
Updates to stuff. Part 1/2

Branch: pull/13/head
Author: Robert Musser, 5 years ago
Commit: 8e967caf64
37 changed files with 1771 additions and 843 deletions
1. Draft/AnonOpsecPrivacy.md (+5, -1)
2. Draft/Building A Pentest Lab.md (+12, -6)
3. Draft/Courses_Training.md (+17, -9)
4. Draft/Cryptography & Encryption.md (+16, -8)
5. Draft/Defense.md (+56, -0)
6. Draft/Documentation & Reports -.md (+3, -2)
7. Draft/Embedded Device & Hardware Hacking -.md (+27, -1)
8. Draft/Exfiltration.md (+2, -0)
9. Draft/Exploit Development.md (+36, -11)
10. Draft/Forensics Incident Response.md (+115, -79)
11. Draft/Fuzzing Bug Hunting.md (+16, -0)
12. Draft/Game Hacking.md (+38, -15)
13. Draft/Interesting Things Useful stuff.md (+28, -0)
14. Draft/Malware.md (+11, -5)
15. Draft/Network Attacks & Defenses.md (+28, -6)
16. Draft/Network Security Monitoring & Logging.md (+13, -1)
17. Draft/Open Source Intelligence.md (+4, -1)
18. Draft/Password Bruting and Hashcracking.md (+8, -6)
19. Draft/Phishing.md (+20, -6)
20. Draft/Policy-Compliance.md (+4, -1)
21. Draft/Privilege Escalation & Post-Exploitation.md (+84, -28)
22. Draft/Programming - Languages Libs Courses References.md (+113, -116)
23. Draft/Rants&Writeups/Writeups/Empire_and_Metasploit_101.md (+4, -0)
24. Draft/Red-Teaming.md (+93, -23)
25. Draft/Reverse Engineering.md (+44, -22)
26. Draft/Rootkits.md (+2, -1)
27. Draft/SCADA.md (+32, -2)
28. Draft/System Internals Windows and Linux Internals Reference.md (+27, -13)
29. Draft/Web & Browsers.md (+135, -63)
30. Draft/Wireless Networks & RF.md (+66, -44)
31. Draft/help.md (+8, -1)
32. Draft/things-added.md (+686, -372)
33. Kismet-20180124-15-33-32-1.alert (+0, -0)
34. Kismet-20180124-15-33-32-1.gpsxml (+8, -0)
35. Kismet-20180124-15-33-32-1.nettxt (+4, -0)
36. Kismet-20180124-15-33-32-1.netxml (+6, -0)
37. Kismet-20180124-15-33-32-1.pcapdump (BIN)

Draft/AnonOpsecPrivacy.md (+5, -1)

@ -35,9 +35,11 @@
* https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf
* [A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* [anonymouth](https://github.com/psal/anonymouth)
* Document Anonymization Tool, Version 0.5
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
#### end Sort
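Review bot: [Protecting Your Sources When Releasing Sensitive Documents] appears twice in this hunk (right after the Psiphon entry and again just before `#### end Sort`); keep one copy. The sub-bullet under anonymouth, "Document Anonymization Tool, Version 0.5", reads like a pasted title rather than a description of what the tool does. Separately, the changed-file list shows five Kismet-20180124-15-33-32-1.* capture files (.alert, .gpsxml, .nettxt, .netxml, .pcapdump) being committed alongside the notes; these look like accidental wireless-scan artifacts, and gpsxml/netxml output can carry GPS coordinates and observed network identifiers, so they should be dropped from this commit and the pattern added to .gitignore.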
@ -140,6 +142,8 @@
* The Tor network is designed to provide users with low- latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the communications between them and nodes in their network. We propose a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Inter- net. We investigate using Skype video calls as our target protocol and our goal is to make it difficult for the censor- ing adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical compar- isons. We have implemented our model as a proof-of-concept pluggable transport for Tor, which is available under an open-source licence. Using this implementation we observed the obfuscated bridge communications and compared it with those of Skype calls and presented the results.
* [StegoTorus: A Camouflage Proxy for the Tor Anonymity System](https://research.owlfolio.org/pubs/2012-stegotorus.pdf)
* Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet contents, Tor’s traffic is steganographed to resemble an innocuous cover protocol, such as HTTP. To foil analysis at the transport level, the Tor circuit is distributed over many shorter-lived connections with per-packet characteristics that mimic cover-protocol traffic. Our evaluation demonstrates that StegoTorus improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
* [Spoiled Onions](https://www.cs.kau.se/philwint/spoiled_onions/)
* In this research project, we were monitoring all exit relays for several months in order to expose, document, and thwart malicious or misconfigured relays. In particular, we monitor exit relays with two scanners we developed specifically for that purpose: exitmap and HoneyConnector. Since September 2013, we discovered 65 malicious or misconfigured exit relays which are listed in Table 1 and Table 2 in our research paper. These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, SSL stripping, and traffic sniffing. We also found exit relays which were unintentionally interfering with network traffic because they were subject to DNS censorship.
* **Travel**
* [China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
* **Misc/Unsorted**
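Review bot: the Tor/Skype pluggable-transport abstract still carries PDF line-break hyphens ("low- latency", "Inter- net", "censor- ing", "compar- isons"); join the words before merging. The China travel laptop link carries tracking query parameters (t, cn, iid, uid, nid) that should be stripped down to `https://mricon.com/i/travel-laptop-setup.html`.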


Draft/Building A Pentest Lab.md (+12, -6)

@ -1,4 +1,4 @@
# Building a Pentest Lab
# Building a Lab
## Table of Contents
@ -11,6 +11,8 @@
-----
### <a name="general"></a>General
* [Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
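Review bot: "Powerhsell" in the link text should be "PowerShell", and this same entry is added again under "### Installing Active Directory" later in this patch; keep it in one place, the AD section being the more specific home.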
@ -26,8 +28,8 @@
-----
### Resources for VMs
* [Internet Explorer Windows XP and Vista Virtual Machines](https://github.com/mikescott/ie-virtual-machines/blob/master/README.md)
* [Internet Explorer Windows Vista through 10 Virtual Machines](https://github.com/mikescott/ie-virtual-machines/blob/master/README.md)
* [Windows Server Evaluation ISOs](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r)
@ -47,14 +49,18 @@
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [Vulhub - Some Docker-Compose files for vulnerabilities environment](https://github.com/vulhub/vulhub)
* [exploit_me](https://github.com/bkerler/exploit_me)
* Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)
-----
### Installing Active Directory
* [Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)
* AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
* [Automated-AD-Setup](https://github.com/OneLogicalMyth/Automated-AD-Setup)
* A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
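Review bot: the "Install AD DS using Powerhsell" entry repeats the one added to the General section above, with the same "Powerhsell" typo; keep a single copy spelled "PowerShell". The Vulhub title would read better as "Docker Compose files for vulnerable environments".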


Draft/Courses_Training.md (+17, -9)

@ -21,13 +21,6 @@
-------------
#### Sort
DVWA
* [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project)
* OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
#### End Sort
@ -84,8 +77,10 @@ These classes are all focused on computer/information security. If you're lookin
* [CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
--------------
### Mobile Application Security
* [Mobile Security Trainings](https://github.com/enovella/androidtrainings)
* Mobile security trainings based on android
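Review bot: "### Mobile Application Security" is added without the `<a name="...">` anchor that the other section headers in this file carry (`<a name="web">`, `<a name="data">`), so it cannot be linked from the table of contents; add an anchor to match.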
@ -179,7 +174,20 @@ These classes are all focused on computer/information security. If you're lookin
### <a name="web"></a>Web Security Focused Training
* [Google Gruyere - Web Application Exploits and Defenses ](http://google-gruyere.appspot.com/)
* [Professionally Evil Web App Pen Testing 101 Course - secureideas](https://blog.secureideas.com/2018/01/professionally-evil-web-app-pen-testing-101-course.html)
* [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project)
* OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [Hacker101](https://github.com/Hacker0x01/hacker101)
* Hacker101 is a free class for web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.
### Wireless
* [Dissecting Industrial Wireless Implementations - DEF CON 25](https://github.com/voteblake/DIWI)
* https://github.com/vortessence/vortessence
### <a name="data"></a>Data Science
* [CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
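Review bot: "### Wireless" has the same missing `<a name="...">` anchor as the Mobile header, and the vortessence entry is a bare URL with no title or description while every neighbouring entry uses `[Title](url)` plus a one-line summary; give it link text and a short description.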


Draft/Cryptography & Encryption.md (+16, -8)

@ -11,6 +11,7 @@
To Do:
* Add Books
* Add educational stuff
* Robot Attack Details
* [Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
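Review bot: the HIVE abstract is pasted with PDF hyphenation breaks intact ("partic- ular", "so- lutions", "vol- umes", "ad- versaries", "de- sign", "mem- ory", "write- only", "func- tionality", "Fi- nally") and "O (1)"; join the words and write O(1). The entry also lands inside the "To Do" list at the top of the file rather than in a topical section such as the ORAM or disk-encryption material.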
@ -60,11 +61,9 @@ From: https://www.reddit.com/r/securityengineering/comments/7o2uzy/a_collection_
2018-01-04 - "Meltdown" by Lipp et al. https://meltdownattack.com/meltdown.pdf
```
* Monero
* Zcash
https://a16z.com/2018/02/10/crypto-readings-resources/
* crypto101
https://conversations.im/xeps/multi-end.html
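Review bot: the a16z and conversations.im lines are bare URLs with no link text or description, and Monero and Zcash are listed as names with no link at all; the rest of the file uses `* [Title](url)` with a sub-bullet summary, so these should be brought to that form or moved to a sort list.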
@ -86,6 +85,12 @@ https://conversations.im/xeps/multi-end.html
* [Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/amp/)
* [Why does cryptographic software fail? A case study and open problems](http://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf)
* Abstract: Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.
* [Deadpool](https://github.com/SideChannelMarvels/Deadpool)
* Repository of various public white-box cryptographic implementations and their practical attacks.
* [RSA-and-LLL-attacks](https://github.com/mimoo/RSA-and-LLL-attacks)
* This repo host implementations and explanations of different RSA attacks using lattice reduction techniques (in particular LLL).\
* [Hunting For Vulnerabilities In Signal - Markus Vervier - HITB 2017 AMS](https://www.youtube.com/watch?v=2n9HmllVftA)
* Signal is the most trusted secure messaging and secure voice application, recommended by Edward Snowden and the Grugq. And indeed Signal uses strong cryptography, relies on a solid system architecture, and you’ve never heard of any vulnerability in its code base. That’s what this talk is about: hunting for vulnerabilities in Signal. We will present vulnerabilities found in the Signal Android client, in the underlying Java libsignal library, and in example usage of the C libsignal library. Our demos will show how these can be used to crash Signal remotely, to bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs. Combined with vulnerabilities in the Android system it is even possible to remotely brick certain Android devices. We will demonstrate how to initiate a permanent boot loop via a single Signal message. We will also describe the general architecture of Signal, its attack surface, the tools you can use to analyze it, and the general threat model for secure mobile communication apps.
* **Books**
* Cryptography Engineering
* Applied Cryptography
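Review bot: the RSA-and-LLL-attacks description ends with a stray backslash ("...(in particular LLL).\"), which Markdown treats as a hard line break; remove it. "This repo host implementations" should be "This repo hosts implementations".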
@ -118,9 +123,6 @@ https://conversations.im/xeps/multi-end.html
* [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening)
* Best Current Practices regarding secure online communication and configuration of services using cryptography. https://bettercrypto.org
* [cr.yp.to blog](http://blog.cr.yp.to/index.html)
* **Testing/Auditing**
* [Hunting For Vulnerabilities In Signal - Markus Vervier - HITB 2017 AMS](https://www.youtube.com/watch?v=2n9HmllVftA)
* Signal is the most trusted secure messaging and secure voice application, recommended by Edward Snowden and the Grugq. And indeed Signal uses strong cryptography, relies on a solid system architecture, and you’ve never heard of any vulnerability in its code base. That’s what this talk is about: hunting for vulnerabilities in Signal. We will present vulnerabilities found in the Signal Android client, in the underlying Java libsignal library, and in example usage of the C libsignal library. Our demos will show how these can be used to crash Signal remotely, to bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs. Combined with vulnerabilities in the Android system it is even possible to remotely brick certain Android devices. We will demonstrate how to initiate a permanent boot loop via a single Signal message. We will also describe the general architecture of Signal, its attack surface, the tools you can use to analyze it, and the general threat model for secure mobile communication apps.
* **Miscellaneous**
* [SHA2017 Conference Videos](https://www.youtube.com/channel/UCHmPMdU0O9P_W6I1hNyvBIQ/videos)
* **SSH**
@ -176,7 +178,9 @@ https://conversations.im/xeps/multi-end.html
* **Padding Oracle**
* [Automated Padding Oracle Attacks with PadBuster](https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html)
* [PadBuster v0.3 and the .NET Padding Oracle Attack](https://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html)
* **ROBOT Attack**
* [robot-detect](https://github.com/robotattackorg/robot-detect)
* Proof of concept attack and detection for ROBOT (Return Of Bleichenbacher's Oracle Threat).
@ -210,6 +214,8 @@ https://conversations.im/xeps/multi-end.html
* Project HashClash is a Framework for MD5 & SHA-1 Differential Path Construction and Chosen-Prefix Collisions for MD5. It's goal is to further understanding and study of the weaknesses of MD5 and SHA-1.
* [CPC-MD5](https://github.com/dingelish/cpc-md5)
* This project is forked from Marc Steven's Hashclash project hashclash and follows GPL.
* [SHA1Collider](https://github.com/nneonneo/sha1collider)
* Build two PDFs that have different content but identical SHA1 sums.
* **Hash Pump**
* [HashPump](https://github.com/bwall/HashPump)
* A tool to exploit the hash length extension attack in various hashing algorithms. Currently supported algorithms: MD5, SHA1, SHA256, SHA512.
@ -268,6 +274,8 @@ https://conversations.im/xeps/multi-end.html
* [Price Manipulation in the Bitcoin Ecosystem](https://www.sciencedirect.com/science/article/pii/S0304393217301666?via%3Dihub)
* [Meet ‘Spoofy’. How a Single entity dominates the price of Bitcoin.](https://hackernoon.com/meet-spoofy-how-a-single-entity-dominates-the-price-of-bitcoin-39c711d28eb4)
* [The Willy Report: proof of massive fraudulent trading activity at Mt. Gox, and how it has affected the price of Bitcoin](https://willyreport.wordpress.com/2014/05/25/the-willy-report-proof-of-massive-fraudulent-trading-activity-at-mt-gox-and-how-it-has-affected-the-price-of-bitcoin/)
* [Coinbase Insider Trading: Litecoin Edition](https://medium.com/@bitfinexed/coinbase-insider-trading-litecoin-edition-be64ead3facc)
* **Talks/Presentations**
* [Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or firewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-out by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
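Review bot: the rewritten Bitcoin deanonymisation abstract still has the ligature-dropped words "effcient" and "verifed" (should be "efficient" and "verified"), and "cut-o" was expanded to "cut-out" where the dropped ligature almost certainly stood for "cut-off"; fix all three while the line is being touched.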

Draft/Defense.md (+56, -0)

@ -46,6 +46,62 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
* [Certificate Transparency](https://www.certificate-transparency.org/)
* [What is Certificate Transparency?](https://www.certificate-transparency.org/what-is-ct)
* [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877)
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
* [ketshash](https://github.com/cyberark/ketshash)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
* [So you want to beat the Red Team - sCameron Moore - Bsides Philly 2016](https://www.youtube.com/watch?list=PLNhlcxQZJSm8IHSE1JzvAH2oUty_yXQHT&v=BYazrXR_DFI&index=10&app=desktop)
* [Grouper](https://github.com/l0ss/Grouper)
* A PowerShell script for helping to find vulnerable settings in AD Group Policy.
* [NorkNork - Tool for identifying Empire persistence payloads](https://github.com/n00py/NorkNork)
* [Removing Backdoors – Powershell Empire Edition - n00py](https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/)
* [Grouper](https://github.com/l0ss/Grouper)
* Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
* [Detecting and Preventing PowerShell Downgrade Attacks - leeholmes](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* [AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* [NtdsAudit](https://github.com/Dionach/NtdsAudit)
* NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
* [CERT-NZ SSH Hardening](https://github.com/certnz/ssh_hardening)
* CERT NZ documentation for hardening SSH server and client configuration, and using hardware tokens to protect private keys
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* [CIRClean](http://circl.lu/projects/CIRCLean/#technical-details)
* CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
* [Github](https://github.com/CIRCL/Circlean)
* [Capirca](https://github.com/google/capirca)
* Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
* [Block or unblock external content in Office documents - support.office](https://support.office.com/en-us/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795)
* [Enable Attack surface reduction - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)
* Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
* [Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/?source=mmpc)
* [Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)](https://www.youtube.com/watch?v=WOC8vC2KoNs&index=12&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
* [PhishingKitHunter](https://github.com/t4d/PhishingKitHunter)
* PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
* Add User Awareness Training
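Review bot: Grouper is added twice in this hunk (once with a one-line description, once with the full README blurb); keep one, preferably the longer one. The bare `https://docs.microsoft.com/.../enable-attack-surface-reduction` line duplicates the "Enable Attack surface reduction - docs.ms" entry further down, so drop the bare URL. "sCameron Moore" in the BSides Philly title should be "Cameron Moore", and "Add User Awareness Training" is a to-do item, not a resource, so it belongs in the file's to-do list rather than among the links.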


Draft/Documentation & Reports -.md (+3, -2)

@ -35,8 +35,9 @@ Other Materials:
* [Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
* [Politics and the English Language - George Orwell](http://www.npr.org/blogs/ombudsman/Politics_and_the_English_Language-1.pdf)
* [Tips for Writing Better Infosec Job Descriptions](https://www.darkreading.com/cloud/tips-for-writing-better-infosec-job-descriptions/d/d-id/1330534?piddl_msgid=330184#msg_330184)
* **Tools**
* [Ronn](https://github.com/rtomayko/ronn)
* Ronn builds manuals. It converts simple, human readable textfiles to roff for terminal display, and also to HTML for the web. The source format includes all of Markdown but has a more rigid structure and syntax extensions for features commonly found in manpages (definition lists, link notation, etc.). The ronn-format(7) manual page defines the format in detail.
-----


Draft/Embedded Device & Hardware Hacking -.md (+27, -1)

@ -16,6 +16,8 @@ http://greatscottgadgets.com/infiltrate2013/
* On every intel chip core2duo and newer
* [Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
* Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.
* [nexmon](https://github.com/seemoo-lab/nexmon)
* Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
#### end sort
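Review bot: the SFI abstract has a PDF hyphenation artifact ("work- loads"); join it to "workloads" before merging.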
@ -109,6 +111,10 @@ http://greatscottgadgets.com/infiltrate2013/
---------------
### esp8266 H/W related
* [esp8266 wiki](https://github.com/esp8266/esp8266-wiki)
---------------------------
### <a name="flash">Flash Memory</a>
* **101**
@ -130,7 +136,11 @@ http://greatscottgadgets.com/infiltrate2013/
* [Lost your "secure" HDD PIN? We can help!](https://syscall.eu/pdf/2016-Lenoir_Rigo-HDD_PIN-paper.pdf)
* [Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
* **General**
* [Damn Vulnerable Router Firmware (DVRF) v0.5](https://github.com/b1ack0wl/DVRF)
* The goal of this project is to simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space. This project is also for those who are curious about embedded research, but don't want to invest a lot of money.
* **Tools**
* [Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit)
* FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.
* **Miscellaneous**
* [Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
* [Firmwalker](https://github.com/craigz28/firmwalker
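Review bot: the Firmwalker entry is missing the closing parenthesis of its link, `* [Firmwalker](https://github.com/craigz28/firmwalker`, so it will not render as a link. It is also a GitHub project rather than a miscellaneous link, so it fits under **Tools** next to the Firmware Analysis Toolkit, and like the other entries it deserves a one-line description.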
@ -176,6 +186,17 @@ http://greatscottgadgets.com/infiltrate2013/
------------------------
### Miscellaneous Devices
* [dustcloud](https://github.com/dgiese/dustcloud)
* Xiaomi Vacuum Robot Reverse Engineering and Hacking
* [Xiaomi Dafang hacks](https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks)
* This repository is a collection of information & software for the Xiaomi Dafang Camera
* [xiaomi-sensors-hacks](https://github.com/PischeDev/xiaomi-sensors-hacks)
* collection of xiaomi/aqara sensors hacks/modifications
---------------------------
### Lightning/Thunderbolt
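Review bot: the three new entries (dustcloud, Xiaomi Dafang hacks, xiaomi-sensors-hacks) are the only items under "Miscellaneous Devices" and all target one vendor, so group them under a "Xiaomi" sub-bullet; the xiaomi-sensors-hacks blurb is also the only one left in lowercase ("collection of xiaomi/aqara sensors hacks/modifications").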
@ -214,11 +235,13 @@ See 'Printers' Section in Network Attacks & Scanning
------------------
### Smart TVs
### Smart TVs/Monitors
* **101**
* **Articles/Papers/Talks/Writeups**
* [Smart TV Security - #1984 in 21 st century](https://cansecwest.com/slides/2013/SmartTV%20Security.pdf)
* This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
* [MonitorDarkly](https://github.com/RedBalloonShenanigans/MonitorDarkly)
* This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
* **General**
* **Tools**
* **Miscellaneous**
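Review bot: MonitorDarkly is a code repository (an exploit plus utilities for the Dell 2410U, by its own description), so it belongs under **Tools** rather than **Articles/Papers/Talks/Writeups**; the Recon 0xA presentation it mentions is what fits the writeups list. Renaming the heading from "Smart TVs" to "Smart TVs/Monitors" also changes its anchor, so any table-of-contents link to it needs the same update.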
@ -246,6 +269,9 @@ See 'Printers' Section in Network Attacks & Scanning
* **Tools**
* **Miscellaneous**
-------------
### PCB Related
* [PCB-RE: Tools & Techniques](https://www.amazon.com/dp/1979331383)
------------------------------
### Point-of-Sale
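Review bot: the new "PCB Related" section holds a single bare Amazon link with no description; add a one-line note on what "PCB-RE: Tools & Techniques" covers so the entry still carries meaning if the product page disappears, and give the heading an anchor like the neighbouring sections.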


Draft/Exfiltration.md (+2 -0)

@ -97,6 +97,8 @@
* [Egress-Assess in Action via Powershell](https://www.christophertruncer.com/egress-assess-action-via-powershell/)
* [QRXfer](https://github.com/leonjza/qrxfer)
* Transfer files from Air gapped machines using QR codes
* [icmptunnel](https://github.com/DhavalKapil/icmptunnel)
* 'icmptunnel' works by encapsulating your IP traffic in ICMP echo packets and sending them to your own proxy server. The proxy server decapsulates the packet and forwards the IP traffic. The incoming IP packets which are destined for the client are again encapsulated in ICMP reply packets and sent back to the client. The IP traffic is sent in the 'data' field of ICMP packets. [RFC 792](http://www.ietf.org/rfc/rfc792.txt), which is IETF's rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets. So basically the client machine uses only the ICMP protocol to communicate with the proxy server. Applications running on the client machine are oblivious to this fact and work seamlessly.
* **Articles/Papers/Writeups**
* [Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
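Review bot: the icmptunnel blurb is pasted README text in the second person ("your IP traffic", "your own proxy server") and runs to eight sentences where the neighbouring entries use one; condense it to the mechanism (IP packets carried in the data field of ICMP echo request/reply between client and proxy, which RFC 792 permits for types 0 and 8). The RFC 792 citation itself is accurate and worth keeping.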


Draft/Exploit Development.md (+36 -11)

@ -102,6 +102,29 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* [Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI](https://www.zerodayinitiative.com/blog/2018/1/19/automating-vmware-rpc-request-sniffing)
* In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits.
* [MorphAES](https://github.com/cryptolok/MorphAES)
* IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.
* [OWASP ZSC](https://github.com/viraintel/OWASP-ZSC)
* OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
* [Meltdown PoC for Reading Google Chrome Passwords](https://github.com/RealJTG/Meltdown)
* [kernelpop](https://github.com/spencerdodd/kernelpop)
* kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux
* [Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot](https://ewilded.blogspot.com/2018/01/vulnserver-my-kstet-exploit-delivering.html)
* [IOHIDeous](https://github.com/Siguza/IOHIDeous)
* A macOS kernel exploit based on an IOHIDFamily 0day.
* [Writeup](https://siguza.github.io/IOHIDeous/)
#### End Sort
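Review bot: the MorphAES entry pastes the project's marketing copy ("IDPS & SandBox & AntiVirus STEALTH KILLER", "the world's first polymorphic shellcode engine") as if it were a description; rewrite it neutrally in the style of the OWASP ZSC entry. The "Meltdown PoC for Reading Google Chrome Passwords" line is also the only entry in this block without a description.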
@ -126,10 +149,10 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* Testing Payloads
* [pop-nedry](https://github.com/zznop/pop-nedry)
* Why pop calc, when you can pop Nedry!? This repository contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal.
* [Vivisect](https://github.com/vivisect/vivisect)
* Fairly un-documented static analysis / emulation / symbolic analysis framework for PE/Elf/Mach-O/Blob binary formats on various architectures.
* [Dr. Memory](https://github.com/DynamoRIO/drmemory)
* Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots. Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware.
* [Vivisect](https://github.com/vivisect/vivisect)
* Fairly un-documented static analysis / emulation / symbolic analysis framework for PE/Elf/Mach-O/Blob binary formats on various architectures.
* [Dr. Memory](https://github.com/DynamoRIO/drmemory)
* Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots. Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware.
* **Miscellaneous**
* [OneRNG](http://moonbaseotago.com/onerng/theory.html)
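Review bot: this hunk is a pure indentation change (-10/+10) that lifts Vivisect and Dr. Memory out of the "Testing Payloads" sub-list to sit beside it; the move is sensible, since neither is a payload tester, but it is invisible under a commit message of "Updates to stuff", so say so in the message, and confirm the new indent level lines up with the surrounding bullets so the two entries do not render as a separate list.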
@ -385,7 +408,7 @@ Other:
* [Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
* **Linux Specific**
* [Writing my first shellcode - iptables -P INPUT ACCEPT](https://0day.work/writing-my-first-shellcode-iptables-p-input-accept/)
* <a name="winspec"></a>Windows Specific
* **<a name="winspec"></a>Windows Specific**
* [WinAPI for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
* [History and Advances in Windows Shellcode - Phrack 2004](http://phrack.org/issues/62/7.html)
* [Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
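Review bot: the bold markers now wrap the HTML anchor, `* **<a name="winspec"></a>Windows Specific**`; some Markdown renderers refuse emphasis that opens on an inline HTML tag, so put the anchor outside the bold (`* <a name="winspec"></a>**Windows Specific**`), which also mirrors the plain `* **Linux Specific**` line above.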
@ -397,7 +420,7 @@ Other:
* [Playing with canaries](https://www.elttam.com.au/blog/playing-with-canaries/)
* **Code Trampolines**
* [Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
Finding Opcodes:
* Finding Opcodes:
* metasploit opcode DB;
* memdump;
* pvefindaddr - mona.py
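Review bot: turning "Finding Opcodes:" into a list item is right, but its children still carry the trailing semicolons from the old plain-text layout ("metasploit opcode DB;", "memdump;"); drop them, and give "pvefindaddr - mona.py" a link like the other entries.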
@ -406,10 +429,9 @@ Other:
* Explanation of egghunters, how they work and a working demonstration on windows.
* [jmp2it](https://github.com/adamkramer/jmp2it)
* This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out
* **Misc Techniques**
* [Resolving the Base Pointer of the Linux Program Interpreter with Shellcode](https://web-beta.archive.org/web/20160720084253/http://howto.hackallthethings.com:80/2015/03/resolving-base-pointer-of-linux-program.html)
* [Art of Picking Intel Registers](http://www.swansontec.com/sregisters.html)
* [Using ARM Inline Assembly and Naked Functions to fool Disassemblers](http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/#sthash.Gt6f7f7y.4pLres53.sfju)
* [Resolving the Base Pointer of the Linux Program Interpreter with Shellcode](https://web-beta.archive.org/web/20160720084253/http://howto.hackallthethings.com:80/2015/03/resolving-base-pointer-of-linux-program.html)
* [Art of Picking Intel Registers](http://www.swansontec.com/sregisters.html)
* [Using ARM Inline Assembly and Naked Functions to fool Disassemblers](http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/#sthash.Gt6f7f7y.4pLres53.sfju)
* [Shellcode without Sockets](https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440)
* [English Shellcode](http://web.cs.jhu.edu/~sam/ccs243-mason.pdf)
* History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components. This abstraction is evident in much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection. It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion. However, the common belief that components of polymorphic shellcode (e.g., the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research: namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads. While the first tenet of this assumption is philosoph- ically undeniable (i.e., a string of bytes is either shellcode or it is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content. In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations. Specifically, we demonstrate a technique for automatically producing English Shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose. The shellcode is completely self-contained - i.e., it does not require an external loader and executes as valid IA32 code)—and can typically be generated in under an hour on commodity hardware. Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks
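Review bot: removing the **Misc Techniques** heading (-10/+9) de-indents the three entries below it (base pointer of the Linux interpreter, Intel register selection, ARM inline assembly) into the egghunter list above, where they do not belong topically; either keep a heading or move them under the relevant sub-list. While here: the jmp2it blurb has lost its sentence breaks ("...investigation The file will be mapped...", "...original loader Patches / self modifications..."), and the English Shellcode abstract carries "philosoph- ically" and an unmatched ")" in "valid IA32 code)—and".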
@ -795,7 +817,10 @@ Check out the 'Reverse Engineering" Section's Tools list for a lot of useful too
* [All AIX exploits written by Hector Monsegur](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/IBM)
* [The Exploit Database Git Repository](https://github.com/offensive-security/exploit-database)
* The official Exploit Database repository
* [CVE-2017-10271](https://github.com/kkirsche/CVE-2017-10271)
* Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)
* [CVE-2018-0802](https://github.com/rxwx/CVE-2018-0802)
* This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe.
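Review bot: the CVE-2018-0802 entry never names the affected product, unlike the CVE-2017-10271 line, which says Oracle WebLogic; put the product in the link text or first sentence so the entry is searchable, and trim the pasted README to what the entry needs (a proof-of-concept for that CVE), leaving the command-line specifics to the repository itself.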


Draft/Forensics Incident Response.md (+115 -79)

@ -23,12 +23,9 @@
#### Sort
* Sort sections alphabetically
* Update ToC
https://forensiccontrol.com/resources/free-software/
* [usbkill](https://github.com/hephaest0s/usbkill)
* usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
#### End Sort
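Review bot: this hunk drops three lines from the Sort holding area, the bare forensiccontrol.com URL and the usbkill entry with its description; confirm they are re-homed under proper sections elsewhere in the commit rather than lost. The usbkill blurb also carries a stray "»" ("usbkill » is an anti-forensic kill-switch") worth cleaning when it is moved.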
@ -160,14 +157,29 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
--------------
### <a name="browser"></a>Browser Forensics
* [Firefox private browsing forensics](http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/)
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [Google Chrome Forensics-SANS](https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics#)
* [Extension Finder](https://github.com/brad-anton/extension_finder)
* Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons. Attempts to find installed browser extensions (sometimes called add-ons or plug-ins, depending on the browser).
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* **101**
* **Articles/Papers/Talks/Writeups**
* [Firefox private browsing forensics](http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/)
* [Google Chrome Forensics-SANS](https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics#)
* **General**
* **Tools**
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [Extension Finder](https://github.com/brad-anton/extension_finder)
* Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons. Attempts to find installed browser extensions (sometimes called add-ons or plug-ins, depending on the browser).
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [Chrome Ragamuffin](https://github.com/cube0x8/chrome_ragamuffin)
* Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
* [firefox_decrypt](https://github.com/unode/firefox_decrypt)
* Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/Seabird) profiles
* **Miscellaneous**
--------------
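Review bot: MozillaRecovery appears twice in the new **Tools** list, once before Extension Finder and once after; drop the second copy. The rest of the reshuffle (articles under Articles, repositories under Tools) lands in sensible buckets.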
@ -177,22 +189,35 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
--------------
### <a name="memory"></a>Memory Forensics
* [Detekt](https://github.com/botherder/detekt)
* Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
* [Dshell](https://github.com/USArmyResearchLab/Dshell)
* An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
* [Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
* [LiME - Linux Memory Extractor](https://github.com/504ensicsLabs/LiME)
* A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
* [Volatility](https://github.com/volatilityfoundation/volatility)
* An advanced memory forensics framework
* **101**
* **Articles/Papers/Talks/Writeups**
* [How to Pull passwords from a memory dump](https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/)
* [Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
* **General**
* [Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
* [Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
* **Tools**
* [Detekt](https://github.com/botherder/detekt)
* Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
* [Dshell](https://github.com/USArmyResearchLab/Dshell)
* An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
* [LiME - Linux Memory Extractor](https://github.com/504ensicsLabs/LiME)
* A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
* [Volatility](https://github.com/volatilityfoundation/volatility)
* An advanced memory forensics framework
* [VolUtility](https://github.com/kevthehermit/VolUtility)
* Web Interface for Volatility Memory Analysis framework
* [evolve](https://github.com/JamesHabben/evolve)
* Web interface for the Volatility Memory Forensics Framework
* [How to Pull passwords from a memory dump](https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/)
* [Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
* [Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
* [evolve](https://github.com/JamesHabben/evolve)
* Web interface for the Volatility Memory Forensics Framework
* [Vortessence](https://github.com/vortessence/vortessence)
* Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.
* **Miscellaneous**
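Review bot: the new **Tools** list repeats entries already filed above it in the same hunk: "How to Pull passwords from a memory dump" and "Unmasking Careto" (under Articles), "Windows Memory Analysis Checklist" (under General), and "evolve" is listed twice within Tools itself; remove the second copies. Two smaller points: Dshell is a network packet-capture framework by its own description and sits oddly under Memory Forensics, and the cheat-sheet link text still reads "Mem forenics".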
@ -330,62 +355,73 @@ Ghiro
--------------
### <a name="linux">Linux Forensics</a>
* **General**
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* **Miscellaneous**
* [Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
### <a name="windows">Windows Forensics</a>
* [SANS CHEAT SHEET- Windows Artifact Analysis](https://uk.sans.org/posters/windows_artifact_analysis.pdf)
* [How to parse Windows Eventlog](http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/)
* [Know your Windows' Processes](https://sysforensics.org/2014/01/know-your-windows-processes.html)
#### Windows Forensics Tools
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community
with a solution to extract forensically important information from the main
database of Microsoft Active Directory (NTDS.DIT).
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* [License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
* [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
* [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
* [Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* [Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* [Claimsman]()
* Claimsman logs all file handle creation on Windows systems, and logs to both a local file and centralized log management system.
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [Windows Attribute changer](http://www.petges.lu/home/)
* [Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* **General**
* **101**
* **Articles/Papers/Talks/Writeups**
* [How to parse Windows Eventlog](http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/)
* [Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
* [Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* **Educational**
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
* [License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
* [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
* [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
* [Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
* **General**
* [SANS CHEAT SHEET- Windows Artifact Analysis](https://uk.sans.org/posters/windows_artifact_analysis.pdf)
* **Tools**
* [WMI_Forensics](https://github.com/davidpany/WMI_Forensics)
* This repository contains scripts used to find evidence in WMI repositories
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* [Claimsman]()
* Claimsman logs all file handle creation on Windows systems, and logs to both a local file and centralized log management system.
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [Windows Attribute changer](http://www.petges.lu/home/)
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* **Miscellaneous**
--------------
### <a name="osx">OS X Forensics Tools</a>
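Review bot: the Claimsman entry has an empty link target, `[Claimsman]()`, so it renders as a dead link; add the project URL or hold the entry until one is available. Two smaller fixes in the same block: the DPAPIck description is missing its closing parenthesis after `(Data Protection API`, and the FastIR Collector line should read "an early compromise can be detected" rather than "compromission". The `**Miscellaneous**` header is followed directly by the rule and the OS X heading with nothing under it, so either populate it or leave it out of this commit.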


+ 16
- 0
Draft/Fuzzing Bug Hunting.md

@ -35,6 +35,11 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* [Fuzzing 101 (Part 2)](https://vimeo.com/5237484)
* [0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
* [pcrappyfuzzer](https://github.com/blazeinfosec/pcrappyfuzzer)
* Script to perform quick 'n dirty fuzzing of PCAPs with radamsa and Scapy.
#### end sort
@ -118,6 +123,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* [Fuzzing Object s d’ART Digging Into the New Android L Runtime Internals](http://census-labs.com/media/Fuzzing_Objects_d_ART_hitbsecconf2015ams_WP.pdf)
* **Tools**
* [MFFA - Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA)
* [android-afl](https://github.com/ele7enxxh/android-afl)
* Fuzzing Android program with american fuzzy lop (AFL)
* **Browser Bug Hunting/Fuzzing**
* [Browser Bug Hunting and Mobile](http://slides.com/revskills/fzbrowsers#/)
* [Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
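Review bot: the android-afl description "Fuzzing Android program with american fuzzy lop (AFL)" reads as a fragment; "Fuzzing Android programs with american fuzzy lop (AFL)" or "Port of AFL for fuzzing Android programs" would match the style of the MFFA entry above it.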
@ -125,12 +132,21 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* [browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
* A very simple browser fuzzer based on tornado.
* [Browser bug hunting - Memoirs of a last man standing, Atte Kettunen](https://vimeo.com/109380793)
* [morph](https://github.com/walkerfuz/morph)
* an open source browser fuzzing framework for fun.
* **C/C++ Fuzzing**
* [ansvif](https://oxagast.github.io/ansvif/) - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
* [libFuzzer](http://libfuzzer.info) - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
* **Cellular Related Technologies Bug Hunting/Fuzzing**
* [Binary SMS - The old backdoor to your new thing](https://www.contextis.com/resources/blog/binary-sms-old-backdoor-your-new-thing/)
* [Fuzzing the Phone in your Phone](https://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf)
* **Cisco**
* [asadbg](https://github.com/nccgroup/asadbg)
* asadbg is a framework of tools to aid in automating live debugging of Cisco ASA devices, as well as automating interaction with the Cisco CLI over serial/ssh to quickly perform repetitive tasks.
* [asatools - NCCGroup](https://github.com/nccgroup/asatools)
* Main repository to pull all Cisco ASA-related projects.
* [asafw](https://github.com/nccgroup/asafw)
* Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
* **File Formats Bug Hunting/Fuzzing**
* [Practical File Format Fuzzing](http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar)
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
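Review bot: the two `**C/C++ Fuzzing**` entries use an inline `- description` form (`* [ansvif](...) - An advanced cross platform fuzzing framework...`) while every other entry on the page puts the description in a nested bullet; reformat them to match. The new `**Cisco**` block lists asadbg, asatools and asafw, which by their own descriptions are live-debugging and firmware pack/unpack helpers rather than fuzzers; if they stay on this page, a line saying how they support ASA bug hunting would help, otherwise consider moving them to a page about Cisco or network-device research. Pre-existing typo in the context line: "discovery vulnerabilities in file parsers" should be "discover vulnerabilities in file parsers".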


+ 38
- 15
Draft/Game Hacking.md

@ -17,6 +17,9 @@ Fix ToC
* [PortAIO-Loader](https://github.com/PirateEmpire/PortAIO-Loader)
* [Awesome Gamedev](https://github.com/Calinou/awesome-gamedev)
* A collection of free software and free culture resources for making amazing games.
#### End Sort
@ -71,31 +74,42 @@ Fix ToC
* **Nintendo 3DS**
* **Articles/Writeups**
* [Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain](https://github.com/Plailect/keyshuffling)
* We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistant exploit of the system.
* [ARM9Loader Technical Details - GBAtemp](https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/)
* [Throwback: K9Lhax by Bruteforce](http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce)
* We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistant exploit of the system.
* [ARM9Loader Technical Details - GBAtemp](https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/)
* [Throwback: K9Lhax by Bruteforce](http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce)
* [soundhax](https://github.com/nedwill/soundhax)
* A heap overflow in tag processing leads to code execution when a specially- crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
* **Emulator**
* [Citra](https://citra-emu.org/)
* **Nintendo**
* [Citra](https://citra-emu.org/)
* **Nintendo Entertainment System**
* **Nintendo Super Nintendo**
* **Nintendo64**
* **Articles/Writeups**
* [Reversing the Nintendo 64 CIC - Mike Ryan, marshallh, and John McMaster - REcon 2015](https://www.youtube.com/watch?v=HwEdqAb2l50)
* This presentation covers our successful efforts to reverse engineer and clone the Nintendo 64's copy protection chip: the N64 CIC. We describe the processes and techniques we used to finally conquer this chip, nearly 20 years after its introduction.
* **Tools**
* [libdragon](https://dragonminded.com/n64dev/libdragon/)
* libdragon is meant to be a one stop library providing low level API for all hardware features of the N64.
* [64Drive](http://64drive.retroactive.be/)
* [FAT64](https://lacklustre.net/projects/fat64/)
* FAT64 is a FAT32 library for use on the 64drive, a development cart for the Nintendo 64. It is used by the 64drive bootloader and menu.
* **Articles/Writeups**
* [Reversing the Nintendo 64 CIC - Mike Ryan, marshallh, and John McMaster - REcon 2015](https://www.youtube.com/watch?v=HwEdqAb2l50)
* This presentation covers our successful efforts to reverse engineer and clone the Nintendo 64's copy protection chip: the N64 CIC. We describe the processes and techniques we used to finally conquer this chip, nearly 20 years after its introduction.
* **Tools**
* [libdragon](https://dragonminded.com/n64dev/libdragon/)
* libdragon is meant to be a one stop library providing low level API for all hardware features of the N64.
* [64Drive](http://64drive.retroactive.be/)
* [FAT64](https://lacklustre.net/projects/fat64/)
* FAT64 is a FAT32 library for use on the 64drive, a development cart for the Nintendo 64. It is used by the 64drive bootloader and menu.
* **Nintendo Gamecube**
* [Dolphin](https://github.com/dolphin-emu/dolphin)
* Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
* **Nintendo Wii**
* [Dolphin](https://github.com/dolphin-emu/dolphin)
* Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
* [wiihacks forum](http://www.wiihacks.com/)
* [WiiHacks](https://www.reddit.com/r/WiiHacks/)
* [The Homebrew Channel](https://github.com/fail0verflow/hbc)
* The Homebrew Channel - open source edition
* [WiiUse](https://github.com/rpavlik/wiiuse)
* Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single threaded and nonblocking makes a light weight and clean API.
* **Nintendo Switch**
* [yuzu](https://github.com/yuzu-emu/yuzu)
* yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
* [Nintendo_Switch_Reverse_Engineering - dekuNukem](https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering)
* A look at inner workings of Joycon and Nintendo Switch
------------
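Review bot: the hunk shows the keyshuffling abstract, the ARM9Loader and K9Lhax links, and the whole Nintendo64 Articles/Writeups and Tools block twice, which is consistent with a re-indent, but please confirm the rendered file ends up with one copy of each. Citra also appears both under `**Emulator**` and under a bare `**Nintendo**` heading that sits between the 3DS and NES sections; that heading should either be named for what it holds or dropped. While touching the quoted keyshuffling abstract, "persistant exploit" should be "persistent exploit".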
@ -103,6 +117,15 @@ Fix ToC
* **PSP / PS Vita**
* [Hacking the PS Vita](http://yifan.lu/2015/06/21/hacking-the-ps-vita/)
* [ Playstation Portable Cracking [24c3]](https://www.youtube.com/watch?v=TgzxyO2QO1M)
* [VITA2PC](https://github.com/Rinnegatamante/VITA2PC)
* VITA2PC is a tool allowing to stream PSVITA/PSTV to your PC via WiFi.
* [psvd](https://github.com/yifanlu/psvsd)
* [henkaku](https://github.com/henkaku/henkaku)
* Homebrew enabler for PS Vita
* [vitadump](https://github.com/St4rk/vitadump)
* This homebrew can dump some PS Vita shared modules
* [vitastick](https://github.com/xerpi/vitastick)
* vitastick is a plugin and an application that lets you use a PSVita as a USB controller. It uses the UDCD (USB Device Controller Driver) infrastructure in the kernel to simulate such controller, and thus, the host thinks the PSVita is a legit USB gamepad.
* **Sony PlayStation 1**
* **Sony PlayStation 2**
* **Sony PlayStation 3**
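Review bot: the `[psvd](https://github.com/yifanlu/psvsd)` entry has link text that does not match the repository name in the URL (psvd vs psvsd) and carries no description, so check which spelling is right and add a one-line summary like the neighbouring entries. Minor grammar in the VITA2PC line: "a tool allowing to stream" should be "a tool for streaming".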


+ 28
- 0
Draft/Interesting Things Useful stuff.md

@ -40,6 +40,34 @@ http://spth.virii.lu/articles.htm
* [Windows Firewall Control - Managing Windows Firewall is now easier than ever](https://www.binisoft.org/wfc.php)
* [OSX for Hackers (Mavericks/Yosemite)](https://gist.github.com/matthewmueller/e22d9840f9ea2fee4716)
* [Apple’s Software “Problem” and “Fixing” It (via twitter)](https://medium.learningbyshipping.com/apples-software-problem-and-fixing-it-via-twitter-c941a905ba20)
* [Shadowbrokers](https://github.com/misterch0c/shadowbroker)
* The Shadow Brokers "Lost In Translation" leak
* [Teach Yourself Demoscene in 14 Days](https://github.com/psenough/teach_yourself_demoscene_in_14_days)
* [The Lounge](https://github.com/thelounge/lounge)
* Modern web IRC client designed for self-hosting.
* [explainshell.com](https://github.com/idank/explainshell)
* explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
* [Magic Wormhole](https://github.com/warner/magic-wormhole)
* This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. The two endpoints are identified by using identical "wormhole codes": in general, the sending machine generates and displays the code, which must then be typed into the receiving machine.
* [Object-oriented HTML](https://github.com/Michaelkielstra/Object-oriented-HTML)
* HTML isn't a programming language as such, it's actually a markup language. This means that it misses out on a lot of the good stuff that real programming languages have, including the joys of object-oriented programming. This project brings inheritance, polymorphism, and public "methods" to HTML. With startling imagination, I've called it object-oriented HTML and chosen the file extension .oohtml.
* [Upspin](https://github.com/upspin/upspin)
* Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts. It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space. Performance is not a primary goal. Uniformity and security are. Upspin is not an official Google product
* [pewpew](https://github.com/hrbrmstr/pewpew)
* Why should security vendors be the only ones allowed to use silly, animated visualizations to "compensate"? Now, you can have your very own IP attack map that's just as useful as everyone else's. IPew is a feature-rich, customizable D3 / javascript visualization, needing nothing more than a web server capable of serving static content and a sense of humor to operate.
* [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html)
* [Hacker Scripts](https://github.com/NARKOZ/hacker-scripts)
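Review bot: `[Teach Yourself Demoscene in 14 Days]`, `[My Canons on (ISC)² Ethics - Such as They Are(2011)]` and `[Hacker Scripts]` are added without the one-line description every other new entry in this hunk gets; add one so the list stays scannable, and insert a space before "(2011)" in the (ISC)² title.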


+ 11
- 5
Draft/Malware.md

@ -38,8 +38,6 @@ Add
* FSG
* PESpin
* [Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)](https://breakingmalware.com/documentation/windows-pssetloadimagenotifyroutine-callbacks-good-bad-unclear-part-2/)
* [Modern Reconnaissance Phase by APT – Protection Layer -Paul Rascagneres](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
@ -181,7 +179,8 @@ Add
* [A timeline of mobile botnets](https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-mobile-botnets)
* With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants.
* [Inside Your Botnet](http://www.exposedbotnets.com/?m=0)
* [Domain Generation Algorithms](https://github.com/baderj/domain_generation_algorithms)
* Johannes Bacher's reversing efforts
--------------------------
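Review bot: the description of the Domain Generation Algorithms repo names "Johannes Bacher", but the GitHub handle in the URL is `baderj`; check the author's surname spelling before merging. A one-line statement of what the repository actually contains would also be more useful to readers than the attribution alone.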
@ -455,7 +454,8 @@ Add
* [Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
* [DDEtect](https://github.com/aserper/DDEtect)
* Simple DDE object detector
* [oletools](https://github.com/decalage2/oletools/blob/master/README.md)
* [oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze [Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the [olefile](http://www.decalage.info/olefile) parser. See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.
@ -504,7 +504,8 @@ WP-us-14-Mesbahi-Swinnen-One-packer-to-rule-them-all-Empirical-identification-co
* This is a brief tutorial giving the basic steps to unpack code using the OllyBonE plugin.
* [de4dot](https://github.com/0xd4d/de4dot)
* de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.
* [AMBER](https://github.com/EgeBalci/Amber)
* Amber is a proof of concept packer, it can pack regularly compiled PE files into reflective PE files that can be used as multi stage infection payloads. If you want to learn the packing methodology used inside the Amber check out below.
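Review bot: the AMBER description ends with "check out below", which points at material in the project README rather than anything on this page; trim the sentence or replace it with a link to the write-up it refers to.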
@ -600,6 +601,11 @@ WP-us-14-Mesbahi-Swinnen-One-packer-to-rule-them-all-Empirical-identification-co
* [Nesting doll: unwrapping Vawtrak](https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak)
* [Rotten Tomatoes campaign by Sophos](http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-tomato-campaign.pdf)
* [Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VP9cTDTF-PU)
* [Malware Reversing - Burpsuite Keygen - 0x00sec](https://0x00sec.org/t/malware-reversing-burpsuite-keygen/5167)


+ 28
- 6
Draft/Network Attacks & Defenses.md

@ -48,10 +48,11 @@
--------
##### To be sorted
http://www.pentest-standard.org/index.php/Intelligence_Gathering
* Add IPSEC Stuff
* [MassDNS](https://github.com/blechschmidt/massdns)
* MassDNS is a simple high-performance DNS stub resolver targetting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.
* Add NTLM Section
* [Microsoft NTLM - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx)
Printers
* [Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
* [PRET](https://github.com/RUB-NDS/PRET)
@ -59,6 +60,15 @@ Printers
* [Attacking *multifunction* printers and getting creds from them](http://www.irongeek.com/i.php?page=videos/bsidescleveland2014/plunder-pillage-and-print-the-art-of-leverage-multifunction-printers-during-penetration-testing-deral-heiland)
* [HPwn - HP printer security research code](https://github.com/foxglovesec/HPwn)
* This repository contains varios scripts and projects referenced in FoxGlove security's HP printer blogpost.
* [blacksheepwall](https://github.com/tomsteele/blacksheepwall)
* blacksheepwall is a hostname reconnaissance tool written in Go. It can also be used as a stand-alone package in your tools.
* [IVRE](https://github.com/cea-sec/ivre)
* IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including tools for passive recon (flow analytics relying on Bro, Argus, Nfdump, fingerprint analytics based on Bro and p0f and active recon (IVRE uses Nmap to run scans, can use ZMap as a pre-scanner; IVRE can also import XML output from Nmap and Masscan).
* [Nili](https://github.com/niloofarkheirkhah/nili)
* Nili is a Tool for Network Scan, Man in the Middle, Protocol Reverse Engineering and Fuzzing.
##### sort end
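Review bot: the IVRE description opens a parenthesis at "(flow analytics relying on Bro" that is never closed, so the passive-recon clause runs straight into the active-recon one; close it after "p0f". Pre-existing typo in the HPwn context line above: "varios scripts" should be "various scripts".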
@ -276,6 +286,8 @@ Printers
* Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
* [sub6](https://github.com/YasserGersy/sub6)
* subdomain take over detector and crawler
* [Anubis](https://github.com/jonluca/Anubis)
* Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, [AnubisDB](https://github.com/jonluca/Anubis-DB), which serves as a centralized repository of subdomains.
* **Service**
* [DNS Dumpster](https://www.DNSdumpster.com)
* free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process
@ -295,8 +307,11 @@ Printers
* Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
* [Bluto](https://github.com/darryllane/Bluto)
* DNS Recon | Brute Forcer | DNS Zone Transfer | DNS Wild Card Checks | DNS Wild Card Brute Forcer | Email Enumeration | Staff Enumeration | Compromised Account Enumeration | MetaData Harvesting
* [Judas DNS](https://github.com/mandatoryprogrammer/JudasDNS)
* A DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain. The magic comes with Judas's rule configurations which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.
* [Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target](https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/)
* [MassDNS](https://github.com/blechschmidt/massdns)
* MassDNS is a simple high-performance DNS stub resolver targetting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.
------------
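Review bot: MassDNS is added here under the DNS tools and also, with the identical description, in the `##### To be sorted` block near the top of this file; keep this copy and remove the other. The quoted description's "targetting" is a typo for "targeting".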
@ -305,6 +320,8 @@ Printers
* [Denial-of-service attack - Wikipedia](https://en.wikipedia.org/wiki/Denial-of-service_attack)
* **General/Articles/Writeups/Talks**
* [Novel session initiation protocol-based distributed denial-of-service attacks and effective defense strategies](http://www.sciencedirect.com/science/article/pii/S0167404816300980)
* [Sockstress](https://github.com/defuse/sockstress)
* Sockstress is a Denial of Service attack on TCP services discovered in 2008 by Jack C. Louis from Outpost24 [1]. It works by using RAW sockets to establish many TCP connections to a listening service. Because the connections are established using RAW sockets, connections are established without having to save any per-connection state on the attacker's machine. Like SYN flooding, sockstress is an asymmetric resource consumption attack: It requires very little resources (time, memory, and bandwidth) to run a sockstress attack, but uses a lot of resources on the victim's machine. Because of this asymmetry, a weak attacker (e.g. one bot behind a cable modem) can bring down a rather large web server. Unlike SYN flooding, sockstress actually completes the connections, and cannot be thwarted using SYN cookies. In the last packet of the three-way handshake a ZERO window size is advertised -- meaning that the client is unable to accept data -- forcing the victim to keep the connection alive and periodically probe the client to see if it can accept data yet. This implementation of sockstress takes the idea a little further by allowing the user to specify a payload, which will be sent along with the last packet of the three-way handshake, so in addition to opening a connection, the attacker can request a webpage, perform a DNS lookup, etc.
* **Tools**
* [Davoset](https://github.com/MustLive/DAVOSET)
* DAVOSET - it is console (command line) tool for conducting DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities at other sites.
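Review bot: Sockstress is a tool (a GitHub repository) but is filed under `**General/Articles/Writeups/Talks**` rather than `**Tools**`, where Davoset sits; move it down. The description also carries a dangling citation marker "[1]" copied from the README with no reference on this page; drop it or link the Outpost24 advisory it refers to. The paragraph could be cut to the first sentence plus the ZERO-window explanation, which is the part that distinguishes it from SYN flooding.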
@ -496,6 +513,8 @@ Printers
* [net-creds](https://github.com/DanMcInerney/net-creds)
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. It sniffs: URLs visited; POST loads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community string; NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc; Kerberos.
* **HTTP**
* [Injectify](https://github.com/samdenty99/injectify)
* Perform advanced MiTM attacks on websites with ease.
* [node-http-mitm-proxy](https://github.com/joeferner/node-http-mitm-proxy)
* HTTP Man In The Middle (MITM) Proxy written in node.js. Supports capturing and modifying the request and response data.
* [hyperfox](https://github.com/malfunkt/hyperfox)
@ -623,6 +642,8 @@ Printers
* Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
* [gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
* [GTScan](https://github.com/SigPloiter/GTScan)
* The Nmap Scanner for Telco. With the current focus on telecom security, there used tools in day to day IT side penetration testing should be extended to telecom as well. From here came the motivation for an nmap-like scanner but for telco. The current security interconnect security controls might fail against reconnaissance, although mobile operators might implement SMS firewalls/proxies, Interconnect firewalls, some of those leak information that could be used for further information gathering process. The motivation behind this project, first adding a new toolking into the arsenal of telecom penetration testers. Second give the mobile operators a way to test their controls to a primitive methodology such as information gathering and reconnaissance.
* **Tor**
* [exitmap](https://github.com/NullHypothesis/exitmap)
* A fast and modular scanner for Tor exit relays. http://www.cs.kau.se/philwint/spoiled_onions/
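Review bot: the GTScan description is pasted from the README and contains several broken phrases ("there used tools in day to day IT side penetration testing should be extended", "toolking", "The current security interconnect security controls might fail"); rewrite it in one or two sentences (an nmap-style scanner for telecom interconnect infrastructure that also lets operators test their own reconnaissance controls) rather than quoting it verbatim.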
@ -867,7 +888,8 @@ Printers
* snmpwalk - retrieve a subtree of management values using SNMP GETNEXT requests
* [Cisc0wn - Cisco SNMP Script](https://github.com/nccgroup/cisco-SNMP-enumeration)
* Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking
* [SNMPwn](https://github.com/hatlord/snmpwn)
* SNMPwn is an SNMPv3 user enumerator and attack tool. It is a legitimate security tool designed to be used by security professionals and penetration testers against hosts you have permission to test. It takes advantage of the fact that SNMPv3 systems will respond with "Unknown user name" when an SNMP user does not exist, allowing us to cycle through large lists of users to find the ones that do.


+ 13
- 1
Draft/Network Security Monitoring & Logging.md

@ -22,10 +22,20 @@
##### To Do
* Create incident Response section
* Expand ELK Stack
* Flesh out InfraMonitoring
#### Sort
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* [ElastAlert](https://github.com/Yelp/elastalert)
* ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
* [Ninja Level Infrastructure Monitoring Workshop - Defcon24](https://github.com/appsecco/defcon24-infra-monitoring-workshop)
* This repository contains all the presentation, documentation and the configuration, sample logs, ansible playbook, customized dashboards and more.
* [Advanced Security Audit Policy Settings](https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx)
* [Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
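Review bot: the Windows Event Forwarding Guidance description ends with "techniques that will be covered in this post", which refers to Palantir's blog post, not this page; cut it after the second sentence. `[Advanced Security Audit Policy Settings]` and `[Many ways of malware persistence (that you were always afraid to ask) ]` are added without a description (and the latter has a stray space before the closing bracket); the persistence article is about malware rather than monitoring, so say why it belongs here, for instance as a list of persistence locations worth auditing in the event log.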
@ -89,6 +99,8 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
* [SweetSecurity](https://github.com/TravisFSmith/SweetSecurity)
* Scripts to setup and install Bro IDS, Elastic Search, Logstash, Kibana, and Critical Stack on a Raspberry Pi 3 device
* [Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
* **Infrastructure Monitoring**
* **General Tools**
* **General**
* [Security Onion](http://blog.securityonion.net/p/securityonion.html)
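Review bot: the new `**Infrastructure Monitoring**` heading is empty and sits directly above `**General Tools**` and `**General**`, two headings that now nest with no content between them; either populate it (the To Do above says "Flesh out InfraMonitoring") or leave the heading out of this commit. `[Response Operation Collections Kit Reference Build]` also needs a one-line description like the SweetSecurity entry above it.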


+ 4
- 1
Draft/Open Source Intelligence.md

@ -174,7 +174,8 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
* gitDigger: Creating realworld wordlists from github hosted data.
* [gitrob](https://github.com/michenriksen/gitrob)
* Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information. Looking for sensitive information in GitHub repositories is not a new thing, it has been [known for a while](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html) that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.
* [reposcanner](https://github.com/Dionach/reposcanner)
* Python script to scan Git repos for interesting strings
----------------
@ -297,6 +298,8 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
* This script uses selenium to scrape linkedin employee details from a specified company. If the script isn't working, you can always browse to the desired company's employee page and paste in the link on line 69 like this: "employees_page = url"
* [The Secrets of LinkedIn](https://webbreacher.com/2017/01/14/the-secrets-of-linkedin/)
* Grabbing usernames/connections(link analysis)
* [The Endorser](https://github.com/eth0izzle/the-endorser)
* An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.
* Tinder
* [OSINT: Advanced tinder capture](https://www.learnallthethings.net/osmosis)
* Twitter


+ 8
- 6
Draft/Password Bruting and Hashcracking.md View File

@ -18,8 +18,6 @@
#### Sort
#### End cull
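Review bot: with the header showing two lines removed from this range, `#### Sort` and `#### End cull` are left adjacent as an empty block, and the two markers do not even match (`Sort` opens, `End cull` closes); delete both lines, or if the block is meant to stay as a parking area, rename the closing marker to `#### End sort` the way the Phishing file does.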
@ -61,15 +59,18 @@
* Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
* [Cracking Active Directory Passwords or “How to Cook AD Crack"](https://www.sans.org/reading-room/whitepapers/testing/cracking-active-directory-passwords-how-cook-ad-crack-37940)
* [Cracking Corporate Passwords – Exploiting Password Policy Weaknesses - Minga / Rick Redman Derbycon 2013](https://www.irongeek.com/i.php?page=videos/derbycon3/1301-cracking-corporate-passwords-exploiting-password-policy-weaknesses-minga-rick-redman)
* [hcxtools](https://github.com/ZerBea/hcxtools)
* Small set of tools to capture and convert packets from wlan devices (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for the use with latest hashcat or John the Ripper. The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git branch (that means: latest hcxtools matching on latest hashcat beta) and John the Ripper git branch ( "bleeding-jumbo").
* [PACK (Password Analysis and Cracking Toolkit)](https://github.com/iphelix/pack)
* PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers.
### <a name="appt">App Specific Tools(as in single application focus)</a>
* [crackxls2003 0.4](https://github.com/GavinSmith0123/crackxls2003)
* This program may be used to break the encryption on Microsoft Excel and Microsoft Word file which have been encrypted using the RC4 method, which uses a 40-bit-long key. This was the default encryption method in Word and Excel 97/2000/2002/2003. This program will not work on files encrypted using Word or Excel 2007 or later, or for versions 95 or earlier. It will not work if a file was encrypted with a non-default method. Additionally, documents created with the Windows system locale set to France may use a different encryption method.
* [mod0keecrack](https://github.com/devio/mod0keecrack)
* mod0keecrack is a simple tool to crack/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.
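Review bot: several pasted descriptions in this hunk carry typos the list should not inherit: `constiency` in the Hashview line should be `consistency`, `100% compatible to hashcat` in the hcxtools line should be `compatible with`, and `Microsoft Word file which have been encrypted` in the crackxls2003 line should read `files which have`. The new section heading `### <a name="appt">App Specific Tools(as in single application focus)</a>` also needs a space before the parenthesis.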
@ -187,7 +188,8 @@
* A core objective of the Password Research Institute is to improve the industry awareness of existing authentication research. Many valuable solutions for the problems associated with authentication have gone unnoticed by the people interested in, or responsible for, authentication security. This project will compile and share a comprehensive, but moderated, index of password and authentication related research papers. We aim to share the details of useful papers, provide access to the papers, and encourage collaboration between authors and other security professionals.
* [When Privacy meets Security: Leveraging personal information for password cracking - M. Dürmuth,A. ChaabaneD. Perito,C. Castelluccia]()
* Passwords are widely used for user authentication and, de- spite their weaknesses, will likely remain in use in the fore seeable future. Human-generated passwords typically have a rich structure , which makes them susceptible to guessing attacks. In this paper, we stud y the effectiveness of guessing attacks based on Markov models. Our contrib utions are two-fold. First, we propose a novel password cracker based o n Markov models, which builds upon and extends ideas used by Narayana n and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than a ll probabilistic password crackers we compared against. Second, we systematically analyze the idea that additional personal informatio n about a user helps in speeding up password guessing. We find that, on avera ge and by carefully choosing parameters, we can guess up to 5% more pas swords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually b ased on personal attributes. These passwords are clearly weaker an d should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to syst ematically study the relationship between chosen passwords and users’ personal in- formation. We test and validate our results over a wide colle ction of leaked password databases.
* [PassGAN](https://github.com/brannondorsey/PassGAN)
* This repository contains code for the [PassGAN: A Deep Learning Approach for Password Guessing paper](https://arxiv.org/abs/1709.00440). The model from PassGAN is taken from [Improved Training of Wasserstein GANs](https://arxiv.org/abs/1704.00028) and it is assumed that the authors of PassGAN used the [improved_wgan_training tensorflow](https://github.com/igul222/improved_wgan_training) implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train (train.py) and sample (sample.py) from.
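Review bot: the Dürmuth et al. entry `* [When Privacy meets Security: ... Castelluccia]()` has an empty link target, so it renders as a dead link; fill in the paper URL (or a `TODO: url` placeholder) before merge, and restore the missing separator in the author list (`A. ChaabaneD. Perito`). Its abstract on the next line was pasted from a PDF and still carries the extraction breaks (`de- spite`, `fore seeable`, `stud y`, `contrib utions`, `personal in- formation`); rejoining those words, or replacing the abstract with a one-sentence summary, would match the other entries.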


+ 20
- 6
Draft/Phishing.md View File

@ -15,10 +15,7 @@
#### Sort
* [Add-In Opportunities for Office Persistence](https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/)
* This post will explore various opportunities for gaining persistence through native Microsoft Office functionality. It was inspired by Kostas Lintovois’ similar work which identified ways to persist in transient Virtual Desktop Infrastructure (VDI) environments through adding a VBA backdoor to Office template files
* [One Template To Rule 'Em All](https://labs.mwrinfosecurity.com/publications/one-template-to-rule-em-all/)
* This presentation discussed how Office security settings and templates can be abused to gain persistence in VDI implementations where traditional techniques relying on the file system or the Registry are not applicable. Additionally, it was described how the introduction of application control and anti-exploitation technologies may affect code execution in locked down environments and how these controls can be circumvented through the use of VBA.
#### End sort
@ -49,7 +46,10 @@
* [Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)
* [Phishing with Maldocs - n00py](https://www.n00py.io/2017/04/phishing-with-maldocs/)
* [Tabnabbing - An art of phishing - securelayer7](http://blog.securelayer7.net/tabnabbing-art-phishing/)
* [Add-In Opportunities for Office Persistence](https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/)
* This post will explore various opportunities for gaining persistence through native Microsoft Office functionality. It was inspired by Kostas Lintovois’ similar work which identified ways to persist in transient Virtual Desktop Infrastructure (VDI) environments through adding a VBA backdoor to Office template files
* [One Template To Rule 'Em All](https://labs.mwrinfosecurity.com/publications/one-template-to-rule-em-all/)
* This presentation discussed how Office security settings and templates can be abused to gain persistence in VDI implementations where traditional techniques relying on the file system or the Registry are not applicable. Additionally, it was described how the introduction of application control and anti-exploitation technologies may affect code execution in locked down environments and how these controls can be circumvented through the use of VBA.
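Review bot: the `Add-In Opportunities for Office Persistence` and `One Template To Rule 'Em All` entries now appear twice in this file, once inside the `#### Sort` / `#### End sort` block in the previous hunk and once after `Tabnabbing - An art of phishing` here; the hunk headers (`-15,10 +15,7` and `-49,7 +46,10`) suggest a move, so confirm the Sort copies are the removed side, and if the Sort block ends up empty, drop its two marker lines as well.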
@ -100,6 +100,12 @@
* SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.
* [CredSniper](https://github.com/ustayready/CredSniper)
* CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. Easily launch a new phishing site fully presented with SSL and capture credentials along with 2FA tokens using CredSniper. The API provides secure access to the currently captured credentials which can be consumed by other applications using a randomly generated API token.
* [Ares](https://github.com/dutchcoders/ares)
* Phishing toolkit for red teams and pentesters. Ares allows security testers to create a landing page easily, embedded within the original site. Ares acts as a proxy between the phised and original site, and allows (realtime) modifications and injects. All references to the original site are being rewritten to the new site. Users will use the site like they'll normally do, but every step will be recorded of influenced. Ares will work perfect with dns poisoning as well.
* [SocialFish](https://github.com/UndeadSec/SocialFish)
* Ultimate phishing tool with Ngrok integrated.
------------------
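Review bot: the pasted Ares description needs a copy-edit before it goes in: `phised` should be `phished`, `every step will be recorded of influenced` should read `recorded or influenced`, and `Ares will work perfect with dns poisoning` should be `works with DNS poisoning`. The SocialFish line `Ultimate phishing tool with Ngrok integrated.` is marketing copy rather than a description; a one-line statement of what the tool actually does is more useful to a reader.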
@ -120,7 +126,9 @@
* [Demiguise](https://github.com/nccgroup/demiguise)
* The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.
* [morphHTA - Morphing Cobalt Strike's evil.HTA](https://github.com/vysec/morphHTA)
* * [Social-Engineering-Payloads - t3ntman](https://github.com/t3ntman/Social-Engineering-Payloads)
* [Social-Engineering-Payloads - t3ntman](https://github.com/t3ntman/Social-Engineering-Payloads)
* [backdoorppt](https://github.com/r00t-3xp10it/backdoorppt)
* transform your payload.exe into one fake word doc (.ppt)
* **Recon**
* [hackability](https://github.com/PortSwigger/hackability)
* Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
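Review bot: the `* * [Social-Engineering-Payloads - t3ntman]` line with the doubled bullet and the corrected `* [Social-Engineering-Payloads - t3ntman]` directly below it look like the old and new side of a one-character fix; confirm the doubled-bullet copy is the removed one so the entry is not listed twice. The new `backdoorppt` description, `transform your payload.exe into one fake word doc (.ppt)`, contradicts itself (a Word document with a PowerPoint extension); check the project and state the actual output format. `morphHTA` is also the only entry in this hunk without a description.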
@ -133,6 +141,11 @@
------------------
### <a name="msoutlook"></a>Microsoft Outlook/Exchange Stuff
* **General**
@ -168,6 +181,7 @@
* **DDE**
* [About Dynamic Data Exchange](https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx)
* [Exploiting Office native functionality: Word DDE edition](https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html)
* [Excel DDE Walkthrough](https://github.com/merrillmatt011/Excel_DDE_Walkthrough/blob/master/Excel_DDE_Walkthrough.pdf)
* **DLL**
* [DLL Tricks with VBA to Improve Offensive Macro Capability](https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/)
* [DLL Execution via Excel.Application RegisterXLL() method](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52)


+ 4
- 1
Draft/Policy-Compliance.md View File

@ -14,7 +14,7 @@
### <a name="general"></a>General
* [The Red Book: A Roadmap for Systems Security Research](http://www.red-book.eu/m/documents/syssec_red_book.pdf)
* [IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki))
* [The security laws, regulations and guidelines directory - csoonline](https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html)
------------
### <a name="guides"></a>Guides
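Review bot: the `* [IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki))` line has a doubled closing parenthesis, which leaves a stray `)` in the rendered link text; drop the extra `)`.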
@ -31,6 +31,9 @@
* [Information Security Risk Assessment Guidelines - mass.gov](http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html)
* [NIST Special Publication 800 -46 Revision 2 - Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf)
------------
### <a name="talks"></a>Talks & Presentations
* [The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
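Review bot: `NIST Special Publication 800 -46 Revision 2` has a stray space in the publication number; it should be `800-46`, matching the `NIST.SP.800-46r2.pdf` filename in the link.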


+ 84
- 28
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -34,42 +34,42 @@
---------------
#### Sort
* Add code injection stuff to post-exploitation Windows
* Add linux/windows/os x to code injection section
* Add linux post exploitation/persistence stuff
* [Collection of Symantec Endpoint Protection Vulnerabilities + some exploits](http://codewhitesec.blogspot.nl/2015/07/symantec-endpoint-protection.html)
* [VMware Escape Exploit](https://github.com/unamer/vmware_escape)
* VMware Escape Exploit before VMware WorkStation 12.5.5
* [Wix Toolkit](http://wixtoolset.org/)
* Tool for crafting msi binaries
* [Battle Of SKM And IUM How Windows 10 Rewrites OS Architecture - Alex Ionescu - BHUSA2015](https://www.youtube.com/watch?v=LqaWIn4y26E&index=15&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7)
* [Slides](http://www.alex-ionescu.com/blackhat2015.pdf)
* [Windows DACL Enum Project](https://github.com/nccgroup/WindowsDACLEnumProject)
* A collection of tools to enumerate and analyse Windows DACLs
* [Escaping The Avast Sandbox Using A Single IOCTL](https://www.nettitude.co.uk/escaping-avast-sandbox-using-single-ioctl-cve-2016-4025)
* [AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf)
* [How to Bypass Anti-Virus to Run Mimikatz - **Spoiler, AV still suck, changing strings is helpful**](http://www.blackhillsinfosec.com/?p=5555)
* [peCloak.py - An Experiment in AV Evasion](http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
* [Making FinFisher Undetectable](https://lqdc.github.io/making-finfisher-undetectable.html)
* [Bypass AV through several basic/effective techniques](http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf)
* [stupid_malware](https://github.com/andrew-morris/stupid_malware)
* Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
* [InfectPE](https://github.com/secrary/InfectPE)
* Using this tool you can inject x-code/shellcode into PE file. InjectPE works only with 32-bit executable files.
* [Doubletap](https://github.com/benrau87/doubletap)
* A very loud but fast recon scan and pentest template creator for use in CTF's/OSCP/Hackthebox...
#### end Sort
* [Invoke-PSImage](https://github.com/peewpw/Invoke-PSImage)
* Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file of from the web (when the -Web flag is passed). The least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload as the data is stored in the colors themselves. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script. This is fairly easy—for example, Invoke-Mimikatz fits into a 1920x1200 image.
* [Wix Toolkit](http://wixtoolset.org/)
* Tool for crafting msi binaries
* [Cloak](https://github.com/UltimateHackers/Cloak)
* Cloak generates a python payload via msfvenom and then intelligently injects it into the python script you specify.
* [Brutal](https://github.com/Screetsec/Brutal)
* Brutal is a toolkit to quickly create various payload,powershell attack , virus attack and launch listener for a Human Interface Device
* [Oneliner-izer](https://github.com/csvoss/onelinerizer)
* Convert any Python file into a single line of code which has the same functionality.
* [One-Lin3r](https://github.com/D4Vinci/One-Lin3r)
* Gives you one-liners that aids in penetration testing operations
* [AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester](http://www.labofapenetrationtester.com/2016/09/amsi.html)
------------------
### <a name="general"></a>General
#### end Sort
----------------
---------------
### <a name="hardware">Hardware-based Privilege Escalation</a>
* **Writeups**
* [Windows DMA Attacks : Gaining SYSTEM shells using a generic patch](https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/)
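Review bot: the reshuffle in this Sort block leaves its markers inconsistent: `#### end Sort` appears twice, and the second occurrence comes after `### <a name="general"></a>General`, so the General heading sits inside the sort area; keep one `#### end Sort` and place it before the `------------------` separator and the General heading. The two separator lines `----------------` and `---------------` that follow are also back to back; one can go. Within the block, `* [Wix Toolkit](http://wixtoolset.org/)` and its description are listed twice, and several entries here (`VMware Escape Exploit`, `Windows DACL Enum Project`, `AVLeak`, `How to Bypass Anti-Virus to Run Mimikatz`, `peCloak.py`, the `AMSI` post) also appear in their proper sections in later hunks of this file; confirm the Sort copies are the removed side so the final file does not list them twice. The three `Add ...` TODO lines at the top remain unaddressed.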
@ -126,6 +126,8 @@
* Initrd encrypted root fs attack
* [Triple-Fetch-Kernel-Creds](https://github.com/coffeebreakerz/Tripple-Fetch-Kernel-Creds)
* Attempt to steal kernelcredentials from launchd + task_t pointer (Based on: CVE-2017-7047)
* [LinEnum](https://github.com/rebootuser/LinEnum)
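Review bot: `Attempt to steal kernelcredentials` in the Triple-Fetch-Kernel-Creds description is missing a space (`kernel credentials`); note also that the link text spells it `Triple` while the URL path reads `Tripple-Fetch-Kernel-Creds`, so double-check that the repository name resolves as written.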
@ -146,6 +148,8 @@
* **Logic**
* [Introduction to Logical Privilege Escalation on Windows - James Forshaw](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf)
* [Windows Logical EoP Workbook](https://docs.google.com/document/d/1qujIzDmFrcFCBeIgMjWDZTLNMCAHChAnKDkHdWYEomM/edit)
* [Abusing Token Privileges For EoP](https://github.com/hatRiot/token-priv)
* This repository contains all code and a Phrack-style paper on research into abusing token privileges for escalation of privilege. Please feel free to ping us with questions, ideas, insults, or bugs.
* PentestLab Windows PrivEsc Writeup List
* [Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
* [Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
@ -220,13 +224,18 @@
* [AutoDane at BSides Cape Town](https://sensepost.com/blog/2015/autodane-at-bsides-cape-town/)
* [Auto DANE](https://github.com/sensepost/autoDANE)
* Auto DANE attempts to automate the process of exploiting, pivoting and escalating privileges on windows domains.
* [lonelypotato](https://github.com/decoder-it/lonelypotato)
* Modified version of RottenPotatoNG C++
* [Blogpost](https://decoder.cloud/2017/12/23/the-lonely-potato/)
* [psgetsystem](https://github.com/decoder-it/psgetsystem)
* getsystem via parent process using ps1 & embeded c#
* **Misc Privilege Escalation**
* [dtappgather-poc.sh](https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh)
* Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment variable of setuid binary dtappgather to manipulate file permissions and create a user owned directory anywhere on the system (as root). Can then add a shared object to locale folder and run setuid binaries with an untrusted library file.
* [Privilege Escalation Using Keepnote](http://0xthem.blogspot.com/2014/05/late-night-privilege-escalation-keepup.html)
* [#AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine](https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/)
* [VMware Escape Exploit](https://github.com/unamer/vmware_escape)
* VMware Escape Exploit before VMware WorkStation 12.5.5
---------------
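Review bot: `getsystem via parent process using ps1 & embeded c#` in the psgetsystem line should read `embedded C#`, and `Uses a environment variable` in the dtappgather-poc.sh description should be `an environment variable`. The `VMware Escape Exploit` entry at the bottom of this hunk duplicates the one in the Sort block earlier in this file; make sure the Sort copy is the one being removed.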
@ -268,6 +277,10 @@
* Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB services are accessed through .NET TCPClient connections. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.
* [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit)
* Tool to audit and attack LAPS environments
* [Wireless_Query](https://github.com/gobiasinfosec/Wireless_Query)
* Query Active Directory for Workstations and then Pull their Wireless Network Passwords. This tool is designed to pull a list of machines from AD and then use psexec to pull their wireless network passwords. This should be run with either a DOMAIN or WORKSTATION Admin account.
* [Grouper](https://github.com/l0ss/Grouper)
* Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
* **AV Bypass Stuff**
* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
* Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
@ -280,7 +293,12 @@
* **Articles/Videos**
* [AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - Blogpost](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* [AMSI: How Windows 10 Plans to Stop Script-Based Attaacks and How Well It Does It - BH US16](https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf)
* [15 Ways to bypass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
* [15 Ways to by/github.com/jseidl/Babadook)
* Connection-less Powershell Persistent and Resilient Backdoor
* **Active Directory**
* [Offensive Active Directory with Powershell](https://www.youtube.com/watch?v=cXWtu-qalSs)
* [Attacking ADFS Endpoints with PowerShell](http://www.irongeek.com/i.php?page=videos/derbycon6/118-attacking-adfs-endpoints-with-powershell-karl-fosaaen)
* [Find AD userpass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
* Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
* [PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10](http://www.irongeek.com/i.php?page=videos/derbycon7/t104-psamsi-an-offensive-powershell-module-for-interacting-with-the-anti-malware-scan-interface-in-windows-10-ryan-cobb)
* [Bypassing AMSI via COM Server Hijacking](https://posts.specterops.io/bypassing-amsi-via-com-server-hijacking-b8a3354d1aff)
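Review bot: two lines in this hunk are corrupted merges of unrelated entries. `* [15 Ways to by/github.com/jseidl/Babadook)` has the start of the execution-policy post title spliced onto the Babadook URL; from the description below it (`Connection-less Powershell Persistent and Resilient Backdoor`) the intended line is `* [Babadook](https://github.com/jseidl/Babadook)`. `* [Find AD userpass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)` pairs a fragment of some other title with the netspi URL that already appears earlier in the hunk as `15 Ways to bypass Powershell execution-policy settings`, so the execution-policy entry is now listed twice and the real link for the `Find AD userpass...` entry is lost; restore whichever entry that title belonged to and keep one execution-policy entry with its description. Separately, `Attaacks` in the BH US16 title should be `Attacks`.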
@ -311,6 +329,11 @@
* PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a powershell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of Post Exploitation easier.
* [PowerLine](https://github.com/fullmetalcache/powerline)
* [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc)
* **Bypass Logging**
* [A Critique of Logging Capabilities in PowerShell v6](http://www.labofapenetrationtester.com/2018/01/powershell6.html)
* Introduces 'PowerShell Upgrade Attack'
* [Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io](https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html)
* [PowerShell ScriptBlock Logging Bypass - cobbr.io](https://cobbr.io/ScriptBlock-Logging-Bypass.html)
* **Dumping/Grabbing Creds**
* [PShell Script: Extract All GPO Set Passwords From Domain](http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/)
* This script parses the domain’s Policies folder looking for Group.xml files. These files contain either a username change, password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!
@ -438,15 +461,17 @@
* [Shellpaste](https://github.com/andrew-morris/shellpaste)
* Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
* [JVM Post-Exploitation One-Liners](https://gist.github.com/frohoff/a976928e3c1dc7c359f8)
* [Meltdown PoC for Reading Google Chrome Passwords](https://github.com/RealJTG/Meltdown)
-------------------
### <a name="linpost">Post-Exploitation Linux</a>
* **101**
* **101**linpost
* **Articles/Blogposts/Writeups**
* [More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip)
* **Tools**
* [nullinux](https://github.com/m8r0wn/nullinux)
* nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided, nullinux will attempt to connect to the target using an SMB null session. Unlike many of the enumeration tools out there already, nullinux can enumerate multiple targets at once and when finished, creates a users.txt file of all users found on the host(s). This file is formatted for direct implementation and further exploitation.This program assumes Python 2.7, and the smbclient package is installed on the machine. Run the setup.sh script to check if these packages are installed.
----------------------
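Review bot: `* **101**linpost` directly under `* **101**` has the anchor name `linpost` pasted onto the end of the subheading (it matches the `<a name="linpost">` heading above); the pair reads like the old and new sides of an accidental edit, so confirm the clean `* **101**` is what survives. The nullinux description also needs a space in `further exploitation.This program`.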
@ -473,7 +498,12 @@
* [atom-bombing](https://github.com/BreakingMalwareResearch/atom-bombing)
* Here’s a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security solutions that focus on preventing infiltration.
* [ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWs](https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows)
* [DoubleAgent](https://github.com/Cybellum/DoubleAgent)
* DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
* [Technical Writeup](https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/)
* **Tools**
* [Windows DACL Enum Project](https://github.com/nccgroup/WindowsDACLEnumProject)
* A collection of tools to enumerate and analyse Windows DACLs
* [WMI Shell Tool](https://github.com/secabstraction/Create-WMIshell)
* The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
* [WMIcmd](https://github.com/nccgroup/WMIcmd)
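Review bot: `Windows DACL Enum Project` and its description now appear both here under `**Tools**` and in the Sort block at the top of this file; this placement is the right one, so confirm the Sort copy is removed. The DoubleAgent description, `a new Zero-Day technique`, is marketing copy that dates quickly; `code injection and persistence technique` with the linked technical writeup says what a reader needs.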
@ -499,9 +529,11 @@
* [Abusing Active Directory in Post Exploitation - Carlos Perez - Derbycon 4](https://www.youtube.com/watch?v=sTU-70dD-Ok)
* [Setting up Samba as a Domain Member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)
* [ATA Suspicious Activity Playbook - technet.ms](https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38)
* **Specific Vulnerabilities**
* [Practically Exploiting MS15-014 and MS15-011 - MWR](https://labs.mwrinfosecurity.com/blog/practically-exploiting-ms15-014-and-ms15-011/)
* [MS15-011 - Microsoft Windows Group Policy real exploitation via a SMB MiTM attack - coresecurity](https://www.coresecurity.com/blog/ms15-011-microsoft-windows-group-policy-real-exploitation-via-a-smb-mitm-attack)
* [DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d)
* [Skeleton Key Malware Analysis - SecureWorks](https://www.secureworks.com/research/skeleton-key-malware-analysis)
* **Specific Vulnerabilities**
* [Practically Exploiting MS15-014 and MS15-011 - MWR](https://labs.mwrinfosecurity.com/blog/practically-exploiting-ms15-014-and-ms15-011/)
* [MS15-011 - Microsoft Windows Group Policy real exploitation via a SMB MiTM attack - coresecurity](https://www.coresecurity.com/blog/ms15-011-microsoft-windows-group-policy-real-exploitation-via-a-smb-mitm-attack)
* **Getting(Hunting) Domain User(s)**
* [hunter](https://github.com/fdiskyou/hunter)
* (l)user hunter using WinAPI calls only
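Review bot: the `**Specific Vulnerabilities**` subheading and its two MS15-011/MS15-014 entries appear twice in this hunk, before and after the new `DCShadow explained` and `Skeleton Key Malware Analysis` lines; confirm only one copy of the three lines survives the move. `Skeleton Key Malware Analysis - SecureWorks` is also already listed under the dedicated `**Skeleton Key**` subsection later in this file, so adding it to the general Active Directory list duplicates it; a pointer to that subsection would avoid the repeat.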
@ -530,6 +562,7 @@
* [How To Pass the Ticket Through SSH Tunnels](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
* [Pass-the-ticket - ldapwiki](http://ldapwiki.com/wiki/Pass-the-ticket)
* **Silver**
* [Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets - adsecurity](https://adsecurity.org/?p=2753)
* [Impersonating Service Accounts with Silver Tickets - stealthbits](https://blog.stealthbits.com/impersonating-service-accounts-with-silver-tickets)
* [Mimikatz 2.0 - Silver Ticket Walkthrough](https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html)
* **Golden**
@ -565,6 +598,8 @@
* GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
* [DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer)
* Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output.
* [NtdsAudit](https://github.com/Dionach/NtdsAudit)
* NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
* **Skeleton Key**
* [Active Directory Domain Controller Skeleton Key Malware & Mimikatz - ADSecurity](https://adsecurity.org/?p=1255)
* [Skeleton Key Malware Analysis - SecureWorks](https://www.secureworks.com/research/skeleton-key-malware-analysis)
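Review bot: `analyis` in the DomainTrustExplorer description should be `analysis`; the line is context here, but it is worth fixing while this block is being touched.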
@ -776,7 +811,9 @@
* [Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf)
* **WPAD**
* [WPAD Persistence](http://room362.com/post/2016/wpad-persistence/)
* **Miscellaneous**
* [backdoorme](https://github.com/Kkevsterrr/backdoorme)
* Tools like metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access - only keep that access once it has been gained.
--------------
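Review bot: `Asyncronous` in the WMI backdoor whitepaper title should be `Asynchronous` (the linked PDF filename spells it that way: `...Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf`). The backdoorme description is a pasted README paragraph; its own last sentence, that it keeps access rather than gains it, is enough for this list.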
@ -871,6 +908,8 @@
* Forward local or remote tcp ports through SMB pipes.
* [MeterSSH](https://github.com/trustedsec/meterssh)
* MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
* [shootback](https://github.com/aploium/shootback)
* shootback is a reverse TCP tunnel let you access target behind NAT or firewall
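Review bot: two slips in the new tunnelling entries: "meterpeter" in the MeterSSH description should be "meterpreter", and the shootback line "shootback is a reverse TCP tunnel let you access target behind NAT or firewall" needs "that lets you access a target behind NAT or a firewall". The last sentence of the MeterSSH description, "All communications are relayed through the SSH tunnel and not through the network", contradicts itself, since the SSH session is network traffic; from the rest of the paragraph the intended point is that the Meterpreter traffic is wrapped inside the SSH connection rather than sent as a separate, recognisable Meterpreter stream, so phrase it that way.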
@ -885,6 +924,7 @@
* [Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14](https://www.youtube.com/watch?v=Sl1Sru3OwJ4)
* [Muts Bypassing AV in Vista/Pissing all over your AV](https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4)
* presentation, listed here as it was a bitch finding a live copy
* [How to Bypass Anti-Virus to Run Mimikatz - **Spoiler, AV still suck, changing strings is helpful**](http://www.blackhillsinfosec.com/?p=5555)
* **Articles/Blogposts/Presentations/Talks/Writeups**
* [Bypass Cylance Memory Exploitation Defense & Script Cntrl](https://www.xorrior.com/You-Have-The-Right-to-Remain-Cylance/)
* [AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf)
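Review bot: the "**Articles/Blogposts/Presentations/Talks/Writeups**" sub-heading is inserted after three entries (the Attila Marosi Trooper14 talk, the Muts Shmoocon video and the Black Hills "How to Bypass Anti-Virus to Run Mimikatz" post) that are themselves talks and blog posts, so the heading lands mid-list and does not cover the items it names; move it above those three entries, or move the entries under it next to the Cylance and AVLeak items. Minor: the bold editorial aside inside the Black Hills link text ("AV still suck") should read "AV still sucks", or better, move the commentary to the indented description line as the rest of the file does.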
@ -972,6 +1012,13 @@
* Stealing Signatures and Making One Invalid Signature at a Time
* [SideStep](https://github.com/codewatchorg/SideStep)
* SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
* [peCloak.py - An Experiment in AV Evasion](http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
* [Making FinFisher Undetectable](https://lqdc.github.io/making-finfisher-undetectable.html)
* [Bypass AV through several basic/effective techniques](http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf)
* [stupid_malware](https://github.com/andrew-morris/stupid_malware)
* Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
* [InfectPE](https://github.com/secrary/InfectPE)
* Using this tool you can inject x-code/shellcode into PE file. InjectPE works only with 32-bit executable files.
* **Application Whitelisting**
* [Whitelist Evasion revisited](https://khr0x40sh.wordpress.com/2015/05/27/whitelist-evasion-revisited/)
* [Shackles, Shims, and Shivs - Understanding Bypass Techniques](http://www.irongeek.com/i.php?page=videos/derbycon6/535-shackles-shims-and-shivs-understanding-bypass-techniques-mirovengi)
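Review bot: the InfectPE description names the tool inconsistently, "Using this tool you can inject x-code/shellcode into PE file. InjectPE works only with 32-bit executable files." should use InfectPE throughout, matching the repository in the link, and the 32-bit-only limitation belongs in the first sentence since it decides whether the tool applies at all. Three of the new links (peCloak.py, "Making FinFisher Undetectable", and the "Bypass AV through several basic/effective techniques" PDF) are added without the one-line description the surrounding tool entries carry, and the last of them points at a packetstorm mirror over plain http, so a canonical or https link would be preferable if one exists.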
@ -1140,6 +1187,15 @@
* [Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
* [Equip: python bytecode instrumentation](https://github.com/neuroo/equip)
* equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
* [Jugaad - Thread Injection Kit](https://github.com/aseemjakhar/jugaad)
* Jugaad is an attempt to create CreateRemoteThread() equivalent for `*nix` platform. The current version supports only Linux operating system. For details on what is the methodology behind jugaad and how things work under the hood visit http://null.co.in/section/projects for a detailed paper.
* [linux-injector](https://github.com/dismantl/linux-injector)
* Utility for injecting executable code into a running process on x86/x64 Linux. It uses ptrace() to attach to a process, then mm
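Review bot: the Jugaad description embeds a bare URL in running text ("visit http://null.co.in/section/projects for a detailed paper"); render it as a markdown link like every other reference in this file, and fix the grammar "an attempt to create CreateRemoteThread() equivalent for `*nix` platform" to "an attempt to create a CreateRemoteThread() equivalent for `*nix` platforms". The linux-injector description as shown here stops mid-word ("It uses ptrace() to attach to a process, then mm"); confirm the full sentence survived in the committed file.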