
¯\_(ツ)_/¯ RT & passwords updated, others not yet. Unrelatedly, the beatings will continue until morale improves.

pull/33/head
rmusser01 2 years ago
parent commit 96b55c8fe2
11 changed files with 1662 additions and 1110 deletions
1. +26 -22 Draft/AnonOpSecPrivacy.md
2. +388 -124 Draft/Building_A_Lab.md
3. +0 -0 Draft/Cheat sheets reference pages Checklists -/Ncat_Cheat_Sheet.txt
4. +0 -182 Draft/Cheat sheets reference pages Checklists -/Random Shit/detect_virtual_box_c_prog.txt
5. +22 -10 Draft/Courses_Training.md
6. +287 -92 Draft/Passwords.md
7. +939 -419 Draft/RT.md
8. +0 -110 Draft/Securing Hardening_1/Securing Linux.txt
9. +0 -43 Draft/Securing Hardening_1/Securing OS X.txt
10. +0 -80 Draft/Securing Hardening_1/Securing Windows Desktop.txt
11. +0 -28 Draft/Securing Hardening_1/Securing Windows Server.txt

+26 -22 Draft/AnonOpSecPrivacy.md

@ -2,23 +2,23 @@
### Table of Contents
- [General](#general)
- [Android/iOS/Mobile](#mobile)
- [Browser Related](#browser)
- [Communications Security](#comsec)
- [Data Collection](#dcollect)
- [De-anonymization](#de-anon)
- [Documents/Writing](#writing)
- [Facial Identification](#face)
- [Informative/Educational](#informative)
- [Journalism & Media Publishing](#media)
- [Network Obfuscation](#obfuscation)
- [Operational Security - OPSEC](#opsec)
- [References/Resources](#ref)
- [Wireless Radios](#)
- [Tor](#tor)
- [Traveling](#travel)
- [Miscellaneous Stuff](#misc)
- [Miscellaneous Tools](#misc-tools)
- [Android/iOS/Mobile](#mobile)
- [Browser Related](#browser)
- [Communications Security](#comsec)
- [Data Collection](#dcollect)
- [De-anonymization](#de-anon)
- [Documents/Writing](#writing)
- [Facial Identification](#face)
- [Informative/Educational](#informative)
- [Journalism & Media Publishing](#media)
- [Network Obfuscation](#obfuscation)
- [Operational Security - OPSEC](#opsec)
- [References/Resources](#ref)
- [Wireless Radios](#)
- [Tor](#tor)
- [Traveling](#travel)
- [Miscellaneous Stuff](#misc)
- [Miscellaneous Tools](#misc-tools)
- [Counter-Surveillance](#counter)
- [Writeups](#cwriteup)
- [Videos/Talks](#cvideos)
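Review bot: `[Wireless Radios](#)` survives this table-of-contents rewrite with an empty anchor, so the entry just jumps to the top of the page; give the Wireless Radios section its own `<a name="...">` and point the entry at it. Since the rendered diff drops leading whitespace, the removed and added entries read identically here, so a word in the commit message about what changed (indentation, presumably) would help reviewers.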
@ -383,7 +383,7 @@
* [Counterintelligence, False Flags, Disinformation, and Network Defense - krypt3ia](https://krypt3ia.wordpress.com/2012/10/17/counterintelligence-false-flags-disinformation-and-network-defense/)
* [Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/)
* [SyTech’s FSB Document Dump: Owning The Information Space and Disconnecting It - Krytp3ia](https://krypt3ia.wordpress.com/2019/08/03/sytechs-fsb-document-dump-owning-the-information-space-and-disconnecting-it/)
* [The Gentleperson’s Guide to Forum Spies](cryptome.org/2012/07/gent-forum-spies.htm)
* [The Gentleperson’s Guide to Forum Spies](http://www.cryptome.org/2012/07/gent-forum-spies.htm)
* [A Digital World Full of Ghost Armies](http://www.cigtr.info/2015/02/a-digital-world-full-of-ghost-armies.html)
* [Disinformation demystified - icyphox](https://icyphox.sh/blog/disinfo/)
* [PsyOps and Socialbots](http://resources.infosecinstitute.com/psyops-and-socialbots/)
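Review bot: the corrected Gentleperson's Guide link now carries a scheme (a bare `cryptome.org/...` renders as a relative path under the repo), but it uses `http://`; prefer `https://` where the site supports it. The context line above also spells the author `Krytp3ia` where the URL and the other two entries use `krypt3ia`.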
@ -541,14 +541,11 @@
* Scuttlebutt is a protocol for building decentralized applications that work well offline and that no one person can control. Because there is no central server, Scuttlebutt clients connect to their peers to exchange information. This guide describes the protocols used to communicate within the Scuttlebutt network. Scuttlebutt is a flexible protocol, capable of supporting many different types of applications. One of its first applications was as a social network, and it has also become one of the most compelling because the people who hang out there are not jerks. This guide has a slight focus on how to use Scuttlebutt for social networking, but many of the explanations will still be useful if want to use it for something completely different, or are just curious how it works.
* [Serval](http://www.servalproject.org)
* Serval is a telecommunications system comprised of at least two mobile phones that are able to work outside of regular mobile phone tower range due thanks to the Serval App and Serval Mesh.
* [VSCodium](https://github.com/VSCodium/vscodium/)
* This is not a fork. This is a repository of scripts to automatically build Microsoft's vscode repository into freely-licensed binaries with a community-driven default configuration.
* [ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium)
* ungoogled-chromium is Google Chromium, sans dependency on Google web services. It also features some tweaks to enhance privacy, control, and transparency (almost all of which require manual activation or enabling).
* [Attacks on applications of k-anonymity for password retrieval - Jack Cable](https://cablej.io/blog/k-anonymity/)
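Review bot: the Serval description in this hunk reads `outside of regular mobile phone tower range due thanks to the Serval App`; drop `due`. The Scuttlebutt paragraph above it has `if want to use it` (missing `you`).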
@ -561,3 +558,10 @@

+388 -124 Draft/Building_A_Lab.md

@ -3,26 +3,50 @@
-------------------------
## Table of Contents
- [General Info](#general)
- [101](#101)
- [Virtual Machines](#vm)
- [Web Applications](#webapp)
- [Vulnerable Web Applications](#webapp)
- [OWASP](#owasp)
- [General](#general)
- [Specific](#specific)
- [API](#sapi)
- [Django](#sdj)
- [HTTP Smuggling](#shtt)
- [JSP](#sjsp)
- [Node.js](#sno)
- [Ruby](#sruby)
- [SSRF](#ssrf)
- [SSO](#ssso)
- [Web Cache Poisoning](#swcp)
- [Installing/Configuring Active Directory](#AD)
- [Installing/Configuring Active Directory](#AD)
- [Building a Defensive Lab](#defense)
- [Official Documentation](#adoc)
- [Guides](#guides)
- [Lab Generation](#alabgen)
- [Domain Generation](#adg)
- [Forest Generation](#afg)
- [User Generation](#aug)
- [User Activity Simulation](#aus)
- [Building a Pentest Lab](#pentest)
- [Talks & Presentations](#bltalks)
- [Tools](#bltools)
- [In the Cloud](#clouds)
- [Building a Defensive Lab](#defense)
- [Other Labs](#other)
- [Access Methods](#oam)
- [Containers/Related](#ocr)
- [Infrastructure Automation](#infra)
- [101](#i101)
- [Tooling](#infrauto)
* **To Do**
* Building a defensive Lab
* Infra Automation
-------------------------
### <a name="general"></a> General
* This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine.
* **101**<a name="101"></a>
* This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine.
* **Useful links**
* [Warming Up. Using ATT&CK for Self Advancement - Adam Swan](https://socprime.com/en/blog/warming-up-using-attck-for-self-advancement/)
* **Building a Dropbox**
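Review bot: two pairs of entries in the new table of contents share one anchor: `[General Info](#general)` with the Specific-level `[General](#general)`, and `[Web Applications](#webapp)` with `[Vulnerable Web Applications](#webapp)`; a renderer resolves both to the first matching id, so give the web-app General entry its own anchor (the heading later in this commit uses `<a name="wgen">`) and keep only one of the two Web Applications entries. `[Installing/Configuring Active Directory](#AD)` appears on two adjacent lines in this hunk; check that only one survives. The new `**101**` bullet repeats the General paragraph word for word; keep a single copy, and in it change `setup` to `set up` and `software(VMware` to `software (VMware`.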
@ -35,12 +59,35 @@
* Autossh reverse tunnel to central server.
* [P4wnP1](https://github.com/mame82/P4wnP1)
* P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W.
* **Utilities**
* **FFSend**
* [Deployment](https://github.com/mozilla/send/blob/master/docs/deployment.md)
* This document describes how to do a full deployment of Firefox Send on your own Linux server.
* [ffsend](https://github.com/timvisee/ffsend)
* Easily and securely share files from the command line. A fully featured Firefox Send client.
-------------------------
### <a name="vm"></a> Virtual Machines
### <a name="vm"></a> Virtual Labs/Machines
* **101**
* [Virtual Machine - Wikipedia](https://en.wikipedia.org/wiki/Virtual_machine)
* **VM Hypervisor Software**
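Review bot: the heading becomes `### <a name="vm"></a> Virtual Labs/Machines`, but the table-of-contents entry added at the top of this file still reads `[Virtual Machines](#vm)`; update the entry text to match. Under `**Utilities**`, the `**FFSend**` label groups Mozilla's server deployment document with the separate timvisee/ffsend command-line client; labelling the group `Firefox Send` and describing the second entry as a client would keep the two from reading as one project.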
@ -72,15 +119,27 @@
* macos-guest-virtualbox.sh is a Bash script that creates a macOS virtual machine guest on VirtualBox with unmodified macOS installation files downloaded directly from Apple servers. Tested on Cygwin. Works on macOS, Windows Subsystem for Linux, and centOS 7. Should work on most modern Linux distros.
* [How to create a macOS virtual machine in VmWare Fusion on Mac without a CD, USB drive or recovery partition - Oleksii Chekulaiev(2017)](https://medium.com/@achekulaev/how-to-create-a-macos-virtual-machine-in-vmware-fusion-on-mac-without-a-cd-usb-drive-or-a-recovery-cb942d821654)
* **Automated Lab/Machine Creation Tools**
* Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)
* SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
* [Detection Lab](https://github.com/clong/DetectionLab)
* Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
* [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/)
* [CyRIS: Cyber Range Instantiation System](https://github.com/crond-jaist/cyris)
* CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
* [DockerSecurityPlayground](https://github.com/giper45/DockerSecurityPlayground)
* A Microservices-based framework for the study of Network Security and Penetration Test techniques
* **Talks/Videos**
* [Windows Server 2016 AutoLab Setup - Jason Helmick(2016)](https://www.youtube.com/watch?v=fIXHvbgxEDk&feature=youtu.be)
* Join Pluralsight author Jason Helmick as he walks through his automated lab setup for use in our Windows Server 2016 content. Check out how to build your lab environment so you can follow along with our authors as you learn the ins and outs of Windows Server 2016.
* **General**
* Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)
* SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
* **Malware**
* [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/)
* [CyRIS: Cyber Range Instantiation System](https://github.com/crond-jaist/cyris)
* CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
* [DockerSecurityPlayground](https://github.com/giper45/DockerSecurityPlayground)
* A Microservices-based framework for the study of Network Security and Penetration Test techniques
* **Windows**
* [PSAutoLab](https://github.com/pluralsight/PS-AutoLab-Env)
* This project serves as a set of "wrapper" commands that utilize the Lability module which is a terrific tool for creating a lab environment of Windows based systems. The downside is that it is a difficult module for less experienced PowerShell users. The configurations and control commands for the Hyper-V virtual machines are written in PowerShell using Desired State Configuration (DSC) and deployed via Lability.
* [Lability](https://github.com/VirtualEngine/Lability)
* The Lability module enables simple provisioning of Windows Hyper-V development and testing environments. It uses a declarative document for machine configuration. However, rather than defining configurations in an external custom domain-specific language (DSL) document, Lability extends existing PowerShell Desired State Configuration (DSC) configuration (.psd1) documents with metadata that can be interpreted by the module. By using this approach, it allows the use of a single configuration document to describe all properties for provisioning Windows-centric development and/or test environments.
* [Detection Lab](https://github.com/clong/DetectionLab)
* Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
* [DetectionLabELK](https://github.com/cyberdefenders/DetectionLabELK)
* DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.
* **VMs/Apps Designed to be Attacked**
* [List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
* [The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/)
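Review bot: `Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)` is missing its opening `[`, in the removed line and again in the added line under `**General**`, so it renders as literal text followed by a bare URL; it should read `[Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)`. In the CyRIS description, `a.k.a,` should be `a.k.a.,`.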
@ -95,8 +154,8 @@
* CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).
* [CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool - Jeffrey Anderson](https://rhinosecuritylabs.com/aws/introducing-cloudgoat-2/)
* [CloudGoat 2 Walkthrough - Part One - thetestlabs.io](https://thetestlabs.io/post/cloudgoat-2-walkthrough-part-one/)
* [OWASP Mutillidae II](https://sourceforge.net/projects/mutillidae/)
* OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
* [Damn Vulnerable Cloud Application](https://github.com/m6a-UdS/dvca)
* This is a demonstration project to show how to do privilege escalation on AWS. DO NOT deploy this on an AWS account unless you know very well what you are doing!
* **Lambda**
* [lambhack](https://github.com/wickett/lambhack)
* A vulnerable serverless lambda application. This is certainly a bad idea to base any coding patterns of what you see here. lambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks aand more. This first release only contains arbitrary code execution through the query string. Please feel free to contribute new vulnerabilities.
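Review bot: `aand more` in the lambhack description (trailing context of this hunk) should read `and more`. The new Damn Vulnerable Cloud Application entry sits between the CloudGoat walkthrough links and the `**Lambda**` label without a label of its own; since it is an AWS privilege-escalation exercise, either nest it with CloudGoat or give it its own bold label so the list structure stays consistent with the rest of the section.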
@ -113,114 +172,179 @@
* **Router**
* [iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution
* **'Serverless'**
* [ServerlessGoat](https://github.com/OWASP/Serverless-Goat)
* This serverless application demonstrates common serverless security flaws as described in the Serverless Security Top 10 Weaknesses guide https://github.com/puresec/sas-top-10.
* **Terraform**
* [TerraGoat](https://github.com/bridgecrewio/terragoat)
* TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
* **Thick Client**
* [Damn Vulnerable Thick Client Application - Part 1 - Setup - Parsia's Den](https://parsiya.net/blog/2018-07-15-damn-vulnerable-thick-client-application---part-1---setup/)
-----
### Web Applications
* **Web Application Focused**
* **OWASP**
* [OWASP Vulnerable Web Applications Directory Project/Pages/Offline](https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline)
* [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project)
* OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP Juice Shop(Github)](https://github.com/bkimminich/juice-shop)
* OWASP Juice Shop is an intentionally insecure web application written entirely in Javascript which encompasses the entire range of OWASP Top Ten and other severe security flaws.
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [Pwning OWASP Juice Shop](https://leanpub.com/juice-shop)
* [OWASP Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS)
* OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
* [NodeGoat](https://github.com/OWASP/NodeGoat)
* Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
* [OWASP DevSlop Project](https://www.owasp.org/index.php/OWASP_DevSlop_Project)
* collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
* **General**
* [Damn Vulnerable Web App](https://github.com/ethicalhack3r/DVWA)
* Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
* [Damn Small Vulnerable Web](https://github.com/stamparm/DSVW)
* Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks.
* [File scanner web app (Part 1 of 5): Stand-up and webserver](http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/)
* [Xtreme Vulnerable Web Application (XVWA)](https://github.com/s4n7h0/xvwa)
* XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
* [Hackazon](https://github.com/rapid7/hackazon)
* Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.
* [Vulnerable Web applications Generator](https://github.com/qazbnm456/VWGen)
* This is the Git repo of the VWGen, which stands for Vulnerable Web applications Generator.
* [secDevLabs](https://github.com/globocom/secDevLabs)
* By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. woman_technologist
* [LKWA](https://github.com/weev3/LKWA)
* Lesser Known Web Attack Lab is for intermediate pentester that can test and practice lesser known web attacks such as Object Injection, XSSI, PHAR Deserialization, variables variable ..etc.
* [One Random Insecure Wep Application Please (ORIWAP) - Nancy Snoke(NolaCon2019)](https://www.irongeek.com/i.php?page=videos/nolacon2019/nolacon-2019-c-00-one-random-insecure-wep-application-please-oriwap-nancy-snoke)
* You may need an insecure web application as part of yearly developer compliance training. You may need an insecure web application for a companywide contest for cyber security awareness month. Perhaps you just like playing with insecure web applications on the weekend. There are a variety of insecure web applications out there. If you have specific needs -- maybe XSS in VBScript as opposed to JavaScript --, or regular use-case where you want something similar to showcase the OWASP top 10 yet different topics and look every time. Then what is out there may not work for you. This talk introduces a new tool -- ORIWAP (One Random Insecure Web Application Please), which can randomly generate an insecure web application (the security features, visual style, and data -- users, passwords, forum postings, about page). If you don't like randomness you can specify some or all of the settings and an application will be generated. The talk will demo creating several new applications, and show the variety of options for creating the perfect insecure web application for you. This talk will also discuss how the code works for each area: security features, visual style, and data.
* **API**
### Web Applications <a name="webapp"></a>
* **OWASP**<a name="owasp"></a>
* [OWASP Vulnerable Web Applications Directory Project/Pages/Offline](https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline)
* [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project)
* OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP Juice Shop(Github)](https://github.com/bkimminich/juice-shop)
* OWASP Juice Shop is an intentionally insecure web application written entirely in Javascript which encompasses the entire range of OWASP Top Ten and other severe security flaws.
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [Pwning OWASP Juice Shop](https://leanpub.com/juice-shop)
* [OWASP Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS)
* OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
* [NodeGoat](https://github.com/OWASP/NodeGoat)
* Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
* [OWASP DevSlop Project](https://www.owasp.org/index.php/OWASP_DevSlop_Project)
* collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
* [OWASP Mutillidae II](https://sourceforge.net/projects/mutillidae/)
* OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
* **General**<a name="wgen"></a>
* [Damn Vulnerable Web App](https://github.com/ethicalhack3r/DVWA)
* Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
* [Damn Small Vulnerable Web](https://github.com/stamparm/DSVW)
* Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks.
* [File scanner web app (Part 1 of 5): Stand-up and webserver](http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/)
* [Xtreme Vulnerable Web Application (XVWA)](https://github.com/s4n7h0/xvwa)
* XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
* [Hackazon](https://github.com/rapid7/hackazon)
* Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.
* [Vulnerable Web applications Generator](https://github.com/qazbnm456/VWGen)
* This is the Git repo of the VWGen, which stands for Vulnerable Web applications Generator.
* [secDevLabs](https://github.com/globocom/secDevLabs)
* By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. woman_technologist
* [LKWA](https://github.com/weev3/LKWA)
* Lesser Known Web Attack Lab is for intermediate pentester that can test and practice lesser known web attacks such as Object Injection, XSSI, PHAR Deserialization, variables variable ..etc.
* [One Random Insecure Wep Application Please (ORIWAP) - Nancy Snoke(NolaCon2019)](https://www.irongeek.com/i.php?page=videos/nolacon2019/nolacon-2019-c-00-one-random-insecure-wep-application-please-oriwap-nancy-snoke)
* You may need an insecure web application as part of yearly developer compliance training. You may need an insecure web application for a companywide contest for cyber security awareness month. Perhaps you just like playing with insecure web applications on the weekend. There are a variety of insecure web applications out there. If you have specific needs -- maybe XSS in VBScript as opposed to JavaScript --, or regular use-case where you want something similar to showcase the OWASP top 10 yet different topics and look every time. Then what is out there may not work for you. This talk introduces a new tool -- ORIWAP (One Random Insecure Web Application Please), which can randomly generate an insecure web application (the security features, visual style, and data -- users, passwords, forum postings, about page). If you don't like randomness you can specify some or all of the settings and an application will be generated. The talk will demo creating several new applications, and show the variety of options for creating the perfect insecure web application for you. This talk will also discuss how the code works for each area: security features, visual style, and data.
* [Damn Small Vulnerable Web in Docker](https://blog.appsecco.com/damn-small-vulnerable-web-in-docker-fd850ee129d5)
* **Specific**<a name="specific"></a>
* **API**<a name="sapi"></a>
* [vulnerable-api](https://github.com/mattvaldes/vulnerable-api)
* [How to configure Json.NET to create a vulnerable web API](https://www.alphabot.com/security/blog/2017/net/How-to-configure-Json.NET-to-create-a-vulnerable-web-API.html)
* **Django**
* **Django**<a name="sdj"></a>
* [django.nV](https://github.com/nVisium/django.nV)
* django.nV is a purposefully vulnerable Django application provided by nVisium.
* **HTTP Smuggling**
* **HTTP Smuggling**<a name="shtt"></a>
* [HTTP-Smuggling-Lab](https://github.com/ZeddYu/HTTP-Smuggling-Lab)
* Use HTTP Smuggling Lab to learn HTTP Smuggling.
* **JSP**
* **JSP**<a name="sjsp"></a>
* [MoneyX](https://github.com/nVisium/MoneyX)
* MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
* **Node.js**
* **Node.js**<a name="sno"></a>
* [node.nV](https://github.com/nVisium/node.nV)
* Intentionally Vulnerable node.js application
* [goat.js](https://github.com/nVisium/goat.js)
* Tutorial for Node.js security
* [Damn Vulnerable NodeJS Application(DVNA)](https://github.com/appsecco/dvna)
* Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vunerabilities OWASP Top 10 2017 vulnerabilities at fixes-2017 branch.
* **Ruby**
* **Ruby**<a name="sruby"></a>
* [grails_nV](https://github.com/nVisium/grails-nV)
* grails_nV is a vulnerable jobs listing website.
* [RailsGoat](https://github.com/OWASP/railsgoat)
* RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
* **SSRF**
* **SSRF**<a name="ssrf"></a>
* [SSRF Vulnerable Lab](https://github.com/incredibleindishell/SSRF_Vulnerable_Lab)
* This repository contain PHP codes which are vulnerable to Server-Side Request Forgery (SSRF) attack.
* **SSO**
* **SSO**<a name="ssso"></a>
* [Vulnerable SSO](https://github.com/dogangcr/vulnerable-sso)
* Vulnerable SSo is focused on single sign on related vulnerabilities. If you want to learn, you should check this and contribute this project. VulnSSO tool is focused on sso attacks. Nowadays most of the company uses their own implementation for sso solutions. Some of the bug hunters found really good vulnerability on the big company. There are some tools(dvwa and others .. ) that contains vulnerability. They don't have any support for sso vulnerability. Our focus is only sso related bugs. VulnSSO is training tool.It will contain redirect uri vulnerability , XXE on saml request and many others.
* **Web Cache Poisoning**
* **Web Cache Poisoning**<a name="swcp"></a>
* [Web Cache Poisoning Lab](https://poison.digi.ninja)
* Welcome to the Cache Poisoning Lab. In this lab you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.
* **Making One**
* [clicker-service](https://gitlab.com/r00k/clicker-service)
* Docker container that intakes post with the following form data and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF). Service runs flask to receive the post requests, and runs on the default port of 5000.
-------------------------
### <a name="AD"></a> Setting up ActiveDirectory Focused Labs
* **Official Documentation**
* **Official Documentation**<a name="adoc"></a>
* [Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
* [Active Directory Domain Services Overview](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview)
* [Understanding Active Directory - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781408(v=ws.10))
* [Windows Server 2016: Build a Windows Domain Lab at Home for Free - social.technet](https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download)
* [Integrate macOS with Microsoft Active Directory - support.apple](https://support.apple.com/guide/deployment-reference-macos/integrate-macos-with-active-directory-iorbeda89d1d/1/web/1)
* **Guides**
* [Building an Effective Active Directory Lab Environment for Testing - adsecurity.org](https://adsecurity.org/?p=2653)
* [Step-By-Step: Setting up Active Directory in Windows Server 2016 - blogs.technet](https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/)
* [Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html)
* [Building and Attacking an Active Directory lab with PowerShell - 1337red](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/)
* [DarthSidious](https://github.com/chryzsh/DarthSidious)
* Building an Active Directory domain and hacking it
* [Creating a SCCM Lab: Part 1 - Setting up AD](https://www.youtube.com/watch?v=4zwQsQEtrwY&feature=share)
* [Build a new Windows Domain with a (semi) easy button - Craig Bowser](http://shadowtrackers.net/blog/build-a-new-windows-domain-with-a-semi-easy-button)
* [Introducing the Active Directory Learning Lab - @jckhmr_t](https://github.com/jckhmr/adlab)
* I'm a big fan of automation with tools such as Ansible, Vagrant and Terrorm now being put to regular use by me. Also, as a Red Team Operator I spend a lot of time modelling attacks up, trying new ideas out and generally keeping myself 'sharp'. I wanted to create something that help me to scratch all of these itches. The research and development culminated in my [BSides Belfast 2019 presentation: Offensive Ansible for Red Teams (Attack, Build, Learn)](https://github.com/jckhmr/presentations/blob/master/BSidesBelfast2019_Final_Optimized.pptx?raw=true).
* [How to Build an Active Directory Hacking Lab - TheCyberMentor](https://www.youtube.com/watch?v=xftEuVQ7kY0)
* [PAW deployment guide - Jian Yan(2018)](https://blogs.technet.microsoft.com/datacentersecurity/2018/04/30/paw-deployment-guide/)
* **Guides**<a name="aguides"></a>
* **Active Directory Locally**
* [Building an Effective Active Directory Lab Environment for Testing - adsecurity.org](https://adsecurity.org/?p=2653)
* [Step-By-Step: Setting up Active Directory in Windows Server 2016 - blogs.technet](https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/)
* [Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html)
* [Building and Attacking an Active Directory lab with PowerShell - 1337red](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/)
* [DarthSidious](https://github.com/chryzsh/DarthSidious)
* Building an Active Directory domain and hacking it
* [Creating a SCCM Lab: Part 1 - Setting up AD](https://www.youtube.com/watch?v=4zwQsQEtrwY&feature=share)
* [Build a new Windows Domain with a (semi) easy button - Craig Bowser](http://shadowtrackers.net/blog/build-a-new-windows-domain-with-a-semi-easy-button)
* [Introducing the Active Directory Learning Lab - @jckhmr_t](https://github.com/jckhmr/adlab)
* I'm a big fan of automation with tools such as Ansible, Vagrant and Terrorm now being put to regular use by me. Also, as a Red Team Operator I spend a lot of time modelling attacks up, trying new ideas out and generally keeping myself 'sharp'. I wanted to create something that help me to scratch all of these itches. The research and development culminated in my [BSides Belfast 2019 presentation: Offensive Ansible for Red Teams (Attack, Build, Learn)](https://github.com/jckhmr/presentations/blob/master/BSidesBelfast2019_Final_Optimized.pptx?raw=true).
* [How to Build an Active Directory Hacking Lab - TheCyberMentor](https://www.youtube.com/watch?v=xftEuVQ7kY0)
* [PAW deployment guide - Jian Yan(2018)](https://blogs.technet.microsoft.com/datacentersecurity/2018/04/30/paw-deployment-guide/)
* This blogpost only focusses on one aspect, which is the PAW deployment, including the backend servers.
* [Step-by-Step Guide to install Active Directory in Windows Server 2019 (PowerShell Guide) - Disham M. Francis(2018)](http://www.rebeladmin.com/2018/10/step-step-guide-install-active-directory-windows-server-2019-powershell-guide/)
* **AWS**
* [Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment - docs.aws](https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html)
* [Active Directory Domain Services on AWS](https://aws.amazon.com/quickstart/architecture/active-directory-ds/)
* This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the AWS Cloud. AD DS and Domain Name Server (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.
* **Azure**
* [Disruption](https://github.com/xFreed0m/Disruption/)
* Disruption is a code for Terraform to deploy a small AD domain-based environment in Azure. The environment contains two domain controllers (Windows Server 2012), Fileserver + Web server (Windows Server 2019), Windows 7 client, Windows 10 client, and kali Linux machine. They are connected to the same subnet. Each windows machine has some packages being installing during deployment (the list can be viewed and modified here: chocolist). All the needed configurations (Domain creation, DC promotion, joining the machines to the domain and more are automated and part of the deployment. However, there are more improvments to be added (creating OUs, Users, and stuff like that. I'll might get to it in the future, or, you will submit a pull request :))
* **Tools**
* **Lab Generation**
* **Articles/Blogposts/Writeups**
* [Automating the provisioning of Active Directory labs in Azure - Christophe Tafani-Dereeper](https://blog.christophetd.fr/automating-the-provisioning-of-active-directory-labs-in-azure/)
* **Tools**
* [Disruption](https://github.com/xFreed0m/Disruption/)
* Disruption is a code for Terraform to deploy a small AD domain-based environment in Azure. The environment contains two domain controllers (Windows Server 2012), Fileserver + Web server (Windows Server 2019), Windows 7 client, Windows 10 client, and kali Linux machine. They are connected to the same subnet. Each windows machine has some packages being installing during deployment (the list can be viewed and modified here: chocolist). All the needed configurations (Domain creation, DC promotion, joining the machines to the domain and more are automated and part of the deployment. However, there are more improvments to be added (creating OUs, Users, and stuff like that. I'll might get to it in the future, or, you will submit a pull request :))
* **Lab Generation**<a name="alabgen">
* **Tools**
* [WSLab - Official Microsoft Stuff](https://github.com/microsoft/WSLab)
* Windows Server rapid lab deployment scripts
* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)
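Review bot: the new `**Lab Generation**<a name="alabgen">` anchor is never closed, unlike every other anchor in this file (`<a name="adg"></a>`, `<a name="afg"></a>`); add the `</a>` so the rendered HTML does not swallow the list items that follow. The Disruption entry and its full description also appear twice in the Azure section now (once directly under **Azure**, again under Lab Generation > **Tools**), so one copy should go, and while touching these lines `Install AD DS using Powerhsell` under Official Documentation should read `PowerShell` and `Terrorm` in the adlab quote should read `Terraform`.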
@ -230,37 +354,84 @@
* [Invoke-ADLabDeployer](https://github.com/outflanknl/Invoke-ADLabDeployer)
* Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
* [Blogpost](https://outflank.nl/blog/2018/03/30/automated-ad-and-windows-test-lab-deployments-with-invoke-adlabdeployer/))
* **Domain Generator**
* **Domain Generator**<a name="adg"></a>
* **Tools**
* [BadBlood](https://github.com/davidprowe/BadBlood)
* BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
* **User Generation**
* **Forest Generation**<a name="afg"></a>
* **Talks/Presentations/Videos**
* [How To Create An Active Directory Forest With PowerShell - Adam Bertram(2018)](https://www.youtube.com/watch?v=bWF1-rhPh5E)
* In this video, Adam will cover how the various parameters that are required to run the Install-ADDSForest command and will go over some gotchas that you should know about when building a new forest. Prerequisites include: (2) Windows Server 2016 VMs on the same network (soon-to-be domain controllers)
* **Tools**
* [Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI) - Mike F Robbins](https://mikefrobbins.com/2018/11/29/use-powershell-to-create-a-new-active-directory-forest-on-windows-2019-server-core-installation-no-gui/)
* **User Generation**<a name="aug"></a>
* **Articles/Blogposts/Writeups**
* [Create Bulk Users in Active Directory (Step-By-Step Guide) - Robert Allen(2018)](https://activedirectorypro.com/create-bulk-users-active-directory/)
* [New-ADUser: Creating Active Directory Users with PowerShell - Kevin Sapp(2019)](https://adamtheautomator.com/new-aduser/)
* **Tools**
* [ADImporter](https://github.com/curi0usJack/ADImporter)
* When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc. And script logic that creates user accounts from that data. This blog post provides both.
* [youzer](https://github.com/SpiderLabs/youzer)
* Fake User Generator for Active Directory Environments
* **User Simulation**
* **User Simulation**<a name="aus"></a>
* **Tools**
* [sheepl](https://github.com/SpiderLabs/sheepl)
* sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3 the output can be compiled into a standalone executable without any other dependancies that when executed on an Windows endpoint, executes a set of tasks randomly over a chosen time frame.
-------------------------
### <a name="pentest"></a> Building a Pen test lab
* **Articles/Blogposts/Writeups**
* [DarthSidious](https://chryzsh.gitbooks.io/darthsidious/content/)
* To share my modest knowledge about hacking Windows systems. This is commonly refered to as red team exercises. This book however, is also very concerned with the blue team; the defenders. That is, helping those who are working as defenders, analysts and security experts to build secure Active Directory environments and monitor them for malicious activity.
* [Home Lab with pfSense & VMware Workstation - sysadmin perspective](http://itpro.outsidesys.com/2015/02/19/home-lab-with-pfsense-workstation/)
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
* [Setting Up a Pentest/Hacking Lab with Hyper-V](http://cyberthreathunt.com/2017/04/01/setting-up-a-pentest-lab-with-hyper-v/)
* [Setting up a Windows Lab Environment](http://thehackerplaybook.com/Windows_Domain.htm)
* [Setting Up A Penetration Testing Lab - Rapid7](https://kb.help.rapid7.com/docs/setting-up-a-penetration-testing-lab)
* [Building a Pentest Lab - stan.gr](http://www.stan.gr/2013/03/building-pentest-lab.html)
* [Privilege-Escalation](https://github.com/Ignitetechnologies/Privilege-Escalation)
* Collection of VMs aimed at teaching different privilege escalation techniques with Vulnhub machines used for examples.
* **Talks/Presentations/Videos**
### <a name="pentest"></a> Building a Pentest lab
* **Building a Lab Basics**<a name="blb"></a>
* **Articles/Blogposts/Writeups**
* [DarthSidious](https://chryzsh.gitbooks.io/darthsidious/content/)
* To share my modest knowledge about hacking Windows systems. This is commonly refered to as red team exercises. This book however, is also very concerned with the blue team; the defenders. That is, helping those who are working as defenders, analysts and security experts to build secure Active Directory environments and monitor them for malicious activity.
* [Home Lab with pfSense & VMware Workstation - sysadmin perspective](http://itpro.outsidesys.com/2015/02/19/home-lab-with-pfsense-workstation/)
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
* [Setting Up a Pentest/Hacking Lab with Hyper-V](http://cyberthreathunt.com/2017/04/01/setting-up-a-pentest-lab-with-hyper-v/)
* [Setting up a Windows Lab Environment](http://thehackerplaybook.com/Windows_Domain.htm)
* [Setting Up A Penetration Testing Lab - Rapid7](https://kb.help.rapid7.com/docs/setting-up-a-penetration-testing-lab)
* [Building a Pentest Lab - stan.gr](http://www.stan.gr/2013/03/building-pentest-lab.html)
* [Privilege-Escalation](https://github.com/Ignitetechnologies/Privilege-Escalation)
* Collection of VMs aimed at teaching different privilege escalation techniques with Vulnhub machines used for examples.
* [Emulating ARM Router Firmware - Azeria](https://azeria-labs.com/emulating-arm-firmware/)
* [Offensive Development with GitHub Actions - MDSec](https://www.mdsec.co.uk/2020/03/offensive-development-with-github-actions/)
* **Offensive Monitoring**
* **Articles/Blogposts/Writeups**
* [Automating a RedELK Deployment Using Ansible - Jason Lang(2020)](https://www.trustedsec.com/blog/automating-a-redelk-deployment-using-ansible/)
* **Talks/Presentations/Videos**<a name="bltalk"></a>
* [SANS Webcast: Building Your Own Super Duper Home Lab](https://www.youtube.com/watch?v=uzqwoufhwyk&app=desktop)
* [Hack Yourself: Building a Test Lab - David Boyd](https://www.youtube.com/watch?v=rgdX-hn0xXU)
* [Hack-Yourself: Building a pentesting lab for fun & profit](https://www.slideshare.net/DavidBoydCISSP/hack-yourself-building-a-pentesting-lab-for-fun-and-profit)
* **Tools**
* **Tools**<a name="bltools"></a>
* [DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire)
* [Slides](https://github.com/TryCatchHCF/DumpsterFire/raw/master/CactusCon_2017_Presentation/DumpsterFire_CactusCon_2017_Slides.pdf)
* The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
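Review bot: the Invoke-ADLabDeployer line `[Blogpost](https://outflank.nl/blog/2018/03/30/automated-ad-and-windows-test-lab-deployments-with-invoke-adlabdeployer/))` carries a stray trailing `)` that renders as literal text after the link; drop one. Under Forest Generation, `Use PowerShell to Create a New Active Directory Forest ... - Mike F Robbins` is a blog post rather than a tool and belongs under an **Articles/Blogposts/Writeups** subheading like the one used for User Generation directly below it.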
@ -270,7 +441,12 @@
* "The Capsulecorp Pentest is a small virtual network managed by vagrant and ansible. It contains five virtual machines, including one Linux attacking system running xubuntu and 4 Windows 2019 servers configured with various vulnerable services. This project can be used to learn network penetration testing as a stand-alone environment but is ultimatly designed to compliment my book The Art of Network Penetration Testing"
* [Sadcloud](https://github.com/nccgroup/sadcloud)
* sadcloud is a tool for spinning up insecure AWS infrastructure with Terraform. It supports approx. 84 misconfigurations across 22 AWS Services. The inital set of misconfigurations were drawn from ScoutSuite, NCCGroup's Multi-cloud auditing tool. sadcloud was created to easily allow security researchers to misconfigure AWS for training purposes, or to use to asses AWS security tools - including built-ins and third-party.
* **In the Clouds**
* [Offensive ELK: Elasticsearch for Offensive Security](https://github.com/marco-lancini/docker_offensive_elk)
* Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results. In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
* [Blogpost](https://www.marcolancini.it/2018/blog-elk-for-nmap/)
* [RedELK](https://github.com/outflanknl/RedELK)
* Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long term operations.
* **In the Clouds**<a name="clouds"></a>
* **AWS**
* **Official Documentation**
* [Getting Started with AWS Managed Microsoft AD - docs.aws](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started.html)
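Review bot: the Offensive ELK and RedELK entries added to the pentest lab **Tools** list are red-team monitoring infrastructure, and this same change introduces an **Offensive Monitoring** heading (holding the RedELK Ansible post) earlier in the file; listing them there would keep the ELK-for-red-team material in one place instead of split across two sections. The sadcloud description also has `inital` and `asses` (should be `initial` and `assess`), which would be worth fixing since the line is being touched anyway.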
@ -278,18 +454,60 @@
* **Un-Official**
* [Building A Lab on AWS - 0x1 SethSec](https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html)
* [Pentesting In The Cloud - primalsecurity](http://www.primalsecurity.net/pentesting-in-the-cloud/)
* [Designing The Adversary Simulation Lab - Adam Chester(2020)](https://www.mdsec.co.uk/2020/04/designing-the-adversary-simulation-lab/)
* **Azure**
* [Building a security lab in Azure - blogs.technet](https://blogs.technet.microsoft.com/motiba/2018/05/11/building-a-security-lab-in-azure/)
* **GCP**
-------------------------
### <a name="defense"></a> Building a Defensive Lab
* **Guides**
* **Guides**<a name="guides"></a>
* **Articles/Blogposts/Writeups**
* [DIY Single Sign-On for SSH - Carl Tashian(2020)](https://smallstep.com/blog/diy-single-sign-on-for-ssh/)
* TL;DR In this post we're going to set up Google single sign-on for SSH. Behind the scenes, we'll use OpenID Connect (OIDC), short-lived SSH certificates, a couple of clever SSH configuration tweaks, and Smallstep's open-source step-ca and step packages. We will set up an SSH Certificate Authority, and use it to bootstrap a new host and a new user in our system. While this approach requires more up-front work than a typical SSH public/private key setup, it comes with a lot of benefits beyond single sign-on. It eliminates the need for gathering and shipping and managing authorized_keys files.
* **Talks/Presentations/Videos**
* **Talks/Presentations/Videos**
* [Webcast: Group Policies That Kill Kill Chains - BHIS(2019)](https://www.blackhillsinfosec.com/webcast-group-policies-that-kill-kill-chains/)
* [Getting Started With Sysmon - John Strand(2019)](https://www.blackhillsinfosec.com/getting-started-with-sysmon/)
* [Webcast: Implementing Sysmon and Applocker - BHIS(2019)](https://www.blackhillsinfosec.com/webcast-implementing-sysmon-and-applocker/)
* [Webcast: Windows logging, Sysmon, and ELK - BHIS(2019)](https://www.blackhillsinfosec.com/webcast-windows-logging-sysmon-and-elk/)
* [Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD - BHIS(2020)](https://www.blackhillsinfosec.com/webcast-lets-talk-about-elk-baby-lets-talk-about-you-and-ad/)
* This webcast is going to demonstrate an integration between our ongoing Windows baseline best practices configuration and improving your endpoint optics. But first, we’re going to summarize some previous webcasts, their content, and the order in which they should be reviewed to tie all of these things together. Then, with all the baseline content and configuration options summarized, we are going to help you put a bow on all that, just in time for the Holidays.
* **Application Whitelisting**
* **Elastic Search + Log Forwarder/Parser + Kibana**<a name="elk"></a>
* **101**
* **Articles/Blogposts/Writeups**
* [Installing ELK 7 (Elasticsearch, Logstash and Kibana) – Windows Server 2016 (Part I) - Rob Willis(2019)](http://robwillis.info/2019/05/installing-elk-7-elasticsearch-logstash-and-kibana-windows-server-2016/)
* [Using the ELK Stack and Python in Penetration Testing Workflow - Adam Vanderbush](https://qbox.io/blog/elk-penetration-testing-workflow-elasticsearch-python?utm_source=qbox.io&utm_medium=article&utm_campaign=elk-penetration-testing-workflow-elasticsearch-python)
* [The Complete Guide to the ELK Stack - Daniel Berman(2019)](https://logz.io/learn/complete-guide-elk-stack/)
* **Tools**
* [Elastic stack (ELK) on Docker](https://github.com/deviantony/docker-elk)
* Run the latest version of the Elastic stack with Docker and Docker Compose.
* **FW Log Visualization**
* [pfELK](https://github.com/3ilson/pfelk)
* pfELK was created in 2016 after spending hours researching firewall visualization. After stumbling across Elasticstack (formerly known as ELK stack) with weeks of troubleshooting and research. The process was refined and shared to aid others in leveraging the awesome power of Elasticsearch through the visualization of firewall events. pfELK is comprised of Java, Elasticstack, and a number of dependencies. Your firewall logs are parsed through various patterns simplifying firewall log analysis. Currently, pfSense and OPNsense are supported with extensive testing.
* **Network Access Controls**
* [PacketFence](https://packetfence.org/)
* PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired, wireless and VPN management, industry-leading BYOD capabilities, 802.1X and RBAC support, integrated network anomaly detection with layer-2 isolation of problematic devices; PacketFence can be used to effectively secure small to very large heterogeneous networks.
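Review bot: **GCP** (under In the Clouds) and **Application Whitelisting** (under Building a Defensive Lab) are added as headings with nothing beneath them; either populate them or hold them back until there is content, since an empty bold heading renders as a dangling list item. Since the ELK section is being relocated here from Other Labs, this is also the moment to fix the pfELK sentence fragment `After stumbling across Elasticstack (formerly known as ELK stack) with weeks of troubleshooting and research.` so the description reads as complete sentences.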
@ -302,7 +520,7 @@
* [Windows 10 is ‘mine’…, Part 1 - Hexacorn](http://www.hexacorn.com/blog/2020/05/05/windows-10-is-mine-part-1/)
* Hexacorn walking through setting up a Win10 VM to his standards.
* **Talks/Presentations/Videos**
* **Monitoring & Threat Hunting**
* **Monitoring & Threat Hunting**<a name="monitoring"></a>
* **Articles/Blogposts/Writeups**
* [How To Do Endpoint Monitoring on a Shoestring Budget – Webcast Write-Up - Joff Thyer, Derek Banks](https://www.blackhillsinfosec.com/endpoint-monitoring-shoestring-budget-webcast-write/)
* [Azure Sentinel To-Go: Sentinel Lab w/ Prerecorded Data 😈 & a Custom Logs Pipe via ARM Templates 🚀 - Cyb3rWard0g](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-sentinel-lab-w-prerecorded-data-amp-a/ba-p/1260191)
@ -319,13 +537,18 @@
* [Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
* [Mordor](https://github.com/Cyb3rWard0g/mordor)
* The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
* **Windows Domain**
* [RedELK](https://github.com/outflanknl/RedELK)
* Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long term operations.
* [Adaz: Active Directory Hunting Lab in Azure](https://github.com/christophetd/Adaz)
* This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.
* **Windows Domain**<a name="bwd"></a>
* **Articles/Blogposts/Writeups**
* [Microsoft-Blue-Forest](https://github.com/rootsecdev/Microsoft-Blue-Forest)
* A Blue Forest is centered around Blue Team operational security in domain networks. This repository serves as a living documentation on securing Windows domain networks running modern Microsoft operating systems.
* **Talks/Presentations/Videos**
* **Tools**
* [PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge]https://jorgequestforknowledge.wordpress.com/2020/04/06/powershell-script-to-reset-the-krbtgt-account-password-keys-for-both-rwdcs-and-rodcs-update-5/)
* **Tools**
* [Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II)](http://robwillis.info/2019/05/gathering-windows-powershell-and-sysmon-events-with-winlogbeat-elk-7-windows-server-2016/)
* [PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge]https://jorgequestforknowledge.wordpress.com/2020/04/06/powershell-script-to-reset-the-krbtgt-account-password-keys-for-both-rwdcs-and-rodcs-update-5/)
* **In the Clouds**
* [Securing Azure Infrastructure - Hands on Lab Guide - Adam Raffle, Tom Wilde](https://github.com/Araffe/azure-security-lab)
* [Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
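Review bot: the Jorge KrbTgt reset script entry (`[PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge]https://jorgequestforknowledge.wordpress.com/...`) is missing the `(` after `]` in both the old and the new version of the line, so it renders as bracketed text followed by a bare URL; add the paren while the line is being moved. `Response Operation Collections Kit Reference Build` is also listed twice in this Monitoring & Threat Hunting section (once among the hunting tools and again under **In the Clouds**), so one of the two entries is redundant.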
@ -333,11 +556,39 @@
-------------------------
### Other Labs
### Other Labs <a name="other"></a>
* [DanderSpritz Lab](https://github.com/francisck/DanderSpritz_lab)
* The goal of DanderSpritz lab is to allow researchers and defenders to quickly stand up a fully functional version of DanderSpritz - The Equation Group's Post exploitation tool-set and a Windows Server 2008 Domain and client as targets. The Windows target have some reverse engineering tools that I found useful while investigating DanderSpritz and it's capabilities.
* **Containers/Related**
* [deploy-your-own-saas](https://github.com/Atarity/deploy-your-own-saas)
* 'List of "only yours" cloud services for everyday needs'
* **Access Methods**<a name="oam"></a>
* **RDP**
* [xrdp](https://github.com/neutrinolabs/xrdp)
* xrdp provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp accepts connections from a variety of RDP clients: FreeRDP, rdesktop, NeutrinoRDP and Microsoft Remote Desktop Client (for Windows, Mac OS, iOS and Android).
* **SSH**
* [ubuntu.autossh](https://github.com/Monadical-SAS/ubuntu.autossh)
* Autossh reverse tunnel to central server.
* **VPN**
* **Wireguard**
* [Wireguard - Wikipedia](https://en.wikipedia.org/wiki/Wireguard)
* WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel, and aims for better performance and more power saving than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2.
* [wg-access-server](https://github.com/place1/wg-access-server/)
* wg-access-server is a single binary that provides a WireGuard VPN server and device management web ui. We support user authentication, 1 click device registration that works with Mac, Linux, Windows, Ios and Android including QR codes. You can configure different network isolation modes for better control and more. This project aims to deliver a simple VPN solution for developers, homelab enthusiasts and anyone else feeling adventurous.
* **Containers/Related**<a name="ocr"></a>
* **Docker**
* **Articles/Blogposts/Writeups**
* [Docker Your Command & Control (C2) - obscuritylabs](https://blog.obscuritylabs.com/docker-command-controll-c2/)
@ -350,8 +601,7 @@
* A Dockerfile that creates an image with known vulnerabilities.
* [Blogpost](https://www.stindustries.net/docker/bad-dockerfile/)
* **Kubernetes**
* **Tools**
* [Bust-a-Kube](https://www.bustakube.com/download)
* **Instances**
* [Simulator](https://github.com/kubernetes-simulator/simulator)
* A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a kuberntes cluster for you in your AWS account; runs scenarios which misconfigure it and/or leave it vulnerable to compromise and trains you in mitigating against these vulnerabilities.
* [k3s](https://github.com/rancher/k3s)
@ -362,18 +612,28 @@
* The goal of this project is to make use of Docker and specifically kind to create a lab environment for testing Kubernetes exploits and security tools entirely locally on a single machine without any requirement for remote resources or Virtual Machines being spun up.
* [kind](https://kind.sigs.k8s.io/)
* kind is a tool for running local Kubernetes clusters using Docker container “nodes”. kind was primarily designed for testing Kubernetes itself, but may be used for local development or CI.
* **Elastic Search + Log Forwarder/Parser + Kibana**
* **101**
* **Articles/Blogposts/Writeups**
* [Installing ELK 7 (Elasticsearch, Logstash and Kibana) – Windows Server 2016 (Part I) - Rob Willis(2019)](http://robwillis.info/2019/05/installing-elk-7-elasticsearch-logstash-and-kibana-windows-server-2016/)
* [Using the ELK Stack and Python in Penetration Testing Workflow - Adam Vanderbush](https://qbox.io/blog/elk-penetration-testing-workflow-elasticsearch-python?utm_source=qbox.io&utm_medium=article&utm_campaign=elk-penetration-testing-workflow-elasticsearch-python)
* [The Complete Guide to the ELK Stack - Daniel Berman(2019)](https://logz.io/learn/complete-guide-elk-stack/)
* **Tools**
* [Elastic stack (ELK) on Docker](https://github.com/deviantony/docker-elk)
* Run the latest version of the Elastic stack with Docker and Docker Compose.
* **FW Log Visualization**
* [pfELK](https://github.com/3ilson/pfelk)
* pfELK was created in 2016 after spending hours researching firewall visualization. After stumbling across Elasticstack (formerly known as ELK stack) with weeks of troubleshooting and research. The process was refined and shared to aid others in leveraging the awesome power of Elasticsearch through the visualization of firewall events. pfELK is comprised of Java, Elasticstack, and a number of dependencies. Your firewall logs are parsed through various patterns simplifying firewall log analysis. Currently, pfSense and OPNsense are supported with extensive testing.
* **Vulnerable**
* [Bust-a-Kube](https://www.bustakube.com/download)
* [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)
* The Kubernetes Goat designed to be intentionally vulnerable cluster environment to learn and practice Kubernetes security.
* **Development**
* [Callback Catcher](https://bitbucket.org/gavinanders/callback-catcher/src/master/)
* Callback Catcher is a multi-socket control tool designed to aid in pentest activities. It has a simple web application with an backend API that allows the user control what TCP and UDP sockets should be opened on the server. It records any and all data send to the exposed sockets and logs it to a database which can be easily accessed via it's backend API. Itís kind of intended to be like the love child of Burp Collaborator and Responder. Alternatively think of it like a low/medium interactive honeypot. Its been coded on top of the Django REST framework, which offers a number of benefits , primarily being able to create your own client scripts and tools and quickly searching and filtering of data. Opening of sockets is built on top of Python's ServerSocket library. Upon spinning up a socket a user is given the option to assign a handler to the socket, which is affectively user defined code that overwrites the handler function within the SocketServer.TCPServer and SocketServer.UDPServer classes. This code tells the socket how to handle the incoming data and what to respond with. Each connection to the socket is recorded to a database.
* **Mail Servers**
* **Hosting**
* **Local**
* [Papercut](https://github.com/changemakerstudios/papercut)
* Simple Desktop SMTP Server
* **Mobile Device Management**
* **macOS**
* [MicroMDM](https://micromdm.io/)
* MicroMDM is a project which provides an open source Mobile Device Management server for Apple devices. Our goal is to create a performant and extensible device management solution for enterprise and education.
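Review bot: the new **Elastic Search + Log Forwarder/Parser + Kibana** block is inserted between the Kubernetes **Instances** entries (kind) and the Kubernetes **Vulnerable** entries (Bust-a-Kube, Kubernetes Goat), so it splits the Kubernetes section in two; move it below the **Vulnerable** items (or above **Kubernetes**) so ELK sits at the same level as Docker and Kubernetes. The **101** sub-header under it is empty and can be dropped until there is an entry. In the Callback Catcher description, "Itís" is mojibake for "It's", "an backend" should be "a backend" and "affectively" should be "effectively".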
@ -381,12 +641,13 @@
-------------------------------------------------------
### Infrastructure Automation <a name="infra"></a>
* **101**
* **101**<a name="i101"></a>
* [PhoenixServer - Martin Fowler](https://martinfowler.com/bliki/PhoenixServer.html)
* [An Introduction to the /opt Directory - Nick Sweeting](https://docs.sweeting.me/s/an-intro-to-the-opt-directory#)
* [An introduction to immutable infrastructure - Josh Stella(2015)](https://www.oreilly.com/radar/an-introduction-to-immutable-infrastructure/)
* "Why you should stop managing infrastructure and start really programming it."
* **Articles/Blogposts**
* [An Introduction to Configuration Management - Erika Heidi(2019)](https://www.digitalocean.com/community/tutorials/an-introduction-to-configuration-management)
* [Automation Testing With Ansible, Molecule, And Vagrant - Mike Spitzer](https://www.trustedsec.com/blog/automation-testing-with-ansible-molecule-and-vagrant/)
* [Building a scalable, highly available, and portable web server - Surya Dantuluri](https://blog.suryad.com/sd2/)
* [Containerised Home Server With Docker Compose and Traefik - Kristian Glass](https://blog.doismellburning.co.uk/containerised-home-server-with-docker-compose-and-traefik/)
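Review bot: `* **101**` appears twice in a row, once bare and once with the `<a name="i101"></a>` anchor; if the bare line is not in the removed set, drop it so the section has a single **101** header. The anchor name "i101" also has no visible table-of-contents entry; add one using the same name if the section is meant to be linkable.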
@ -397,7 +658,7 @@
* [Building, Modifying, and Packing with Azure DevOps - Adam Chester(2020)](https://blog.xpnsec.com/building-modifying-packing-devops/)
* [Hitchhikers Guide to the PowerShell Module Pipeline - Michael Willis](https://xainey.github.io/2017/powershell-module-pipeline/)
* The following article highlights both high and mid level concepts toward creating a simple release pipeline for PowerShell modules. The major focus will cover file structure, test practices, task runners, and portability between CI/CD systems. Additional topics include generated reports, design patterns for code consistency, and a Jenkins CI implementation. The supplementary project: Xainey/PSHitchhiker is available on Github to analyze alongside the project.
* **Infrastructure Automation**
* **Infrastructure Automation Tools**<a name="infrauto"></a>
* **Ansible**
* **Articles/Blogposts**
* [AWX](https://github.com/ansible/awx)
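Review bot: under **Ansible** the first entry, AWX (a GitHub project), is filed under **Articles/Blogposts**; add a **Tools** sub-header for it, matching the Articles/Tools split used elsewhere in this file (for example under **Docker** and under the ELK section). Minor: "Hitchhikers Guide" wants an apostrophe ("Hitchhiker's").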
@ -410,6 +671,7 @@
* [Modern C2 Infrastructure with Terraform, DigitalOcean, Covenant and Cloudflare - Riccardo](https://riccardoancarani.github.io/2019-09-28-modern-c2-infra/)
* [Infrastructure as Code: Setting up a web application penetration testing laboratory - avasdream](https://avasdream.engineer/terraform-hacking-lab)
* [Automating Red Team Infrastructure with Terraform - @spottheplanet](https://ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform)
* [Infrastructure as Code: Setting up a web application penetration testing laboratory - avasdream(2020)](https://avasdream.engineer/terraform-hacking-lab)
* **Vagrant & Packer**
* **101**
* [Vagrant Documentation - vagrantup.com](https://www.vagrantup.com/docs/)
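Review bot: the added line "Infrastructure as Code: Setting up a web application penetration testing laboratory - avasdream(2020)" duplicates the entry two lines above it (identical URL https://avasdream.engineer/terraform-hacking-lab, only the year is new); keep one, preferably the dated one, and drop the other.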
@ -430,4 +692,6 @@
* **Sort**
* [Imaginary C2](https://github.com/felixweyne/imaginaryC2)
* A python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
* [EVABS (Extremely Vulnerable Android Labs)](https://github.com/abhi-r3v0/EVABS)
* An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world based Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level, the player learns a new concept. This project is still under progress and aims at incorporating as many levels as possible.
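Review bot: EVABS is an intentionally vulnerable Android app, so it belongs with the other vulnerable targets rather than in the **Sort** bucket; this file already uses a **Vulnerable** sub-heading under Kubernetes, and a mobile equivalent would be its natural home. Minor: "hosts a HTTP server" in the Imaginary C2 description should be "an HTTP server".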

Draft/Cheat sheets reference pages Checklists -/Ncat.txt → Draft/Cheat sheets reference pages Checklists -/Ncat_Cheat_Sheet.txt


+0 -182 Draft/Cheat sheets reference pages Checklists -/Random Shit/detect_virtual_box_c_prog.txt

@ -1,182 +0,0 @@
http://pastebin.com/RU6A2UuB
//http://waleedassar.blogspot.com - (@waleedassar)
#include "stdafx.h"
#include "windows.h"
void ToLower(unsigned char* Pstr)
{
char* P=(char*)Pstr;
unsigned long length=strlen(P);
for(unsigned long i=0;i<length;i++) P[i]=tolower(P[i]);
return;
}
int main(int argc, char* argv[])
{
//method 1
HKEY HK=0;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"HARDWARE\\ACPI\\DSDT\\VBOX__",0,KEY_READ,&HK)==ERROR_SUCCESS)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(1);
}
//method 2 -- requires Guest Additions to be installed.
HANDLE hF1=CreateFile("\\\\.\\VBoxMiniRdrDN",GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,OPEN_EXISTING,0,0);
if(hF1!=INVALID_HANDLE_VALUE)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(2);
}
//method 3 -- requires Guest Additions to be installed
HMODULE hM1=LoadLibrary("VBoxHook.dll");
if(hM1)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(3);
}
//method 4 -- requires Guest Additions to be installed
HK=0;
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Oracle\\VirtualBox Guest Additions",0,KEY_READ,&HK)) && HK)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
RegCloseKey(HK);
ExitProcess(4);
}
//method 5
HK=0;
char* subkey="SYSTEM\\CurrentControlSet\\Enum\\IDE";
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_READ,&HK)) && HK )
{
unsigned long n_subkeys=0;
unsigned long max_subkey_length=0;
if(ERROR_SUCCESS==RegQueryInfoKey(HK,0,0,0,&n_subkeys,&max_subkey_length,0,0,0,0,0,0))
{
if(n_subkeys) //Usually n_subkeys are 2
{
char* pNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,max_subkey_length+1);
for(unsigned long i=0;i<n_subkeys;i++) //Usually n_subkeys are 2
{
memset(pNewKey,0,max_subkey_length+1);
HKEY HKK=0;
if(ERROR_SUCCESS==RegEnumKey(HK,i,pNewKey,max_subkey_length+1))
{
if((RegOpenKeyEx(HK,pNewKey,0,KEY_READ,&HKK)==ERROR_SUCCESS) && HKK)
{
unsigned long nn=0;
unsigned long maxlen=0;
RegQueryInfoKey(HKK,0,0,0,&nn,&maxlen,0,0,0,0,0,0);
char* pNewNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,maxlen+1);
if(RegEnumKey(HKK,0,pNewNewKey,maxlen+1)==ERROR_SUCCESS)
{
HKEY HKKK=0;
if(RegOpenKeyEx(HKK,pNewNewKey,0,KEY_READ,&HKKK)==ERROR_SUCCESS)
{
unsigned long size=0xFFF;
unsigned char ValName[0x1000]={0};
if(RegQueryValueEx(HKKK,"FriendlyName",0,0,ValName,&size)==ERROR_SUCCESS)
{
ToLower(ValName);
if(strstr((char*)ValName,"vbox"))
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(5);
}
}
RegCloseKey(HKKK);
}
}
LocalFree(pNewNewKey);
RegCloseKey(HKK);
}
}
}
LocalFree(pNewKey);
}
}
RegCloseKey(HK);
}
//method 6
HK=0;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"HARDWARE\\DESCRIPTION\\System",0,KEY_READ,&HK)==ERROR_SUCCESS)
{
unsigned long type=0;
unsigned long size=0x100;
char* systembiosversion=(char*)LocalAlloc(LMEM_ZEROINIT,size+10);
if(ERROR_SUCCESS==RegQueryValueEx(HK,"SystemBiosVersion",0,&type,(unsigned char*)systembiosversion,&size))
{
ToLower((unsigned char*)systembiosversion);
if(type==REG_SZ||type==REG_MULTI_SZ)
{
if(strstr(systembiosversion,"vbox"))
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(6);
}
}
}
LocalFree(systembiosversion);
type=0;
size=0x200;
char* videobiosversion=(char*)LocalAlloc(LMEM_ZEROINIT,size+10);
if(ERROR_SUCCESS==RegQueryValueEx(HK,"VideoBiosVersion",0,&type,(unsigned char*)videobiosversion,&size))
{
if(type==REG_MULTI_SZ)
{
char* video=videobiosversion;
while(*(unsigned char*)video)
{
ToLower((unsigned char*)video);
if(strstr(video,"oracle")||strstr(video,"virtualbox") )
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(6);
}
video=&video[strlen(video)+1];
}
}
}
LocalFree(videobiosversion);
RegCloseKey(HK);
}
//method 7 - requires guest additions to be installed.
HANDLE hxx=CreateFile("\\\\.\\pipe\\VBoxTrayIPC",GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
if(hxx!=INVALID_HANDLE_VALUE)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
CloseHandle(hxx);
ExitProcess(7);
}
//method 8 - requires guest additions installed
HWND hY1=FindWindow("VBoxTrayToolWndClass",0);
HWND hY2=FindWindow(0,"VBoxTrayToolWnd");
if(hY1 || hY2)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(8);
}
//method 9
unsigned long pnsize=0x1000;
char* provider=(char*)LocalAlloc(LMEM_ZEROINIT,pnsize);
int retv=WNetGetProviderName(WNNC_NET_RDR2SAMPLE,provider,&pnsize);
if(retv==NO_ERROR)
{
if(lstrcmpi(provider,"VirtualBox Shared Folders")==0)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(9);
}
}
return 0;
}
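Review bot: deleting detect_virtual_box_c_prog.txt drops the only reference to its source (http://pastebin.com/RU6A2UuB, credited to @waleedassar at waleedassar.blogspot.com); before removing the file, carry the URL and attribution over to a markdown page (wherever VM and sandbox detection is covered), since pastebin links rot and the nine registry, device, named-pipe, window-class and network-provider checks it enumerates are exactly the artifacts defenders look for when writing detections for anti-analysis behaviour. Note also that Method 6 uses `ExitProcess(6)` for both the SystemBiosVersion and VideoBiosVersion branches, so if the code is preserved anywhere, the second should be a distinct exit code to keep the numbering meaningful.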

+22 -10 Draft/Courses_Training.md

@ -11,6 +11,7 @@
- [AWS](#aws)
- [Azure](#azure)
- [GCP](#gcp)
- [Computer Science](#cs)
- [Containers](#containers)
- [Cryptography](#crypto)
- [Data Science](#ds)
@ -38,6 +39,7 @@
------------------------------------------------------------------------------------------------------------------------------------------------------
### Classes & Training
* **HEADS UP**
@ -88,11 +90,12 @@
* A free, self-paced curriculum that builds a base of knowledge in computers and networking prior to moving on to the fundamentals of security and defense. The course is intended to build up a student with no prior technical knowledge to be confident in their ability to learn anything and continue their security education.
* [Hopper's Roppers Security Fundamentals](https://www.hoppersroppers.org/courseSecurity.html)
* A free, self-paced curriculum that teaches a beginner how security works in the real world. Learn security theory and execute defensive measures so that you are better prepared against threats online and in the physical world.
* **Cloud**
* **AWS**
* **Cloud**<a name="cloud"></a>
* **AWS**<a name="aws"></a>
* **Azure**
* [So you want to learn Azure Security? - Michael Howard(2020)](https://michaelhowardsecure.blog/2020/02/14/so-you-want-to-learn-azure-security/)
* **GCP**
- **Computer Science**<a name="cs"></a>
* **Containers**<a name="containers"></a>
* [Attacking and Auditing Docker Containers and Kubernetes Clusters](https://github.com/appsecco/attacking-and-auditing-docker-containers-and-kubernetes-clusters)
* This course will set the base for security testers and DevOps teams to test for common security vulnerabilities and configuration weaknesses across containerised environments and distributed systems. It also helps to understand approach and process to audit the Kubernetes environment for security posture. The courseware is meant to introduce participants to container and cluster management with Kubernetes.
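Review bot: the new **Computer Science** header uses a `-` bullet while every sibling header in this list uses `*`; change it to `* **Computer Science**<a name="cs"></a>` so the list renders as one. The section is also empty, as are **AWS** and **GCP**; if they exist only to give the new TOC anchors a target, a short placeholder entry under each keeps the rendered page from showing bare headers.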
@ -169,13 +172,20 @@
* Florida State University Offensive Security 2013 Class materials
* [HackSplaining](https://www.hacksplaining.com/faq)
* Security training aimed towards developers. Free.
* [Beginner Network Pentesting - The Cyber Mentor](https://github.com/hmaverickadams/Beginner-Network-Pentesting)
* Welcome to the Beginner Network Pentesting course. Previously, the course was delivered weekly on Twitch and built from lessons learned in the previous week. The course provides an opportunity for those interested in becoming an ethical hacker / penetration tester the chance to learn the practical skills necessary to work in the field. Throughout the course, we will develop our own Active Directory lab in Windows, make it vulnerable, hack it, and patch it. We'll cover the red and blue sides. We'll also cover some of the boring stuff like report writing :).
* [Penetration Test Guide based on the OWASP + Extra](https://github.com/Voorivex/pentest-guide)
* This guid[e] is for the penetration testers seeking for the appropriate test cases required during a penetration test project. I rearranged the OWASP Testing Guide v4 from my point of view including 9 Test Classes and each class has several Test Cases to conduct against the target. Each Test Case covers several OWASP tests which also is useful for the report document. I've also added 14 extra Tests Cases marked by the EXTRA-TEST. I hope it will be useful in both penetration test projects and bug-bounty.
* [SpecterOps Adversary Tactics: PowerShell Course](https://github.com/specterops/at-ps)
* [Powershell-Attack-Guide](https://github.com/rootclay/Powershell-Attack-Guide)
* Learning PowerShell for internal Pentesting
* **Cloud**
* [Breaking and Pwning Apps and Servers on AWS and Azure - Appsecco](https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training)
* The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing and OSINT engagements which take the student through the journey of discovery, identification and exploitation of security weaknesses, misconfigurations and poor programming practices that can lead to complete compromise of the cloud infrastructure. The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, coverage of tool that can be used for attacking and auditing. Due to the attack, focused nature of the training, not a lot of documentation is around security architecture, defence in depth etc. Additional references are provided in case further reading is required.
* **'Network' Pentesting**
* [Beginner Network Pentesting - The Cyber Mentor](https://github.com/hmaverickadams/Beginner-Network-Pentesting)
* Welcome to the Beginner Network Pentesting course. Previously, the course was delivered weekly on Twitch and built from lessons learned in the previous week. The course provides an opportunity for those interested in becoming an ethical hacker / penetration tester the chance to learn the practical skills necessary to work in the field. Throughout the course, we will develop our own Active Directory lab in Windows, make it vulnerable, hack it, and patch it. We'll cover the red and blue sides. We'll also cover some of the boring stuff like report writing :).
* **PowerShell**
* [Fundamentals of Leveraging PowerShell - Carlos Perez(Defcon25)](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20workshops/DEF%20CON%2025%20-%20Carlos-Perez-Leveraging-PowerShell.pdf)
* [SpecterOps Adversary Tactics: PowerShell Course](https://github.com/specterops/at-ps)
* [Powershell-Attack-Guide](https://github.com/rootclay/Powershell-Attack-Guide)
* Learning PowerShell for internal Pentesting
* **Web**
* [Penetration Test Guide based on the OWASP + Extra](https://github.com/Voorivex/pentest-guide)
* This guid[e] is for the penetration testers seeking for the appropriate test cases required during a penetration test project. I rearranged the OWASP Testing Guide v4 from my point of view including 9 Test Classes and each class has several Test Cases to conduct against the target. Each Test Case covers several OWASP tests which also is useful for the report document. I've also added 14 extra Tests Cases marked by the EXTRA-TEST. I hope it will be useful in both penetration test projects and bug-bounty.
* **Product Management**<a name="pm"></a>
* [Software Product Management Specialization - University of Alabama(Coursera)](https://www.coursera.org/specializations/product-management)
* In this Software Product Management Specialization, you will master Agile software management practices to lead a team of developers and interact with clients. In the final Capstone Project, you will practice and apply management techniques to realistic scenarios that you will face as a Software Product Manager. You will have the opportunity to share your experiences and learn from the insights of others as part of a Software Product Management
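Review bot: the new **Cloud** sub-grouping here (Breaking and Pwning Apps and Servers on AWS and Azure) duplicates the purpose of the top-level **Cloud** section carrying the `cloud` anchor earlier in this file, whose **AWS** sub-section is still empty; either move this training up there or add a pointer so readers find both. Minor: "guid[e]" is a bracketed correction of the project's own text; if the description is not a verbatim quote, just write "guide".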
@ -326,6 +336,8 @@
* [The case for case studies of programming problems - Marcia C. Linn, Michael J Clancy](https://dl.acm.org/doi/10.1145/131295.131301)
* [The Effect of Reading Code Aloud on Comprehension: An Empirical Study with School Students - Alaaeddin Swidan, Felienne Hermans](https://dl.acm.org/doi/10.1145/3300115.3309504)
* [Constructivism in computer science education - Mordechai Ben-Ari](https://dl.acm.org/doi/10.1145/274790.274308)
* **Problem Based Learning**
* [Problem-based learning - Wikipedia](https://en.wikipedia.org/wiki/Problem-based_learning)
* "[..] a student-centered pedagogy in which students learn about a subject through the experience of solving an open-ended problem found in trigger material. The PBL process does not focus on problem solving with a defined solution, but it allows for the development of other desirable skills and attributes."

+287 -92 Draft/Passwords.md

@ -1,53 +1,115 @@
# Password Bruting and Hashcracking
----------------------------------------------------
## Table of Contents
- [General](#general)
- [Making Better Passwords](#better)
- [BruteForce](#brute)
- [CAPTCHA](#captcha)
- [Password Auditing](#audit)
- [Default Credentials](#default)
- [Password Statistics](#stats)
- [Password Spraying](#spray)
- [Wordlist Generation](#wordlistgen)
- [Wordlists](#wordlists)
- [Cracking Passwords/Hashes](#crack)
- [CAPTCHA](#captcha)
- [John-the-Ripper](#jtr)
- [Hashcat](#hashcat)
- [Automating Hashcat](#hauto)
- [Hashcat Attacks](#hattack)
- [Hashcat Rules](#hrules)
- [Hashcat Tools](#htools)
- [App Specific Tools(as in single application focus)](#appt)
- [KeePass](#keepass)
- [MS Office](#msoffice)
- [PDFs](#pdf)
- [Zip Files](#zip)
- [General Cracking Tools](#generalt)
- [App Specific Tools](#appt)
- [Write-ups/Guides](#writeup)
- [Miscellaneous](#misc)
- [Wordlists](#wordlist)
- [Wordlist Generation](#)
- [Talks & Presentations](#)
- [Papers](#papers)
----------------------------------------------------
---------------------------
### Password Spraying <a name="spray"></a>
* **General**
* **Articles/Papers/Talks/Writeups**
* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 1 - Beau Bullock](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/)
* [Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 - Beau Bullock](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/)
* [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com](https://www.securenetworkinc.com/news/2017/7/16/brute-forcing-with-burp-pentesters-tips-tricks-week-1)
* **Tools**
* [brut3k1t](https://github.com/ex0dus-0x/brut3k1t)
* brute is a Python-based library framework and engine that enables security professionals to rapidly construct bruteforce / credential stuffing attacks. It features both a multi-purpose command-line application (brute), and a software library that can be used in tandem to quickly generate standalone module scripts for attack.
* **MS Outlook/Office365**
* **Articles/Papers/Talks/Writeups**
* **Tools**
* [MSOLSpray](https://github.com/dafthack/MSOLSpray)
* A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
* [SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit)
* Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
* **To-Do**
* Crackmeifyoucan contests
* Other contests
* Other stuff
---------------------------
### <a name="general"></a> General
* **101**
* **Account Validation**
* [Six Methods to Determine Valid User Accounts in Web Applications - Dave](https://whiteoaksecurity.com/blog/2019/2/11/six-methods-to-determine-valid-user-accounts-in-web-applications)
* **Articles/Papers/Talks/Writeups**
* [RockYou Wordlist Origin](https://en.wikipedia.org/wiki/RockYou#Data_breach)
* [How I fcame a password cracker](https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/)
* **BruteForce Tools**
* [Crowbar](https://github.com/galkan/crowbar)
* Crowbar is brute forcing tool that can be used during penetration tests. It is developed to support protocols that are not currently supported by thc-hydra and other popular brute forcing tools.
* **Password Spraying**
* [Th3 L@s7 0f u$: Analysis of Survival Password Genetics - @netmux](https://www.netmux.com/blog/survivor-password-hashes)
* [A cr4cking g00d time – 12 challenges. 1 cryptocurrency prize! - @stealthsploit](https://in.security/password-cracking-ctf/)
* [A cr4cking g00d time – walkthrough](https://in.security/a-cr4cking-g00d-time-walkthrough/)
* [Authentication Research Paper Index - PasswordResearch.com](http://www.passwordresearch.com/papers/pubindex.html)
* This project is an ongoing effort to compile and share a comprehensive, but curated, index of password and authentication related research produced by academic, industry, and government experts. We share the details of useful research, provide links to free copies of the papers (when possible), and encourage collaboration between authors and other security professionals.
* **Building a Hash Cracking Rig**
* [Why Most Passwords Suck - Brett Dewall(2019)](https://whiteoaksecurity.com/blog/2019/5/2/why-most-passwords-suck)
* [How To Build A Password Cracking Rig](https://www.netmux.com/blog/how-to-build-a-password-cracking-rig)
* **BruteForce**<a name="brute"></a>
* **Tools**
* [Crowbar](https://github.com/galkan/crowbar)
* Crowbar is brute forcing tool that can be used during penetration tests. It is developed to support protocols that are not currently supported by thc-hydra and other popular brute forcing tools.
* **CAPTCHA**<a name="captcha"></a>
* **Default Credentials**<a name="default"></a>
* [Web Application Defaults DB(2012)](https://github.com/pwnwiki/webappdefaultsdb)
* A DB of known Web Application Admin URLS, Username/Password Combos and Exploits
* [Web Application Defaults DB(2013)](https://github.com/pwnwiki/webappdefaultsdb)
* [Default Oracle Creds](http://www.petefinnigan.com/default/default_password_list.htm)
* **Password Analysis/Auditing**<a name="audit"></a>
* **101**
* [Validating the user password selection in Azure AD B2C by invoking Troy Hunt’s “Pwned Passwords” API - Rory Braybrook](https://medium.com/the-new-control-plane/validating-the-user-password-selection-in-azure-ad-b2c-by-invoking-troy-hunts-pwned-passwords-fbb044b26698)
* **Articles/Papers/Talks/Writeups**
* [Analyzing large password dumps with Elastic Stack and Python - Victor Pasknel(2018)](https://morphuslabs.com/analyzing-large-password-dumps-with-elastic-stack-and-python-cde7eb384f7)
* **Tools**
* **Active Directory**
* [Domain Password Audit Tool (DPAT)](https://github.com/clr2of8/DPAT)
* This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking. The report is an HTML report with clickable links.
* [Match-ADHashes](https://github.com/DGG-IT/Match-ADHashes)
* Builds a hashmap of AD NTLM hashes/usernames and iterates through a second list of hashes checking for the existence of each entry in the AD NTLM hashmap
* **General**
* [Cryptbreaker](https://github.com/Sy14r/Cryptbreaker)
* Upload files and use AWS Spot Instances to crack passwords. Using cloud capabilities you can even prevent plaintext credentials from leaving the isolated cracking box ensuring that you get usable statistics on passwords while minimizing plaintext credential exposure.
* **Password Generation**
* **Tools**
* [DPG](https://github.com/62726164/dpg)
* DPG is a deterministic password generator that does not store data or keep state. Its output is based purely on user input.
* [Password Guessing Framework](https://github.com/RUB-SysSec/Password-Guessing-Framework)
* The Password Guessing Framework is an open source tool to provide an automated and reliable way to compare password guessers. It can help to identify individual strengths and weaknesses of a guesser, its modes of operation or even the underlying guessing strategies. Therefor, it gathers information about how many passwords from an input file (password leak) have been cracked in relation to the amount of generated guesses. Subsequent to the guessing process an analysis of the cracked passwords is performed.
* **Password Strength/Usage Statistics**<a name="stats"></a>
* [Password Statistics - ldapwiki(2018)](https://ldapwiki.com/wiki/Password%20Statistics)
* [Authentication Statistic Index - PasswordResearch.com](http://www.passwordresearch.com/stats/statindex.html)
* This page offers an categorized index of useful and commonly requested authentication statistics. Want to see how your organization's password practices compare to others? Interested in targeting a topic for user awareness training? Find the statistics that interest you and click on the title to read the details.
* [A Study of Chinese Passwords - Sunnia Ye(2018)](https://medium.com/@ye.sunnia/an-analysis-of-chinese-passwords-e49b97b91919)
* [Analysing over 1M leaked passwords from the UK's biggest companies - passlo](https://www.passlo.com/blog/analysing-over-1m-leaked-passwords-from-the-uks-biggest-companies/)
* [Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic) - Nate Lord(2018)](https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic)
* [44 million Microsoft users reused passwords in the first three months of 2019 - Catalin Cimpanu(2019)]
* [Most hacked passwords revealed as UK cyber survey exposes gaps in online security](https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security)
* The NCSC's first 'UK cyber survey' published alongside global password risk list
* [Ranked: The World’s Top 100 Worst Passwords - Davey Winder(2019)](https://www.forbes.com/sites/daveywinder/2019/12/14/ranked-the-worlds-100-worst-passwords/#276122e169b4)
* **Password Spraying <a name="spray"></a>**
* **General**
* **Articles/Papers/Talks/Writeups**
* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 1 - Beau Bullock](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/)
* [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com](https://www.securenetworkinc.com/news/2017/7/16/brute-forcing-with-burp-pentesters-tips-tricks-week-1)
* **Tools**
* [brut3k1t](https://github.com/ex0dus-0x/brut3k1t)
* brute is a Python-based library framework and engine that enables security professionals to rapidly construct bruteforce / credential stuffing attacks. It features both a multi-purpose command-line application (brute), and a software library that can be used in tandem to quickly generate standalone module scripts for attack.
* **Linux**
* [Raining shells on Linux environments with Hwacha](https://www.n00py.io/2017/12/raining-shells-on-linux-environments-with-hwacha/)
* [Hwacha](https://github.com/n00py/Hwacha)
* Hwacha is a tool to quickly execute payloads on `*`Nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.
* **MS Outlook/Office365**
* **Articles/Papers/Talks/Writeups**
* [Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 - Beau Bullock](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/)
* **Tools**
* [MSOLSpray](https://github.com/dafthack/MSOLSpray)
* A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
* [SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit)
* Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
* **Windows**
* [Use PowerShell to Get Account Lockout and Password Policy](https://blogs.technet.microsoft.com/heyscriptingguy/2014/01/09/use-powershell-to-get-account-lockout-and-password-policy/)
* [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray)
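Review bot: the description under `[brut3k1t](https://github.com/ex0dus-0x/brut3k1t)` calls the tool `brute` ("brute is a Python-based library framework ...") while the link title says brut3k1t; use one name so the entry can be matched to the repository. Minor: the `` `*`Nix `` workaround in the Hwacha description renders the asterisk as a code span; a plain backslash escape (`\*Nix`) keeps it as ordinary text.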
@ -64,6 +126,8 @@
* **Articles/Writeups**
* [Generating Wordlists](http://netsec.ws/?p=457)
* [Weak in, Weak out: Keeping Password Lists Current - @NYXGEEK](https://www.trustedsec.com/blog/weak-in-weak-out-keeping-password-lists-current/)
* [Efficient Wordlists - Why you don't need 25GB To Be a Pro - Dimitri Fousekis(2015)](http://passwordresearch.com/papers/paper622.html)
* [Generating Custom Wordlists For Targeted Attacks - securethelogs(2019)](https://securethelogs.com/2019/05/25/generating-custom-wordlists-for-targeted-attacks/)
* **Source: From Nothing**
* [Creating Wordlists with Crunch](http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html)
* [weakpass_generator](https://github.com/nyxgeek/weakpass_generator)
@ -98,7 +162,15 @@
* **Modifying Wordlists**
* [HVAZARD Dictionary Modifier](https://github.com/MichaelDim02/Hvazard)
* Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
* **Wordlists** <a name="wordlists"></a>
* [duprule](https://github.com/0xbsec/duprule)
* Detect & filter duplicate hashcat rules
* [rurasort](https://github.com/bitcrackcyber/rurasort)
* This utility is used to help you streamline your worldlists by performing tasks on them. Note that output is made to STDOUT and you have to pipe data to where you want it to go. Usually to a file with > myfile.txt
* [cauldera](https://github.com/aaronjones111/cauldera)
* Distillations, expansions and riffs on Rocktastic Why cauldera? As potent as I've found rocktastic to be, and wickedly effective using PACK has been, I picture the gargantuon results of their combination to be a massive, simmering pool of doom. Like Yellowstone.
* [cudaMergeSort](https://github.com/epixoip/cudaMergeSort)
* cudaMergeSort is a highly parallel hybrid mergesort for sorting large files of arbitrary ASCII text (such as password cracking wordlists.) It is intended to be a fast replacement for sort(1) for large files. A parallel radix sort is performed on each chunk of the input file on GPU (complements of Thrust), while each chunk is merged in parallel on the host CPU. Only unique lines are merged, and cudaMergeSort is therefore directly analogous to performing sort -u on an ASCII text file.
* **Lists of Wordlists** <a name="wordlists"></a>
* [Probable-Wordlists](https://github.com/berzerk0/Probable-Wordlists)
* Wordlists sorted by probability originally created for password generation and testing
* [statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
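Review bot: two typos in the new tool descriptions: `worldlists` in the rurasort entry ("streamline your worldlists") should be `wordlists`, and `gargantuon` in the cauldera entry should be `gargantuan`. The rurasort line's `> myfile.txt` would be clearer in backticks so the redirect reads as a command fragment. The `<a name="wordlists"></a>` anchor now moves from `**Wordlists**` to `**Lists of Wordlists**`; check that the table of contents still points at the renamed heading.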
@ -117,6 +189,12 @@
* Passhunt is a simple tool for searching of default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.
* [Rocktastic: a word list on steroids - nettitude](https://labs.nettitude.com/blog/rocktastic/)
* [Commonspeak: Content discovery wordlists built with BigQuery - Shubham Shah](https://pentester.io/commonspeak-bigquery-wordlists/)
* [passphrase-wordlist](https://github.com/initstring/passphrase-wordlist)
* Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords
* [Google Fuzzing dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
* **Wordlist Tools**
* [HVAZARD Dictionary Modifier](https://github.com/MichaelDim02/Hvazard)
* Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
* **Other**
* [HashView](https://github.com/hashview/hashview)
* Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
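Review bot: the `**Wordlist Tools**` block added here re-lists `HVAZARD Dictionary Modifier` with the same URL and the same one-line description already present under `**Modifying Wordlists**` in this file; keep one copy, or merge the two headings. `[Google Fuzzing dictionaries]` is the only entry in this list without a description; a short line saying these are fuzzing dictionaries rather than password lists would tell readers why it sits in a password wordlist section.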
@ -125,6 +203,38 @@
* Password spraying using AWS Lambda for IP rotation
--------------------
### Cracking Hashes
* **Cracking Passwords/Hashes**<a name="crack"></a>
@ -133,6 +243,13 @@
/)
* Good introduction source to hash cracking.
* [Example hashes - hashcat.net](https://hashcat.net/wiki/doku.php?id=example_hashes)
* [A Practical Guide to Cracking Password Hashes - Matt Marx(2015)](https://labs.f-secure.com/archive/a-practical-guide-to-cracking-password-hashes/)
* [My password cracking brings all the hashes to the yard.. - Larry Pesce(Hackfest2015)](https://web.archive.org/web/20190926024106/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493862354.pdf)
* [Password Cracking 201: Beyond the Basics - Royce Williams(2017)](https://www.youtube.com/watch?v=cSOjQI0qbuU)
* [Slides](https://www.techsolvency.com/talks/2017-bsideslv/bslv17_ground1234_passwords-201-beyond-the-basics_royce-williams_2017-07-26.pdf)
* [Password Cracking – Here’s How the Pros Do It - Nick VanGilder(2018)](http://blog.cspire.com/password-cracking-heres-how-the-pros-do-it)
* [Let's Get Cracking: A Beginner's Guide to Password Analysis - Steve Tornio(2019)](https://blog.focal-point.com/lets-get-cracking-a-beginners-guide-to-password-analysis)
* [Hashcat: How to discard words of length less than N after rules have been applied? - StackExchange(2018)](https://security.stackexchange.com/questions/195682/hashcat-how-to-discard-words-of-length-less-than-n-after-rules-have-been-applie)
* **Reference**
* [List of hash types/examples](https://docs.google.com/file/d/0B0TzWBRmg5pWWUtxRTFMbFRRZzA/edit)
* [Password Recovery Speeds](http://www.lockdown.co.uk/?pg=combi)
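Review bot: the context line `/)` at the top of this hunk is a link closer split from its URL on the preceding line; check that line in the file, since a markdown link broken across lines will not render. The new `Hashcat: How to discard words of length less than N after rules have been applied?` entry is a StackExchange Q&A thread rather than an article, so it may fit better under `**Reference**` just below.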
@ -148,12 +265,25 @@
* [oclHashcat, HalfLM (netlm), and Bruteforcing the Second Half - jedge.com](http://www.jedge.com/wordpress/2014/01/oclhashcat-halflm-netlm-and-bruteforcing-the-second-half/)
* [Hashdumps and Passwords(2010-2014) - adeptus-mechanicus](http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php)
* [Statistics Will Crack Your Password - Julian Dunning](https://p16.praetorian.com/blog/statistics-will-crack-your-password-mask-structure)
* [ Unmasked: What 10 million passwords reveal about the people who choose them](https://wpengine.com/unmasked/)
* [A 9-step recipe to crack a NTLMv2 Hash from a freshly acquired .pcap - kimvb3r](https://research.801labs.org/cracking-an-ntlmv2-hash/)
* **Talks & Presentations**
* [Cracking Corporate Passwords Exploiting Password Policy Weaknesses - Minga Rick Redm - Derbycon2013](https://www.youtube.com/watch?v=qR-qRUbeKAo)
* [Unmasked: What 10 million passwords reveal about the people who choose them](https://wpengine.com/unmasked/)
* [Password cracking and auditing - DarthSidious](https://hunter2.gitbook.io/darthsidious/credential-access/password-cracking-and-auditing)
* [Estimating Password Cracking Times - BetterBuys(2016)](https://www.betterbuys.com/estimating-password-cracking-times/)
* **Talks/Videos/Presentations**
* [Cracking Corporate Passwords – Exploiting Password Policy Weaknesses - Rick Redman(Derbycon2013)](https://www.irongeek.com/i.php?page=videos/derbycon3/1301-cracking-corporate-passwords-exploiting-password-policy-weaknesses-minga-rick-redman)
* “Cracking corporate passwords is no different than cracking public MD5 leaks off of pastebin. Except, it totally is. Corporate passwords are not in the same formats you are used to, they require capital letters, numbers and/or special characters.“Cracking corporate passwords is no different than cracking public MD5 leaks off of pastebin. Except, it totally is. Corporate passwords are not in the same formats you are used to, they require capital letters, numbers and/or special characters. - How can we use this knowledge to our advantage?; - What sort of tricks are users doing when they think no one is looking?; - What other types of vulnerabilities is Password policy introducing?; - What patterns is password rotation policy creating?
* [PRINCE: modern password guessing algorithm - Jens Steube(2014)](https://web.archive.org/web/20200214080638/https://hashcat.net/events/p14-trondheim/prince-attack.pdf)
* [Tutorial - atom(2015)](https://web.archive.org/web/20200721235117/https://hashcat.net/forum/thread-3914.html)
* [Modeling Password Creation Habits with Probabilistic Context Free Grammars - Dr Matt Weir(BSidesLV2016)](https://www.youtube.com/watch?v=IjqjVduCB6k)
* [Slides](http://passwordresearch.com/papers/paper668.html)
* [Hashcat: GPU password cracking for maximum win - `_NSAKEY`(PhreakNIC 19)](https://www.youtube.com/watch?v=_QbVP1yh2YI)
* After briefly touching on the general concept of password cracking, the focus of the talk will be on the effectiveness of different attack modes in hashcat, with a heavy emphasis on rule-based attacks. While the name of the talk is “hashcat,†this talk will almost exclusively discuss the GPU-enabled versions (Specifically cudahashcat). The final phase of the talk will include the results of my own experiments in creating rule sets for password cracking, along with an analysis of the known plaintext passwords from the test hash list.
* [Slides](https://www.slideshare.net/_NSAKEY/hashcat-gpu-password-cracking-for-maximum-win-57720263)
* **Password Rulesets**
* [password_cracking_rule - notsosecure](https://github.com/NotSoSecure/password_cracking_rules)
* [Statistics Will Crack Your Password - Julian Dunning(2015)](https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure)
* [Hob0Rules Released: Statistics Based Password Cracking Rules - Julian Dunning(2016)](https://www.praetorian.com/blog/hob064-statistics-based-password-cracking-rules-hashcat-d3adhob0)
* [One Rule to Rule Them All - notsosecure(2017)](https://www.notsosecure.com/one-rule-to-rule-them-all/)
* [rulesfinder](https://github.com/synacktiv/rulesfinder)
* This tool finds efficient password mangling rules (for John the Ripper or Hashcat) for a given dictionary and a list of passwords.
* **Tools**
* [Hashtag](http://www.smeegesec.com/2013/11/hashtag-password-hash-identification.html)
* Password hash identification tool written in python
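Review bot: the blurb under the Rick Redman Derbycon talk is pasted twice: "...they require capital letters, numbers and/or special characters.“Cracking corporate passwords is no different..." repeats the whole opening passage with a stray opening quote, so trim it to one copy. The `_NSAKEY` talk description has a mis-encoded closing quote (`“hashcat,†`), which should read `“hashcat,”`. Also, `password_cracking_rule - notsosecure` and `One Rule to Rule Them All` under `**Password Rulesets**` are repeated under Rulesets in the new Hashcat Rules section later in this diff; one location is enough.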
@ -165,10 +295,15 @@
* MD5 Cracker
* [Cryptbreaker](https://github.com/Sy14r/Cryptbreaker)
* Upload files and use AWS Spot Instances to crack passwords. Using cloud capabilities you can even prevent plaintext credentials from leaving the isolated cracking box ensuring that you get usable statistics on passwords while minimizing plaintext credential exposure.
* [princeprocessor](https://github.com/hashcat/princeprocessor)
* Standalone password candidate generator using the PRINCE algorithm
* **Miscellaneous**
* **Cisco**
* [Cisco Password Cracking and Decrypting Guide - infosecmatter.com](https://www.infosecmatter.com/cisco-password-cracking-and-decrypting-guide/)
* In this guide we will go through Cisco password types that can be found in Cisco IOS-based network devices. We will cover all common Cisco password types (0, 4, 5, 7, 8 and 9) and provide instructions on how to decrypt them or crack them using popular open-source password crackers such as John the Ripper or Hashcat.
* **Windows**
* **Articles/Papers/Talks/Writeups**
* [Cracking NTLMv1 \w ESS/SSP - crack.sh]()https://crack.sh/cracking-ntlmv1-w-ess-ssp/
* [Cracking NTLMv1 \w ESS/SSP - crack.sh](https://crack.sh/cracking-ntlmv1-w-ess-ssp/)
* [LM, NTLM, Net-NTLMv2, oh my! A Pentester’s Guide to Windows Hashes- Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* **Tools**
* [Rainbow Crackalack v1.2](https://github.com/jtesta/rainbowcrackalack)
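Review bot: `\w` in the `Cracking NTLMv1 \w ESS/SSP - crack.sh` title should be `w/`, since markdown renders a backslash before a letter literally; the new line does correct the old one, where the URL sat outside the `()`. The `LM, NTLM, Net-NTLMv2, oh my! A Pentester’s Guide to Windows Hashes- Peter Gombos` entry is the same medium.com URL as the one added under `**NTLM**` in the next hunk; keep one of them (and add the missing space before the dash if this one stays).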
@ -176,62 +311,128 @@
* [Homepage](https://www.rainbowcrackalack.com/)
* [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi)
* This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
* **App Specific Tools(as in single application focus)**<a name="appt"></a>
* [crackxls2003 0.4](https://github.com/GavinSmith0123/crackxls2003)
* This program may be used to break the encryption on Microsoft Excel and Microsoft Word file which have been encrypted using the RC4 method, which uses a 40-bit-long key. This was the default encryption method in Word and Excel 97/2000/2002/2003. This program will not work on files encrypted using Word or Excel 2007 or later, or for versions 95 or earlier. It will not work if a file was encrypted with a non-default method. Additionally, documents created with the Windows system locale set to France may use a different encryption method.
* [mod0keecrack](https://github.com/devio/mod0keecrack)
* mod0keecrack is a simple tool to crack/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.
* **John the Ripper**
* [John the Ripper benchmarks - openwall](https://openwall.info/wiki/john/benchmarks)
* [John The Ripper Hash Formats - pentestmonkey](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
* **OCL/Hashcat** <a name="ocl"></a>
* **General**
* [OCL hashcat wiki](http://hashcat.net/wiki/)
* Its the Wiki
* **CAPTCHA**
* **Talks & Presentations**
* [Releasing the CAPTCHA Cracken - Sean Brodie, Tinus Green](https://labs.f-secure.com/blog/releasing-the-captcha-cracken/)
* **Tools**
* [CAPTCHA22](https://github.com/FSecureLABS/captcha22)
* CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks. These models can then be used to crack CAPTCHAs with a high degree of accuracy. When used in conjunction with other scripts, CAPTCHA22 gives rise to attack automation; subverting the very control that aims to stop it.
* **Cracking Specific Application Passwords/Hashes**<a name="appt"></a>
* **KeePass**<a name="keepass"></a>
* [mod0keecrack](https://github.com/devio/mod0keecrack)
* mod0keecrack is a simple tool to crack/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.
* **MS Office**<a name="msoffice"></a>
* [crackxls2003 0.4](https://github.com/GavinSmith0123/crackxls2003)
* This program may be used to break the encryption on Microsoft Excel and Microsoft Word file which have been encrypted using the RC4 method, which uses a 40-bit-long key. This was the default encryption method in Word and Excel 97/2000/2002/2003. This program will not work on files encrypted using Word or Excel 2007 or later, or for versions 95 or earlier. It will not work if a file was encrypted with a non-default method. Additionally, documents created with the Windows system locale set to France may use a different encryption method.
* **NTLM**
* [LM, NTLM, Net-NTLMv2, oh my! - Péter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* [A 9-step recipe to crack a NTLMv2 Hash from a freshly acquired .pcap - kimvb3r](https://research.801labs.org/cracking-an-ntlmv2-hash/)
* [How to Dump NTLM Hashes & Crack Windows Passwords - Tokyoneon](https://null-byte.wonderhowto.com/how-to/hacking-windows-10-dump-ntlm-hashes-crack-windows-passwords-0198268/)
* **PDF**<a name="pdf"></a>
* [PDFCrack](http://pdfcrack.sourceforge.net/)
* PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF-files. It is small, command line driven without external dependencies. The application is Open Source (GPL).
* **SAP**
* [SAP password hacking Part I: SAP BCODE hash hacking - saptechnicalguru.com](https://www.saptechnicalguru.com/sap-password-hacking-bcode/)
* This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
* [SAP password hash hacking Part II: SAP PASSCODE hash hacking](https://www.saptechnicalguru.com/sap-password-hacking-passcode/)
* [SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking](https://www.saptechnicalguru.com/sap-password-hash-hacking-pwdsaltedhash/)
* [SAP password hash hacking Part IV: rule based attack](https://www.saptechnicalguru.com/sap-password-hash-hacking-rulebased-attack/)
* **Wordpress**
* [Cracking WordPress Passwords with Hashcat - Jonas Lejon(2019)](https://blog.wpsec.com/cracking-wordpress-passwords-with-hashcat/)
* **WPA2**
* [WPA2 Cracking Using HashCat - rootsh3ll](https://rootsh3ll.com/wpa2-cracking/)
* **ZIP Archives**<a name="zip"></a>
* [Cracking ZIP files with fcrackzip - Allan Feid(2009)](https://allanfeid.com/content/cracking-zip-files-fcrackzip)
* [fcrackzip](https://github.com/hyc/fcrackzip)
* A braindead program for cracking encrypted ZIP archives. Forked from http://oldhome.schmorp.de/marc/fcrackzip.html
* **John the Ripper**<a name="jtr"></a>
* **101**
* [John the Ripper benchmarks - openwall](https://openwall.info/wiki/john/benchmarks)
* [John The Ripper Hash Formats - pentestmonkey](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
* [JTR Docs](https://www.openwall.com/john/doc/)
* **Rules**
* [KoreLogic Custom Rules(2010)](https://contest-2010.korelogic.com/rules.html)
* "KoreLogic used a variety of custom rules to generate the passwords. These _same_ rules can be used to crack passwords in corporate environments. These rules were originally created because the default ruleset for John the Ripper fails to crack passwords with more complex patterns used in corporate environments."
* **OCL/Hashcat** <a name="hashcat"></a>
* **101**
* [OCL hashcat](http://n0where.net/introduction-break-that-hash/)
* It’s OCL hashcat
* **Automating Hashcat**
* [OCL hashcat wiki](http://hashcat.net/wiki/)
* Its the Wiki
* [Hashcat FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions)
* **Articles/Blogposts/Writeups**
* [Password Analysis To Hashcat (PATH) script](https://tickorone.wordpress.com/2012/06/02/password-analysis-to-hashcat-path-script/)
* [Advanced Password Guessing: Hashcat techniques for the last 20%](https://www.yumpu.com/en/document/read/33666366/advanced-password-guessing-hashcat)
* **Automating Hashcat**<a name="hauto"></a>
* [Hate_Crack](https://github.com/trustedsec/hate_crack)
* A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
* [Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack](https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack)
* [HAT - Hashcat Automation Tool](https://github.com/sp00ks-git/hat)
* An automated Hashcat tool for common wordlists and rules to speed up the process of cracking hashes during engagements. HAT is simply a wrapper for Hashcat (with a few extra features) - https://hashcat.net, however I take no credit for that superb tool.
* **Hashcat Attacks**
* [Mask atttack](http://hashcat.net/wiki/doku.php?id=mask_attack)
* Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
* [Combinator attack](http://hashcat.net/wiki/doku.php?id=combinator_attack)
* Each word of a dictionary is appended to each word in a dictionary.
* [Dictionary attack](http://hashcat.net/wiki/doku.php?id=dictionary_attack)
* The dictionary attack is a very simple attack mode. It is also known as a “Wordlist attack”.
* [Fingerprint Attack](http://hashcat.net/wiki/doku.php?id=fingerprint_attack)
* The Fingerprint attack is a combination of the results of the expander with a combination engine. It is an automatically generated attack on pattern that works fine on GPGPU.
* [Hybrid attack](http://hashcat.net/wiki/doku.php?id=hybrid_attack)
* Basically, the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That's why it's called “hybrid”.
* [Mask attack](http://hashcat.net/wiki/doku.php?id=mask_attack)
* Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
* [Permutation attack[(http://hashcat.net/wiki/doku.php?id=permutation_attack)
* Each word in a dictionary generates all permutations of itself.
* [Rule Based attack](http://hashcat.net/wiki/doku.php?id=rule_based_attack)
* The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
* [Table Lookup attack](http://hashcat.net/wiki/doku.php?id=table_lookup_attack)
* With each word in our dictionary, it automatically generates masks as in a batch of Mask attack.
* [Toggle-Case attack](http://hashcat.net/wiki/doku.php?id=toggle_case_attack)
* For each word in a dictionary, all possible combinations of upper- and lower-case variants are generated.
* [OCLHashcat Hash Examples + hash code](https://hashcat.net/wiki/doku.php?id=example_hashes)
* **Hashcat Related Stuff**
* [Password Analysis To Hashcat (PATH) script](https://tickorone.wordpress.com/2012/06/02/password-analysis-to-hashcat-path-script/)
* [nsa-rules](https://github.com/NSAKEY/nsa-rules)
* Password cracking rules and masks for hashcat that I generated from cracked passwords.
* **Hashcat-related Tools**
* [Hashtopolis](https://github.com/s3inlc/hashtopolis)
* Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis's development are portability, robustness, multi-user support, and multiple groups management.
* **Hashcat Attacks**<a name="hattack"></a>
* **Types of**
* [Mask atttack](http://hashcat.net/wiki/doku.php?id=mask_attack)
* Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
* [Combinator attack](http://hashcat.net/wiki/doku.php?id=combinator_attack)
* Each word of a dictionary is appended to each word in a dictionary.
* [Dictionary attack](http://hashcat.net/wiki/doku.php?id=dictionary_attack)
* The dictionary attack is a very simple attack mode. It is also known as a “Wordlist attack”.
* [Fingerprint Attack](http://hashcat.net/wiki/doku.php?id=fingerprint_attack)
* The Fingerprint attack is a combination of the results of the expander with a combination engine. It is an automatically generated attack on pattern that works fine on GPGPU.
* [Hybrid attack](http://hashcat.net/wiki/doku.php?id=hybrid_attack)
* Basically, the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That's why it's called “hybrid”.
* [Mask attack](http://hashcat.net/wiki/doku.php?id=mask_attack)
* Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
* [Permutation attack[(http://hashcat.net/wiki/doku.php?id=permutation_attack)
* Each word in a dictionary generates all permutations of itself.
* [Rule Based attack](http://hashcat.net/wiki/doku.php?id=rule_based_attack)
* The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
* [Table Lookup attack](http://hashcat.net/wiki/doku.php?id=table_lookup_attack)
* With each word in our dictionary, it automatically generates masks as in a batch of Mask attack.
* [Toggle-Case attack](http://hashcat.net/wiki/doku.php?id=toggle_case_attack)
* For each word in a dictionary, all possible combinations of upper- and lower-case variants are generated.
* [Purple Rain Attack: Password Cracking With Random Generation - netmux](https://www.netmux.com/blog/purple-rain-attack)
* [OCLHashcat Hash Examples + hash code](https://hashcat.net/wiki/doku.php?id=example_hashes)
* **Performing**
* [How To Perform a Combinator Attack Using Hashcat - William Hurer-Mackay(2016)](https://www.4armed.com/blog/hashcat-combinator-attack/#)
* [How to Perform a Mask Attack Using hashcat - William Hurer-Mackay(2016)](https://www.4armed.com/blog/perform-mask-attack-hashcat/)
* [Hashcat Mask Attack - Sevenlayers](https://www.sevenlayers.com/index.php/287-hashcat-mask-attack)
* [How To Perform A Rule-Based Attack Using Hashcat - William Hurer-Mackay(2016)](https://www.4armed.com/blog/hashcat-rule-based-attack/)
* [Performing Rule Based Attack Using Hashcat - Shubhankar Singh](https://www.armourinfosec.com/performing-rule-based-attack-using-hashcat/)
* [Run All Rules for Hashcat - mubix(2020)](https://malicious.link/post/2020/run-all-rules-hashcat/)
* "This is just a quick script to demonstrate using PowerShell to run all the rules against a specific hash (or hash file), starting from the smallest file (usually the simplest rules)"
* [Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack](https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack)
* **Hashcat Masks**
* [Corporate_Masks](https://github.com/golem445/Corporate_Masks)
* 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting
* **Hashcat Rules**<a name="hrules"></a>
* **101**
* [Rule Based Attack - Hashcat Wiki](https://hashcat.net/wiki/doku.php?id=rule_based_attack)
* [Hashcat Tutorial – Rule Writing - LaconicWolf](https://laconicwolf.com/2019/03/29/hashcat-tutorial-rule-writing/)
* **Articles/Blogposts/Writeups**
* [How To Perform A Rule-Based Attack Using Hashcat - William Hurer-Mackay(2016)](https://www.4armed.com/blog/hashcat-rule-based-attack/)
* [An Explanation of Hashcat Rules - Kaotic Creations(2011)](https://kaoticcreations.blogspot.com/2011/09/explanation-of-hashcat-rules.html)
* [RevsUp Lab: Hashcat 06](https://www.cs.csub.edu/~melissa/revs-up/sum2018/polo/hashcat06.html)
* Rulesets
* [nsa-rules](https://github.com/NSAKEY/nsa-rules)
* Password cracking rules and masks for hashcat that I generated from cracked passwords.
* [Hob0Rules](https://github.com/praetorian-code/Hob0Rules)
* Password cracking rules for Hashcat based on statistics and industry patterns.
* [password_cracking_rule - notsosecure](https://github.com/NotSoSecure/password_cracking_rules)
* [One Rule to Rule Them All - ](https://www.notsosecure.com/one-rule-to-rule-them-all/)
* **Hashcat-related Tools**<a name="htools"></a>
* [CrackerJack](https://github.com/ctxis/crackerjack)
* Web Interface for Hashcat by Context Information Security
* **Tools** <a name="generalt"></a>
* **General**
* **Distributed Hash-Cracking**
* [Hashtopolis](https://github.com/s3inlc/hashtopolis)
* Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis's development are portability, robustness, multi-user support, and multiple groups management.
* [Automating Hashtopolis - EvilMog(NolaCon2019)](https://www.irongeek.com/i.php?page=videos/nolacon2019/nolacon-2019-c-04-automating-hashtopolis-evil-mog)
* [Cracklord](https://github.com/jmmcatee/cracklord)
* CrackLord is a system designed to provide a scalable, pluggable, and distributed system for both password cracking as well as any other jobs needing lots of computing resources. Better said, CrackLord is a way to load balance the resources, such as CPU, GPU, Network, etc. from multiple hardware systems into a single queueing service across two primary services: the Resource and Queue. It won't make these tasks faster, but it will make it easier to manage them.
* **Tools** <a name="generalt"></a>
* [Patator](https://github.com/lanjelot/patator)
* Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.
* [NPK](https://github.com/Coalfire-Research/npk)
* NPK is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3. It was designed for easy deployment and the intuitive UI brings high-power hash-cracking to everyone.
* [High-Power Hash Cracking with NPK - Brad Woodward(2019)](https://www.coalfire.com/The-Coalfire-Blog/March-2019/High-Power-Hash-Cracking-with-NPK)
* [Firefox password cracker](https://github.com/pradeep1288/ffpasscracker)
* [Dagon](https://github.com/Ekultek/Dagon)
* Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.
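Review bot: several structural slips in the reorganized Hashcat section. The heading `**Automating Hashcat**` appears directly after the `**101**` entries, above `[OCL hashcat wiki]` and `[Hashcat FAQ]`, and then again as `**Automating Hashcat**<a name="hauto"></a>` further down; the first looks like a leftover and should go, with the wiki and FAQ staying under 101. The new `**Hashcat Attacks**<a name="hattack"></a>` > `**Types of**` list carries over three defects from the old list: `Mask atttack` (typo), Mask attack listed twice (before Combinator and again after Hybrid), and `[Permutation attack[(http://hashcat.net/wiki/doku.php?id=permutation_attack)` with `[` where `]` is needed, so that link does not render. `[One Rule to Rule Them All - ]` under Rulesets has an empty author slot and is the same URL as the `notsosecure(2017)` entry in the Password Rulesets hunk above; `[How To Perform A Rule-Based Attack Using Hashcat - William Hurer-Mackay(2016)]` is listed under both `**Performing**` and `**Hashcat Rules**` > `**Articles/Blogposts/Writeups**`. `* Rulesets` is plain text while its sibling headings (`**101**`, `**Articles/Blogposts/Writeups**`) are bold. Finally, both `**Tools** <a name="generalt"></a>` lines and both `<a name="appt"></a>` lines are visible in this hunk; make sure only one of each survives the move, since duplicate anchor names break the TOC links.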
@ -243,18 +444,12 @@
* Breaking encrypted passwords has been of interest to hackers for a long time, and protecting them has always been one of the biggest security problems operating systems have faced, with Microsoft's Windows being no exception. Due to errors in the design of the password encryption scheme, especially in the LanMan(LM) scheme, Windows has a bad track in this field of information security. Especially in the last couple of years, where the outdated DES encryption algorithm that LanMan is based on faced more and more processing power in the average household, combined with ever increasing harddisk size, made it crystal clear that LanMan nowadays is not just outdated, but even antiquated.
* [Website Dedicated to Password Research](http://www.passwordresearch.com/papers/pubindex.html)
* A core objective of the Password Research Institute is to improve the industry awareness of existing authentication research. Many valuable solutions for the problems associated with authentication have gone unnoticed by the people interested in, or responsible for, authentication security. This project will compile and share a comprehensive, but moderated, index of password and authentication related research papers. We aim to share the details of useful papers, provide access to the papers, and encourage collaboration between authors and other security professionals.
* [When Privacy meets Security: Leveraging personal information for password cracking - M. Dürmuth,A. ChaabaneD. Perito,C. Castelluccia]()
* [When Privacy meets Security: Leveraging personal information for password cracking - M. Dürmuth,A. ChaabaneD. Perito,C. Castelluccia](https://arxiv.org/abs/1304.6584)
* Passwords are widely used for user authentication and, de- spite their weaknesses, will likely remain in use in the fore seeable future. Human-generated passwords typically have a rich structure , which makes them susceptible to guessing attacks. In this paper, we stud y the effectiveness of guessing attacks based on Markov models. Our contrib utions are two-fold. First, we propose a novel password cracker based o n Markov models, which builds upon and extends ideas used by Narayana n and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than a ll probabilistic password crackers we compared against. Second, we systematically analyze the idea that additional personal informatio n about a user helps in speeding up password guessing. We find that, on avera ge and by carefully choosing parameters, we can guess up to 5% more pas swords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually b ased on personal attributes. These passwords are clearly weaker an d should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to syst ematically study the relationship between chosen passwords and users’ personal in- formation. We test and validate our results over a wide colle ction of leaked password databases.
* [PassGAN](https://github.com/brannondorsey/PassGAN)
* This repository contains code for the [PassGAN: A Deep Learning Approach for Password Guessing paper](https://arxiv.org/abs/1709.00440). The model from PassGAN is taken from [Improved Training of Wasserstein GANs](https://arxiv.org/abs/1704.00028) and it is assumed that the authors of PassGAN used the [improved_wgan_training tensorflow](https://github.com/igul222/improved_wgan_training) implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train (train.py) and sample (sample.py) from.
* [Mnemonic Password Formulas](http://uninformed.org/?v=all&a=33&t=sumry)
* The current information technology landscape is cluttered with a large number of information systems that each have their own individual authentication schemes. Even with single sign-on and multi-system authentication methods, systems within disparate management domains are likely to be utilized by users of various levels of involvement within the landscape as a whole. Due to this complexity and the abundance of authentication requirements, many users are required to manage numerous credentials across various systems. This has given rise to many different insecurities relating to the selection and management of passwords. This paper details a subset of issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and finally introduces a new method for password management and recalls termed Mnemonic Password Formulas.
* **ZIP Archives**
* [Cracking ZIP files with fcrackzip - Allan Feid(2009)](https://allanfeid.com/content/cracking-zip-files-fcrackzip)
* [fcrackzip](https://github.com/hyc/fcrackzip)
* A braindead program for cracking encrypted ZIP archives. Forked from http://oldhome.schmorp.de/marc/fcrackzip.html
* [PDFCrack](http://pdfcrack.sourceforge.net/)
* PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF-files. It is small, command line driven without external dependencies. The application is Open Source (GPL).
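Review bot: PDFCrack is misfiled under the **ZIP Archives** sub-heading; it recovers PDF passwords, not ZIP ones, so it needs its own heading (for example **PDF Files**) rather than sitting under the fcrackzip entries. Two smaller points in the same hunk: the "When Privacy meets Security" entry appears twice in the rendered diff, once with an empty link target `()` and once with the arXiv link, so if both survive this change keep only the linked one and restore the missing comma in `A. ChaabaneD. Perito`; and the abstract pasted below it still carries PDF copy artifacts (`de- spite`, `fore seeable`, `stud y`, `contrib utions`, `a ll`, `in- formation`) that should be rejoined before merging. The fcrackzip description ("A braindead program for cracking encrypted ZIP archives") also says nothing about which ZIP encryption scheme it targets; one clause on that would save readers a failed run.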


+ 939
- 419
Draft/RT.md
File diff suppressed because it is too large
View File


+ 0
- 110
Draft/Securing Hardening_1/Securing Linux.txt View File

@ -1,110 +0,0 @@
Securing A Linux Desktop
This is currently a collection of pieces of advice relating to hardening Linux systems.
Index:
Quick Tips
Baseline Config
Web Browser
Tools
Guides
6 Quick tips that apply to all Linux desktops:
Disable every service that isn’t required
Close every port except one’s required to be in use.
Disable remote root login.
Do not run anything as root unless you must.
Change the default SSH port to a high non-standard port.
Keep your software and system up to date through its respective maintainers’ repositories.
General
Due to the large amount of variation in the Linux environment, a one-size fits all approach doesn’t really work. Because of this, I have listed some best practices and tools one can use to help in hardening their systems.
Baseline config
Creating a baseline Configuration
I suggest that you create a
Analyze attack surface
Analyzing the attack surface of a Linux machine:
Services
Checking running services:
Users
Checking current users on the system:
Firewall
Configuring a firewall:
Tools
Artillery.py
https://github.com/trustedsec/artillery
Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems. It's relatively simple, run ./setup.py and hit yes, this will install Artillery in /var/artillery and edit your /etc/init.d/rc.local to start artillery on boot up.
Why artillery?
It sets up multiple common ports that are attacked. If someone connects to these ports, it blacklists them forever (to remove blacklisted ip's, remove them from /var/artillery/banlist.txt)
It monitors what folders you specify, by default it checks /var/www and /etc for modifications.
It monitors the SSH logs and looks for brute force attempts.
It will email you when attacks occur and let you know what the attack was.
Bastille Linux
http://bastille-linux.sourceforge.net/index.html
Setting up Bastille Linux on your distro of choice:
http://bastille-linux.sourceforge.net/running_bastille_on.htm
Summary(From their “What is…”)
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works.
Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX. It also supports Mac OS X.
Bastille's focuses on letting the system's user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user's answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as inform the user as to which settings have been tightened.
Lynis
http://rootkit.nl/software/lynis/
From the above: Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks.
I would look at the documentation for more info on what it actually does.
Lynis Documentation:
http://cisofy.com/documentation/lynis/
Web Browser
Firefox
If you really need to be told what Firefox is, I don’t even. Iceweasel is firefox for intents and purposes relating to plugins.
https://www.mozilla.org/en-US/firefox/new/
Firefox Plugins
One of the beautiful things Firefox are the plugins, and the extra functionality added through them. The list below is my recommendations for securing your browser as well as controlling what information it sends out.
Adblock - Blocks ads. Ads are a large vector of attack due to the lack of verification within the advertising industry.
Link: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
Noscript - Allows for granular control of Javascript on pages.
Link: https://addons.mozilla.org/en-US/firefox/addon/noscript/
Request Policy - Control the HTTP requests made by your browser to 3rd party websites.
Link: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/
Self destructing cookies - Prevent tracking and abuse of session information.
Link: https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
HTTPS Everywhere - Forces sites when possible to use HTTPS encryption.
Link: https://www.eff.org/https-everywhere
Port Obfuscation
knockd
Description: knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Link: http://www.zeroflux.org/projects/knock/
Fwknop
Description: fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports iptables on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD) and libpcap.
Link: http://www.cipherdyne.org/fwknop/
Link to the technique: http://www.cipherdyne.org/blog/2012/09/single-packet-authorization-the-fwknop-approach.html
Encryption
Check the Encryption section of the overall guide for more information.
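Review bot: this hunk deletes the whole of Securing Linux.txt (`@ -1,110 +0,0 @@`) with no replacement visible anywhere in this diff, and the removed lines mix material that is still worth keeping with material that should go. Worth carrying over: the Lynis, Bastille, Artillery, knockd and fwknop/SPA pointers with their descriptions. Fine to drop: the unfinished stubs ("I suggest that you create a", and the empty "Checking running services:", "Checking current users on the system:" and "Configuring a firewall:" entries), the stale Firefox add-on list (Adblock Edge, Self Destructing Cookies), and "Change the default SSH port to a high non-standard port" listed among the "6 Quick tips" as if it were hardening rather than an obscurity measure. If the useful pointers were migrated into another page, say where in the commit; if not, move them before deleting the file rather than losing them together with the stubs.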