Google and Facebook are required to conduct under their 2012 Federal Trade Commission consent orders. Using only publicly available documents, the article contrasts the FTC’s high expectations for the audits with what the FTC actually received (as released to the public in redacted form). These audits, as a practical matter, are often the only “tooth” in FTC orders to protect consumer privacy. They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security. The paper shows how the audits are not actually audits as commonly understood. Instead, because the FTC order language only requires third-party “assessments,” the companies submit reports that are termed “attestations.” Attestations fundamentally rely on a few vague privacy program aspects that are self-selected by the companies themselves. While the FTC could reject attestation-type assessments, the agency could also insist the companies bolster certain characteristics of the attestation assessments to make them more effective and replicate audit attributes. For example, the FTC could require a broader and deeper scope for the assessments. The agency could also require that assessors evaluate Fair Information Practices, data flows, notice/consent effectiveness, all company privacy assurances, and known order violations.
* **China**<a name="china"></a>
* [ China's Xinjiang Region A Surveillance State Unlike Any the World Has Ever Seen - Spiegel.de](http://www.spiegel.de/international/world/china-s-xinjiang-province-a-surveillance-state-unlike-any-the-world-has-ever-seen-a-1220174.html)
* [China's 5 Steps for Recruiting Spies - Wired](https://www.wired.com/story/china-spy-recruitment-us/)
* **France**
* **Germany**
* **United States**<a name="usa"></a>
* **Japan**
* [The Untold Story of Japan’s Secret Spy Agency - TheIntercept](https://theintercept.com/2018/05/19/japan-dfs-surveillance-agency/)
* **License Plate Tracking**
* [Private companies know where you've been, thanks to license plate cameras - syracuse.com](https://www.syracuse.com/news/index.ssf/2015/01/private_companies_know_where_youve_been_thanks_to_license_plate_cameras.html)
* **Things**
* [RF-Capture](http://rfcapture.csail.mit.edu/)
* RF-Capture is a device that captures a human figure through walls and occlusions. It transmits wireless signals and reconstructs a human figure by analyzing the signals' reflections. RF-Capture does not require the person to wear any sensor, and its transmitted power is 10,000 times lower than that of a standard cell-phone.
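Review bot: `[ China's Xinjiang Region ...]` has a leading space inside the link text; remove it. The new **France**, **Germany** and **United States** headings have no entries beneath them; either add links or leave the empty headings out until there is something to list under them.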


Draft/Basic.md (+10, -3)

@ -17,12 +17,16 @@
* [Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online](https://www.csoonline.com/article/3286604/security/salted-hash-ep-34-red-team-vs-vulnerability-assessments.html#tk.twt_cso)
* Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments
* [Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Messler](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)
* [Ask Good Questions: Deep Dive - Yousef Kazerooni](https://medium.com/@YousefKazerooni/ask-good-questions-deep-dive-dacd8dddc247)
* **Security 101**
* [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
* [Access control best practices](https://srlabs.de/acs/)
* **General Good Stuff**
* [Words Have Meanings - Dan Tentler - CircleCityCon 2017]
* [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](https://medium.com/swlh/deliberate-practice-makes-perfect-how-to-become-an-expert-in-anything-ec30e0c1314e)
* **Learning the Command Line**
* [explainshell.com](https://github.com/idank/explainshell)
* explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
* **Careers in Information Security**
* **Educational/Informational**
* [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4)
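Review bot: `[Words Have Meanings - Dan Tentler - CircleCityCon 2017]` has no `(url)` part, so it renders as bracketed plain text rather than a link; add the target or drop the entry. Also, the author name in `Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Messler` does not match the domain in its URL (`danielmiessler.com`); it should be Miessler.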
@ -66,6 +70,9 @@
### Tools you should probably know exist
* [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/)
* [Shodan](http://www.shodanhq.com/help)
### Tools
* **Tools you should probably know exist**
* [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/)
* [Shodan](http://www.shodanhq.com/help)
* **Learning New Tools**
* [A little collection of cool unix terminal/console/curses tools](https://kkovacs.eu/cool-but-obscure-unix-tools)
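Review bot: this hunk keeps the old `### Tools you should probably know exist` heading and its two entries as unchanged context and then adds a new `### Tools` section whose first sub-list repeats exactly those two entries (Metasploit, Shodan); remove the old heading and its entries so each link is listed once, under the new section.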

Draft/Building_A_Lab.md (+31, -15)

@ -13,15 +13,15 @@
-------------------------
### <a name="general"></a> General
* This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine.
* [Detection Lab](https://github.com/clong/DetectionLab)
* Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
* [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/)
-------------------------
@ -41,6 +41,15 @@
* [Windows Server Evaluation ISOs](https://www.microsoft.com/en-us/evalcenter/)
* [Vulnhub](https://www.Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
* **Automated Lab/Machine Creation Tools**
* Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)
* SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
* [Detection Lab](https://github.com/clong/DetectionLab)
* Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
* [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/)
* [CyRIS: Cyber Range Instantiation System](https://github.com/crond-jaist/cyris)
* CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
* **VMs Designed to be Attacked**
* [List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
* [The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/)
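Review bot: `* Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)` is missing the opening `[`, so the link will not render; it should read `* [Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)`. The Detection Lab and Tafani-Dereeper entries added here also appear in the hunk at line 13 of this file; make sure that earlier copy is removed in this commit, otherwise both entries are listed twice.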
@ -109,18 +118,25 @@
* [Active Directory Domain Services on AWS](https://aws.amazon.com/quickstart/architecture/active-directory-ds/)
* This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the AWS Cloud. AD DS and Domain Name Server (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.
* **Tools**
* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)
* AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
* [Automated-AD-Setup](https://github.com/OneLogicalMyth/Automated-AD-Setup)
* A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
* [Invoke-ADLabDeployer](https://github.com/outflanknl/Invoke-ADLabDeployer)
* Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
* [ADImporter](https://github.com/curi0usJack/ADImporter)
* When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc. And script logic that creates user accounts from that data. This blog post provides both.
* [youzer](https://github.com/SpiderLabs/youzer)
* Fake User Generator for Active Directory Environments
* [sheepl](https://github.com/SpiderLabs/sheepl)
* sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3 the output can be compiled into a standalone executable without any other dependancies that when executed on an Windows endpoint, executes a set of tasks randomly over a chosen time frame.
* **Lab Generation**
* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)
* AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
* [Automated-AD-Setup](https://github.com/OneLogicalMyth/Automated-AD-Setup)
* A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
* [Invoke-ADLabDeployer](https://github.com/outflanknl/Invoke-ADLabDeployer)
* Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
* **User Generation**
* [ADImporter](https://github.com/curi0usJack/ADImporter)
* When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc. And script logic that creates user accounts from that data. This blog post provides both.
* [youzer](https://github.com/SpiderLabs/youzer)
* Fake User Generator for Active Directory Environments
* **User Simulation**
* [sheepl](https://github.com/SpiderLabs/sheepl)
* sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3 the output can be compiled into a standalone executable without any other dependancies that when executed on an Windows endpoint, executes a set of tasks randomly over a chosen time frame.
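Review bot: the rendered hunk shows AutomatedLab, Automated-AD-Setup, Invoke-ADLabDeployer, ADImporter, youzer and sheepl under the flat **Tools** heading and again under the new **Lab Generation**, **User Generation** and **User Simulation** headings; confirm the old **Tools** block is deleted rather than kept as context, or all six entries end up duplicated. Minor: in the sheepl description, `dependancies` should be `dependencies` and `on an Windows endpoint` should be `on a Windows endpoint`.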


Draft/CTFs_Wargames.md (+2, -0)

@ -66,6 +66,8 @@
* pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.
* [pwntools](https://github.com/Gallopsled/pwntools)
* [CTF Scripts and PyInstaller (.py > .exe) ](http://www.primalsecurity.net/ctf-scripts-and-pyinstaller-py-exe/)
* [RSACtfTool](https://github.com/Ganapati/RsaCtfTool)
* RSA tool for ctf - uncipher data from weak public key and try to recover private key Automatic selection of best attack for the given public key
* **Making Your Own CTF**<a name="make"></a>
* [AppJailLauncher](https://github.com/trailofbits/AppJailLauncher)
* CTF Challenge Framework for Windows 8 and above
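Review bot: the RsaCtfTool description runs two sentences together; `... try to recover private key Automatic selection of best attack ...` needs a period before `Automatic`. The link text `RSACtfTool` also differs from the repository name in the URL, `RsaCtfTool`.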


Draft/CandE.md (+15, -0)

@ -57,6 +57,16 @@ To Do:
* [Cryptographic Right Answers - Latacora](https://latacora.singles/2018/04/03/cryptographic-right-answers.html)
* [SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols - Hugo Krawczyk](http://webee.technion.ac.il/~hugo/sigma-pdf.pdf)
* [Generic Attacks against MAC algorithms - Gaëtan Leurent](https://who.rocq.inria.fr/Gaetan.Leurent/files/Generic_SAC15.pdf)
* [Roughtime: Securing Time with Digital Signatures - CloudFlare](https://blog.cloudflare.com/roughtime/)
* [Auditing KRACKs in Wi-Fi - Preventing all attacks is hard in practice By Mathy Vanhoef of imec-DistriNet, KU Leuven, 2018](https://www.krackattacks.com/followup.html)
* [Hash-based Signatures: An illustrated Primer - Matthew Green](https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/)
-----
### <a name="general">General Information</a>
* **101** <a name="101"></a>
@ -127,6 +137,8 @@ To Do:
* **History**<a name="history"></a>
* **Miscellaneous**<a name="misc"></a>
* [SHA2017 Conference Videos](https://www.youtube.com/channel/UCHmPMdU0O9P_W6I1hNyvBIQ/videos)
* **PGP**
* [Want to understand Pretty Good Privacy? Simulate it. - Tejaas Solanki](https://medium.freecodecamp.org/understanding-pgp-by-simulating-it-79248891325f)
* **Secrets Management**<a name="secrets"></a>
* [Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
* [Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
@ -218,6 +230,7 @@ From: https://www.reddit.com/r/securityengineering/comments/7o2uzy/a_collection_
* **Articles/Talks/Writeups**<a name="sart"></a>
* [Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
* [TLS 1.3 Implementations](https://github.com/tlswg/tls13-spec/wiki/Implementations)
* [TLS/SSL Vulnerabilities - GracefulSecurity](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
* [s2n](https://github.com/awslabs/s2n)
* s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. It is released and licensed under the Apache License 2.0.
* **Papers**<a name="spapers"></a>
@ -380,6 +393,8 @@ From: https://www.reddit.com/r/securityengineering/comments/7o2uzy/a_collection_
* [The Willy Report: proof of massive fraudulent trading activity at Mt. Gox, and how it has affected the price of Bitcoin](https://willyreport.wordpress.com/2014/05/25/the-willy-report-proof-of-massive-fraudulent-trading-activity-at-mt-gox-and-how-it-has-affected-the-price-of-bitcoin/)
* [Coinbase Insider Trading: Litecoin Edition](https://medium.com/@bitfinexed/coinbase-insider-trading-litecoin-edition-be64ead3facc)
* [Best of Bitcoin Maximalist - Scammers, Morons, Clowns, Shills & BagHODLers - Inside The New New Crypto Ponzi Economics (Book Edition) - Trolly McTrollface, et al](https://bitsblocks.github.io/bitcoin-maximalist)
* **Smart Contract Security**
* * [Practical Smart Contract Security Analysis and Exploitation— Part 1 - Bernhard Mueller](https://hackernoon.com/practical-smart-contract-security-analysis-and-exploitation-part-1-6c2f2320b0c)
* **Talks/Presentations**
* [Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or firewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-out by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
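Review bot: `* * [Practical Smart Contract Security Analysis and Exploitation— Part 1 ...]` has a doubled bullet marker, which renders as a stray asterisk before the link; it should be a single `* [` at the same indentation as the other entries. The Bitcoin deanonymisation abstract also carries two spelling slips from the copy, `effcient` and `verifed`.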

Draft/Cars.md (+7, -2)

@ -7,7 +7,6 @@
#### Sort
#### End Sort
@ -26,6 +25,8 @@
* [An Introduction to the CAN Bus: How to Programmatically Control a Car: Hacking the Voyage Ford Fusion to Change A/C Temperature](https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377)
* [CC1101-FSK](https://github.com/trishmapow/CC1101-FSK)
* Jam and replay attack on vehicle keyless entry systems.
* [rf-jam-replay](https://github.com/trishmapow/rf-jam-replay)
* Jam and Replay Attack on Vehicular Keyless Entry Systems
* **DMV**
* [Report of Traffic Collision Involving an Autonomous Vehicle (OL 316) - dmv.ca.gov](https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/autonomousveh_ol316+)
* **Papers**
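Review bot: `CC1101-FSK` and `rf-jam-replay` (both trishmapow repositories) are added with the same one-line description, "Jam and replay attack on vehicle keyless entry systems"; if they are distinct projects the descriptions should say how they differ, and if one supersedes the other only one entry is needed.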
@ -57,6 +58,10 @@
* Very simple tool for users who need to interface with a device based on CAN (CAN/CANopen/J1939/NMEA2000/DeviceNet) such as motors, sensors and many other devices.
* [CBM - The Bicho](https://github.com/UnaPibaGeek/CBM)
* For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)
* **QNX**
* [QNX Security Tools - Alex Plaskett & Georgi Geshev](https://github.com/alexplaskett/QNXSecurity)
* Random scripts produced as part of the research into QNX security. For more information please see the following publications:
* [QNX: 99 Problems but a Microkernel ain’t one!](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-qnx-troopers-99-problems-but-a-microkernel-aint-one.pdf)
* [QNX Security Architecture - Alex Plaskett](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-qnx-security-whitepaper-2016-03-14.pdf)

Draft/Cheats.md (+6, -1)

@ -1,6 +1,8 @@
# Cheat Sheets & Reference Pages
### Cheat Sheets
* **General Cheat Sheets**
* [How to Suck at Information Security](https://zeltser.com/suck-at-security-cheat-sheet/)
@ -11,6 +13,7 @@
* **Communication**
* [Tips for Troubleshooting Human Communications](https://zeltser.com/human-communications-cheat-sheet/)
* **ARM**
* [ARM Assembly Basics Cheatsheet - AzeriaLabs](https://azeria-labs.com/assembly-basics-cheatsheet/)
* [ARMwiki - hehyrick.co.uk](https://www.heyrick.co.uk/armwiki/Category:Introduction)
* ARM processor wiki
* **ASM Cheat Sheets**
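Review bot: the link text `ARMwiki - hehyrick.co.uk` misspells the site; the URL points at `heyrick.co.uk`, so the text should match it.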
@ -68,8 +71,10 @@
* **Tmux**
* [tmux Cheat Sheet](http://tmuxcheatsheet.com/)
* **Web Cheat Sheets**<a name="Web"></a>
* [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist/)
* Checklist of the most important security countermeasures when designing, testing, and releasing your API.
* [Drupal Security Checklist](https://github.com/gfoss/attacking-drupal/blob/master/presentation/drupal-security-checklist.pdf)
* [O-Auth Security Cheat Sheet](http://www.oauthsecurity.com/)
* [OWASP Authentication Cheat Sheet](https://www.owasp.org/index.php/Authentication_Cheat_Sheet)
* [OWASP Testing Checklist](https://www.owasp.org/index.php/Testing_Checklist)
* [Securing Web Application Technologies Checklist](http://www.securingthehuman.org/developer/swat)
* [SSRF Bible Cheatsheet](https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit)


Draft/Defense.md (+35, -1)

@ -18,6 +18,40 @@
* [New feature in Office 2016 can block macros and help prevent infection](https://web.archive.org/web/20180527161910/https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/?source=mmpc)
* [Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017](https://www.youtube.com/watch?reload=9&v=O1lglnNTM18)
* [What is conditional access in Azure Active Directory? - docs.ms](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview)
* [Windows 10 Security Checklist Starter Kit - itprotoday](https://www.itprotoday.com/industry-perspectives/windows-10-security-checklist-starter-kit)
* [What is Active Directory Red Forest Design? - social.technet.ms](https://social.technet.microsoft.com/wiki/contents/articles/37509.what-is-active-directory-red-forest-design.aspx)
* [Securing Privileged Access Reference Material - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
* [Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409)
* [Planting the Red Forest: Improving AD on the Road to ESAE - Jacques Louw and Katie Knowles](https://www.mwrinfosecurity.com/our-thinking/planting-the-red-forest-improving-ad-on-the-road-to-esae/)
* [MongoDB Security Checklist](https://docs.mongodb.com/manual/administration/security-checklist/)
* [kethash](https://github.com/cyberark/ketshash)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
* [How to track down USB flash drive usage with Windows 10's Event Viewer - techrepublic](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)
* [How to Analyze USB Device History in Windows - magnetforensics.com](https://www.magnetforensics.com/computer-forensics/how-to-analyze-usb-device-history-in-windows/)
* [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening)
* This repository contains various hardening guides compiled by ERNW for various purposes. Most of those guides strive to provide a baseline level of hardening and may lack certain hardening options which could increase the security posture even more (but may have impact on operations or required operational effort).
* [Planning for Compromise - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise)
* [Application Whitelist Auditor - airlockdigital](https://www.airlockdigital.com/application-whitelisting-auditor/)
* [iconSimple Software-Restriction Policy - iwrconsultancy](https://iwrconsultancy.co.uk/softwarepolicy)
* [Recon by Fire](https://github.com/HewlettPackard/reconbf)
* Recon is a tool for reviewing the security configuration of a local system. It can detect existing issues, known-insecure settings, existing strange behaviour, and options for further hardening. Recon can be used in existing systems to find out which elements can be improved and can provide some information about why the change is recommended. It can also be used to scan prepared system images to verify that they contain the expected protection.
* [How to Allow Non-Admin Users to Start/Stop Windows Service - woshub.com](http://woshub.com/set-permissions-on-windows-service/)
* [Protect your enterprise data using Windows Information Protection (WIP) - docs.ms](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
* [Security WatchLock Up Your Domain Controllers - Steve Riley - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160936(v=msdn.10))
* [Creating a Secure Environment using PowerShell Desired State Configuration - blogs.ms](https://blogs.msdn.microsoft.com/powershell/2014/07/21/creating-a-secure-environment-using-powershell-desired-state-configuration/)
* [BeyondCorp - Google](https://cloud.google.com/beyondcorp/)
* [Securing Privileged Access Reference Material - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
----------------------------
### Defense & Hardening
* **Access Control** <a name="acl"></a>
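Review bot: the `Securing Privileged Access Reference Material - docs.ms` link is added twice in this hunk (sixth and last new entries, same URL); drop one. Link-text errors in the same block: `kethash` should read `ketshash` to match the repo URL, `ultimatewindowsecurity` is missing an `s`, `iconSimple Software-Restriction Policy` carries a scraped `icon` prefix from the source page, and `Security WatchLock Up Your Domain Controllers` has lost the separator between `Security Watch` and `Lock Up`. The whole block is also dropped in as a flat list ahead of the `Defense & Hardening` heading rather than under the sections the links belong to (the ESAE/Red Forest items under Access Control, the USB Event Viewer items under logging), so consider filing them now rather than leaving another sort pass.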
@ -27,7 +61,7 @@
* **AWS**
* **S3**
* [Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050)
* **Anti-Redteam Tactics** <a name="antired"></a>
* **Blue team Tactics** <a name="antired"></a>
* [So you want to beat the Red Team - sCameron Moore - Bsides Philly 2016](https://www.youtube.com/watch?list=PLNhlcxQZJSm8IHSE1JzvAH2oUty_yXQHT&v=BYazrXR_DFI&index=10&app=desktop)
* [NorkNork - Tool for identifying Empire persistence payloads](https://github.com/n00py/NorkNork)
* [Removing Backdoors – Powershell Empire Edition - n00py](https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/)
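Review bot: renaming the heading from `Anti-Redteam Tactics` to `Blue team Tactics` while keeping `<a name="antired"></a>` keeps old links working, but the table-of-contents entry that points at `#antired` still carries the old text and is not updated in this diff. While on these lines, `sCameron Moore` in the context entry below should read `Cameron Moore`.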


+ 2
- 0
Draft/Docs_and_Reports.md View File

@ -51,6 +51,8 @@
* [Offensive Security 2013 Demo report](http://www.offensive-security.com/offsec/penetration-test-report-2013/)
* **Writing a Report**
* [Writing a Penetration Testing Report by SANS](https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343)
* [I \<3 Reporting - ](https://github.com/leesoh/iheartreporting)
* Reporting Tips for Penetration Testers
* [Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)
* [Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
* [HowTo: Write pentest reports the easy way](http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/)
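Review bot: the new `[I \<3 Reporting - ]` entry ends in a dangling ` - ` with nothing after it, and the `\<` escape is not needed inside link text; either complete the attribution (the URL is leesoh's repository) or drop the dash, e.g. `* [I <3 Reporting - leesoh](https://github.com/leesoh/iheartreporting)`.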


+ 20
- 4
Draft/Embedded.md View File

@ -30,8 +30,9 @@
- [Specific Attacks](#specific)
---------------------
### <a name="general"></a>General
* **To-Do**
* Fingeprint readers
* [Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
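Review bot: the `### <a name="general"></a>General` heading added above the `**To-Do**` bullet reuses the `general` anchor that the existing General section (the one with the **101** entries, visible in the next hunk) already carries, so in-page links to `#general` will resolve to whichever heading comes first; give the to-do block its own anchor (e.g. `todo`) or leave it under the existing heading. The `Fingeprint readers` context line is also missing an `r`.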
@ -43,6 +44,12 @@
* SD Cards
* TPM
* [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
* [From 0 to Infinity - Guy](https://docs.google.com/presentation/d/19A1JWyOTueZvD8AksqCxtxriNJJgj0vPdq3cNTwndf4/mobilepresent#slide=id.g35506ef05e_0_0)
---------------------
### <a name="general"></a>General
* **101**
* [Embedded System - Wikipedia](https://en.wikipedia.org/wiki/Embedded_system)
* [Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](https://www.engr.uconn.edu/~tehrani/teaching/hst/)
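Review bot: the new `From 0 to Infinity - Guy` slides are filed under the TPM to-do bullet with no note of what they cover, unlike the neighbouring `Attackin the TPM part 2` entry; add the one-line description the rest of the file uses, and fix `Attackin` to `Attacking` in that context line at the same time.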
@ -53,6 +60,7 @@
* **Articles/Papers/Talks/Writeups**
* [Infecting the Embedded Supply Chain - somersetrecon](https://www.somersetrecon.com/blog/2018/7/27/infecting-the-embedded-supply-chain)
* [Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals](https://alephsecurity.com/2018/01/22/qualcomm-edl-1/)
* [Using the Shikra to Attack Embedded Systems: Getting Started - xipiter](https://www.xipiter.com/musings/using-the-shikra-to-attack-embedded-systems-getting-started)
* **Circuit Boards**
* [Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](https://www.youtube.com/watch?v=O8FQZIPkgZM)
* **Educational/Informative**
@ -89,7 +97,7 @@
* [U-Boot -- the Universal Boot Loader](http://www.denx.de/wiki/U-Boot)
* Very popular on embedded devices open source bootloader for linux
* [Manual/Documentation](http://www.denx.de/wiki/DULG/Manual)
* [Probe comparison - sigrok.org](https://sigrok.org/wiki/Probe_comparison)
---------------------------
### <a name="routers">Attacking Routers(/'s Firmware)</a>
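Review bot: `Probe comparison - sigrok.org` is inserted directly beneath the U-Boot entry and its manual link, where it reads as U-Boot documentation; it is a hardware-probe reference and belongs under the tools/hardware section. The context line `Very popular on embedded devices open source bootloader for linux` could be reworded to `Very popular open source bootloader for Linux on embedded devices` in the same change.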
@ -382,6 +390,7 @@ See 'Printers' Section in Network Attacks & Scanning
* [Attacking encrypted USB keys the hard(ware) way - Jean-Michel Picod, Rémi Audebert, Elie Bursztein -BHUSA 17](https://elie.net/talk/attacking-encrypted-usb-keys-the-hardware-way)
* In this talk, we will present our methodology to assess "secure" USB devices both from the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case-studies. We will demonstrate some of the practical attacks we found during our audit so you will learn what type of vulnerability to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.
* [Here's a List of 29 Different Types of USB Attacks - BleepingComputer](https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/)
* [5 Things to Do Now: the USB/JTAG/IME Exploit - ci.security](https://ci.security/news/article/5-things-to-do-now-the-usb-jtag-ime-exploit)
* **Understanding**
* [USB Device Drivers: A Stepping Stone into your Kernel](https://www.youtube.com/watch?v=HQWFHskIY2)
* [Slides])(www.jodeit.org/research/DeepSec2009_USB_Device_Drivers.pdf)
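Review bot: the `[Slides])(www.jodeit.org/...)` context line at the bottom of this hunk has a stray `)` between `]` and `(` and its URL has no scheme, so it does not render as a link; while adding the `5 Things to Do Now` entry above it, change it to `[Slides](…)` with the scheme prefixed to the URL.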
@ -390,6 +399,8 @@ See 'Printers' Section in Network Attacks & Scanning
* A USB man in the middle device using USB On-The-Go, libUSB and gadgetFS
* [Attacks via physical access to USB (DMA…?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma)
* [Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
* [Defending Against Malicious USB Firmware with GoodUSB - Dave Tian, Adam Bates, Kevin Butler](https://cise.ufl.edu/~butler/pubs/acsac15.pdf)
* [Defending Against Malicious USB Firmware with GoodUSB - davejintian.org](https://davejingtian.org/2015/12/03/defending-against-malicious-usb-firmware-with-goodusb/)
* **Tools**
* [WHID Injector: an USB-Rubberducky/BadUSB on Steroids](https://whid-injector.blogspot.lt/2017/04/whid-injector-how-to-bring-hid-attacks.html)
* [umap](https://github.com/nccgroup/umap)
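Review bot: the second GoodUSB entry's attribution `davejintian.org` does not match its URL host `davejingtian.org` (missing `g`). Both new lines are the same work, once as the ACSAC paper and once as the author's blog post; nesting the blog post under the paper entry, as the file does elsewhere with `[Slides]` under a talk, would make that relationship clear.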
@ -397,15 +408,20 @@ See 'Printers' Section in Network Attacks & Scanning
* [NSA USB Playset - ShmooCon201](https://www.youtube.com/watch?v=eTDBFpLYcGA)
* [Phison PS2303 (PS2251-03) framework](https://bitbucket.org/flowswitch/phison)
* **Miscellaneous**
* [Vendors, Disclosure, and a bit of WebUSB Madness - Markus Vervier](https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html)
* **BadUSB**
* [Slides](https://srlabs.de/blog/wp-content/uploads/2014/11/SRLabs-BadUSB-Pacsec-v2.pdf)
* [Video](https://www.youtube.com/watch?v=nuruzFqMgIw)
* [Code - Psychson](https://github.com/adamcaudill/Psychson)
* [Media Transfer Protocol and USB device Research](http://nicoleibrahim.com/part-1-mtp-and-ptp-usb-device-research/)
* **USB Class Info**
* **USB Device/Class Info**
* [USB Device Class Specifications - Official Site](http://www.usb.org/developers/docs/devclass_docs/)
* These specifications recommend design targets for classes of devices. For HID related information, please go to the [HID web page.](http://www.usb.org/developers/docs/docs/hidpage/)
* [Universal Serial Bus Device Class Specification for Device Firmware Upgrade Version 1.1 Aug 5, 2004](http://www.usb.org/developers/docs/devclass_docs/DFU_1.1.pdf)
* [Identifiers for USB Devices - docs.ms](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/identifiers-for-usb-devices)
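Review bot: the `NSA USB Playset - ShmooCon201` context line looks truncated (the year is cut short); worth checking against the video and fixing while the Miscellaneous block and the `USB Device/Class Info` heading are being reorganized here.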


+ 44
- 28
Draft/Exploit_Dev.md View File

@ -2,7 +2,6 @@
## Table of Contents
* [General Stuff/Techniques](#general)
* [General Stuff I can't figure where else to put](#eh)
* [Acquiring Old/Vulnerable Software](#acquire)
* [Practice Exploit Dev/Structured Learning](#practice)
* [Exploit Dev Papers](#expapers)
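Review bot: dropping the `General Stuff I can't figure where else to put` entry from the table of contents leaves the `#eh` anchor unreferenced, but nothing visible in this diff removes or merges the section that carries that anchor; either remove that section heading as well or keep the ToC entry.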
@ -68,33 +67,7 @@
#### Sort:
* [heapwn](https://github.com/str8outtaheap/heapwn)
* Heap exploitation is a dark art to me. This repo is an attempt to document my findings/notes on the heap pwnables I deal with while learning heap's internals (Linux specific). - str8outtaheap
https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations
https://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
* [Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides](https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf)
* [Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
* [Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds]()
* [ADI vs ROP](https://lazytyped.blogspot.it/2017/09/adi-vs-rop.html)
* [Low Level Exploits - hugh pearse](https://dl.packetstormsecurity.net/papers/presentations/Low-Level-Exploits.pdf)
* [credssp](https://github.com/preempt/credssp)
* This is a poc code for exploiting CVE-2018-0886.
https://github.com/secretsquirrel/fido
* [Dark Compsition kernel exploitation Case Study ---- Integer Overflow](https://whereisk0shl.top/post/2018-01-17)
* [Code](https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow)
* [Obfuscated String/Shellcode Generator - Online Tool - zerosum0x0](https://zerosum0x0.blogspot.com/2017/08/obfuscatedencrypted-cc-online-string.html?m=1)
* [PSKernel-Primitives](https://github.com/FuzzySecurity/PSKernel-Primitives)
* Exploit primitives for PowerShell
* [Protectors](https://github.com/rootm0s/Protectors)
* Obfuscator, Encryption, Junkcode, Anti-Debug, PE protection/modification
* [When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults - cmu](https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html)
* [Implementing a Custom X86 Encoder](http://uninformed.org/?v=all&a=25&t=sumry)
* This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe.
#### End Sort
@ -1057,4 +1030,47 @@ with following tools installed:
17. Proxifier Edition
18. Echo Mirage
`````
```
#### Sort:
* [heapwn](https://github.com/str8outtaheap/heapwn)
* Heap exploitation is a dark art to me. This repo is an attempt to document my findings/notes on the heap pwnables I deal with while learning heap's internals (Linux specific). - str8outtaheap
https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations
https://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
* [Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides](https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf)
* [Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
* [Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds]()
* [ADI vs ROP](https://lazytyped.blogspot.it/2017/09/adi-vs-rop.html)
* [Low Level Exploits - hugh pearse](https://dl.packetstormsecurity.net/papers/presentations/Low-Level-Exploits.pdf)
* [credssp](https://github.com/preempt/credssp)
* This is a poc code for exploiting CVE-2018-0886.
https://github.com/secretsquirrel/fido
* [Dark Compsition kernel exploitation Case Study ---- Integer Overflow](https://whereisk0shl.top/post/2018-01-17)
* [Code](https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow)
* [Obfuscated String/Shellcode Generator - Online Tool - zerosum0x0](https://zerosum0x0.blogspot.com/2017/08/obfuscatedencrypted-cc-online-string.html?m=1)
* [PSKernel-Primitives](https://github.com/FuzzySecurity/PSKernel-Primitives)
* Exploit primitives for PowerShell
* [Protectors](https://github.com/rootm0s/Protectors)
* Obfuscator, Encryption, Junkcode, Anti-Debug, PE protection/modification
* [When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults - cmu](https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html)
* [Implementing a Custom X86 Encoder](http://uninformed.org/?v=all&a=25&t=sumry)
* This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe.
* [ Marshalling to SYSTEM - An analysis of CVE-2018-0824 - codewhitesec.blogspot](https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html)
* [windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
* [ MindshaRE: Walking the Windows Kernel with IDA Python - Jasiel Spelman](https://www.zerodayinitiative.com/blog/2018/5/21/mindshare-walking-the-windows-kernel-with-ida-python)
* [CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 1/4) - blog.lexfo](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html)
* [Executable and Linkable Format 101 - Part 1 Sections and Segments - Ignacio Sanmillan](http://www.intezer.com/executable-linkable-format-101-part1-sections-segments/)
* [Executable and Linkable Format 101. Part 2: Symbols - Ignacio Sanmillan](https://www.intezer.com/executable-linkable-format-101-part-2-symbols/)
* [Executable and Linkable Format 101 Part 3: Relocations - Ignacio Sanmillan](https://www.intezer.com/executable-and-linkable-format-101-part-3-relocations/)
* [Shellab](https://github.com/TheSecondSun/Shellab)
* Shellab is a tool that can be used to improve existing shellcodes and adapt them for personal needs. Developed to provide an alternative to msfvenom with new functionalities. Suitable for both Windows and Linux shellcode (32 and 64 bit).
* [Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code (CVE-2018-4407) - lgtm.com](https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407)
* [Yet another memory leak in ImageMagick or how to exploit CVE-2018–16323. - barracud4](https://medium.com/@ilja.bv/yet-another-memory-leak-in-imagemagick-or-how-to-exploit-cve-2018-16323-a60f048a1e12)
* [Flash News - CVE-2018-15981 - Gil Dabah](https://www.ragestorm.net/blogs/?p=421)
#### End Sort
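Review bot: the three-backtick fence line added directly after the five-backtick closing fence opens a new fence that is never closed, so everything from `#### Sort:` to the end of the file will render as a code block; delete that line (a five-backtick fence can only be closed by five or more backticks, so the new line cannot be closing the one above it). In the re-added block, the `Marshalling to SYSTEM - An analysis of CVE-2018-0824` entry links to a URL ending in `cve-2018-0624.html`; one of the two identifiers is wrong and should be checked against the post before this lands. Also worth fixing while the block is being moved: the empty link target on `Modern Binary Attacks and Defences in the Windows Environment`, the bare URLs (`MSRC-Security-Research`, `sparc.pdf`, `fido`) that are not list items, `Dark Compsition`, and the leading spaces in the `[ Marshalling ...` and `[ MindshaRE ...` link texts.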

+ 3
- 0
Draft/Fuzzing.md View File

@ -64,6 +64,7 @@
* [ClusterFuzz](http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf)
* [Google VRP and Unicorns](https://sites.google.com/site/bughunteruniversity/behind-the-scenes/presentations/google-vrp-and-unicorns)
* In July 2017 at BountyCraft event we delivered a presentation entitled "Google VRP and Unicorns", featuring a selection of interesting bugs reported to our program, and disclosing some planned updates in store for Google VRP.
* [How to Spot Good Fuzzing Research - trailofbits](https://blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/)
* **History**
* [Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
@ -102,6 +103,7 @@
* [Differential testing - Wikipedia](https://en.wikipedia.org/wiki/Differential_testing)
* Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications (or to different implementations of the same application), and observing differences in their execution. Differential testing complements traditional software testing, because it is well-suited to find semantic or logic bugs that do not exhibit explicit erroneous behaviors like crashes or assertion failures. Differential testing is sometimes called back-to-back testing.
* **Articles/Blogposts/Writeups**
* [Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing - Fernando Arnaboldi](https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf)
* **Talks and Presentations**
* [Exposing Hidden ExploitableBehaviors in ProgrammingLanguagesUsingDifferential Fuzzing - Fernando Arnaboldi](https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf)
* [Differential Slicing: Identifying Causal Execution Differences for Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oakland11.pdf)
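Review bot: the new `Exposing Hidden Exploitable Behaviors ... - Fernando Arnaboldi` entry under **Articles/Blogposts/Writeups** points at the same whitepaper PDF already listed two lines below under **Talks and Presentations** (with the run-together title `ExploitableBehaviors in ProgrammingLanguagesUsingDifferential`); keep the whitepaper under Articles with the clean title and either drop the Talks copy or point it at the talk recording or slides.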
@ -195,6 +197,7 @@
* **Tools**
* [boofuzz](https://github.com/jtpereyda/boofuzz)
* Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fixes, boofuzz aims for extensibility. The goal: fuzz everything.
* [boofuzz quickstart](https://boofuzz.readthedocs.io/en/latest/user/quickstart.html)
* [rage_fuzzer](https://github.com/deanjerkovich/rage_fuzzer)
* A dumb protocol-unaware packet fuzzer/replayer.
* [Nightmare](https://github.com/joxeankoret/nightmare)


+ 5
- 9
Draft/Games.md View File

@ -12,13 +12,9 @@
#### Sort
Fix ToC
* [OwnedCore](http://www.ownedcore.com/forums/)
* [Cathook Training Software](https://github.com/nullifiedcat/cathook)
* [PortAIO-Loader](https://github.com/PirateEmpire/PortAIO-Loader)
* [Fabien Sanglard's Website](http://fabiensanglard.net/)
* [Hack the Vote 2016 CTF "The Wall" Solution](https://zerosum0x0.blogspot.com/2016/11/hack-vote-wall-solution.html)
https://github.com/dsasmblr/game-hacking
https://github.com/dsasmblr/hacking-online-games
#### End Sort
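Review bot: the two `dsasmblr` GitHub URLs left at the end of the Sort block are bare lines rather than list items, so they render as run-on text; format them like the entries above with a title and a short description, which would also let the `Fix ToC` reminder be closed out in the same pass.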
@ -208,6 +204,7 @@ https://github.com/dsasmblr/hacking-online-games
* **Breaking The Game**
* [Hacking the Source Engine](http://vallentinsource.com/hacking-source-engine)
* **Reverse Engineering**
* [Source SDK Server [Security Research Repo] - pyperanger](https://github.com/pyperanger/sourcengine)
* [+1,000,000 -0: Cloning a Game Using Game Hacking and Terabytes of Data](https://github.com/nickcano/gamehackingpres2016)
* In this talk, I'll provide a window into the warchest my team used to generate over a million lines of code. In particular, we created and used game hacks to process data from tens of millions of hours of in-game data and use the results to generate copies of a game's map, monsters, quests, items, spells, non-playable characters, and more. We also used a wiki crawler to obtain a large amount of data, generate additional code, and guide our cheat scripts in what to look for, clarify, and ignore. After explaining our end-game vision, I'll dive deep into the architecture of the game client, server and protocol. Once that's out of the way, I'll talk about the different types of hacks we used, how they work, and what data they were able to obtain. Once that's out of the way, I'll round out the story by explaining exactly what type of data we gathered and what parts of our toolkit we used to gather it.
* **Miscellaneous**
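Review bot: the link text `Source SDK Server [Security Research Repo] - pyperanger` contains unescaped square brackets, which breaks the markdown link in most renderers; escape them (`\[Security Research Repo\]`) or use parentheses instead.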
@ -217,8 +214,7 @@ https://github.com/dsasmblr/hacking-online-games
* A simple base for internal Counter-Strike: Global Offensive cheats.
* [PubgPrivXcode85](https://github.com/TonyZesto/PubgPrivXcode85)
* Simple chams wallhack for Player Unknowns Battlegrounds using a D3D11DrawIndexed hook
* [TruePlay - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/mt808781(v=vs.85).aspx)
* [TruePlay - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/mt808781(v=vs.85).aspx)
* **Game Trainers**
* [ugtrain](https://github.com/ugtrain/ugtrain)
* Universal Elite Game Trainer for CLI(linux game trainer)


Draft/Stuff.md → Draft/Interesting_Things.md View File


+ 24
- 1
Draft/L-SM-TH.md View File

@ -6,6 +6,22 @@
* **Osquery**
* [Using Osquery to Detect Reverse Shells on MacOS - Chris Long](https://www.clo.ng/blog/osquery_reverse_shell/)
* **File Monitoring**
* [Practical PowerShell for IT Security, Part I: File Event Monitoring - varonis.com](https://www.varonis.com/blog/practical-powershell-for-it-security-part-i-file-event-monitoring/)
* [Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK - Part I (Event ID 7) - Roberto Rodriguez](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html?m=1)
* [Threat Hunting With Python Part 1 - Dan Gunter](https://dragos.com/blog/industry-news/threat-hunting-with-python-part-1/)
* [Windows-Hunting](https://github.com/beahunt3r/Windows-Hunting)
* The Purpose of this repository is to aid windows threat hunters to look for some common artifacts during their day to day operations.
---------------------------
### Network Security Monitoring/Logging/Threat Hunting
* **History**
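Review bot: of the five entries added under **File Monitoring**, only the Varonis file-event-monitoring post is about file monitoring; the Sysmon/Mimikatz hunt, the Python threat-hunting post and the Windows-Hunting repo belong under the threat-hunting subsections further down. `Windows-Hunting` in particular is already listed under **Tools** later in this file (it appears as context in the third hunk), so this adds a duplicate.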
@ -124,11 +140,15 @@
* [Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* **Event Log**
* **Event Log**
* [Event Logging Structures - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/eventlog/event-logging-structures)
* [ Windows security audit events - ms.com](https://www.microsoft.com/en-us/download/details.aspx?id=50034)
* This spreadsheet details the security audit events for Windows.
* [Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it-s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What-s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* [Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
* [Spotting the Adversary with Windows Event Log Monitoring - NSA](https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf)
* [Advanced Audit Policy – which GPO corresponds with which Event ID - girl-germs.com](https://girl-germs.com/?p=363)
* **Parsing**
* [Parsing Text Logs with Message Analyzer - Microsoft](http://blogs.technet.com/b/messageanalyzer/archive/2015/02/23/parsing-text-logs-with-message-analyzer.aspx)
* **PowerShell**
@ -171,6 +191,7 @@
* [License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
* [Utilizing SysInternal Tools for IT Pros](http://www.microsoftvirtualacademy.com/training-courses/utilizing-sysinternals-tools-for-it-pros#fbid=1IKsqgyvnWp)
* **Tools**
* **OSQuery**
* [ThreatHunting - GossiTheDog](https://github.com/GossiTheDog/ThreatHunting)
* Tools for hunting for threats.)
* [Windows-Hunting](https://github.com/beahunt3r/Windows-Hunting)
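Review bot: the `* **OSQuery**` subheading added under **Tools** has no osquery entries beneath it; `ThreatHunting - GossiTheDog` and `Windows-Hunting` are generic hunting tool collections and now read as if they were osquery-specific. Either move the osquery material from the top-of-file **Osquery** block (first hunk) here or drop the empty subheading, and pick one spelling (`Osquery` vs `OSQuery`). The stray `)` ending `Tools for hunting for threats.)` can go at the same time.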
@ -264,6 +285,8 @@
* **Tools**
* [ElastAlert](https://github.com/Yelp/elastalert)
* ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
* [dejavu](https://github.com/appbaseio/dejavu)
* The Missing Web UI for Elasticsearch: Import, browse and edit data with rich filters and query views, create search UIs visually.
* **Kibana**
* **101**
* [Kibana](https://github.com/elasticsearch/kibana)


+ 13
- 0
Draft/Malware.md View File

@ -51,6 +51,12 @@ Table of Contents
* [Betabot still alive with multi-stage packing. - Wojciech](https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39)
-----------------------------------
### <a name="general"></a>General Stuff
* **Look Here First**
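Review bot: the hunk header reports six added lines but no content appears between the Betabot entry and the `General Stuff` heading; if these are blank lines they should be dropped, since the section already has its `-----` separator and the extra whitespace adds nothing.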
@ -245,6 +251,10 @@ Table of Contents
* [Mac Malware - Objective-see](https://objective-see.com/malware.html)
* [VirusShare](https://virusshare.com/)
* [ViruSign](http://www.virusign.com/)
* [Javascript Malware Collection](https://github.com/HynekPetrak/javascript-malware-collection)
* A collection of almost 40.000 Javascript malware samples.
* [botnets](https://github.com/maestron/botnets/blob/master/<README class="md"></README>)
* This is a collection of botnet source codes, unorganized. For EDUCATIONAL PURPOSES ONLY. Many projects are duplicates or revisions of each other. Many of them have outdated depedencies. My goal is to collectively put them together so that they are compilable and help people interested in malware research analyze them and learn from these samples.
* **Tools to Obtain Malware**
* [Ragpicker - Malware Crawler](https://code.google.com/p/malware-crawler/)
* Ragpicker is a Plugin based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products, collecting malware for another analyzer/zoo.
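Review bot: the `botnets` URL is mangled: `blob/master/<README class="md"></README>` is HTML residue from a copied page and will not resolve; it should end in `blob/master/README.md`, or better, point at the repository root. In the quoted description, `depedencies` and `40.000` (for `40,000`) are worth correcting while the entries are added.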
@ -508,6 +518,9 @@ Table of Contents
* **Miscellaneous**
* **Tools**
* **General**
* [Introduction to T-Pot - The all in one honeypot - northsec.tech](https://northsec.tech/introduction-to-t-pot-the-all-in-one-honeypot/)
* [T-Pot ISO Creator](https://github.com/dtag-dev-sec/tpotce)
* T-Pot Universal Installer and ISO Creator
* [Modern Honey Network(MHN)](https://threatstream.github.io/mhn/)
* From the secure deployment to the aggregation of thousands of events MHN provides enteprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale. MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides full REST API out of the box and we are making CEF and STIX support available now for direct SIEM integration through our Commercial platform Optic.
* [Honeypot Farming: Setup Modern Honey Network](https://medium.com/@theroxyd/honeypot-farming-setup-mhn-f07d241fcac6)


+ 58
- 6
Draft/Network_Attacks.md View File

@ -8,6 +8,7 @@
- [Captive Portals](#captive-portal)
- [DNS](#dns)
- [D/DOS](#ddos)
- [Hadoop](#hadoop)
- [HNAP](#hnap)
- [IDS/IPS Evasion](#evasion)
- [ICMP](#icmp)
@ -64,6 +65,11 @@
* BGP
* QUIC
* STUN
* Hadoop
* Fax
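Review bot: `Hadoop` and `Fax` are added to this to-do list of protocols that lack a section, but the same diff adds both sections further down (`### <a name="fax"></a> Fax` and `### <a name="hadoop"></a>Hadoop`), so these entries should be removed rather than added. The header also counts five added lines for two visible entries; the remainder look like blank lines and can go.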
@ -200,7 +206,8 @@
* SPScan is a tool written in Ruby that enumerates a SharePoint installation gathering information about the version and installed plugins.
* [SPartan](https://github.com/sensepost/SPartan)
* SPartan is a Frontpage and Sharepoint fingerprinting and attack tool
* [SharePwn](https://github.com/0rigen/SharePwn)
* A tool for auditing SharePoint security settings and identifying common security holes.
@ -230,6 +237,9 @@
* [Management Plugin](https://www.rabbitmq.com/management.html)
* [File and Directory Locations](https://www.rabbitmq.com/relocate.html)
* [Credentials and Passwords](https://www.rabbitmq.com/passwords.html)
* **Attacking**
* **ActiveMQ**
* [A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications - Gursev Singh Kalra](https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-pentesters-guide-hacking-activemq-jms-applications.pdf)
* **Tools**
* [Enteletaor](https://github.com/cr0hn/enteletaor)
* Message Queue & Broker Injection tool that implements attacks to Redis, RabbitMQ and ZeroMQ.
@ -318,6 +328,8 @@
* **Service**
* [DNS Dumpster](https://www.DNSdumpster.com)
* free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process
* [DNS-Trails](https://securitytrails.com/dns-trails)
* The World's Largest Repository of historical DNS data
* **Tools**
* [DNSRecon](https://github.com/darkoperator/dnsrecon)
* [Quick Reference Guide](http://pentestlab.wordpress.com/2012/11/13/dns-reconnaissance-dnsrecon/)
@ -329,7 +341,7 @@
* a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain
* [passivedns](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively
* [DNS Recon](https://github.com/darkoperator/dnsrecon)
* [DNS Recon]DNS(https://github.com/darkoperator/dnsrecon)
* [DNSEnum](https://github.com/fwaeytens/dnsenum)
* Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
* [Bluto](https://github.com/darryllane/Bluto)
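Review bot: the link fix `[DNS Recon](https://github.com/darkoperator/dnsrecon)` is correct as markdown, but the result duplicates the `[DNSRecon](https://github.com/darkoperator/dnsrecon)` entry that already sits under **Tools** a few lines earlier (with its Quick Reference Guide sub-entry); drop one of the two rather than carrying the same repo twice in one section.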
@ -364,6 +376,21 @@
---------------------
### <a name="fax"></a> Fax
* [What the Fax?! - Eyal Itkin, Yaniv Balmas - DEF CON 26](https://www.youtube.com/watch?v=qLCE8spVX9Q)
* Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.
---------------------
### <a name="hadoop"></a>Hadoop
* **101**
* **General/Articles/Writeups/Talks**
* [Hadoop Attack Library](https://github.com/wavestone-cdt/hadoop-attack-library)
* A collection of pentest tools and resources targeting Hadoop environments
---------------------
### <a name="hnap"></a>HNAP
* [Home Network Administration Protocol - Wikipedia](https://en.wikipedia.org/wiki/Home_Network_Administration_Protocol)
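Review bot: the new Hadoop section has an empty `**101**` bullet with nothing beneath it; either add an introductory link or leave the heading out until there is content, as an empty category reads as a broken list. The single entry under **General/Articles/Writeups** (Hadoop Attack Library) is fine as is.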
@ -656,7 +683,7 @@
* A TTL monitor utility for identifying route changes, port forwards, intrusion responses, and more
* [Saving Polar Bears When Banner Grabbing](http://blog.ioactive.com/2015/07/saving-polar-bears-when-banner-grabbing.html)
* [polarbearscan](http://santarago.org/pbscan.html)
* polarbearscan is an attempt to do faster and more efficient banner grabbing and port scanning. It combines two different ideas which hopefully will make it somewhat worthy of your attention and time. The first of these ideas is to use stateless SYN scanning using cryptographically protected cookies to parse incoming acknowledgements. To the best of the author's knowledge this technique was pioneered by Dan Kaminsky in scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of scanning utilities, and it was released somewhere in 2001-2002. A mirror of this code can be found at Packet Storm. The second idea is use a patched userland TCP/IP stack such that the scanner can restore state immediately upon receiving a cryptographically verified packet with both the SYN and ACK flags set. The userland stack being used here by polarbearscan is called libuinet[2](http://wanproxy.org/libuinet.shtml). Unlike some of the other userland TCP/IP stacks out there this one is very mature as it's simply a port of FreeBSD's TCP/IP stack. By patching the libuinet stack one can then construct a socket and complete the standard TCP 3-way handshake by replying with a proper ACK. Doing it this way a fully functional TCP connection is immediately established. This as opposed to other scanners (such as nmap) who would have to, after noting that a TCP port is open, now perform a full TCP connect via the kernel to do things such as banner grabbing or version scanning. A full TCP connect leads to a whole new TCP 3-way handshake being performed. This completely discards the implicit state which was built up by the initial two packets being exchanged between the hosts. By avoiding this one can reduce bandwidth usage and immediately go from detecting that a port is open to connecting to it. This connection can then simply sit back and receive data in banner grab mode or it could send out an HTTP request.
* polarbearscan is an attempt to do faster and more efficient banner grabbing and port scanning. It combines two different ideas which hopefully will make it somewhat worthy of your attention and time. The first of these ideas is to use stateless SYN scanning using cryptographically protected cookies to parse incoming acknowledgements. To the best of the author's knowledge this technique was pioneered by Dan Kaminsky in scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of scanning utilities, and it was released somewhere in 2001-2002. A mirror of this code can be found at Packet Storm. The second idea is use a patched userland TCP/IP stack such that the scanner can restore state immediately upon receiving a cryptographically verified packet with both the SYN and ACK flags set. The userland stack being used here by polarbearscan is called libuinet[2](http://wanproxy.org/libuinet.shtml). Unlike some of the other userland TCP/IP stacks out there this one is very mature as it's simply a port of FreeBSD's TCP/IP stack. By patching the libuinet stack one can then construct a socket and complete the standard TCP 3-way handshake by replying with a proper ACK. Doing it this way a fully functional TCP connection is immediately established. This as opposed to other scanners (such as nmap) who would have to, after noting that a TCP port is open, now perform a full TCP connect via the kernel to do things such as banner grabbing or version scanning. A full TCP connect leads to a whole new TCP 3-way handshake being performed. This completely discards the implicit state which was built up by the initial two packets being exchanged between the hosts. By avoiding this one can reduce bandwidth usage and immediately go from detecting that a port is open to connecting to it. This connection can then simply sit back and receive data in banner grab mode or it could send out an HTTP request.
* [fragroute](https://www.monkey.org/~dugsong/fragroute/fragroute.8.txt)
* [Ask and you shall receive (Part 2)](https://securityhorror.blogspot.com/2012/07/ask-and-you-shall-receive-part-2.html)
* [Layer Four Traceroute (LFT) and WhoB](http://pwhois.org/lft/)
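Review bot: the removed and added polarbearscan lines are identical as displayed, so this looks like a whitespace-only change that adds noise to the diff; consider reverting it or making a real fix on the same line, for example `libuinet[2](http://wanproxy.org/libuinet.shtml)` renders as a link labelled "2", where `[libuinet](http://wanproxy.org/libuinet.shtml)` is what the sentence means.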
@ -672,6 +699,8 @@
* **Nmap**
* [Nmap](http://nmap.org/)
* Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
* [WebMap](https://github.com/Rev3rseSecurity/WebMap/blob/v2/master/README.md)
* Nmap Web Dashboard and Reporting
* **Articles/Papers**
* [NMAP - Port-Scanning: A Practical Approach Modified for better](https://www.exploit-db.com/papers/35425/)
* [NSEInfo](https://github.com/christophetd/nmap-nse-info/blob/master/README.md)
@ -921,10 +950,11 @@
* [10 Places to Stick Your UNC Path - NetSPI](https://blog.netspi.com/10-places-to-stick-your-unc-path/)
* **Re(p)lay Attack**
* [Places of Interest in Stealing NetNTLM Hashes - osandamalith.com/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [Document Tracking: What You Should Know - justhaifei1](https://justhaifei1.blogspot.com/2013/10/document-tracking-what-you-should-know.html)
* [Microsoft Office – NTLM Hashes via Frameset - pentestlab.blog](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [ADV170014 NTLM SSO: Exploitation Guide - sysadminjd.com](http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/)
* [SMB Relay Demystified and NTLMv2 Pwnage with Python](https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python)
* [Stealing Windows Credentials Using Google Chrome - Bosko Stankovic](http://www.defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf)
* [Stealing Windows Credentials Using Google Chrome](http://www.defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf)
* [Windows: Local WebDAV NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1)
* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
* Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
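Review bot: the rewritten Chrome entry drops the author suffix "- Bosko Stankovic" while the neighbouring entries in this list keep an author or site attribution (osandamalith.com, justhaifei1, pentestlab.blog, sysadminjd.com); keep `[Stealing Windows Credentials Using Google Chrome - Bosko Stankovic](...)` for consistency.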
@ -1118,14 +1148,36 @@
-----------------------
### <a name="webdav"></a> WebDAV
* [WsgiDAV](https://github.com/mar10/wsgidav)
* WsgiDAV is a generic WebDAV server written in Python and based on WSGI.
* **101**
* **General/Articles/Writeups**
* **Tools**
* [WsgiDAV](https://github.com/mar10/wsgidav)
* WsgiDAV is a generic WebDAV server written in Python and based on WSGI.
-----------------------
### <a name="wmi"></a> Windows Management Instrumentation(WMI)
* **101**
* [Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI) - Carlos Perez](https://www.darkoperator.com/blog/2013/1/31/introduction-to-wmi-basics-with-powershell-part-1-what-it-is.html)
* **General/Articles/Writeups**
* [Post Exploitation Using WMIC (System Command) - hackingarticles.in](https://www.hackingarticles.in/post-exploitation-using-wmic-system-command/)
* **Reference**
* [Connecting to WMI Remotely with C# - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/wmisdk/connecting-to-wmi-remotely-with-c-)
* **Tools**
------------
### <a name="other">Other</a> (Breaking Routers)
* [ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd)
------------
#### <a name="misc"></a>MISC:
* [t50 - the fastest packet injector.](https://github.com/fredericopissarra/t50)
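Review bot: the WebDAV restructure leaves `**101**` and `**General/Articles/Writeups**` as empty bullets, and the new WMI section ends with an empty `**Tools**` bullet; empty category headers should be filled or omitted until there is something to list. Also `Windows Management Instrumentation(WMI)` in the WMI heading wants a space before the parenthesis to match the other headings.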


+ 25
- 5
Draft/OSI.md

@ -10,7 +10,7 @@
- [DNS Stuff/related](#dns)
- [Email Gathering](#email)
- [Fancy Search Engines](#search)
- [Google Hacking](#gh)
- [Search Engine Dorks](#gh)
- [Site Specific Tools](#site)
- [Social Media Search/Enumeration](#social)
- [Company/People Searching](#ppl)
@ -31,9 +31,6 @@
--------------------
### <a name="general"></a>General
* **General**
@ -45,6 +42,7 @@
* [Open Source Intelligence Gathering 101 - appseco.com](https://blog.appsecco.com/open-source-intelligence-gathering-101-d2861d4429e3)
* [Open Source Intelligence Gathering 201 - appseco.com](https://blog.appsecco.com/open-source-intelligence-gathering-201-covering-12-additional-techniques-b76417b5a544)
* [Open Source Intelligence Gathering: Techniques, Automation, and Visualization - Christopher Maddalena](https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05)
* [The OSINT Connection: Intelligence In Executive Protection - protectioncircle.com](https://protectioncircle.org/2017/03/06/the-osint-connection-intelligence-in-executive-protection/)
* **Alerting**
* [Google Trends](https://trends.google.com/trends/)
* See what are the popular related topics people are searching for. This will help widen your search scope.
@ -93,6 +91,9 @@
* [Glass Reflections in Pictures + OSINT = More Accurate Location](http://blog.ioactive.com/2014/05/glass-reflections-in-pictures-osint.html)
* [Exploring the Github Firehose](http://blog.scalyr.com/2013/10/exploring-the-github-firehose/)
* [OSINT Through Sender Policy Framework (SPF) Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
* [Hunting with ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](https://hackernoon.com/hunting-with-%EA%93%98amerka-2-0-aka-fist-flickr-instagram-shodan-twitter-ca363f12562a)
* [ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](https://github.com/woj-ciech/kamerka)
* Build interactive map of cameras, printers, tweets and photos. The script creates a map of cameras, printers, tweets and photos based on your coordinates. Everything is clearly presented in form of interactive map with icons and popups.
* **Talks & Presentations**
* [Cognitive Bias and Critical Thinking in Open Source Intelligence - Defcamp 2014](https://www.youtube.com/watch?v=pVAM21UERLU&index=24&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
* [Dark Arts of OSINT Skydogcon](https://www.youtube.com/watch?v=062pLOoZhk8)
@ -200,9 +201,18 @@
* Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
* [typofinder](https://github.com/nccgroup/typofinder)
* Typofinder for domain typo discovery
* **Domain Recon**
* **Tools**
* [Waybackpack](https://github.com/jsvine/waybackpack)
* Waybackpack is a command-line tool that lets you download the entire Wayback Machine archive for a given URL.
* [domain - jhaddix](https://github.com/jhaddix/domain)
* Recon-ng and Alt-DNS are awesome. This script combines the power of these tools with the ability to run multiple domains within the same session. TLDR; I just want to do my subdomain discovery via ONE command and be done with it. Only 1 module needs an api key (/api/google_site) find instructions for that on the recon-ng wiki. Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scraping, netcraft, and bruteforces to find subdomains. Plus resolves to IP
* [check0365](https://github.com/vysecurity/checkO365)
* checkO365 is a tool to check if a target domain is using O365
* **Email Gathering/Reconnaissance** <a name="email"></a>
* **Articles/Writeups**
* [OSINT Through Sender Policy Framework Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
* [The most complete guide to finding anyone’s email - Timur Daudpota](https://www.blurbiz.io/blog/the-most-complete-guide-to-finding-anyones-email)
* **Tools**
* [SimplyEmail](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
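Review bot: the new entry `[check0365](https://github.com/vysecurity/checkO365)` spells the name with a zero in the link text while the URL and the description line ("checkO365 is a tool to check...") use the letter O; fix the label so it matches the project name.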
@ -213,6 +223,8 @@
* For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
* [Cr3dOv3r](https://github.com/D4Vinci/Cr3dOv3r)
* Cr3dOv3r simply you give it an email then it does two simple jobs (but useful): Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API). Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!
* [Infoga](https://github.com/m4ll0k/Infoga)
* Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API. Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.
* **Facial Mapping Data**
* [Social Mapper](https://github.com/SpiderLabs/social_mapper)
* Social Mapper is a Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets names and pictures to accurately detect and group a person’s presence, outputting the results into report that a human operator can quickly review.
@ -250,15 +262,18 @@
* Description: The OSINT OPSEC Tool monitors multiple 21st Century OSINT sources real-time for keywords, then analyses the results, generates alerts, and maps trends of the data, finding all sorts of info people probably don't want others to see...
* [Pattern](https://github.com/clips/pattern/blob/master/README.md)
* Pattern is a web mining module for Python. It has tools for: Data Mining: web services (Google,; Twitter, Wikipedia), web crawler, HTML DOM parser; Natural Language Processing: part-of-speech taggers, n-gram search, sentiment analysis, WordNet; Machine Learning: vector space model, clustering, classification (KNN, SVM, Perceptron); Network Analysis: graph centrality and visualization.
* **Google Hacking** <a name="gh"></a>
* **Search Engine Dorks** <a name="gh"></a>
* **101**
* [Google Hacking for Penetration Testers](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
* [How to Find (Almost) Anything on Google - Barbara Davidson](https://www.netcredit.com/blog/how-to-find-anything-on-google/)
* **Databases/Lists**
* [ExpoitDB archive of the google hacking database](http://www.exploit-db.com/google-dorks/)
* [Google Hacking Database](http://www.hackersforcharity.org/ghdb/)
* We call them 'googledorks': Inept or foolish people as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe!
* [4500+ Google Dork List 2018 - conzu.de](http://www.conzu.de/en/google-dork-liste-2018-conzu/)
* **Tools**
* [GooHak](https://github.com/1N3/Goohak)
* Automatically launch google hacking queries against a target domain to find vulnerabilities and enumerate a target.
* [Google Hacking - Search Diggity tool](http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/)
* SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.
* [GoogD0rker](https://github.com/ZephrFish/GoogD0rker)
@ -273,6 +288,7 @@
* **Facebook**
* [pymk-inspector](https://github.com/GMG-Special-Projects-Desk/pymk-inspector/blob/master/README.md)
* The pymk-inspector is a tool built by Gizmodo's Special Projects Desk that we used for our investigation into Facebook's people you may know (pymk) algorithm.
* [Find FB profiles by Email](https://booleanstrings.com/2018/05/06/how-to-identify-facebook-profiles-from-email-addresses/)
* **Github**
* [profile-summary-for-github](https://github.com/tipsy/profile-summary-for-github)
* Tool for visualizing GitHub profiles
@ -297,6 +313,7 @@
* [Gathering Usernames from Google LinkedIn Results Using Burp Suite Pro - BHIS](https://www.blackhillsinfosec.com/gathering-usernames-from-google-linkedin-results-using-burp-suite-pro/)
* [GatherContacts](https://github.com/clr2of8/GatherContacts)
* A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results.
* [linkedin2username](https://github.com/initstring/linkedin2username)
* **Tinder**
* [OSINT: Advanced tinder capture](https://www.learnallthethings.net/osmosis)
* **Twitter**
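Review bot: the added `[linkedin2username](https://github.com/initstring/linkedin2username)` entry has no description line, unlike every neighbour in the LinkedIn list (GatherContacts and the BHIS post both carry one); add a one-line summary of what the tool does.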
@ -309,6 +326,9 @@
* Tweets metadata scraper & activity analyzer
* [Tinfoleak](http://vicenteaguileradiaz.com/tools/)
* tinfoleak is a simple Python script that allow to obtain: basic information about a Twitter user (name, picture, location, followers, etc.); devices and operating systems used by the Twitter user; applications and social networks used by the Twitter user; place and geolocation coordinates to generate a tracking map of locations visited; show user tweets in Google Earth!; download all pics from a Twitter user; hashtags used by the Twitter user and when are used (date and time); user mentions by the the Twitter user and when are occurred (date and time); topics used by the Twitter user
* [How to Find the Twitter ID from an Email Address - booleanstrings.com](https://booleanstrings.com/2018/05/02/how-to-find-the-twitter-id-from-an-email-address/)
* [Twint](https://github.com/twintproject/twint)
* Formerly known as Tweep, Twint is an advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API. Twint utilizes Twitter's search operators to let you scrape Tweets from specific users, scrape Tweets relating to certain topics, hashtags & trends, or sort out sensitive information from Tweets like e-mail and phone numbers. I find this very useful, and you can get really creative with it too. Twint also makes special queries to Twitter allowing you to also scrape a Twitter user's followers, Tweets a user has liked, and who they follow without any authentication, API, Selenium, or browser emulation.
* **Social Media Search/Enumeration** <a name="social"></a>
* [CheckUsernames](http://checkusernames.com/)
* Check the use of your brand or username on 160 Social Networks


+ 16
- 0
Draft/P_C.md

@ -9,6 +9,12 @@
SOX
* [California S.B. 1386 - Wikipedia](https://en.wikipedia.org/wiki/California_S.B._1386)
https://www.auditscripts.com/training/
------------
### <a name="general"></a>General
* **General**
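Review bot: the bare URL `https://www.auditscripts.com/training/` is inserted just above the General heading without a markdown title or description, and the bare `SOX` line above it is not a list item either; these read as unsorted notes, so either turn them into `* [Title](url)` entries under the right category or move them to the file's sort/to-do area.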
@ -30,6 +36,13 @@
* [The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf)
* [An Overview of Threat and Risk Assessment](https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76)
* [The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
* **ISO**
* [ISO/IEC 27001 - Wikipedia](https://en.wikipedia.org/wiki/ISO/IEC_27001)
* [ISO/IEC 27000 family - Information security management systems](https://www.iso.org/isoiec-27001-information-security.html)
* The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
* **NIST**
* [NIST Special Publication 800-series - General Information](https://www.nist.gov/itl/nist-special-publication-800-series-general-information)
* Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
* **Notable Malicious Occurances**
* [Moldovan bank fraud scandal - Wikipedia](https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal)
* **PCI**
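Review bot: the context header `**Notable Malicious Occurances**` directly below the new NIST block is misspelled; it should be "Occurrences". Worth fixing while this part of the file is being edited.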
@ -37,6 +50,9 @@
* [PCI SSC Cloud Computing Guidelines - 4/2018](https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf)
* [PCI DSS Quick Reference Guide - v3.2](https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf)
* [Guidance for PCI DSS Scoping and Network Segmentation - 2016](https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf)
* **PII**
* [EU General Data Protection Regulation(GDPR)](https://gdpr-info.eu/)
* [GDPR - Wikipedia](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)
* **Misellaneous**
* [Goodhart's Law - Wikipedia](https://en.m.wikipedia.org/wiki/Goodhart%27s_law)
* Goodhart's law is an adage named after economist Charles Goodhart, which has been phrased by Marilyn Strathern as: "When a measure becomes a target, it ceases to be a good measure."[1] One way in which this can occur is individuals trying to anticipate the effect of a policy and then taking actions which alter its outcome.
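Review bot: the context header `**Misellaneous**` immediately after the new PII block is misspelled; it should be "Miscellaneous". A one-character fix in the same hunk would be cheap.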


+ 144
- 15
Draft/Phishing.md

@ -2,18 +2,18 @@
## Table of Contents
* [General](#general)
- [Articles/Blogposts]
- [Papers]
- [Writeups]
* [Phishing Frameworks](#framework)
* [Tools](#tools)
* [Microsoft Outlook/Exchange Related](#msoutlook)
* [Microsoft Office](#msoffice)
- [Setting up a Server](#settingup)
* [Setting up a Server](#settingup)
* [Talks/Presentations](#talks)
------------------
### <a name="general">General</a>
* **General**
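Review bot: the TOC sub-entries `- [Articles/Blogposts]`, `- [Papers]` and `- [Writeups]` have no `(#anchor)` target, so they render as literal bracketed text rather than links; either give them anchors that match the sub-headings under General or drop the brackets. The `- [Setting up a Server]` to `* [Setting up a Server]` change is fine since the rest of the list uses `*`.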
@ -22,6 +22,9 @@
* [Phishing with Maldocs](https://www.n00py.io/2017/04/phishing-with-maldocs/)
* [Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
* [iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking](https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking)
* [Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BH Asia2017](https://www.youtube.com/watch?v=_gk4i33lriY&list=PLH15HpR5qRsWx4qw9ZlgmisHOcKG4ZcRS&index=11)
* Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money.
* [Slides](https://www.blackhat.com/docs/asia-17/materials/asia-17-Turpin-Phishing-For-Funds-Understanding-Business-Email-Compromise.pdf)
* **Articles/Blogposts**
* [Best Time to send email](https://coschedule.com/blog/best-time-to-send-email/)
* [Top 10 Email Subjects for Company Phishing Attacks](http://www.pandasecurity.com/mediacenter/security/top-10-email-subjects-phishing-attacks/)
@ -39,6 +42,7 @@
* [Skeleton in the closet. MS Office vulnerability you didn’t know about](https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about)
* Microsoft Equation Editor Exploit writeup
* [MetaPhish Paper](https://www.blackhat.com/presentations/bh-usa-09/SMITH_VAL/BHUSA09-Smith-MetaPhish-PAPER.pdf)
* [MetaPhish - Defcon17](https://www.defcon.org/images/defcon-17/dc-17-presentations/Valsmith/defcon-17-valsmith-metaphish-wp.pdf)
* **Writeups**
* [How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)
* [Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)
@ -51,10 +55,17 @@
* [Spear Phishing 101 - inspired-sec.com](https://blog.inspired-sec.com/archive/2017/05/07/Phishing.html)
* [There is a shell in your lunch-box by Rotimi Akinyele](https://hakin9.org/shell-lunch-box-rotimi-akinyele/)
----------
### <a name="documentation"> Documentation
* **Dynamic Data Exchange(DDE)**
* [About Dynamic Data Exchange](https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx)
* [About Dynamic Data Exchange - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange)
* [Dynamic Data Exchange - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/dynamic-data-exchange)
* This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
* [Dynamic Data Exchange - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/dynamic-data-exchange)
* This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
* **DomainKeys Identified Mail**
* [DomainKeys Identified Mail - Wikipedia](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail)
* **Domain Message Authentication, Reporting, and Conformance - DMARC**
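Review bot: `[Dynamic Data Exchange - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/dynamic-data-exchange)` with the identical DDEML description appears twice in this hunk; if both survive in the result, remove one. Also the section heading `### <a name="documentation"> Documentation` has no closing `</a>`, unlike the other headings in the file (`### <a name="general">General</a>`).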
@ -67,10 +78,17 @@
* **Object Linking and Embedding**
* [Object Linking and Embedding - Wikipedia](https://en.wikipedia.org/wiki/Object_Linking_and_Embedding)
* [OLE - msdn.ms](https://msdn.microsoft.com/en-us/library/df267wkc.aspx)
* [[MS-OLEDS]: Object Linking and Embedding (OLE) Data Structures - msdn.ms](https://msdn.microsoft.com/en-us/library/dd942265.aspx)
* **Protected View**
* [What is Protected View? - support.office.com](https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653)
* **Sender Policy Framework - SPF**
* [Sender Policy Framework - Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework)
* **SMTP Strict Transport Security**
* [SMTP Strict Transport Security](https://lwn.net/Articles/684462/)
* **Subdocument Reference**
* [SubDocumentReference class - msdn.ms](https://msdn.microsoft.com/en-us/library/office/documentformat.openxml.wordprocessing.subdocumentreference.aspx?cs-save-lang=1&cs-lang=vb#Syntax)
* **Transport Neutral Encapsulation Format**
* [Transport Neutral Encapsulation Format - Wikipedia](https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format)
* **XLL**
* [Welcome to the Excel Software Development Kit - msdn.ms](https://msdn.microsoft.com/en-us/library/office/bb687883.aspx)
* [Accessing XLL code in Excel - docs.ms](https://docs.microsoft.com/en-us/office/client-developer/excel/accessing-xll-code-in-excel)
@ -78,7 +96,12 @@
* [SPF, DKIM, and DMARC Demystified - McAfee](https://jira.sakaiproject.org/secure/attachment/43722/sb-spf-dkim-dmarc-demystified.pdf)
* [Add commands to your presentation with action buttons](https://support.office.com/en-us/article/Add-commands-to-your-presentation-with-action-buttons-7db2c0f8-5424-4780-93cb-8ac2b6b5f6ce)
* Add commands to your presentation with action buttons
* [Variable Object (Word) - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Word-VBA/articles/variable-object-word)
* [Using ScriptControl Methods - docs.ms](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-6.0/aa227637(v=vs.60))
* The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state.
* [VBA ScriptControl to run Java Script Function](https://www.experts-exchange.com/questions/28190006/VBA-ScriptControl-to-run-Java-Script-Function.html)
* [CallByName Function - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Language-Reference-VBA/articles/callbyname-function)
* Executes a method of an object, or sets or returns a property of an object. SyntaxCallByName( object, procname, calltype,[args()])
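Review bot: the CallByName description runs the word "Syntax" into the signature ("SyntaxCallByName( object, procname, calltype,[args()])"); separate them, e.g. "Syntax: CallByName(object, procname, calltype, [args()])", so the line reads as a description plus a signature.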
@ -119,8 +142,12 @@
* Tool page
* [ReelPhish: A Real-Time Two-Factor Phishing Tool](https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.html)
* [ReelPhish](https://github.com/fireeye/ReelPhish)
* [evilginx2](https://github.com/kgretzky/evilginx2)
* evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
* [Mercure](https://github.com/atexio/mercure)
* Mercure is a tool for security managers who want to teach their colleagues about phishing.
------------------
### <a name="tools"></a>Tools
@ -136,6 +163,11 @@
* [PhishBait](https://github.com/hack1thu7ch/PhishBait)
* Tools for harvesting email addresses for phishing attacks
* [Email Address Harvesting for Phishing](http://www.shortbus.ninja/email-address-harvesting-for-phishing-attacks/)
* **Local Phishing**
* [Ask and ye shall receive - Impersonating everyday applications for profit - FoxIT](https://www.fox-it.com/en/insights/blogs/blog/phishing-ask-and-ye-shall-receive/)
* [Invoke-CredentialPhisher](https://github.com/fox-it/Invoke-CredentialPhisher)
* The first one is a powershell script to send toast notifications on behalf on an (installed) application or the computer itself. The user will be asked to supply credentials once they click on the notification toast. The second one is a Cobalt Strike module to launch the phishing attack on connected beacons.
* [Phishing for Credentials: If you want it, just ask! - enigma0x3](http://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
* **Payloads**
* [Demiguise](https://github.com/nccgroup/demiguise)
* The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.
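Review bot: the Invoke-CredentialPhisher description opens with "The first one is a powershell script ... The second one is a Cobalt Strike module" but nothing in the list says what the two things are, so the sentence has no referent; reword to something like "The repository contains two components: a PowerShell script that sends toast notifications on behalf of an installed application or the computer itself ... and a Cobalt Strike module ...". Also "on behalf on an (installed) application" should read "on behalf of".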
@ -143,6 +175,11 @@
* [Social-Engineering-Payloads - t3ntman](https://github.com/t3ntman/Social-Engineering-Payloads)
* [backdoorppt](https://github.com/r00t-3xp10it/backdoorppt)
* transform your payload.exe into one fake word doc (.ppt)
* [EmbedInHTML](https://github.com/Arno0x/EmbedInHTML)
* What this tool does is taking a file (any type of file), encrypt it, and embed it into an HTML file as ressource, along with an automatic download routine simulating a user clicking on the embedded ressource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site. Depending on the user's browser and the file type presented, the file can be automatically opened by the browser.
* [malicious_file_maker](https://github.com/carnal0wnage/malicious_file_maker)
* malicious file maker/sender to create and send malicious attachments to test your email filter/alerting
* [VBA ScriptControl to run Java Script Function](https://www.experts-exchange.com/questions/28190006/VBA-ScriptControl-to-run-Java-Script-Function.html)
* **Recon**
* [hackability](https://github.com/PortSwigger/hackability)
* Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
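Review bot: the EmbedInHTML description spells "ressource" twice (should be "resource") and opens with "What this tool does is taking a file"; tighten to "This tool takes a file (of any type), encrypts it, and embeds it into an HTML file as a resource, along with ...". The bare "VBA ScriptControl to run Java Script Function" link at the end of **Payloads** is a Q&A thread rather than a payload tool and duplicates the entry added earlier in this commit, so drop it here.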
@ -184,28 +221,89 @@
------------------
### <a name="msoffice"></a>MS Office
* **General**
* [Phishing against Protected View](https://enigma0x3.net/2017/07/13/phishing-against-protected-view/)
* [Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
* [office-exploit-case-study](https://github.com/houjingyi233/office-exploit-case-study)
* I collect some office vuln recent years.Many samples are malware used in the real world,please study them in virtual machine.Take responsibility yourself if you use them for illegal purposes.Samples should match hash in corresponding paper if mentioned. * [Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
* [Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - Pwndizzle](https://pwndizzle.blogspot.com.es/2017/03/office-document-macros-ole-actions-dde.html)
* [MSWord - Obfuscation with Field Codes - Staaldraad](https://staaldraad.github.io/2017/10/23/msword-field-codes/)
* [Analysis of the Attack Surface of Microsoft Office from a User's Perspective](https://0b3dcaf9-a-62cb3a1a-s-sites.googlegroups.com/site/zerodayresearch/Analysis_of_the_Attack_Surface_of_Microsoft_Office_from_User_Perspective_final.pdf)
* [Document Tracking: What You Should Know - justhaifei1](https://justhaifei1.blogspot.com/2013/10/document-tracking-what-you-should-know.html)
* [ Microsoft Office – NTLM Hashes via Frameset - pentestlab.blog](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [EXD: An attack surface for Microsoft Office](https://www.fortinet.com/blog/threat-research/exd-an-attack-surface-for-microsoft-office.html)
* [Microsoft Office – Payloads in Document Properties - pentestlab.blog](https://pentestlab.blog/2017/12/15/microsoft-office-payloads-in-document-properties/)
* Fortinet has discovered a potential attack surface for Microsoft office via EXD file. After a malformed or specifically crafted EXD file was placed in an expected location, it could trigger a remote code execution when a document with ActiveX is opened with office applications.
* [Persisting with Microsoft Office: Abusing Extensibility Options - William Knowles](https://labs.mwrinfosecurity.com/assets/BlogFiles/WilliamKnowles-MWR-44con-PersistingWithMicrosoftOffice.pdf)
* [Abusing Microsoft Office Online Video - blog.cymulate](https://blog.cymulate.com/abusing-microsoft-office-online-video)
* Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code
* [Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - PwnDizzle](https://pwndizzle.blogspot.com/2017/03/office-document-macros-ole-actions-dde.html)
* [Persisting with Microsoft Office: Abusing Extensibility Options - William Knowles](https://labs.mwrinfosecurity.com/assets/BlogFiles/WilliamKnowles-MWR-44con-PersistingWithMicrosoftOffice.pdf)
* [Demonstration of the Windows/Office "Insecure Temporary File Dropping" Vulnerability - justhaifeil](https://justhaifei1.blogspot.com/2014/08/demonstration-of-windowsoffice-insecure.html)
* [Analysis of the Attack Surface of Microsoft Office from a User's Perspective](https://0b3dcaf9-a-62cb3a1a-s-sites.googlegroups.com/site/zerodayresearch/Analysis_of_the_Attack_Surface_of_Microsoft_Office_from_User_Perspective_final.pdf)
* [EXD: An attack surface for Microsoft Office](https://www.fortinet.com/blog/threat-research/exd-an-attack-surface-for-microsoft-office.html)
* Fortinet has discovered a potential attack surface for Microsoft office via EXD file. After a malformed or specifically crafted EXD file was placed in an expected location, it could trigger a remote code execution when a document with ActiveX is opened with office applications.
* **Inbuilt Functions**
* [Variable Object (Word) - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Word-VBA/articles/variable-object-word)
* [Using ScriptControl Methods - docs.ms](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-6.0/aa227637(v=vs.60))
* The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state.
* **Access**
* [Phishing for “Access” - Changing Phishing Tactics Require Closer User and Defender Attention - Steve Borosh](https://medium.com/rvrsh3ll/phishing-for-access-554105b0901e)
* [MAccess – Bypassing Office macro warnings - kaiosec](https://kaiosec.com/blog/maccess.html)
* [Changing Phishing Tactics Require Closer User and Defender Attention - nuix.com](https://www.nuix.com/blog/changing-phishing-tactics-require-closer-user-and-defender-attention)
* **Excel**
* [When Scriptlets Attack: Excel’s Alternative to DDE Code Execution - David Wells](https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/)
* [Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray](https://blog.hyperiongray.com/excel-dde-exploitation-and-ml-av-bypass/)
* [Excel-DNA](https://excel-dna.net/)
* Excel-DNA is an independent project to integrate .NET into Excel. With Excel-DNA you can make native (.xll) add-ins for Excel using C#, Visual Basic.NET or F#, providing high-performance user-defined functions (UDFs), custom ribbon interfaces and more. Your entire add-in can be packed into a single .xll file requiring no installation or registration.
* [Tricks to Improve Web App Excel Export Attacks - Jerome Smith(CAMSEC)](https://www.youtube.com/watch?v=3wNvxRCJLQQ)
* This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides.
* [Slides](https://www.slideshare.net/exploresecurity/camsec-sept-2016-tricks-to-improve-web-app-excel-export-attacks)
* [Insert an object in your Excel spreadsheet - support.office](https://support.office.com/en-us/article/Insert-an-object-in-your-Excel-spreadsheet-e73867b2-2988-4116-8d85-f5769ea435ba)
* **PowerPoint**
* [Phishing with PowerPoint - BHIS](https://www.blackhillsinfosec.com/phishing-with-powerpoint/)
* [PowerPoint and Custom Actions](https://phishme.com/powerpoint-and-custom-actions/)
* **OSX**
* [Sylk + XLM = Code execution on Office 2011 for Mac - Pieter Celeen](https://outflank.nl/blog/2018/10/12/sylk-xlm-code-execution-on-office-2011-for-mac/)
* **DDE**
* [Exploiting Office native functionality: Word DDE edition](https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html)
* [Excel DDE Walkthrough](https://github.com/merrillmatt011/Excel_DDE_Walkthrough/blob/master/Excel_DDE_Walkthrough.pdf)
* [Macro-less Code Exec in MSWord - Sensepost](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Office-DDE-Payloads](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)
* Collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique.
* **Blogposts/Writeups**
* [Exploiting Office native functionality: Word DDE edition](https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html)
* [Excel DDE Walkthrough](https://github.com/merrillmatt011/Excel_DDE_Walkthrough/blob/master/Excel_DDE_Walkthrough.pdf)
* [Macro-less Code Exec in MSWord - Sensepost](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [The Current State of DDE - Office DDE Attacks from an Offensive and Defensive Perspective - @0xdeadbeefJERKY](https://medium.com/@0xdeadbeefJERKY/the-current-state-of-dde-a62fd3277e9)
* [ Microsoft Office – DDE Attacks - pentestlab.blog](https://pentestlab.blog/2018/01/16/microsoft-office-dde-attacks/)
* [Abusing Microsoft Office DDE - SecuritySift](https://www.securitysift.com/abusing-microsoft-office-dde/)
* [PowerShell, C-Sharp and DDE The Power Within](https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/)
* aka Exploiting MS16-032 via Excel DDE without macros.
* [Macroless DOC malware that avoids detection with Yara rule - Furoner.CAT](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/)
* [PowerShell, C-Sharp and DDE The Power Within - sensepost](https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/)
* [Microsoft Office – DDE Attacks - pentestlab.blog](https://pentestlab.blog/2018/01/16/microsoft-office-dde-attacks/)
* [Abusing Microsoft Office DDE - SecuritySift](https://www.securitysift.com/abusing-microsoft-office-dde/)
* [Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray](https://blog.hyperiongray.com/excel-dde-exploitation-and-ml-av-bypass/)
* **Payload Creation/Generation**
* [Office-DDE-Payloads - 0xdeadbeefJERKY](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)
* Collection of scripts and templates to generate Word and Excel documents embedded with the DDE, macro-less command execution technique described by @\_staaldraad and @0x5A1F (blog post link in References section below). Intended for use during sanctioned red team engagements and/or phishing campaigns.
* [DDE Payloads - Panagiotis Gkatziroulis](https://medium.com/red-team/dde-payloads-16629f4a2fcd)
* [CACTUSTORCH_DDEAUTO](https://github.com/xillwillx/CACTUSTORCH_DDEAUTO)
* OFFICE DDEAUTO Payload Generation script to automatically create a .vbs/.hta/.js payload for use inside a Microsoft Office document. Will create the DDEAUTO function to download and execute your payload using powershell or mshta that you can paste inside a Word document. That function can also be copy and pasted from Word to trigger in One Note/Outlook email/Outlook Calendar/Outlook Task.
* [Office DDEAUTO attacks - Will Genovese](http://willgenovese.com/office-ddeauto-attacks/)
* **Payload Obfuscation**
* [MSWord - Obfuscation with Field Codes - Staaldraad](https://staaldraad.github.io/2017/10/23/msword-field-codes/)
* **DLL**
* [DLL Tricks with VBA to Improve Offensive Macro Capability](https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/)
* [DLL Execution via Excel.Application RegisterXLL() method](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52)
* A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
* [ExcelDllLoader](https://github.com/3gstudent/ExcelDllLoader)
* Execute DLL via the Excel.Application object's RegisterXLL() method
* **Exploits**
* [CVE-2017-0199](https://github.com/bhdresh/CVE-2017-0199)
* Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
* [PowerShell, C-Sharp and DDE The Power Within](https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/)
* aka Exploiting MS16-032 via Excel DDE without macros.
* **HTA**
* [Malicious HTAs - trustedsec](https://www.trustedsec.com/2015/07/malicious-htas/)
* [Exploiting CVE-2017-0199: HTA Handler Vulnerability](https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/)
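Review bot: this hunk introduces many duplicate entries inside the MS Office section, and several should be collapsed before merge: "Phishing against Protected View" (under **General** and again under **Protected View**); "Next Gen Office Malware v2.0" (listed on its own and fused onto the end of the office-exploit-case-study description line, which also makes that line unreadable); the Pwndizzle "Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass" post (once via the .com.es domain, once via .com); "Analysis of the Attack Surface of Microsoft Office"; the Fortinet EXD article with its description; "Persisting with Microsoft Office: Abusing Extensibility Options"; the Staaldraad field-codes post (**General** and **Payload Obfuscation**); the justhaifei1 temporary-file post (**General** and **Temporary File Drop**); the four DDE write-ups repeated verbatim between **DDE** and **Blogposts/Writeups**; Office-DDE-Payloads (**DDE** and **Payload Creation/Generation**); the pentestlab and SecuritySift DDE posts (twice each within **Blogposts/Writeups**); the Furoner "Macroless DOC malware" post (three times); "PowerShell, C-Sharp and DDE The Power Within" (twice under **Blogposts/Writeups** and again under **Exploits**); and the hyperiongray Excel DDE post (**Excel** and **Blogposts/Writeups**). The "Variable Object (Word)" and "Using ScriptControl Methods" entries under **Inbuilt Functions** also repeat the entries added in an earlier hunk of this file. Separately, "Microsoft Office – Payloads in Document Properties" is interleaved between the EXD link and the Fortinet description that belongs to it, so the description reads as if it describes the pentestlab post; move it out. Finally, the Outflank Sylk/XLM author appears to be spelled "Pieter Ceelen" rather than "Pieter Celeen".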
@ -222,6 +320,11 @@
* [How To: Empire’s Cross Platform Office Macro](https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/)
* [Excel macros with PowerShell](https://4sysops.com/archives/excel-macros-with-powershell/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Running Macros via ActiveX Controls - greyhathacker.net](http://www.greyhathacker.net/?p=948)
* [Abusing native Windows functions for shellcode execution - ropgadget](http://ropgadget.com/posts/abusing_win_functions.html)
* [Microsoft Office – Payloads in Document Properties - pentestlab.blog](https://pentestlab.blog/2017/12/15/microsoft-office-payloads-in-document-properties/)
* [Running Macros via ActiveX Controls - greyhathacker.net](http://www.greyhathacker.net/?p=948)
* [MAccess – Bypassing Office macro warnings - kaiosec](https://kaiosec.com/blog/maccess.html)
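Review bot: "Running Macros via ActiveX Controls - greyhathacker.net" appears twice within this hunk, two lines apart; keep one. "Abusing native Windows functions for shellcode execution", "Microsoft Office – Payloads in Document Properties" and "MAccess – Bypassing Office macro warnings" are each also added elsewhere in the MS Office section by this same commit (under **Shellcode**, **General** and **Access** respectively), so pick a single home for each.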
* **Tools**
* **Generators**
* [Pafish Macro](https://github.com/joesecurity/pafishmacro)
@ -237,7 +340,11 @@
* WePWNise is a proof-of-concept python script that generates architecture independent VBA code to be used in Office documents or templates. It aims in introducing a certain level of automation and intelligence to dynamically deliver its payload, circumventing defences such as application control and anti-exploitation mitigations that may exist on a target system.
* [Malicious Macro MSBuild Generator](https://github.com/infosecn1nja/MaliciousMacroMSBuild)
* Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
* [trigen](https://github.com/karttoon/trigen)
* Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
* **Samples**
* [RobustPentestMacro](https://github.com/mgeeky/RobustPentestMacro)
* This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.
* [CVE-2017-8759-Exploit-sample](https://github.com/vysec/CVE-2017-8759-Exploit-sample)
* Flow of the exploit: Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe
* **Obfuscation**
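Review bot: trigen (under **Generators**) and RobustPentestMacro (under **Samples**) are added again later in this file by the same commit, under **Shellcode** and **VBA**; the two RobustPentestMacro descriptions also differ (this one is the longer one), so keep one entry per tool with the fuller description.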
@ -245,8 +352,25 @@
* VBad is fully customizable VBA Obfuscation Tool combined with an MS Office document generator. It aims to help Red & Blue team for attack or defense.
* **OLE**
* [Phishing with Empire](https://enigma0x3.net/2016/03/15/phishing-with-empire/)
* [Attacking Interoperability: An OLE Edition](https://www.blackhat.com/docs/us-15/materials/us-15-Li-Attacking-Interoperability-An-OLE-Edition.pdf)
* **Protected View**
* [What is Protected View? - support.office.com](https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653)
* [Phishing against Protected View](https://enigma0x3.net/2017/07/13/phishing-against-protected-view/)
* [Understanding The Microsft Office 2013 Protected-View Sandbox - Yong Chuan, Kho (2015)](https://labs.mwrinfosecurity.com/assets/BlogFiles/UNDERSTANDING-THE-MICROSOFT-OFFICE-2013-PROTECTED-VIEW-SANDBOX-WP3.pdf)
* **Shellcode**
* [CallByName Function - docs.ms](https://docs.microsoft.com/en-us/office/vba/Language/Reference/User-Interface-Help/callbyname-function)
* [CallByName Function - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Language-Reference-VBA/articles/callbyname-function)
* Executes a method of an object, or sets or returns a property of an object. SyntaxCallByName( object, procname, calltype,[args()])
* [Abusing native Windows functions for shellcode execution - ropgadget](http://ropgadget.com/posts/abusing_win_functions.html)
* [trigen](https://github.com/karttoon/trigen)
* Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
* **subDoc**
* [Abusing Microsoft Word Features for Phishing: “subDoc”](https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/)
* [SubDocumentReference class - msdn.ms](https://msdn.microsoft.com/en-us/library/office/documentformat.openxml.wordprocessing.subdocumentreference.aspx?cs-save-lang=1&cs-lang=vb#Syntax)
* **Temporary File Drop**
* [Demonstration of the Windows/Office "Insecure Temporary File Dropping" Vulnerability - justhaifeil](https://justhaifei1.blogspot.com/2014/08/demonstration-of-windowsoffice-insecure.html)
* **TNEF**
* [Transport Neutral Encapsulation Format - Wikipedia](https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format)
* **VBA**
* [RobustPentestMacro](https://github.com/mgeeky/RobustPentestMacro)
* This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
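Review bot: the two CallByName entries under **Shellcode** (docs.ms and msdn.ms) point to the same reference page; keep one and fix "SyntaxCallByName(" to "Syntax: CallByName(". "Microsft" in the Protected-View sandbox whitepaper title should be "Microsoft". trigen and RobustPentestMacro here repeat the entries added under **Generators** and **Samples** in the previous hunk. Under **OLE**, "Phishing with Empire" is added with no description, so it is not clear why it sits under that heading; a one-line description would help.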
@ -275,6 +399,11 @@
* [Phishing Like The Pros - Luis “Connection” Santana - Derbycon 2013](https://www.irongeek.com/i.php?page=videos/derbycon3/1305-phishing-like-the-pros-luis-connection-santana)
* This talk will discuss phishing techniques used by professionals during phishing campaigns and introduce “PhishPoll”, a PHP-based phishing framework for creating, managing, and tracking phishing campaigns.
* [MetaPhish - Valsmith, Colin Ames, and David Kerb - DEF CON 17](https://www.youtube.com/watch?v=3DYOMkkTK4A)
* [Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BH Asia2017](https://www.youtube.com/watch?v=_gk4i33lriY&list=PLH15HpR5qRsWx4qw9ZlgmisHOcKG4ZcRS&index=11)
* Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money.
------------------


+ 13 - 1 Draft/RE.md

@ -33,7 +33,6 @@
--------------
### General
* **101**
@ -317,6 +316,8 @@
* IDA Pro Full Instruction Reference Plugin - It's like auto-comments but useful.
* [YaCo])(https://github.com/DGA-MI-SSI/YaCo)
* YaCo is an Hex-Rays IDA plugin. When enabled, multiple users can work simultaneously on the same binary. Any modification done by any user is synchronized through git version control.
* [HexRaysPyTools](https://github.com/igogo-x86/HexRaysPyTools/blob/master/readme.md)
* The plugin assists in the creation of classes/structures and detection of virtual tables. It also facilitates transforming decompiler output faster and allows to do some stuff which is otherwise impossible.
* **IDA Tutorials/Help**
* [TiGa's Video Tutorial Series on IDA Pro](http://woodmann.com/TiGa/idaseries.html)
* [IDA PLUG-IN WRITING IN C/C++](http://www.binarypool.com/idapluginwriting/idapw.pdf)
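Review bot: while touching this block, fix the YaCo link on the context line: `[YaCo])(https://github.com/DGA-MI-SSI/YaCo)` has a stray `)` after the closing bracket and will not render as a link; it should be `[YaCo](https://github.com/DGA-MI-SSI/YaCo)`. The new HexRaysPyTools link points at the readme blob rather than the repository root, unlike the other plugin entries; linking the repo itself is more consistent.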
@ -538,6 +539,17 @@
* [Taking a Snapshot and Viewing Processes - msdn.ms](https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx)
* **QEMU**
* [PyREBox](https://github.com/Cisco-Talos/pyrebox)
* PyREBox is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows to inspect a running QEMU VM, modify its memory or registers, and to instrument its execution, by creating simple scripts in python to automate any kind of analysis. QEMU (when working as a whole-system-emulator) emulates a complete system (CPU, memory, devices...). By using VMI techniques, it does not require to perform any modification into the guest operating system, as it transparently retrieves information from its memory at run-time.
* **Binary Instrumentation**
* [Dynamic Binary Instrumentation Primer - rui - deniable.org ](http://deniable.org/reversing/binary-instrumentation)
* "Dynamic Binary Instrumentation (DBI) is a method of analyzing the behavior of a binary application at runtime through the injection of instrumentation code" - Uninformed 2007
* [Etnaviv](https://github.com/etnaviv/etna_viv)
* Project Etnaviv is an open source user-space driver for the Vivante GCxxx series of embedded GPUs. This repository contains reverse-engineering and debugging tools, and rnndb register documentation. It is not necessary to use this repository when building the driver.
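Review bot: Etnaviv does not belong under the new **Binary Instrumentation** heading; by its own description it is a user-space driver plus reverse-engineering tools and register documentation for Vivante GPUs, not a DBI framework, so move it to a hardware/GPU reverse-engineering section. Also the deniable.org link text has a trailing space inside the brackets ("deniable.org ]").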


+ 5 - 1 Draft/RT.md

@ -29,7 +29,6 @@
* add usb/hw related stuff
--------------
### <a name="general"></a>General
* **101**
@ -41,6 +40,9 @@
* [A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis - USGov 2009](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/Tradecraft%20Primer-apr09.pdf)
* [The Black Team](http://www.penzba.co.uk/GreybeardStories/TheBlackTeam.html)
* [IBM Black Team](http://www.t3.org/tangledwebs/07/tw0706.html)
* **APT Simulation**
* [Unit42 Playbook Viewer](https://pan-unit42.github.io/playbook_viewer/)
* [Introducing the Adversary Playbook: First up, OilRig - Ryan Olson](https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/)
* **Courses**
* [Advanced Threat Tactics – Course and Notes - CobaltStrike](https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/)
* **General Informative Information**
@ -132,6 +134,7 @@
* Long gone are the days of easy command shells through PowerShell. Defenders are catching more than ever, forcing red teamers to up their game in new and innovative ways. This presentation will explore several new OSINT sources, techniques, and tools developed to accelerate and assist in target asset discovery and profiling. We will discover how some new advances in EDR has changed the general landscape of more mature organisations, and how red team tactics and procedures have been modified to bypass certain obstacles faced. Relevant techniques will be revised, modified and made great again.
* [Skills for a Red Teamer - Brent White & Tim Roberts - NolaCon 2018](https://www.youtube.com/watch?reload=9&v=Abr4HgSV9pc)
* Want to incorporate hybrid security assessments into your testing methodology? What does going above and beyond look like for these types of assessments? How do you provide the best value with the resources and scope provided? What do some of these toolkits encompass? If you’re interested in what skills are needed for a Red-Teamer, or taking your red teaming assessments to the next level, here’s the basic info to get you started. We’ll discuss items of importance, methodology, gear, stories and even some tactics used to help give you an edge.
* [You’re Probably Not Red Teaming... And Usually I’m Not, Either [SANS ICS 2018] - Deviant Ollam](https://www.youtube.com/watch?v=mj2iSdBw4-0&feature=youtu.be)
* **Phishing**
* [Hacking Corporate Em@il Systems - Nate Power](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense04-hacking-corporate-emil-systems-nate-power)
* In this talk we will discuss current email system attack vectors and how these systems can be abused and leveraged to break into corporate networks. A penetration testing methodology will be discussed and technical demonstrations of attacks will be shown. Phases of this methodology include information gathering, network mapping, vulnerability identification, penetration, privilege escalation, and maintaining access. Methods for organizations to better protect systems will also be discussed.
@ -331,6 +334,7 @@
* [Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
* [DomainFrontingLists](https://github.com/vysec/DomainFrontingLists)
* A list of Domain Frontable Domains by CDN
* [Metasploit Domain Fronting With Microsoft Azure - Chris Higgins](https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/)
* **Talks & Videos**
* **Tools**
* **Finding Vulnerable Domains**


+ 70 - 88 Draft/Rootkits.md

@ -1,9 +1,4 @@
# Rootkits
## Table of Contents
* [Cull](#cull)
@ -15,77 +10,17 @@
* [Tools](#tools)
### Sort
[Homesite](https://trmm.net/EFI)
* [Komodia Rootkit Writeupn](https://gist.github.com/Wack0/f865ef369eb8c23ee028)
* Komodia rootkit findings by @TheWack0lian
[Talk at CCC31](https://www.youtube.com/watch?v=5BrdX7VdOr0)
* [BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware- Defcon 21](https://www.youtube.com/watch?v=gKUleWyfut0)
* [Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [30c3]](https://www.youtube.com/watch?v=Ck8bIjAUJgE)
* [KernelMode Rootkits: Part 1, SSDT hooks - adlice](https://www.adlice.com/kernelmode-rootkits-part-1-ssdt-hooks/)
* [KernelMode Rootkits: Part 2, IRP hooks - adlice](https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/)
* [KernelMode Rootkits: Part 3, kernel filters- adlice](https://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/)
* [HookPasswordChange](https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange/HookPasswordChange)
* [Hypervisor](https://github.com/ainfosec/more)
* [Suterusu](https://github.com/mncoppola/suterusu)
* [Concepts for the Steal the Windows Rootkit (The Chameleon Project)Joanna Rutkowska2003](http://repo.hackerzvoice.net/depot_madchat/vxdevl/avtech/Concepts%20for%20the%20Stealth%20Windows%20Rootkit%20%28The%20Chameleon%20Project%29.pdf)\
* [DragonKing Rootkit](https://github.com/mgrube/DragonKing)
* This is an open source rootkit created for a class taught on Rootkit Design. This rootkit hides by hooking the system call table and using an agent to do interactive manipulation in userland.
* [Rise of the dual architecture usermode rootkit](http://www.malwaretech.com/2013/06/rise-of-dual-architecture-usermode.html)
* [Measurement of Running Executables](http://vimeo.com/81335517)
* [Shadow Walker - Raising the Bar for Rootkit detection - BH 2005](https://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf)
* [TLB Synchronization (Split TLB)](http://uninformed.org/index.cgi?v=6&a=1&p=21)
* [MoRE Shadow Walker : TLB - splitting on Modern x86](https://www.blackhat.com/docs/us-14/materials/us-14-Torrey-MoRE-Shadow-Walker-The-Progression-Of-TLB-Splitting-On-x86-WP.pdf)
* MoRE, or Measurement of Running Executables, was a DARPA Cyber Fast Track effort to study the feasibility of utilizi ng x86 translation look - aside buffer (TLB) splitting techniques for realizing periodic measurements of running and dynamically changing applications. It built upon PaX, which used TLB splitting to emulate the no - execute bit and Shadow Walker, a memory hidi ng rootkit ; both designed for earlier processor architectures. MoRE and MoRE Shadow Walker are a defensive TLB splitting system and a prototype memory hiding rootkit for the current Intel i - series processors respectively – demonstrating the evolution of th e x86 architecture and how its complexity allows software to effect the apparent hardware architecture.
* [MoRE Shadow Walker : TLB - splitting on Modern x86](https://www.youtube.com/watch?v=XU1uNGZ7HnY)
* This presentation provides a cohesive overview of the work performed by AIS, Inc. on the DARPA CFT MoRE effort. MoRE was a 4-month effort which examined the feasibility of utilizing TLB splitting as a mechanism for periodic measurement of dynamically changing binaries. The effort created a proof-of-concept system to split the TLB for target applications, allowing dynamic applications to be measured and can detect code corruption with low performance overhead.
* [Pitfalls of virtual machine introspection on modern hardware](https://www.acsac.org/2014/workshops/mmf/Tamas%20Lengyel-Pitfalls%20of%20virtual%20machine%20introspection%20on%20modern%20hardware.pdf)
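Review bot: two items in the **Sort** block are not bulleted ("[Homesite](https://trmm.net/EFI)" and "[Talk at CCC31](...)") so they will render as run-on text rather than list items, and "Homesite" gives no hint what the link is; "Komodia Rootkit Writeupn" has a stray "n"; the Chameleon Project entry has a trailing backslash after the link, is missing separators in its title ("...Project)Joanna Rutkowska2003", i.e. " - Joanna Rutkowska (2003)"), and reads "Steal the Windows Rootkit" where the linked PDF is titled "Stealth Windows Rootkit"; and the MoRE Shadow Walker whitepaper description carries copy-paste breaks ("utilizi ng", "look - aside", "hidi ng", "th e", "i - series") that should be rejoined.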