
fixes

pull/8/head
rmusser01 6 years ago
parent
commit
993e5dc8d9
10 changed files with 212 additions and 192 deletions
1. +44 -37 Draft/Exploit Development.md
2. +13 -13 Draft/Forensics Incident Response.md
3. +16 -16 Draft/Fuzzing Bug Hunting.md
4. +12 -12 Draft/Interesting Things Useful stuff.md
5. +18 -18 Draft/Malware.md
6. +20 -22 Draft/Privilege Escalation & Post-Exploitation.md
7. +41 -26 Draft/Reverse Engineering.md
8. +8 -8 Draft/System Internals Windows and Linux Internals Reference.md
9. +22 -22 Draft/Web & Browsers.md
10. +18 -18 Draft/Wireless Networks & RF.md

+44 -37 Draft/Exploit Development.md

@ -279,7 +279,7 @@ This will allow you to transfer EIP control to a specified offset within a file
###General Videos/Presentations(that aren't
### General Videos/Presentations(that aren't
[Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
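Review bot: the heading text "General Videos/Presentations(that aren't" is truncated in both the old and the new line; the parenthetical should be completed or dropped, and a space added before it, so the heading reads as a full title rather than a fragment.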
@ -292,7 +292,7 @@ This will allow you to transfer EIP control to a specified offset within a file
###<a name="general">General Techniques/ Tricks</a>
### <a name="general">General Techniques/ Tricks</a>
[Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
@ -313,7 +313,7 @@ This will allow you to transfer EIP control to a specified offset within a file
###<a name="oldsoft">Acquiring Old/Vulnerable Software</a>
### <a name="oldsoft">Acquiring Old/Vulnerable Software</a>
[Acquiring VMs of any Windows going back to XP to Windows 10](https://www.modern.ie/en-us/virtualization-tools#downloads)
@ -333,7 +333,7 @@ This will allow you to transfer EIP control to a specified offset within a file
###<a name="exploitdev">Exploit Development</a>
### <a name="exploitdev">Exploit Development</a>
[Compromise-as-a-Service: Our PleAZURE.](https://www.troopers.de/events/troopers14/49_compromise-as-a-service_our_pleazure/)
@ -383,7 +383,7 @@ I have tried to order the articles by technique and chronology.
###<a name="overflow">Buffer overflows:</a>
### <a name="overflow">Buffer overflows:</a>
-----------------
* [How to write buffer overflows, mudge, 1995](http://insecure.org/stf/mudge_buffer_overflow_tutorial.html)
* [Smashing the stack for fun and profit, Aleph One, 1996](http://www.phrack.com/issues.html?issue=49&id=14)
@ -402,7 +402,7 @@ I have tried to order the articles by technique and chronology.
###<a name="rop">Return-into-lib / Return oriented programming:</a>
### <a name="rop">Return-into-lib / Return oriented programming:</a>
----------------------------------------------
* [Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997](http://marc.info/?l=bugtraq&m=87602746719512)
*[More advanced ret-into-lib(c) techniques, Nergal, 2001](http://www.phrack.com/issues.html?issue=58&id=4)
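Review bot: the context line `*[More advanced ret-into-lib(c) techniques, Nergal, 2001](...)` has no space after the `*`, so it renders as a paragraph starting with a literal asterisk rather than a list item; since this hunk already touches the heading above it, change it to `* [More advanced ret-into-lib(c) techniques, Nergal, 2001](...)` in the same commit.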
@ -422,7 +422,7 @@ I have tried to order the articles by technique and chronology.
###<a name="heap">Heap exploitation:</a>
### <a name="heap">Heap exploitation:</a>
------------------
* [how2heap - shellphish](https://github.com/shellphish/how2heap)
* * A repository for learning various heap exploitation techniques.
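Review bot: `* * A repository for learning various heap exploitation techniques.` renders as a nested bullet under an empty bullet; the descriptions elsewhere in this file use a single `* ` under the link, so it should be `* A repository for learning various heap exploitation techniques.`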
@ -441,7 +441,7 @@ I have tried to order the articles by technique and chronology.
###<a name="format">Format string exploitation:</a>
### <a name="format">Format string exploitation:</a>
---------------------------
* [Exploiting format string vulnerabilities, scut / Team-TESO, 2001](http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf)
*[Advances in format string exploitation, gera, 2002](http://www.phrack.com/issues.html?issue=59&id=7)
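Review bot: `*[Advances in format string exploitation, gera, 2002](...)` is missing the space after the `*` and so does not render as a list item; it should be `* [Advances in format string exploitation, gera, 2002](...)`.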
@ -456,7 +456,7 @@ I have tried to order the articles by technique and chronology.
###<a name="int">Integer overflows:</a>
### <a name="int">Integer overflows:</a>
--------------
* [Big Loop Integer Protection, Oded Horovitz, 2002](http://www.phrack.com/issues.html?issue=60&id=9)
* [Basic Integer Overflows, blexim, 2002](http://www.phrack.com/issues.html?issue=60&id=10)
@ -473,7 +473,7 @@ I have tried to order the articles by technique and chronology.
###<a name="null">Null-ptr dereference:</a>
### <a name="null">Null-ptr dereference:</a>
---------------------
* [Large memory management vulnerabilities, Gael Delalleau, 2005](http://cansecwest.com/core05/memory_vulns_delalleau.pdf)
* [Exploiting the Otherwise Non-exploitable on Windows, skape, 2006](http://www.uninformed.org/?v=4&a=5&t=pdf)
@ -489,7 +489,7 @@ I have tried to order the articles by technique and chronology.
###<a name="jitspray">JIT-spray:</a>
### <a name="jitspray">JIT-spray:</a>
----------
* [Pointer inference and JIT-Spraying, Dion Blazakis, 2010](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010](http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf)
@ -502,7 +502,7 @@ I have tried to order the articles by technique and chronology.
###<a name="aslr"> ASLR:</a>
### <a name="aslr"> ASLR:</a>
* [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
* [Aslr Smack and Laugh Reference](www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf)
* [Advanced Buffer Overflow Methods](cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt)
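Review bot: the links `www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf` and `cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt` have no scheme, so markdown emits them as relative links inside this repository and they will 404; prefix both with `http://`. The new heading also keeps a stray leading space inside the anchor (`<a name="aslr"> ASLR:`), which should be `<a name="aslr">ASLR:</a>` to match the others.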
@ -537,7 +537,7 @@ I have tried to order the articles by technique and chronology.
###<a name="kernel">Kernel Exploitation</a>
### <a name="kernel">Kernel Exploitation</a>
------------------
*[Attacking the Core : Kernel Exploiting Notes](http://phrack.org/issues/64/6.html)
* [Much ado about NULL: Exploiting a kernel NULL dereference](https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting)
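Review bot: `*[Attacking the Core : Kernel Exploiting Notes](http://phrack.org/issues/64/6.html)` lacks the space after the `*`, so it will not render as a bullet; change it to `* [Attacking the Core : Kernel Exploiting Notes](...)`.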
@ -569,7 +569,7 @@ Other:
###<a name="shellcode">Writing Shellcode</a>
### <a name="shellcode">Writing Shellcode</a>
[Shellcoding for Linux and Windows Tutorial - Steve Hannah](http://www.vividmachines.com/shellcode/shellcode.html)
@ -594,7 +594,7 @@ Other:
###<a name="tutorials">Tutorials</a>
### <a name="tutorials">Tutorials</a>
[Bypassing All the Things](https://www.exodusintel.com/files/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf)
* Handholding through Vuln Discovery and Exploitation
@ -618,7 +618,13 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
*[Part 2](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii)
###<a name="bypass">Bypassing Exploit Protections/Mitigations</a>
### <a name="bypass">Bypassing Exploit Protections/Mitigations</a>
[Exploring Control-Flow-Guard in Windows10](http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf)
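Review bot: `*[Part 2](http://breaking.systems/...)` in the context above the heading is missing the space after `*` and will not render as a list item; it should be `* [Part 2](...)`.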
@ -688,7 +694,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
###<a name="obfus">Obfuscation</a>
### <a name="obfus">Obfuscation</a>
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
@ -705,7 +711,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
###<a name="armspec">ARM Specific</a>
### <a name="armspec">ARM Specific</a>
[armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
@ -724,7 +730,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
###<a name="linuxspec">Linux Specific</a>
### <a name="linuxspec">Linux Specific</a>
[Pool Blade: A new approach for kernel pool exploitation](https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/)
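Review bot: "Pool Blade: A new approach for kernel pool exploitation" sits under `Linux Specific`, but "kernel pool" is the Windows kernel allocator term; please check whether this entry belongs under `Windows Specific` instead.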
@ -752,7 +758,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
###<a name="winspec">Windows Specific</a>
### <a name="winspec">Windows Specific</a>
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
@ -801,7 +807,7 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
###<a name="antifuzz">Anti-Fuzzing</a>
### <a name="antifuzz">Anti-Fuzzing</a>
[Intro to Anti-Fuzzing](https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/]
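Review bot: the Anti-Fuzzing link closes with `]` instead of `)` (`...a-defence-in-depth-aid/]`), so it does not render as a link; replace the final `]` with `)`.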
@ -813,7 +819,7 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
###<a name="asm">Assembly(x86/x64/ARM)</a>
### <a name="asm">Assembly(x86/x64/ARM)</a>
[X86 Instruction Reference](Felixcoutier.com/x86)
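Review bot: `[X86 Instruction Reference](Felixcoutier.com/x86)` has no scheme, so it is emitted as a relative link into this repository; use a full `https://` URL and correct the domain, which is `felixcloutier.com` (the `l` is missing).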
@ -833,7 +839,7 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
###<a name="antidbg">Anti-Debugging</a>
### <a name="antidbg">Anti-Debugging</a>
[The Ultimate Anti-Debugging Reference(2011)](http://pferrie.host22.com/papers/antidebug.pdf)
* Good reference, though old.
@ -849,7 +855,7 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
###<a name="presentations">Presentations</a>
### <a name="presentations">Presentations</a>
[Unusual Bugs(23C3)](https://www.youtube.com/watch?v=qj79Qdmw0Pk)
* In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
@ -903,7 +909,7 @@ Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push
###<a name="decom">Decompilers & Disassemblers</a>
### <a name="decom">Decompilers & Disassemblers</a>
[Bokken](https://inguma.eu/projects/bokken)
* Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities. Currently Bokken is neither an hexadecimal editor nor a full featured disassembler YET, so it should not be used for deep code analysis or to try to modify files with it.
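Review bot: the Bokken description contains a doubled word, "Pyew has and and some of the Radare's ones"; drop one "and".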
@ -937,7 +943,7 @@ Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push
####<a name="debuggers">Debuggers</a>
#### <a name="debuggers">Debuggers</a>
[The Secret Lives of Debuggers - Lance Buttars - BSides SLC15](https://www.youtube.com/watch?v=V8trrmIsdb0)
* Binaries are files like any text file or a bitmap. They can be modified and changed.With some basic understanding of assembly language anyone can take a binary and modify its execution in a debugger and using a hex editor change how it executes. In this presentation I will cover the basics of binary manipulation and the use of debuggers to change program execution.
@ -996,7 +1002,7 @@ Metasploit
###<a name="papers">General Exploit Development Papers</a>
### <a name="papers">General Exploit Development Papers</a>
[Glibc Adventures: The Forgotten Chunks](http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf)
* Exploiting Glibc
@ -1034,7 +1040,7 @@ Metasploit
###<a name="writeups">Miscellaneous Exploit Writeups</a>
### <a name="writeups">Miscellaneous Exploit Writeups</a>
[MALLOC DES-MALEFICARUM - blackngel](http://phrack.org/issues/66/10.html)
@ -1048,8 +1054,6 @@ Metasploit
[Adventures in Xen Exploitation](https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/)
* "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)."
[Exploiting the DRAM rowhammer bug to gain kernel privileges](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)
* "Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
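Review bot: the Rowhammer description opens with a straight quote `"` and closes with a curly `”`, and its second line (`When run on a machine vulnerable ...`) has no `* ` prefix, so it falls out of the bullet and renders as a separate paragraph; join the two lines into one bullet (or prefix the second with `* `) and use matching quote characters.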
@ -1091,30 +1095,33 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
###<a name="findingvuln">Finding Vulnerabilities</a>
### <a name="findingvuln">Finding Vulnerabilities</a>
[Winmerge](http://winmerge.org/)
* WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
[Analyzing Common Binary Parser Mistakes](http://uninformed.org/?v=all&a=12&t=sumry)
* With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it all is unfortunate; no one cares enough. These bugs have been around for some time now, but have only recently gained media attention due to the large number of vulnerabilities being released. Researchers have been finding more elaborate and passive attack vectors for these bugs, some of which can even leverage a remote compromise.
Finding and analyzing Crash dumps
#### Finding and analyzing Crash dumps
[All the Ways to Capture a Crash Dump](http://blogs.msdn.com/b/pfedev/archive/2008/09/26/all-the-ways-to-capture-a-dump.aspx)
[Basic Debugging of an Application Crash](http://blogs.technet.com/b/askperf/archive/2007/05/29/basic-debugging-of-an-application-crash.aspx)
[Collecting User Mode Dumps](https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx)
####High Level Searching
#####Searching Github for vulnerable code/credentials
#### High Level Searching
##### Searching Github for vulnerable code/credentials
- [Blogpost](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
- [Code - Automated Tool](https://github.com/convisoappsec/research_github_hack/blob/master/github_hack.pl)
- [Cheatsheet](https://github.com/search#search_cheatsheet_pane)
- [Actual Search Page](https://github.com/search)
###Online Resources
### Online Resources
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.fi8ter8
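Review bot: the ropshell description ends with the stray fragment `fi8ter8` (`...(ROP) gadgets.fi8ter8`), which looks like accidental keystrokes; remove it. The new `### Online Resources` heading is also the only one in this section without an `<a name="...">` anchor, unlike `### <a name="findingvuln">Finding Vulnerabilities</a>` just above, so the TOC cannot link to it.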

+13 -13 Draft/Forensics Incident Response.md

@ -22,7 +22,7 @@
Better security - Mean time to detect/Mean time to respond
###CULL
### CULL
https://github.com/SekoiaLab/Fastir_Collector
http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf
@ -195,7 +195,7 @@ Volatility Framework
###<a name="talks">Presentations & Talks</a>
### <a name="talks">Presentations & Talks</a>
[Ways to Identify Malware on a System Ryan Irving](http://www.irongeek.com/i.php?page=videos/bsidestampa2015/201-ways-to-identify-malware-on-a-system-ryan-irving)
@ -204,7 +204,7 @@ Volatility Framework
###<a name="anti">Anti-Forensics</a>
### <a name="anti">Anti-Forensics</a>
Secure Deletion of Data from Magnetic and Solid-State Memory
@ -214,9 +214,9 @@ http://static.usenix.org/publications/library/proceedings/sec96/full_papers/gutm
###<a name="mobile">Mobile Device Forensics</a>
### <a name="mobile">Mobile Device Forensics</a>
####<a name="android">Android Forensics</a>
#### <a name="android">Android Forensics</a>
[Android Forensics class - OpenSecurity Training](http://opensecuritytraining.info/AndroidForensics.html)
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
@ -240,7 +240,7 @@ http://www.iosresearch.org/
###<a name="pdf">PDF Forensics</a>
### <a name="pdf">PDF Forensics</a>
http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/
@ -248,7 +248,7 @@ http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-st
###<a name="photo">Photo Forensics</a>
###< a name="photo">Photo Forensics</a>
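Review bot: the new line introduces a typo, `###< a name="photo">Photo Forensics</a>`, putting the space inside the tag instead of after the `###`; as written it is neither a valid heading nor a valid anchor. It should read `### <a name="photo">Photo Forensics</a>`, matching the other headings changed in this commit.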
@ -258,7 +258,7 @@ http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-st
* Exif Jpeg header manipulation tool
###<a name="tools">Tools:</a>
### <a name="tools">Tools:</a>
Ghiro
@ -270,13 +270,13 @@ Ghiro
###<a name="linux">Linux Forensics</a>
### <a name="linux">Linux Forensics</a>
###<a name="windows">Windows Forensics</a>
### <a name="windows">Windows Forensics</a>
####Windows Forensics Tools
#### Windows Forensics Tools
@ -335,7 +335,7 @@ What are the changes done on an AD between two points in time ?
Cull
#### Cull
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
@ -379,7 +379,7 @@ Cull
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
####Hacking Exposed - Automating DFIR Series
#### Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
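Review bot: the Part 1 link text ends with a dangling separator (`...python Part 1 - ](`), unlike Parts 2 and 3; remove the trailing ` - `.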


+16 -16 Draft/Fuzzing Bug Hunting.md

@ -1,4 +1,4 @@
##Fuzzing
## Fuzzing
TOC
@ -16,7 +16,7 @@ TOC
####sort
#### sort
[honggfuzz])(https://github.com/google/honggfuzz)
* Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw) http://google.github.io/honggfuzz/
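Review bot: `[honggfuzz])(https://github.com/google/honggfuzz)` has a stray `]` between the link text and the URL, so it does not render as a link; it should be `[honggfuzz](https://github.com/google/honggfuzz)`.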
@ -26,7 +26,7 @@ TOC
#### end sort
###General Writeups
### General Writeups
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* Is what it says on the tin.
@ -36,17 +36,17 @@ TOC
###<a name="tech">Techniques</a>
### <a name="tech">Techniques</a>
####Taint Analysis
#### Taint Analysis
[Taint analysis and pattern matching with Pin - Jonathan Salwan](http://shell-storm.org/blog/Taint-analysis-and-pattern-matching-with-Pin/)
###<a name="writeup">Writeups</a>
### <a name="writeup">Writeups</a>
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
@ -60,7 +60,7 @@ TOC
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[Smart COM Fuzzing - Auditing IE Sandbox Bypass in COM Objects• Xiaoning Li • Haifei Li](https://0b3dcaf9-a-62cb3a1a-s-sites.googlegroups.com/site/zerodayresearch/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects_final.pdf?attachauth=ANoY7crUl9OP1JfFa6KaCXsjVLjsNXDgUp1SmrZZAgGiPdp7MvUVnfg-FsuFvt7lfV5s3-kcK3K2uT05XMt6zUU_cP5WWQKxmKedjlQjvTZWdLyVZVcUMUrxUr5i68jpISP84HE0hihXOz7GtyWQG4gOtf-PXmcxmBf9KjYpVob08uR-62u2swlo396pKC0mSRrymia5PAakBFV9_0TbXGEhNVc101GIRdZ33C-j8DI6bIEYVlR1vG9jUKkfIcleu-rtjnJyDXD9FFBJwqxZsVOAUb9mcPvc4SZ04uefDvQwCDEg-C4I8eA%3D&attredirects=0)
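Review bot: the Smart COM Fuzzing URL carries a long `attachauth=` query parameter, a Google Sites per-request access token that is likely to stop working; link to the document without that parameter or to a stable copy. The `•` separators in the link text are also inconsistent with the ` - ` used by the other entries.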
@ -81,7 +81,7 @@ TOC
###<a name="presen">Presentations/Videos</a>
### <a name="presen">Presentations/Videos</a>
[The Best of Bug Finding - Duo Tech Talk (Charlie Miller)](https://www.youtube.com/watch?v=1M1EOzulQsw)
* I look at how security vulnerabilities are found (or missed) and some of my favorite bugs and exploits I’ve come across in my career.
@ -111,7 +111,7 @@ TOC
###<a name="books">Books</a>
### <a name="books">Books</a>
[*THE* Book on fuzzing](http://fuzzing.org/)
@ -120,9 +120,9 @@ TOC
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
####Windows Specific
#### Windows Specific
[WinAFL] (https://github.com/ivanfratric/winafl)
* A fork of AFL for fuzzing Windows binaries
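Review bot: `[WinAFL] (https://github.com/ivanfratric/winafl)` has a space between `]` and `(`, which breaks the markdown link; remove the space.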
@ -131,7 +131,7 @@ TOC
####Linux Specific
#### Linux Specific
[American Fuzzy Lop AFL](http://lcamtuf.coredump.cx/afl/)
* American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road.
* It was made by lcamtuf. What more do you need?
@ -141,12 +141,12 @@ TOC
####Android Specific
#### Android Specific
[MFFA - Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA)
####Non OS Specific
#### Non OS Specific
| **honggfuzz** - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage | https://github.com/google/honggfuzz
[Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
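Review bot: the honggfuzz line under `Non OS Specific` is still in a leftover table-row form (`| **honggfuzz** - ... | https://github.com/google/honggfuzz`) that will not render as a table without a header row, and it duplicates the honggfuzz entry in the `sort` section above; convert it to the `[name](url)` plus `* description` form used by the neighbouring entries and keep only one copy.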
@ -175,7 +175,7 @@ TOC
####Peach Fuzzer
#### Peach Fuzzer
* [Peach Documentation](http://old.peachfuzzer.com/Introduction.html)
* [Creating Custom Peach Fuzzer Publishers](http://blog.opensecurityresearch.com/2014/01/creating-custom-peach-fuzzer-publishers.html)
* [Creating Custom Peach Fuzzer Publishers](http://blog.opensecurityresearch.com/2014/01/creating-custom-peach-fuzzer-publishers.html)
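Review bot: the `Creating Custom Peach Fuzzer Publishers` bullet appears twice in a row with the same URL; delete the duplicate.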
@ -190,7 +190,7 @@ Fuzzing with Peach tutorial
###<a name="misc">Misc</a>
### <a name="misc">Misc</a>
[Good slides on fuzzing](https://courses.cs.washington.edu/courses/cse484/14au/slides/Section8.pdf)


+12 -12 Draft/Interesting Things Useful stuff.md

@ -1,15 +1,15 @@
##Interesting Things & Useful Stuff
TOC
* Interesting & Useful Attacks
* Interesting & Useful Papers
* Interesting & Useful Projects
* Interesting & Useful Software
* Interesting & Useful Write-ups
* [Interesting & Useful Attacks](#attacks)
* [Interesting & Useful Papers](#papers)
* [Interesting & Useful Projects](#projects)
* [Interesting & Useful Software](#software))
* [Interesting & Useful Write-ups](#writeup)
###General
### General
[Hamming - You and your research](https://www.youtube.com/watch?v=a1zDuOPkMSw)
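Review bot: `[Interesting & Useful Software](#software))` has a doubled closing parenthesis, leaving a stray `)` after the link. The file's top heading `##Interesting Things & Useful Stuff` is also left without the space after `##`, which is the exact inconsistency this commit fixes elsewhere, so it should become `## Interesting Things & Useful Stuff` in the same change.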
@ -205,7 +205,7 @@ http://www.regular-expressions.info/creditcard.html
QR Code interesting
http://datagenetics.com/blog/november12013/index.html
###Interesting Videos
### Interesting Videos
[Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S. - Charlie MIller](https://www.youtube.com/watch?v=4up0yTGlpaU)
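Review bot: `Charlie MIller` in the link text has a capitalisation typo; it should be `Charlie Miller`.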
@ -240,7 +240,7 @@ http://datagenetics.com/blog/november12013/index.html
###Interesting Attacks
### Interesting Attacks
[VM as injection payload ](http://infiltratecon.com/downloads/python_deflowered.pdf)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
@ -254,7 +254,7 @@ http://datagenetics.com/blog/november12013/index.html
###Interesting Software
### Interesting Software
[Foreign LINUX](https://github.com/wishstudio/flinux)
@ -283,14 +283,14 @@ http://datagenetics.com/blog/november12013/index.html
* hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.
###Interesting Hardware Projects
### Interesting Hardware Projects
[Digital Ding Dong Ditch](https://github.com/samyk/dingdong)
* Digital Ding Dong Ditch is a device to hack into and ring my best friend's wireless doorbell whenever I send a text message to the device. The best part of the device is that it causes my friend, without fail, to come outside, find no one, and go back in. In this project, we'll learn not only how to create this device, but how to reverse engineer radio frequencies we know nothing about using RTL-SDR (a ~$14 software defined radio), as well as creating hardware and software using Arduino, the Adafruit FONA (GSM/SMS/2G board), an RF (radio frequency) transmitter to transmit custom signals, and even how to reverse engineer a proprietary radio signal we know nothing about!
###Interesting Writeups
### Interesting Writeups
[Hacking the Source Engine](http://vallentinsource.com/hacking-source-engine)
@ -318,7 +318,7 @@ http://datagenetics.com/blog/november12013/index.html
[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))
###Interesting Papers
### Interesting Papers
[Wars Within](http://uninformed.org/?v=all&a=26&t=sumry)
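Review bot: the `/dev/tcp` link has its title pasted into the URL parentheses after the address (`...tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))`), which breaks the link; the target should be just `http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip`.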


+18 -18 Draft/Malware.md

@ -17,7 +17,7 @@ TOC
#####Sort
##### Sort
http://securityxploded.com/malware-analysis-training-reference.php
@ -31,11 +31,11 @@ http://www.exposedbotnets.com/?m=0
[Malware Guard Extension: Using SGX to Conceal Cache Attacks](https://arxiv.org/abs/1702.08719)
* In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.
#####END Sort
##### END Sort
###<a name="tutorial">Tutorials</a>
### <a name="tutorial">Tutorials</a>
[Malware Analysis Tutorials: a Reverse Engineering Approach - Dr Xiang Fu](https://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html)
@ -67,7 +67,7 @@ http://www.exposedbotnets.com/?m=0
###<a name="writeup">Writeups</a>
### <a name="writeup">Writeups</a>
[Escaping The Avast Sandbox Using A Single IOCTL](https://www.nettitude.co.uk/escaping-avast-sandbox-using-single-ioctl-cve-2016-4025)
@ -141,7 +141,7 @@ http://www.exposedbotnets.com/?m=0
###<a name="repository">Malware Repositories/Collecting & Obtaining Malware</a>
### <a name="repository">Malware Repositories/Collecting & Obtaining Malware</a>
[The Zoo](https://github.com/ytisf/theZoo)
* A repository of LIVE malwares for your own joy and pleasure
@ -164,7 +164,7 @@ Contagio/Contagio mobile
###<a name="mobile">Mobile Malware(General):</a>
### <a name="mobile">Mobile Malware(General):</a>
[A timeline of mobile botnets](https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-mobile-botnets)
* With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants.
@ -185,7 +185,7 @@ Contagio/Contagio mobile
###Android obfuscators
### Android obfuscators
[ProGuard](http://proguard.sourceforge.net/)
[DexGuard](http://www.saikoa.com/dexguard)
@ -200,7 +200,7 @@ Contagio/Contagio mobile
###Android De-obfuscators
### Android De-obfuscators
[De-hoser](https://github.com/strazzere/dehoser)
* Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header
@ -222,7 +222,7 @@ Contagio/Contagio mobile
###<a name="antivm">Anti-VM/Detecting VMs</a>
### <a name="antivm">Anti-VM/Detecting VMs</a>
* http://msdn.microsoft.com/en-us/library/aa394102%28v=vs.85%29.aspx
* http://msdn.microsoft.com/en-us/library/aa394077%28v=vs.85%29.aspx
@ -254,7 +254,7 @@ Contagio/Contagio mobile
###<a name="writeup">Malware Campaign Writeups</a>
### <a name="writeup">Malware Campaign Writeups</a>
[Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
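Review bot: this heading reuses the anchor name `writeup`, which `### <a name="writeup">Writeups</a>` earlier in the same file already uses; with duplicate `name` attributes a `#writeup` link can only ever reach the first one, so give this section a distinct anchor (for example `campaignwriteup`) and update the TOC entry that points to it.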
@ -290,7 +290,7 @@ Axiom Threat Actor Group Report
####FinFisher
####F inFisher
CodeandSec.com writeup:
[Part 1](https://www.codeandsec.com/FinFisher-Malware-Dropper-Analysis)
[Part 2](https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2)
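Review bot: the new line `####F inFisher` puts the space inside the word instead of after the `####`, so the heading is lost and the text "F inFisher" appears instead; it should be `#### FinFisher`.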
@ -302,7 +302,7 @@ CodeandSec.com writeup:
####Finspy
#### Finspy
[Hacking FinSpy - a Case Study - Atilla Marosi - [TROOPERS15]](https://www.youtube.com/watch?v=Mb4mfBi06K4)
@ -320,7 +320,7 @@ CodeandSec.com writeup:
###<a name="dynamic">Dynamic Malware Analysis</a>
### <a name="dynamic">Dynamic Malware Analysis</a>
[Zero Wine](http://zerowine.sourceforge.net/)
* Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.
@ -341,7 +341,7 @@ CodeandSec.com writeup:
####Setting up the Lab
#### Setting up the Lab
http://www.cybersquared.com/2012/06/malware-analysis-lab-a-fast-and-cost-effective-howto/
@ -368,7 +368,7 @@ http://www.cybersquared.com/2012/06/malware-analysis-lab-a-fast-and-cost-effecti
###<a name="encoder">Encoders/Packers/AV Evasion</a>
### <a name="encoder">Encoders/Packers/AV Evasion</a>
Use PEiD to id most packers/etc.
@ -437,7 +437,7 @@ PESpin
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
[WinMerge](http://winmerge.org/)
* WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
@ -540,7 +540,7 @@ Regshot is an open-source (LGPL) registry compare utility that allows you to qui
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[SubVirt: Implementing malware with virtual machines](http://web.eecs.umich.edu/virtual/papers/king06.pdf)
* We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine mon- itor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by soft- ware running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to sub- vert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a de- fense strategy suitable for protecting systems against this threat.
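Review bot: the SubVirt abstract still carries the PDF line-break hyphens (`mon- itor`, `soft- ware`, `sub- vert`, `de- fense`); join them to `monitor`, `software`, `subvert`, `defense`.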
@ -570,7 +570,7 @@ Duping the Machine: malware strategies, post sandbox detection
###<a name="other">Other</a>
### <a name="other">Other</a>
[Generate MS Office Macro Malware Script](https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1)
* Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method


+ 20
- 22
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -9,7 +9,7 @@
..* [Linux Post Exploitation](#linpost)
..* [OS X Post Exploitation](#osxpost)
..* [Windows Post Exploitation](#winpost)
..* [Grabbing Goodies](#grabbing}
..* [Grabbing Goodies](#grabbing)
..* [Gaining Awareness](#awareness)
* [Persistence Techniques](#persistence)
* [Pivoting](#pivot)
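Review bot: the `(#grabbing}` to `(#grabbing)` fix on the "Grabbing Goodies" TOC entry still leaves that link dangling, because the target heading later in this file is written `<a namee="grabbing">Grabbing Goodies</a>` and the misspelled `namee` attribute produces no anchor; fix the attribute to `name="grabbing"` in the same commit so the table-of-contents link actually resolves.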
@ -60,7 +60,7 @@ http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
###<a name="generalpriv">General Privilege Escalation</a>
### <a name="generalpriv">General Privilege Escalation</a>
[Execute ShellCode Using Python](http://www.debasish.in/2012/04/execute-shellcode-using-python.html)
* In this article I am going to show you, how can we use python and its "ctypes" library to execute a "calc.exe" shell code or any other shell code.
@ -74,7 +74,7 @@ http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
###<a name="linpriv">Privilege Escalation - Linux</a>
### <a name="linpriv">Privilege Escalation - Linux</a>
[Using the docker command to root the host (totally not a security issue)](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host)
* It is possible to do a few more things more with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.
@ -95,7 +95,7 @@ http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
[Chw00t: Breaking Unixes’ Chroot Solutions](https://www.youtube.com/watch?v=1A7yJxh-fyc)
###<a name="privescwin">Privilege Escalation - Windows</a>
### <a name="privescwin">Privilege Escalation - Windows</a>
[Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
@ -143,7 +143,7 @@ http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
###<a name="osxprivesc">Privilege Escalation - OS X</a>
### <a name="osxprivesc">Privilege Escalation - OS X</a>
[Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/)
* Works on 10.7 -> 10.10.2
@ -158,7 +158,7 @@ http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
###<a name="generalpost">General Post-Exploitation</a>
### <a name="generalpost">General Post-Exploitation</a>
[File Server Triage on Red Team Engagements](http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/)
@ -175,14 +175,14 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="linpost">Post-Exploitation Linux</a>
### <a name="linpost">Post-Exploitation Linux</a>
[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))
###<a name="winpost">Post-Exploitation Windows</a>
### <a name="winpost">Post-Exploitation Windows</a>
[Abusing Active Directory in Post-Exploitation](https://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
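Review bot: the unchanged context line `[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))` has the link title pasted a second time inside the URL parentheses, which breaks the rendered link; close the target right after `-tcpip`, i.e. `(http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip)`.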
@ -236,7 +236,7 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
####<a namee="grabbing">Grabbing Goodies</a>
#### <a namee="grabbing">Grabbing Goodies</a>
[Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
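Review bot: this hunk only fixes the heading spacing and keeps two defects on the lines it touches. `<a namee="grabbing">` is a misspelled attribute, so no `grabbing` anchor is emitted and the TOC link to it stays broken; change it to `<a name="grabbing">`. The following line `[Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/` is missing its closing `)`, so it does not render as a link.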
@ -271,7 +271,7 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
####<a name="awareness">Gaining Awarness</a>
#### <a name="awareness">Gaining Awarness</a>
[Veil-PowerView](https://github.com/Veil-Framework/Veil-PowerView)
* Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. It contains a set of pure-powershell replacements for various windows "net *" commands, which utilize powershell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
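Review bot: while the "Gaining Awarness" heading is being edited for spacing, fix the spelling too, `#### <a name="awareness">Gaining Awareness</a>`; the anchor name is already spelled correctly, only the visible text is wrong.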
@ -290,7 +290,7 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="persistence">Persistence Techniques</a>
### <a name="persistence">Persistence Techniques</a>
[Using Alternate Data Streams to Persist on a Compromised Machine](https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/)
[An Introduction to Backdooring Operating Systems for Fun and trolling - Defcon22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Nemus%20-%20An%20Introduction%20to%20Back%20Dooring%20Operating%20Systems%20for%20Fun%20and%20Trolling%20-%20Video%20and%20Slides.m4v)
@ -302,7 +302,7 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="winpersist">Windows</a>
### <a name="winpersist">Windows</a>
[Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
@ -340,7 +340,7 @@ Startup folder on Win8
###<a name="linpersist">Linux</a>
### <a name="linpersist">Linux</a>
Linux cron tab
@ -350,7 +350,7 @@ Linux cron tab
###<a name="osxpersist">OS X</a>
### <a name="osxpersist">OS X</a>
[What's the easiest way to have a script run at boot time in OS X? - Stack Overflow](https://superuser.com/questions/245713/whats-the-easiest-way-to-have-a-script-run-at-boot-time-in-os-x)
[Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015](http://www.securitytube.net/video/12428?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20SecurityTube%20%28SecurityTube.Net%29)
@ -360,7 +360,7 @@ Linux cron tab
###<a name="pivot">Pivoting:</a>
### <a name="pivot">Pivoting:</a>
[A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/#corporate-http-proxy-as-a-way-out)
@ -390,7 +390,7 @@ Linux cron tab
####<a name="pth">Pass-The-Hash</a>
#### <a name="pth">Pass-The-Hash</a>
[Pass-the-Hash is Dead: Long Live Pass-the-Hash](http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/)
[Still Passing the Hash 15 Years Later](http://passing-the-hash.blogspot.com/)
@ -411,15 +411,13 @@ Linux cron tab
[Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00)
##<a name="av">Avoiding/Bypassing Anti-Virus</a>
## <a name="av">Avoiding/Bypassing Anti-Virus</a>
[pecloak.py - An Experiment in AV evasion](http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
###<a name="kerberos">Kerberos Related</a>
### <a name="kerberos">Kerberos Related</a>
[Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades](https://www.irongeek.com/i.php?page=videos/derbycon4/t120-attacking-microsoft-kerberos-kicking-the-guard-dog-of-hades-tim-medin)
* Kerberos- besides having three heads and guarding the gates of hell- protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication.In this talk Tim will discuss his research on new attacks against Kerberos- including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems.He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
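Review bot: the bare line `http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/` directly under the `[pecloak.py - An Experiment in AV evasion](...)` entry is the same URL as the link above it and should be dropped rather than kept as a duplicate. Also worth checking the heading levels here: "Avoiding/Bypassing Anti-Virus" is `##` while its neighbours in this file are `###`, which makes "Kerberos Related" (`###`) render as a child of the AV section even though the two are unrelated.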
@ -427,6 +425,6 @@ http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
####<a name="exfil">Exfiltration</a>
#### <a name="exfil">Exfiltration</a>
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)

+ 41
- 26
Draft/Reverse Engineering.md View File

@ -9,7 +9,7 @@ https://en.wikipedia.org/wiki/Reverse_engineering
[What is Reverse Engineering?](http://www.program-transformation.org/Transform/DecompilationAndReverseEngineering)
[Introduction to Reverse Engineering Software](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
* This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.
* This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.
[Starting from Scratch?](http://www.reddit.com/r/ReverseEngineering/comments/smf4u/reverser_wanting_to_develop_mathematically/)
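Review bot: the removed and added lines for the "Introduction to Reverse Engineering Software" description are identical as rendered, so this is presumably a whitespace or invisible-character change (the `©` or a non-breaking space); since the commit message is just "fixes", a short note of what was actually changed would help anyone reading the history.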
@ -39,7 +39,12 @@ To be sorted
###To be sorted
### To be sorted
[PolyHook - x86/x64 Hooking Library](https://github.com/stevemk14ebr/PolyHook)
* Provides abstract C++ 11 interface for various hooking methods
* [Technical Writeup](https://www.codeproject.com/articles/1100579/polyhook-the-cplusplus-x-x-hooking-library)
[angr](http://angr.io/)
* angr is a python framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.
@ -51,6 +56,16 @@ http://stunnix.com/prod/cxxo/
[REhints MEX - WinDBG addons](https://github.com/REhints/WinDbg/tree/master/MEX)
[SyntaxHighlighter](http://alexgorbatchev.com/SyntaxHighlighter/)
* SyntaxHighlighter is a fully functional self-contained code syntax highlighter developed in JavaScript. To get an idea of what SyntaxHighlighter is capable of, have a look at the demo page.
[linguist](https://github.com/github/linguist)
* Language Savant. If your repository's language is being reported incorrectly, send us a pull request!
[Ohcount - Ohloh's source code line counter.](https://github.com/blackducksoftware/ohcount)
[Detecting programming language from a snippet](https://stackoverflow.com/questions/475033/detecting-programming-language-from-a-snippet)
[EasyHook] https://easyhook.github.io/
EasyHook makes it possible to extend (via hooking) unmanaged code APIs with pure managed functions, from within a fully managed environment on 32- or 64-bit Windows XP SP2, Windows Vista x64, Windows Server 2008 x64, Windows 7, Windows 8.1, and Windows 10.
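Review bot: the context line `[EasyHook] https://easyhook.github.io/` is not valid markdown link syntax (the URL sits outside the parentheses), so it renders as literal brackets; write it as `[EasyHook](https://easyhook.github.io/)` and consider indenting the description below it as a `* ` bullet like the surrounding entries.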
@ -69,7 +84,7 @@ EasyHook makes it possible to extend (via hooking) unmanaged code APIs with pure
https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one
[The Empire Strikes Back Apple how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
[The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
[A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony](https://eprint.iacr.org/2010/013)
@ -134,7 +149,7 @@ http://fileformats.archiveteam.org/wiki/PNG
[A Brief Examination of Hacking Teams Crypter: core-packer.](http://ethanheilman.tumblr.com/post/128708937890/a-brief-examination-of-hacking-teams-crypter)
[A Brief Examination of Hacking Team’s Crypter: core-packer.](http://ethanheilman.tumblr.com/post/128708937890/a-brief-examination-of-hacking-teams-crypter)
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](https://blog.lacklustre.net/posts/Blackbox_Reversing_an_Electric_Skateboard_Wireless_Protocol/)
@ -147,7 +162,7 @@ http://fileformats.archiveteam.org/wiki/PNG
* Kam1n0 is a scalable system that supports assembly code clone search. It allows a user to first index a (large) collection of binaries, and then search for the code clones of a given target function or binary file. Kam1n0 tries to solve the efficient subgraph search problem (i.e. graph isomorphism problem) for assembly functions. Given a target function (the middle one in the figure below) it can identity the cloned subgraphs among other functions in the repository (the ones on the left and the right as shown below). Kam1n0 supports rich comment format and has an IDA Pro plug-in to use its indexing and searching capabilities via IDA Pro.
[Reversing Prince Harmings Kiss of Death]( https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/)
[Reversing Prince Harming’s Kiss of Death]( https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/)
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
**Unicorn-Engine** - Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework. | http://www.unicorn-engine.org/
@ -169,7 +184,7 @@ https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
* This session is NOT about analyzing exploits but about learning to manipulate PDF contents. Among others:hide/reveal information; remove/add watermark; just suck less about the format. It's an extended session (2 hours) to leave the audience time to try by themselves actively. The slides' PDF is entirely hand-written to explain clearly each fact, so the presentation slides themselves will be the study materials.
###<a name="general">General Research/Stuff</a>
### <a name="general">General Research/Stuff</a>
[TAMPER (Tamper And Monitoring Protection Engineering Research)](http://www.cl.cam.ac.uk/research/security/tamper/)
* In the TAMPER Lab, we study existing security products, document how they have been penetrated in the past, develop new attack techniques, and try to forecast how newly available technologies will make it easier to bypass hardware security mechanisms. We then develop and evaluate new countermeasures and assist industrial designers in staying ahead of the game, most of all by giving them an advanced understanding of which attack techniques are most dangerous. We are especially interested in protection systems for mass-market applications, and in forensic applications.
@ -185,7 +200,7 @@ https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
Will sort to static/dynamic/OS specific
[Frida](http://www.frida.re/docs/home/)
@ -230,7 +245,7 @@ Reversing iOS/OS X http://newosxbook.com/forum/viewforum.php?f=8
####Binary Visualization Tools
#### Binary Visualization Tools
[binglide](https://github.com/wapiflapi/binglide)
* binglide is a visual reverse engineering tool. It is designed to offer a quick overview of the different data types that are present in a file. This tool does not know about any particular file format, everything is done using the same analysis working on the data. This means it works even if headers are missing or corrupted or if the file format is unknown.
@ -243,7 +258,7 @@ Reversing iOS/OS X http://newosxbook.com/forum/viewforum.php?f=8
* a powerful, dynamic, interactive binary visualization tool
####<a name="frameworks"Frameworks</a>
#### <a name="frameworks"Frameworks</a>
Radare2 - unix-like reverse engineering framework and commandline tools ](http://www.radare.org/y/?p=features)
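Review bot: the heading `#### <a name="frameworks"Frameworks</a>` is missing the `>` that closes the opening tag, on both the removed and the added line, so the anchor tag swallows the word "Frameworks" and the heading text disappears; it should read `#### <a name="frameworks">Frameworks</a>`. The Radare2 line just below it is also missing the opening `[` of its link, `Radare2 - unix-like reverse engineering framework and commandline tools ](http://www.radare.org/y/?p=features)`.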
@ -271,10 +286,10 @@ Radare2 - unix-like reverse engineering framework and commandline tools ](http:/
####<a name="dbg">Debuggers</a>
#### <a name="dbg">Debuggers</a>
[OllyDbg](http://www.ollydbg.de/)
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* [OllyDbg Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
[GDB - GNU Debugger](https://www.gnu.org/software/gdb/)
@ -308,7 +323,7 @@ Radare2 - unix-like reverse engineering framework and commandline tools ](http:/
* HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
* [Paper](http://roberto.greyhats.it/pubs/ase10.pdf)
####<a name="decom">Decompilers & Disassemblers</a>
#### <a name="decom">Decompilers & Disassemblers</a>
[Procyon - Java Decompiler](https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler)
@ -333,7 +348,7 @@ programming environment.
* Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risks. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument.
####<a name="ct">Comparison Tools</a>s
#### <a name="ct">Comparison Tools</a>s
[binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
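Review bot: the stray `s` after the closing tag in `#### <a name="ct">Comparison Tools</a>s` survives the spacing fix and renders as a visible "s" after the heading; drop it.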
@ -342,7 +357,7 @@ programming environment.
####<a name="lt">Linux Specific Tools</a>
#### <a name="lt">Linux Specific Tools</a>
[readelf](https://sourceware.org/binutils/docs/binutils/readelf.html)
* Unix Tool
@ -353,7 +368,7 @@ programming environment.
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
####<a name="wt">Windows Specific Tools</a>
#### <a name="wt">Windows Specific Tools</a>
[PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
@ -366,7 +381,7 @@ programming environment.
* pestudio is a tool that performs the static analysis of 32-bit and 64-bit Windows executable files. Malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
[DotPeek](http://www.jetbrains.com/decompiler/features/)
* dotPeek is a .NET decompiler that has several handy features. I haven’t used it much, and don’t do much in .NET so I can’t say if its a good one, only that I’ve had success in using it.
* dotPeek is a .NET decompiler that has several handy features. I haven’t used it much, and don’t do much in .NET so I can’t say if its a good one, only that I’ve had success in using it.
[API Monitor](http://www.rohitab.com/apimonitor)
* API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
@ -378,7 +393,7 @@ programming environment.
####<a name="pl">Programming Libraries</a>
#### <a name="pl">Programming Libraries</a>
[openreil](https://github.com/Cr4sh/openreil)
@ -400,7 +415,7 @@ programming environment.
###<a name="are">Anti-Reverse Engineering Techniques & Countermeasures</a>
### <a name="are">Anti-Reverse Engineering Techniques & Countermeasures</a>
[Anti-RE A collection of Anti-Reverse Engineering Techniques](http://pnx.tf/files/spring7_antire_plohmann_kannen.pdf)
@ -429,7 +444,7 @@ programming environment.
###<a name="hre">Hardware Reverse Engineering</a>
### <a name="hre">Hardware Reverse Engineering</a>
[Apple Lightning Reverse Engineered](http://ramtin-amin.fr/#tristar)
[Reverse Engineering Intels Management Engine](http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf)
@ -447,24 +462,24 @@ Hacking the Dropcam series
[Reverse Engineering: Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
###<a name="pa">Protocol Analysis & Related</a>
### <a name="pa">Protocol Analysis & Related</a>
[Netzob](http://www.netzob.org/)
* Originaly, the development of Netzob has been initiated to support security auditors and evaluators in their activities of modeling and simulating undocumented protocols. The tool has then been extended to allow smart fuzzing of unknown protocol.
* [Netzob Documentation](http://netzob.readthedocs.org/en/latest/overview/index.html)
###<a name="writeups">Writeups</a>
### <a name="writeups">Writeups</a>
[Reverse engineering radio weather station](http://blog.atx.name/reverse-engineering-radio-weather-station/)
[Introduction to Reverse Engineering Win32 Applications](http://uninformed.org/?v=all&a=7&t=sumry)
* During the course of this paper the reader will be (re)introduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of Windows Debugger (WinDBG). Throughout, WinMine will be utilized as a vehicle to deliver and demonstrate the functionality provided by WinDBG and how this functionality can be harnessed to aid the reader in reverse engineering native Win32 applications. Topics covered include an introductory look at IA-32 assembly, register significance, memory protection, stack usage, various WinDBG commands, call stacks, endianness, and portions of the Windows API. Knowledge gleaned will be used to develop an application designed to reveal and/or remove bombs from the WinMine playing grid.
[Somfy Smoove Origin RTS Protocol](https://pushstack.wordpress.com/somfy-rts-protocol/)
* This document describes the Somfy RTS protocol as used by the “Somfy Smoove Origin RTS”. Most information in this document is based on passive observation of the data send by the Smoove Origin RTS remote, and thus can be inaccurate or incorrect!
* This document describes the Somfy RTS protocol as used by the “Somfy Smoove Origin RTS�. Most information in this document is based on passive observation of the data send by the Smoove Origin RTS remote, and thus can be inaccurate or incorrect!
[ Reverse Engineering The eQSO Protocol](https://gist.github.com/anonymous/7a9d713e61ba990a3a17)
* Today I reverse engineered the eQSO protocol. If you didn't know, eQSO is a small program that allows radio amateurs to talk to each other online. Sadly this program isn't as popular as it used to be (Well, neither is the radio).
[You can ring my bell! Adventures in sub-GHz RF land](http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html)
[You can ring my bell! Adventures in sub-GHz RF land…](http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html)
Reverse engineering walk htrouhg; guy rev eng alarm system from shelf to replay
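Review bot: the rewritten Somfy Smoove line replaces the closing curly quote in `“Somfy Smoove Origin RTS”` with the U+FFFD replacement character, `“Somfy Smoove Origin RTS�`, which indicates the file was re-saved with a wrong encoding; restore the `”` (or use plain ASCII quotes throughout) and check the rest of this file for the same character. In the context below, `walk htrouhg` should be `walkthrough`.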
@ -486,13 +501,13 @@ Part 8: http://cybergibbons.com/uncategorized/reverse-engineering-a-wireless-bur
[Cyber Necromancy - Reverse engineering dead protocols - Defcamp 2014 ](https://www.youtube.com/watch?v=G0v2FO2Ru0w&index=6&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, its something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. Whats new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
[SATCOM Terminals Hacking by Air, Sea, and Land - Black Hat USA 2014](https://www.youtube.com/watch?v=tRHDuT__GoM)
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[Byteweight: Learning to Recognize Functions in Binary Code](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bao.pdf)
@ -532,7 +547,7 @@ informed, and determined reverser
###<a name="wikis">Wikis & Useful Sites</a>
### <a name="wikis">Wikis & Useful Sites</a>
[FCC ID Lookup](http://transition.fcc.gov/oet/ea/fccid/)
* Lookup devices according to FCC ID


+ 8
- 8
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -66,7 +66,7 @@ http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
#### End Sort
###<a name="general">General Internals</a>
### <a name="general">General Internals</a>
[C Function Call Conventions and the Stack](https://archive.is/o2nD5)
[The Anatomy of an Executable](https://github.com/mewrev/dissection)
@ -77,9 +77,9 @@ http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
###<a name="winref">Windows Reference</a>
### <a name="winref">Windows Reference</a>
###<a name="Winternals">Windows Internals</a>
### <a name="Winternals">Windows Internals</a>
[theForger's Win32 API Programming Tutorial](http://www.winprog.org/tutorial/)
@ -161,16 +161,16 @@ WinPrefetchView is a small utility that reads the Prefetch files stored in your
####<a name="kerberos">Kerberos Related</a>
#### <a name="kerberos">Kerberos Related</a>
[Kerberos Delegation, SPNs and More...](https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more)
###<a name="linux">Linux General</a>
### <a name="linux">Linux General</a>
###<a name="linux">Linux Internals</a>
### <a name="linux">Linux Internals</a>
[linux-insides](https://www.gitbook.com/book/0xax/linux-insides/details)
* A series of posts about the linux kernel. The goal is simple - to share my modest knowledge about the internals of the linux kernel and help people who are interested in the linux kernel, and other low-level subject matter.
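Review bot: both `### <a name="linux">Linux General</a>` and `### <a name="linux">Linux Internals</a>` declare the same `name="linux"` anchor, so any TOC link to `#linux` can only reach the first one; give the second heading a distinct anchor (for example `name="lininternals"`, my suggestion) and update the TOC entry that points at it. The same hunk also leaves "Linux General" as an empty section with no entries.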
@ -284,7 +284,7 @@ Linux Filesystem infographic
###<a name="ARM">ARM References</a>
### <a name="ARM">ARM References</a>
@ -299,7 +299,7 @@ Linux Filesystem infographic
###<a name="osx">OS X Internals</a>
### <a name="osx">OS X Internals</a>
[Instruments - OS X system analysis](https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/InstrumentsUserGuide/Introduction/Introduction.html)
* Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.


+ 22
- 22
Draft/Web & Browsers.md View File

@ -45,7 +45,7 @@
####To-add
#### To-add
Java Serialization papers/stuff
@ -161,7 +161,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
###<a name="javascript">JavaScript</a>
### <a name="javascript">JavaScript</a>
[JSDetox](http://relentless-coding.org/projects/jsdetox/info)
* JSDetox is a tool to support the manual analysis of malicious Javascript code.
@ -169,7 +169,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
####<a name="encode">De/Encoders</a>
#### <a name="encode">De/Encoders</a>
[Unphp.net php decoder](http://www.unphp.net/decode/)
@ -183,7 +183,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
###<a name="edu">Educational</a>
### <a name="edu">Educational</a>
[Intro to content Security Policy](www.html5rocks.com/en/tutorials/security/content-security-policy/)
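Review bot: the context line `[Intro to content Security Policy](www.html5rocks.com/en/tutorials/security/content-security-policy/)` has no URL scheme, so markdown renders it as a relative link under the repository's own path and it 404s; prefix it with `https://`.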
@ -201,7 +201,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
###<a name="generalt">General Tools</a>
### <a name="generalt">General Tools</a>
[ParrotNG](https://github.com/ikkisoft/ParrotNG/releases)
* ParrotNG is a Java-based tool for automatically identifying vulnerable SWF files, built on top of swfdump. One JAR, two flavors: command line tool and Burp Pro Passive Scanner Plugin.
@ -239,7 +239,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
###<a name="brute">Brute Force/Fuzzing</a>
### <a name="brute">Brute Force/Fuzzing</a>
[Dirbuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
* DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
@ -286,7 +286,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###Site/Webapp Scanners
### Site/Webapp Scanners
[skipfish](https://code.google.com/p/skipfish/)
* Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
@ -305,7 +305,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="webproxy">Web Proxies</a>
### <a name="webproxy">Web Proxies</a>
[Burpsuite](http://portswigger.net/burp/)
* Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
@ -334,7 +334,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="shells">Web Shells</a>
### <a name="shells">Web Shells</a>
[Weevely](https://github.com/epinna/weevely3)
* Weevely is a command line web shell dinamically extended over the network at runtime used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.
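Review bot: "dinamically" in the Weevely description context line is a typo for "dynamically"; since this hunk is already a whitespace-only heading fix, it is a good place to fold that spelling correction in.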
@ -352,12 +352,12 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="generalencode">General Encoders/Decoders</a>
### <a name="generalencode">General Encoders/Decoders</a>
###<a name="nonwriteup">Non-Attack Writeups</a>
### <a name="nonwriteup">Non-Attack Writeups</a>
[Security and Open Redirects Impact of 301-ing people in 2013](https://makensi.es/rvl/openredirs/#/)
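Review bot: after this change the `### <a name="generalencode">General Encoders/Decoders</a>` heading is still immediately followed by the `Non-Attack Writeups` heading with no entries under it; either add the intended links or drop the empty heading so the in-page anchor `#generalencode` does not point at an empty section.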
@ -376,7 +376,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="checklist">Securing Web Applications/Checklists</a>
### <a name="checklist">Securing Web Applications/Checklists</a>
[Center for Internet Security Apache Server 2.4 Hardening Guide](https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_2.4_Benchmark_v1.1.0.pdf)
@ -404,7 +404,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="waf">Web Application Firewalls</a>
### <a name="waf">Web Application Firewalls</a>
[ModSecurity](https://github.com/SpiderLabs/ModSecurity)
@ -424,7 +424,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="writeups">Web Application Attack Write-ups</a>
### <a name="writeups">Web Application Attack Write-ups</a>
[Hacking with Pictures - Syscan2015](http://www.slideshare.net/saumilshah/hacking-with-pictures-syscan-2015)
@ -445,7 +445,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="lrfi">LFI & RFI</a>
### <a name="lrfi">LFI & RFI</a>
[LFI Local File Inclusion Techniques (paper)](http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/)
* This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
@ -459,7 +459,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
###<a name="xss">XSS</a>
### <a name="xss">XSS</a>
[Writing an XSS Worm](http://blog.gdssecurity.com/labs/2013/5/8/writing-an-xss-worm.html)
[3 Types of XSS](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting)
@ -479,7 +479,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
##(NO)SQL Injection
## (NO)SQL Injection
[SQL Injection Cheat Sheet](http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/)
[PostgreSQL Pass The Hash protocol design weakness](https://hashcat.net/misc/postgres-pth/postgres-pth.pdf)
@ -531,7 +531,7 @@ Secondary channel extraction
###<a name="atkb"Attacking Browsers</a>
### <a name="atkb"Attacking Browsers</a>
[White Lightning Attack Platform](https://github.com/TweekFawkes/White_Lightning/tree/master/var/www)
[BeEF Browser Exploitation Framework](http://beefproject.com/
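Review bot: the `### <a name="atkb"Attacking Browsers</a>` heading is still malformed after this change: the opening `<a>` tag is missing its closing `>` after `name="atkb"`, so the anchor never renders and any link to `#atkb` will not resolve; it should read `### <a name="atkb">Attacking Browsers</a>`. The following context line `[BeEF Browser Exploitation Framework](http://beefproject.com/` is also missing its closing `)`, so it renders as literal text rather than a link.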
@ -557,7 +557,7 @@ Secondary channel extraction