
Added content/Set up TOC Links

Reference table will be broken for a bit.
pull/4/head
Robert 8 years ago
parent
commit
a639d1a410
62 changed files with 1688 additions and 1653 deletions
  1. +0 -0  Draft/Draft/Anonymity Opsec Privacy.md
  2. +2 -1  Draft/Draft/Attacking Defending Android -.md
  3. +2 -0  Draft/Draft/BIOS UEFI Attacks Defenses.md
  4. +0 -0  Draft/Draft/Basic Security Informd.md
  5. +14 -11  Draft/Draft/CTFs & Wargamd.md
  6. +40 -33  Draft/Draft/Cheat sheets reference pages Checklists -.md
  7. +0 -0  Draft/Draft/Conference Video Archives Stuff -.md
  8. +8 -12  Draft/Draft/Counter Surveillance.md
  9. +4 -0  Draft/Draft/Courses & Training -.md
  10. +68 -61  Draft/Draft/Cryptography & Encryption.md
  11. +20 -14  Draft/Draft/Darknets -.md
  12. +2 -2  Draft/Draft/Data AnalysisVisualization.md
  13. +9 -2  Draft/Draft/Disinformd.md
  14. +11 -10  Draft/Draft/Documd.md
  15. +35 -40  Draft/Draft/Emd.md
  16. +22 -16  Draft/Draft/Exfiltration.md
  17. +115 -96  Draft/Draft/Exploit Developmd.md
  18. +1 -1  Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
  19. +251 -54  Draft/Draft/Forensics Incident Response.md
  20. +0 -271  Draft/Draft/Forensics Incident Response/add cull.txt
  21. +5 -1  Draft/Draft/Framd.md
  22. +0 -0  Draft/Draft/Frameworks Methodologies/Metasploit Reference.txt
  23. +0 -0  Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt
  24. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
  25. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt
  26. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
  27. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf
  28. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt
  29. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt
  30. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt
  31. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt
  32. +0 -0  Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt
  33. +0 -0  Draft/Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt
  34. +22 -34  Draft/Draft/Fuzzing Bug Hunting.md
  35. +0 -0  Draft/Draft/Homd.md
  36. +15 -7  Draft/Draft/Honeypots -.md
  37. +11 -1  Draft/Draft/Interesting Things Useful stuff.md
  38. +37 -43  Draft/Draft/Malware.md
  39. +186 -37  Draft/Draft/Network Attacks & Defenses.md
  40. +0 -0  Draft/Draft/Network Attacks & Defenses/Getting Busy at the Command Line.txt
  41. +0 -53  Draft/Draft/Network Recon and Enumeration.md
  42. +0 -169  Draft/Draft/Network Recon and Enumeration/Tools.txt
  43. +38 -21  Draft/Draft/Network Security Monitoring & Logging.md
  44. +27 -27  Draft/Draft/Password Bruting and Hashcracking.md
  45. +19 -7  Draft/Draft/Phishing.md
  46. +39 -39  Draft/Draft/Privilege Escalation & Post-Exploitation.md
  47. +44 -22  Draft/Draft/Programmd.md
  48. +41 -41  Draft/Draft/Reverse Engineering.md
  49. +17 -19  Draft/Draft/Rootkits.md
  50. +1 -1  Draft/Draft/Sandboxes.md
  51. +21 -33  Draft/Draft/Securing Hardening.md
  52. +5 -1  Draft/Draft/Simd.md
  53. +16 -8  Draft/Draft/Social Engineering.md
  54. +15 -0  Draft/Draft/Sysadmd.md
  55. +0 -6  Draft/Draft/Sysadmin Stuff.md
  56. +0 -171  Draft/Draft/System Internals Windows and Linux Internals Reference.md
  57. +306 -0  Draft/Draft/Systemd.md
  58. +16 -132  Draft/Draft/To Do/add cull -1.txt
  59. +0 -15  Draft/Draft/Tor.md
  60. +3 -0  Draft/Draft/Various purpiose based OS's.md
  61. +126 -38  Draft/Draft/Web & Browsers.md
  62. +74 -103  Draft/Draft/Wireless Networks & RF.md

Draft/Draft/Anonymity Opsec Privacy -.md → Draft/Draft/Anonymity Opsec Privacy.md


+2 -1  Draft/Draft/Attacking Defending Android -.md

@ -89,7 +89,8 @@ http://nelenkov.blogspot.com
[ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)
[Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)
[Android Pattern Lock Cracker](https://github.com/sch3m4/androidpatternlock)
* A little Python tool to crack the Pattern Lock on Android devices
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
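Review bot: the two new entries are inconsistent with each other: the Pattern Lock Cracker gets a `* ` description bullet, but the PatchDroid link (a .pdf under mulliner.org/collin/academic/publications) gets none, so a reader scanning the list cannot tell it is a paper rather than a tool. Add a one-line bullet under it in the same style, e.g. `* Paper on delivering third-party security patches to Android devices`.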


+2 -0  Draft/Draft/BIOS UEFI Attacks Defenses.md

@ -14,6 +14,8 @@ Writeups
###Cull
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[CHIPSEC module that exploits UEFI boot script table vulnerability](https://github.com/Cr4sh/UEFI_boot_script_expl)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
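Review bot: `Breaking IPMI/BMC` is filed under `###Cull` in a file named `BIOS UEFI Attacks Defenses`, but IPMI/BMC is out-of-band server management, not the system firmware this file covers; either move it to a sysadmin or network file or give it a bullet explaining why it belongs here. Both added lines also lack the `* ` description bullet used elsewhere in the repo; for the CHIPSEC entry (repo name `UEFI_boot_script_expl`), a note that it is an exploit module rather than a detection check would help readers decide whether to run it on a production host.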


Draft/Draft/Basic Security Information.md → Draft/Draft/Basic Security Informd.md


Draft/Draft/CTFs & Wargames -.md → Draft/Draft/CTFs & Wargamd.md


+40 -33  Draft/Draft/Cheat sheets reference pages Checklists -.md

@ -2,24 +2,31 @@
TOC
Cull
General
Android
iOS
Linux
OS X
Windows
Exploitation
Exploit Dev
Metasploit
Forensics/IR
Malware
Reverse Engineering
Web
Databases
* Cull
* [General](#General)
* [ASM(x86/64/ARM)](#ASM)
* [Android](#Android)
* [iOS](#ios)
* [Linux](#Linux
* [OS X](#OSX)
* [Windows](#Windows)
* [Exploitation](#Exploitation)
* [Exploit Dev](#Exploit)
* [Metasploit](#Metasploit)
* [Forensics/IR](#For)
* [Malware](#Malware)
* [Reverse Engineering](#RE)
* [Web](#Web)
* [Databases](#DB)
CULL
[Radare2 Cheat sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md)
[How to Suck at Information Security](https://zeltser.com/suck-at-security-cheat-sheet/)
[Windows Privilege Escalation Cheat Sheet/Tricks](http://it-ovid.blogspot.fr/2012/02/windows-privilege-escalation.html)
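Review bot: `* [Linux](#Linux` is missing its closing parenthesis, so the Linux entry renders as literal text rather than a link. `* Cull` is the only TOC entry without a link; either point it at the `CULL` heading below or drop it from the TOC. Minor: anchor case is mixed (`#ios` against `#Android`, `#OSX`, `#Windows`); it works as long as each `name` matches, but `name` attributes are case-sensitive, so one convention would make future mismatches easier to spot.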
@ -31,7 +38,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###General Cheat Sheets
###<a name="General">General Cheat Sheets</a>
[Tips for Troubleshooting Human Communications](https://zeltser.com/human-communications-cheat-sheet/)
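Review bot: the heading is written `###<a name="General">...</a>` with no space after the hashes; CommonMark-style renderers require a space between `#` and the heading text, so these lines may render as plain paragraphs instead of headings. `### <a name="General">...</a>` (the form the Metasploit heading later in this file already uses) is safe in both styles. The same applies to every heading converted in this commit.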
@ -44,7 +51,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###x86/64/ARM
###<a name="ASM">x86/64/ARM</a>
[x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
@ -56,19 +63,19 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###Android Cheat Sheets
###<a name="Android">Android Cheat Sheets</a>
[Android ADB cheat sheet](https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true)
###iOS Cheat Sheets
###<a name="ios">iOS Cheat Sheets</a>
###Linux Cheat Sheets
###<a name="Linux">Linux Cheat Sheets</a>
[Linux Syscall Table](http://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html)
* Complete listing of all Linux Syscalls
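Review bot: the new iOS heading is immediately followed by the Linux heading, so the iOS section (and its TOC entry) points at nothing; either add the iOS cheat sheets here or leave the heading and TOC entry out until there is content.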
@ -76,13 +83,13 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###Windows Cheat Sheets
###<a name="Windows">Windows Cheat Sheets</a>
[Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
###Exploitation Cheat Sheets
###<a name="Exploitation">Exploitation Cheat Sheets</a>
[Linux - Breaking out of shells](https://highon.coffee/docs/linux-commands/#breaking-out-of-limited-shells)
@ -94,14 +101,14 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###Exploit Dev Cheat Sheets
###<a name="Exploitation">Exploit Dev Cheat Sheets</a>
[x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
### Metasploit Cheat Sheets
### <a name="Metasploit">Metasploit Cheat Sheets</a>
[Metasploit 4.2 documentation](https://community.rapid7.com/docs/DOC-1751)
[MSF Payload Cheat Sheet](http://aerokid240.blogspot.com/2009/11/msfpayload-goodness-cheatsheet.html)
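Review bot: the Exploit Dev heading is given `name="Exploitation"`, the same anchor the Exploitation heading in the previous hunk already uses, while the TOC links Exploit Dev to `#Exploit`; the TOC link therefore has no target and `#Exploitation` resolves to whichever heading comes first. Rename this one to `name="Exploit"` to match the TOC. Minor: `### <a name="Metasploit">` has a space after the hashes while the other headings in this file have none.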
@ -111,7 +118,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
[Tips & Tricks](https://en.wikibooks.org/wiki/Metasploit/Tips_and_Tricks)
###Forensics/IR Cheat Sheets
###<a name="For">Forensics/IR Cheat Sheets</a>
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
@ -127,9 +134,14 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###<a name="Malware">Malware Cheat Sheet</a>
[Reverse Engineering Malware Cheat Sheet](https://zeltser.com/reverse-malware-cheat-sheet/)
[Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
###Reverse Engineering Cheat Sheets
###<a name="RE">Reverse Engineering Cheat Sheets</a>
[Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md
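Review bot: the Radare2 cheat sheet is now listed twice, in `CULL` near the top of the file and again here under Reverse Engineering, and the second copy `[Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md` has no closing parenthesis. Keep one copy, with the parenthesis.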
@ -142,14 +154,9 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###Malware Cheat Sheet
[Reverse Engineering Malware Cheat Sheet](https://zeltser.com/reverse-malware-cheat-sheet/)
[Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
###Web Cheat Sheets
###<a name="Web">Web Cheat Sheets</a>
[WebAppSec Testing Checklist](http://tuppad.com/blog/wp-content/uploads/2012/03/WebApp_Sec_Testing_Checklist.pdf)
@ -169,7 +176,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###Database Cheat Sheets
###<a name="DB">Database Cheat Sheets</a>
[Checklist for mongodb](http://blog.mongodirector.com/10-tips-to-improve-your-mongodb-security/
)
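Review bot: the mongodb entry has its closing `)` on the line after the URL; a line break inside a link destination breaks the link in most renderers, so join `[Checklist for mongodb](http://blog.mongodirector.com/10-tips-to-improve-your-mongodb-security/)` onto one line.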

Draft/Draft/Conference Videos Stuff -.md → Draft/Draft/Conference Video Archives Stuff -.md


+8 -12  Draft/Draft/Counter Surveillance.md

@ -2,15 +2,11 @@
I am not a professional and may be a twelve year old child. Be wary.
ToC
Cull
Guides/Write-ups
Papers
Videos
####ToC
* Cull
* [Guides/Write-ups](#guides)
* [Videos/Presentations](#videos)
* [Papers](#papers)
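Review bot: the TOC heading is `####ToC` (level 4) while the sections it indexes use `###` (level 3), so the index sits one level below the headings it points to; use `###` here as well. `* Cull` is also the only entry without a link, unlike the three below it.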
@ -23,7 +19,7 @@ Videos
###Guides/Write-ups
###<a name="guides">Guides/Write-ups</a>
Detecting Surveillance - Spiderlabs blog
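Review bot: `Detecting Surveillance - Spiderlabs blog` is the first entry under the new Guides anchor but is bare text with no link, unlike every other entry in the file; add the URL in the usual `[title](url)` form.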
@ -35,7 +31,7 @@ Detecting Surveillance - Spiderlabs blog
###Videos
###<a name="videos">Videos</a>
[Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
@ -50,7 +46,7 @@ Detecting Surveillance - Spiderlabs blog
###Papers
###<a name="papers">Papers</a>
[Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
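Review bot: typo in the context line under the new Papers anchor: "from asecurity perspective" should be "from a security perspective"; worth fixing while this section is being touched.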


+4 -0  Draft/Draft/Courses & Training -.md

@ -46,6 +46,10 @@ BVWA
###General Sources/Repository of Classes
[Hackr.io](http://hackr.io/)
* Share and discover the best programming tutorials and courses online.
[Open Security Training](www.opensecuritytraining.info)
Udemy
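Review bot: `[Open Security Training](www.opensecuritytraining.info)` has no scheme, so markdown treats the destination as a relative path and the link resolves under the repository page rather than to the site; use `http://www.opensecuritytraining.info`. `Udemy` is added as bare text with neither link nor description, which does not fit a list of linked sources; link it or drop it.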


+68 -61  Draft/Draft/Cryptography & Encryption.md

@ -1,142 +1,149 @@
##Cryptography
#####TOC
Learning/Courses
Books
Papers
Software
Writeups
* [General Information](#general)
* [Learning/Courses](#learn
* [Writeups](#write)
* [Blogposts/Misc](#blog)
* [Presentations](#presentation)
* [Papers](#papers)
* [Software](#soft)
* [Stenography](#steno)
* [Tools](#tools)
* [Books](#books)
###Cull
###Cull
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
http://www.tau.ac.il/~tromer/acoustic/
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
https://crypto.is/blog/
[HiVE — Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)
[Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
###<a name="general">General Information</a>
[HashID](https://github.com/psypanda/hashID)
* hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
[Widespread Weak Keys in Network Devices](https://factorable.net/)
[quipqiup](http://quipqiup.com/)
* quipqiup is a fast and automated cryptogram solver by Edwin Olson. It can solve simple substitution ciphers often found in newspapers, including puzzles like cryptoquips (in which word boundaries are preserved) and patristocrats (inwhi chwor dboun darie saren t).
###<a name="learn">Courses</a>:
Coursera Cryptography
[Matsano Crypto Challenges](Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
###<a name="write">Writeups</a>
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption](https://eprint.iacr.org/2014/309)
* Abstract: We revisit the question of constructing secure general-purpose indistinguishability obfuscation (iO), with a security reduction based on explicit computational assumptions over multi- linear maps. Previous to our work, such reductions were only known to exist based on meta- assumptions and/or ad-hoc assumptions: In the original constructive work of Garg et al. (FOCS 2013), the underlying explicit computational assumption encapsulated an exponential family of assumptions for each pair of circuits to be obfuscated. In the more recent work of Pass et al. (Crypto 2014), the underlying assumption is a meta-assumption that also encapsulates an exponential family of assumptions, and this meta-assumption is invoked in a manner that captures the specific pair of circuits to be obfuscated. The assumptions underlying both these works substantially capture (either explicitly or implicitly) the actual structure of the obfuscation mechanism itself. In our work, we provide the first construction of general-purpose indistinguishability obfuscation proven secure via a reduction to a natural computational assumption over multilinear maps, namely, the Multilinear Subgroup Elimination Assumption. This assumption does not depend on the circuits to be obfuscated (except for its size), and does not correspond to the underlying structure of our obfuscator. The technical heart of our paper is our reduction, which gives a new way to argue about the security of indistinguishability obfuscation.
###<a name="blogs">Blogposts/Misc(doesnt explicitly fit in other sections)</a>
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
[Decrypto](http://sourceforge.net/projects/decrypto/)
* In DeCrypto you will find a collection of scripts for helping decrypt messages.\
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
[A Messy State of the Union: Taming the Composite State Machines of TLS](https://www.smacktls.com/smack.pdf)
* Abstract —Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes and key exchange methods, where each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that can correctly multiplex between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years (they are now in the process of being patched). We argue that these vulnerabilities stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
###<a name="presentation">Presentations/Talks</a>
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
[RELIC](https://github.com/relic-toolkit/relic)
* RELIC is a modern cryptographic meta-toolkit with emphasis on efficiency and flexibility. RELIC can be used to build efficient and usable cryptographic toolkits tailored for specific security levels and algorithmic choices.
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
###<a name="papers">Papers</a>
[Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs](http://www.tau.ac.il/~tromer/handsoff/)
* We demonstrated physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels and are based on the observation that the "ground" electric potential in many computers fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
[java-aes-crypto (Android class)](https://github.com/tozny/java-aes-crypto)
* A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
[Why does cryptographic software fail? A case study and open problems](http://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf)
* Abstract: Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.
[RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](http://www.tau.ac.il/~tromer/acoustic/)
* Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
[keyCzar](http://www.keyczar.org/)
* Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
[A Messy State of the Union: Taming the Composite State Machines of TLS](https://www.smacktls.com/smack.pdf)
* Abstract —Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes and key exchange methods, where each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that can correctly multiplex between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years (they are now in the process of being patched). We argue that these vulnerabilities stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
[RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](http://www.tau.ac.il/~tromer/acoustic/)
* Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption](https://eprint.iacr.org/2014/309)
* Abstract: We revisit the question of constructing secure general-purpose indistinguishability obfuscation (iO), with a security reduction based on explicit computational assumptions over multi- linear maps. Previous to our work, such reductions were only known to exist based on meta- assumptions and/or ad-hoc assumptions: In the original constructive work of Garg et al. (FOCS 2013), the underlying explicit computational assumption encapsulated an exponential family of assumptions for each pair of circuits to be obfuscated. In the more recent work of Pass et al. (Crypto 2014), the underlying assumption is a meta-assumption that also encapsulates an exponential family of assumptions, and this meta-assumption is invoked in a manner that captures the specific pair of circuits to be obfuscated. The assumptions underlying both these works substantially capture (either explicitly or implicitly) the actual structure of the obfuscation mechanism itself. In our work, we provide the first construction of general-purpose indistinguishability obfuscation proven secure via a reduction to a natural computational assumption over multilinear maps, namely, the Multilinear Subgroup Elimination Assumption. This assumption does not depend on the circuits to be obfuscated (except for its size), and does not correspond to the underlying structure of our obfuscator. The technical heart of our paper is our reduction, which gives a new way to argue about the security of indistinguishability obfuscation.
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
###<a name="software">Software</a>
[Widespread Weak Keys in Network Devices](https://factorable.net/)
###<a name="steno">Stenography</a>
http://www.tau.ac.il/~tromer/acoustic/
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[imagejs](https://github.com/jklmnn/imagejs)
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
[Real-time Steganography with RTP](http://uninformed.org/?v=all&a=36&t=sumry)
* Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials.
[Why does cryptographic software fail? A case study and open problems](http://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf)
* Abstract: Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.
https://crypto.is/blog/
###<a name="tools">Tools</a>
[Matsano Crypto Challenges](Cryptopals.co)
[Cryptographic Implementations Analysis Toolkit (CIAT)](http://ciat.sourceforge.net/)
* The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
[Simple crypto tools](http://rumkin.com/tools/)
[keyCzar](http://www.keyczar.org/)
* Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
[Decrypto](http://sourceforge.net/projects/decrypto/)
* In DeCrypto you will find a collection of scripts for helping decrypt messages.\
[Cryptographic Implementations Analysis Toolkit (CIAT)](http://ciat.sourceforge.net/)
* The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
[RELIC](https://github.com/relic-toolkit/relic)
* RELIC is a modern cryptographic meta-toolkit with emphasis on efficiency and flexibility. RELIC can be used to build efficient and usable cryptographic toolkits tailored for specific security levels and algorithmic choices.
[quipqiup](http://quipqiup.com/)
* quipqiup is a fast and automated cryptogram solver by Edwin Olson. It can solve simple substitution ciphers often found in newspapers, including puzzles like cryptoquips (in which word boundaries are preserved) and patristocrats (in which word boundaries aren't).
[HashID](https://github.com/psypanda/hashID)
* hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[HiVE — Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)
###Books:
###<a name="">Books</a>:
Cryptography Engineering
Applied Cryptography
###Courses:
Coursera Cryptography
Matsano Crypto Challenges
Go through a series of increasingly difficult challenges while learning all about cryptography.
Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
http://cryptopals.com/
###Stenograhpy
[imagejs](https://github.com/jklmnn/imagejs)
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
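Review bot: the Tools list carries `[Cryptographic Implementations Analysis Toolkit (CIAT)](http://ciat.sourceforge.net/)` twice with the identical description, and the Books heading is emitted twice (`###Books:` and `###<a name="">Books</a>:`) with the second one's anchor name left empty, so no TOC entry can link to it; keep one CIAT entry and one Books heading with a real anchor such as `<a name="books">`. Smaller points in the same hunk: `[Matsano Crypto Challenges](Cryptopals.co)` has no scheme and will render as a relative link (the same site is listed again under Courses as `http://cryptopals.com/`), the Decrypto description line ends in a stray backslash, `###Stenograhpy` is misspelled (Steganography), and the imagejs entry appears twice in this hunk.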

+ 20
- 14
Draft/Draft/Darknets -.md View File

@ -6,22 +6,26 @@
[For Darknet Noobs](https://www.reddit.com/r/DarkNetMarketsNoobs)
ToC
#####ToC
Cull
General
Darknets
Discussions
Ordering
Markets/Sites/Wikis
Tools
* [General](#general)
* [Darknets](#darknets)
* [Discussions](#discussion)
* [Ordering](#ordering)
* [Markets/Sites/Wikis](#markets)
* [Tools](#tools)
Cull
http://www.deepdotweb.co/
Site list: (NO CP)
http://belsec.skynetblogs.be/deepnet-the-tor-onion-directory-of-things-that-work-today.html
Tor Search Engine
https://ahmia.fi/address/skunksworkedp2cg
Tor black-market-related arrests](http://www.gwern.net/Black-market%20arrests#evolution)
* I compile a table and discussion of all known arrests and prosecutions related to Tor-Bitcoin black-markets such as Silk Road 1, along with discussion of how they came to be arrested.
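Review bot: the entry `Tor black-market-related arrests](http://www.gwern.net/Black-market%20arrests#evolution)` is missing its opening `[`, so it will not render as a link; prefix it with `[`. The TOC rewrite itself is consistent: each `#anchor` target (`general`, `darknets`, `discussion`, `ordering`, `markets`, `tools`) matches an `<a name=...>` heading added later in this file, though the `Markets/Sites/Wikis` section it points to currently has no entries.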
@ -31,7 +35,9 @@ http://www.deepdotweb.co/
###General
###<a name="general">General</a>
* Don't think that because information posted here is valid/trustworthy. This is a dumping spot for my personal reference. This does not mean that markets/sites I post are legit/safe.
[Touring the Darkside of the Internet. An Introduction to Tor - Defcon22](https://www.youtube.com/watch?v=To5yarfAg_E)
[Darknet Dictionary ](http://www.deepdotweb.co/2014/03/02/deepdotwebs-darknet-dictionary/)
@ -40,29 +46,29 @@ http://www.deepdotweb.co/
###Darknets
###<a name="darknets">Darknets</a>
I2P
Tor
###Discussions
###<a name="discussion">Discussions</a>
[Market Discussions](https://www.reddit.com/r/DarkNetMarkets)
###Ordering
###<a name="ordering">Ordering</a>
[Ordering Checklist](https://www.reddit.com/r/DarkNetMarketsNoobs/wiki/completeorderingchecklist)
###Markets/Sites/Wikis
###<a name="markets">Markets/Sites/Wikis</a>
###Tools
###<a name="tools">Tools</a>
[Tor Search engine.](https://ahmia.fi/search/)


+ 2
- 2
Draft/Draft/Data AnalysisVisualization.md View File

@ -5,9 +5,9 @@
ToC
Tools
Cull
[Airodump-NG Scan Visualizer](http://hackoftheday.securitytube.net/2015/03/airodump-ng-scan-visualizer-ver-01.html)


Draft/Draft/Disinformation -.md → Draft/Draft/Disinformd.md View File


Draft/Draft/Documentation & Reports -.md → Draft/Draft/Documd.md View File


Draft/Draft/Embedded Device & Hardware Hacking -.md → Draft/Draft/Emd.md View File


+ 22
- 16
Draft/Draft/Exfiltration.md View File

@ -1,45 +1,51 @@
###Exfiltration
#####TOC
* [General](#general)
* [Methodologies](#methods)
* [Tools](#tools)
* [Papers](#papers)
Cull
Stunnel
iodine
http://windowsir.blogspot.com/2013/07/howto-data-exfiltration.html
[PyExfil](https://ytisf.github.io/PyExfil/)
* Exfiltration tools inspired by Regin. Alpha Status.
[Exfil - Modular tool to test exfiltration techniques](https://github.com/averagesecurityguy/exfil)
* Exfil is a tool designed to exfiltrate data using various techniques, which allows a security team to test whether its monitoring system can effectively catch the exfiltration. The idea for Exfil came from a Twitter conversation between @averagesecguy, @ChrisJohnRiley, and @Ben0xA and was sparked by the TrustWave POS malware whitepaper available at https://gsr.trustwave.com/topics/placeholder-topic/point-of-sale-malware/.
###<a name="general">General</a>
[fraud-bridge](https://github.com/stealth/fraud-bridge)
* fraud-bridge allows to tunnel TCP connections through ICMP, ICMPv6, DNS
via UDP or DNS via UDP6. Project, not stable
###<a name="methods">Methodologies</a>
[Multitun](https://github.com/covertcodes/multitun)
* Efficiently and securely tunnel everything over a harmless looking WebSocket!
Gmail/other email services Draft emails
Draft emails
Stunnel
###<a name="tools">Tools</a>
[fraud-bridge](https://github.com/stealth/fraud-bridge)
* fraud-bridge allows to tunnel TCP connections through ICMP, ICMPv6, DNS via UDP or DNS via UDP6. Project, not stable
[PyExfil](https://ytisf.github.io/PyExfil/)
* Exfiltration tools inspired by Regin. Alpha Status.
[Exfil - Modular tool to test exfiltration techniques](https://github.com/averagesecurityguy/exfil)
* Exfil is a tool designed to exfiltrate data using various techniques, which allows a security team to test whether its monitoring system can effectively catch the exfiltration. The idea for Exfil came from a Twitter conversation between @averagesecguy, @ChrisJohnRiley, and @Ben0xA and was sparked by the TrustWave POS malware whitepaper available at https://gsr.trustwave.com/topics/placeholder-topic/point-of-sale-malware/.
[Multitun](https://github.com/covertcodes/multitun)
* Efficiently and securely tunnel everything over a harmless looking WebSocket!
###Papers
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
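Review bot: the TOC links `[Papers](#papers)` but the heading stays `###Papers` with no anchor, unlike the other three sections that got `<a name=...>`; change it to `###<a name="papers">Papers</a>` or the link will be dead. Also, the Methodologies section lists `Stunnel`, `iodine` and `Draft emails` as bare words with no link or description, `Draft emails` appears twice in a row, and the fraud-bridge description is present both as a wrapped two-line version under General and as a one-line version under Tools; keep the single-line one.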

Draft/Draft/Exploit Development.md → Draft/Draft/Exploit Developmd.md View File


+ 1
- 1
Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt View File

@ -12,7 +12,7 @@ Idea with this setup, is that you have a VM of XP SP3 running with the following
Start here:
I'm designing exploit lab based on WinXP SP3. As for now I have following vulnerabilities/apps:
1. Simple RET - Ability FTP Server (FTP)
1. Simple RET - Ability FTP Server (FTP) - [Writeup of Fuzzing + Exploit Dev](http://infamoussyn.com/2013/03/17/exploit-discovery-ability-ftp-server-2-34/)
2. Simple RET - FreeFloat FTP (FTP)
3. Simple RET (harder) - CesarFTP (FTP)
4. Simple RET - Easy RM to MP3 Converter (.pls)


+ 251
- 54
Draft/Draft/Forensics Incident Response.md View File

@ -1,19 +1,21 @@
##Forensics & Incident Response
Anti-Forensics
#####TOC
Mobile Device Forensics
* Android
* iOS
* Blackberry
PDF Forensics
Photo Forensics
Tools
OS Forensics
* Linux Forensics
* OS X Forensics
* Windows Forensics
* [Presentations/Talks](#talks)
* [Anti-Forensics](#anti)
* [Mobile Device Forensics](#mobile)
* [Android](#android)
* [iOS](#ios)
* [Blackberry](#bb)
[PDF Forensics](#pdf)
[Photo Forensics](#photo)
[Tools](#tools)
[OS Forensics](#os)
* [Linux Forensics](#linux)
* [OS X Forensics](#osx)
* [Windows Forensics](#windows)
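Review bot: in the new TOC, the four lines from `[PDF Forensics](#pdf)` to `[OS Forensics](#os)` lack the leading `* ` that the entries above them use, so they will render as a run-on paragraph rather than list items. The sub-entries (`[Android](#android)`, `[iOS](#ios)`, `[Blackberry](#bb)`, and the three OS ones) sit at the same `* ` level as their parents, so indent them if nesting is intended. None of the visible hunks add a heading anchored `os` or `bb`, so `[OS Forensics](#os)` and `[Blackberry](#bb)` will be dead links unless those anchors exist elsewhere in the file.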
@ -22,6 +24,34 @@ Better security - Mean time to detect/Mean time to respond
###CULL
[Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
[IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)
* IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
—————————Sniper Forensics
http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
http://blog.spiderlabs.com/2011/11/sniper-forensics-context-context-context.html
http://blog.spiderlabs.com/2011/03/sniper-forensics-part-4.html
https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf
http://blog.spiderlabs.com/2011/07/sniper-forensics-part-v-finding-evil-part-ii.html http://blog.spiderlabs.com/2011/01/sniper-forensics-part-two-target-acquisition-in-part-one-of-the-sniper-forensics-post-we-discussed-the-history-of-forensic.html
[triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
[Computer Security Incident Handling Guide - NIST](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
[An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
[Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
* Good writeup/blogpost from Journey into Incidence Response
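Review bot: the line beginning `http://blog.spiderlabs.com/2011/07/sniper-forensics-part-v-finding-evil-part-ii.html http://blog.spiderlabs.com/2011/01/...` holds two URLs separated by a space, so they will render as one run-on link; split them onto separate lines. The `—————————Sniper Forensics` separator is not a heading, so this group cannot be a TOC target; if it is meant to stay, use the file's `###<a name=...>` convention (and note that the SANS summit PDF is also listed again as `[Sniper Forensics]` in the next hunk).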
@ -29,10 +59,84 @@ applexaminer.com
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
[How to Pull passwords from a memory dump](https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/)
http://blog.didierstevens.com/programs/pdf-tools/
[Sniper Forensics](https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf)
* Pg10 and onward
https://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf
[Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
[SSDeep](http://ssdeep.sourceforge.net/)
* ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
———————Firmware
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
————Bitlocker
[NVbit : Accessing Bitlocker volumes from linux](http://www.nvlabs.in/index.php?/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html)
————IR
[Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
###Anti-Forensics
—————IOC
[IOC Bucket](https://www.iocbucket.com/)
* IOC sharing platform
—————Browser Forensics
[Firefox private browsing forensics](http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/)
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
—————Memory Forensics
[Detekt](https://github.com/botherder/detekt)
* Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
[Dshell](https://github.com/USArmyResearchLab/Dshell)
* An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
[Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
Volatility Framework
——————————Training material
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
###<a name="talks">Presentations & Talks</a>
[Ways to Identify Malware on a System Ryan Irving](http://www.irongeek.com/i.php?page=videos/bsidestampa2015/201-ways-to-identify-malware-on-a-system-ryan-irving)
[Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
* This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
###<a name="anti">Anti-Forensics</a>
Secure Deletion of Data from Magnetic and Solid-State Memory
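Review bot: `###Anti-Forensics` appears at the `—————IOC` boundary in addition to `###<a name="anti">Anti-Forensics</a>` at the end of the hunk; if the plain one is the old heading it should be the removed line, otherwise it leaves an empty duplicate section in the middle of the IOC/Browser/Memory entries. The `[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors]` entry appears twice in this hunk (at the top and again under `———————Firmware`), and the `———` separators (Firmware, Bitlocker, IR, IOC, Browser Forensics, Memory Forensics, Training material) are not headings, so they cannot be linked from the TOC; convert them to the `###<a name=...>` style used for the other sections or fold them into existing ones.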
@ -42,8 +146,9 @@ http://static.usenix.org/publications/library/proceedings/sec96/full_papers/gutm
###Mobile Device Forensics
####Android Forensics
###<a name="mobile">Mobile Device Forensics</a>
####<a name="android">Android Forensics</a>
[Android Forensics class - OpenSecurity Training](http://opensecuritytraining.info/AndroidForensics.html)
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
@ -51,7 +156,7 @@ http://static.usenix.org/publications/library/proceedings/sec96/full_papers/gutm
* Androick is a python tool to help in forensics analysis on android. Put the package name, some options and the program will download automatically apk, datas, files permissions, manifest, databases and logs. It is easy to use and avoid all repetitive tasks!
####iOS Forensics
####<a name="ios">iOS Forensics</a>
http://www.forensicswiki.org/wiki/Apple_iPhone
@ -60,21 +165,22 @@ http://www.iosresearch.org/
[iOSForensic](https://github.com/Flo354/iOSForensic)
* iosForensic is a python tool to help in forensics analysis on iOS. It get files, logs, extract sqlite3 databases and uncompress .plist files in xml.
[iOS Forensics Analyis(2012) SANS Whitepaper](https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092)
[iOS Forensic Investigative Methods Guide](http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf)
###PDF Forensics
###<a name="pdf">PDF Forensics</a>
http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/
[PDF Forensics](http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/)
###Photo Forensics
###<a name="photo">Photo Forensics</a>
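Review bot: typo in the link text `[iOS Forensics Analyis(2012) SANS Whitepaper]` (Analysis, and a space before the parenthesis); the PDF Forensics URL is also present both as a bare `http://countuponsecurity.com/...` line and as the `[PDF Forensics](...)` link, so keep only the linked form.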
@ -84,7 +190,7 @@ http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-st
* Exif Jpeg header manipulation tool
###Tools:
###<a name="tools">Tools:</a>
Ghiro
@ -96,59 +202,150 @@ Ghiro
###<a name="linux">Linux Forensics</a>
###<a name="windows">Windows Forensics</a>
####Windows Forensics Tools
###Windows Forensics
[NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community
with a solution to extract forensically important information from the main
database of Microsoft Active Directory (NTDS.DIT).
[Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
[HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
[Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
[License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
[Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
[Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
[Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
[DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
[Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
[Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
[WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
[BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
Who has rights over a given object (computer, user account, etc.) ?
Who can read a given mailbox ?
Which are the accounts with domain admin rights ?
Who has extended rights (userForceChangePassword, SendAs, etc.) ?
What are the changes done on an AD between two points in time ?
###<a name="osx">OS X Forensics Tools</a>
[OS X Audiotr](https://github.com/jipegit/OSXAuditor)
* OS X Auditor is a free Mac OS X computer forensics tool.
Cull
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
[Extensible Metadata Platform](https://en.wikipedia.org/wiki/Extensible_Metadata_Platform)
* The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
[Bootkit Disk Forensics
[Part 1](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
[Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)
[Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
* This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.
[Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
[Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
[PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
####Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[Windows Attribute changer](http://www.petges.lu/home/)
[Malware Management Framework - Sniper Forensics Toolkit](http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework/)
[Xmount](https://www.pinguin.lu/xmount)
* What is xmount? xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
[binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
https://sysforensics.org/2014/01/know-your-windows-processes.html
[Attrition Forensics](http://2014.video.sector.ca/video/110334184)
###OS X Forensics Tools
https://github.com/jipegit/OSXAuditor
OS X Auditor is a free Mac OS X computer forensics tool.
OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
the kernel extensions
the system agents and daemons
the third party's agents and daemons
the old and deprecated system and third party's startup items
the users' agents
the users' downloaded files
the installed applications
It extracts:
the users' quarantined files
the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
the users' Firefox cookies, downloads, formhistory, permissions, places and signons
the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
the users' social and email accounts
the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on:
Team Cymru's MHR
VirusTotal
Malware.lu
your own local database
It can aggregate all logs from the following directories into a zipball:
/var/log (-> /private/var/log)
/Library/logs
the user's ~/Library/logs
Finally, the results can be:
rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
rendered as a HTML log file
sent to a Syslog server
https://santoku-linux.com/howtos
http://blog.didierstevens.com/programs/pdf-tools/
Forensics wiki
Add Enterprise Forensics section?
Yelp/Github - OSX Collector - Mass style forensics/management
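Review bot: `[Bootkit Disk Forensics` is never closed with `]`, so Markdown will treat it and the `[Part 1]`/`[Part 2]` links beneath it as one broken link; make it plain text or a proper link. Duplicates in this hunk: `[MozillaRecovery]` (also under Browser Forensics above), `[Know your Windows Processes or Die Trying]` and the bare `https://sysforensics.org/2014/01/know-your-windows-processes.html`, `[File Signature Table]` twice in the Cull, and two OS X headings (`###<a name="osx">OS X Forensics Tools</a>`, whose link text misspells the tool as `OS X Audiotr`, and `###OS X Forensics Tools`) both describing OS X Auditor. The Windows section has three headings in a row (`###<a name="windows">Windows Forensics</a>`, `####Windows Forensics Tools`, `###Windows Forensics`); keep one. `###<a name="linux">Linux Forensics</a>` is added with no entries, and the NTDSXtract description starting `* Description from the page: This framework was developed by the author in order to provide the community` is hard-wrapped across three lines, so only the first line renders as the bullet.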


+ 0
- 271
Draft/Draft/Forensics Incident Response/add cull.txt View File

@ -1,271 +0,0 @@
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
[Firefox private browsing forensics](http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/)
[Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
[Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
[Analysis of a Romanian Botnet](http://www.politoinc.com/2015/04/analysis-of-a-romanian-botnet/)
* Going from first sighting in logs to tracing attackers to their C2 IRC room
[How to Pull passwords from a memory dump](https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/)
[Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
* This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
[Extensible Metadata Platform](https://en.wikipedia.org/wiki/Extensible_Metadata_Platform)
* The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
[Real-time Steganography with RTP](http://uninformed.org/?v=all&a=36&t=sumry)
* Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials.
[Bootkit Disk Forensics
[Part 1](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
[Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)
[Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
[Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Exfil Framework](https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework)
* The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
* This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.
[Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
[Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
[DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API).
[Ways to Identify Malware on a System Ryan Irving](http://www.irongeek.com/i.php?page=videos/bsidestampa2015/201-ways-to-identify-malware-on-a-system-ryan-irving)
[HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
[Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
[PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
[BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
Who has rights over a given object (computer, user account, etc.) ?
Who can read a given mailbox ?
Which are the accounts with domain admin rights ?
Who has extended rights (userForceChangePassword, SendAs, etc.) ?
What are the changes done on an AD between two points in time ?
The framework is made of
an importer able to translate a ntds.dit file, containing all the AD data, into a database
tools to query the database
AD miner framework
AD diff utility
small utilities (list of databases, etc.)
The comprehensive set of attributes are imported and can be querried including all schema extensions (Exchange, Sharepoint, etc.).
####Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
[IOC Bucket](https://www.iocbucket.com/)
* IOC sharing platform
[Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
[WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it.
WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
[PostgreSQL Pass The Hash protocol design weakness](https://hashcat.net/misc/postgres-pth/postgres-pth.pdf)
[License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
[triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
[Computer Security Incident Handling Guide - NIST](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
[An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
[Instruments - OS X system analysis](https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/InstrumentsUserGuide/Introduction/Introduction.html)
* Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
[Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
[Passive DNS](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively to aid Incident handling, Network
Security Monitoring (NSM) and general digital forensics.
* PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs
the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate
DNS answers in-memory, limiting the amount of data in the logfile without
losing the essense in the DNS answer.
[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Windows Attribute changer](http://www.petges.lu/home/)
[NVbit : Accessing Bitlocker volumes from linux](http://www.nvlabs.in/index.php?/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html)
[PDF Forensics](http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/)
[Malware Management Framework - Sniper Forensics Toolkit](http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework/)
[Dshell](https://github.com/USArmyResearchLab/Dshell)
* An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
[Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
[Captipper](http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html)
* CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
[Xmount](https://www.pinguin.lu/xmount)
* What is xmount? xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
[Sniper Forensics](https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf)
* Pg10 and onward
https://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf
[Detekt](https://github.com/botherder/detekt)
* Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit).
Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer. Currently it is provided with patterns for:
DarkComet RAT
XtremeRAT
BlackShades RAT
njRAT
FinFisher FinSpy
HackingTeam RCS
ShadowTech RAT
Gh0st RAT
[NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community
with a solution to extract forensically important information from the main
database of Microsoft Active Directory (NTDS.DIT).
[SSDeep](http://ssdeep.sourceforge.net/)
* ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
[binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
[Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
http://blog.didierstevens.com/programs/pdf-tools/
http://windowsir.blogspot.com/2013/07/howto-data-exfiltration.html
https://sysforensics.org/2014/01/know-your-windows-processes.html
[Attrition Forensics](http://2014.video.sector.ca/video/110334184)
https://santoku-linux.com/howtos
http://blog.didierstevens.com/programs/pdf-tools/
http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
http://blog.spiderlabs.com/2011/11/sniper-forensics-context-context-context.html
http://blog.spiderlabs.com/2011/03/sniper-forensics-part-4.html
https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf
http://blog.spiderlabs.com/2011/07/sniper-forensics-part-v-finding-evil-part-ii.html http://blog.spiderlabs.com/2011/01/sniper-forensics-part-two-target-acquisition-in-part-one-of-the-sniper-forensics-post-we-discussed-the-history-of-forensic.html
Forensics wiki
Add Enterprise Forensics section?
Yelp/Github - OSX Collector - Mass style forensics/management
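Review bot: several entries in this hunk are duplicated and one link is malformed. `[MozillaRecovery](https://github.com/gtfy/MozillaRecovery)` appears twice with the identical description (once after the Windows Memory Analysis Checklist, again after Passive DNS); `http://blog.didierstevens.com/programs/pdf-tools/` appears twice in the trailing bare-URL block; `https://sysforensics.org/2014/01/know-your-windows-processes.html` is listed as the `[Know your Windows Processes or Die Trying]` entry and again as a bare URL; and the SANS Sniper Forensics PDF is listed as `[Sniper Forensics](...)` and again as a bare URL. Drop the second copies. `[Bootkit Disk Forensics` has no closing `]` or `(url)`, so it renders as literal text; make it a plain heading line for the two Part links or give it a target. The BTA and Detekt descriptions are pasted as unindented lines instead of the `* ` bullet the rest of the file uses, so they will run together as paragraphs, and the Passive DNS description is hard-wrapped mid-sentence. Typos: `forenics` (Mem forenics cheat sheet), `proccesses`, `querried`, `essense`. The trailing bare URLs plus `Forensics wiki`, `Add Enterprise Forensics section?` and `Yelp/Github - OSX Collector` read as a to-do list; if they are to stay, move them under a `###Cull` heading like the other files in this commit.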

Draft/Draft/Frameworks.md → Draft/Draft/Framd.md


Draft/Draft/Frameworks/Metasploit Reference.txt → Draft/Draft/Frameworks Methodologies/Metasploit Reference.txt


Draft/Draft/Frameworks/Meterpreter Scripts and Description.txt → Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Password Cracking.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Penetration.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/VoIP Security.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt


Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt → Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt


Draft/Draft/Frameworks/Post Exploitation with Metasploit.txt → Draft/Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt


+ 22
- 34
Draft/Draft/Fuzzing Bug Hunting.md

@ -2,12 +2,13 @@
TOC
Methodologies
Write-ups
Tools
Papers
Books
Miscellaneous
* [Techniques](#tech)
[Methodologies](#method)
[Write-ups](#writeup)
[Tools](#tools)
[Papers](#papers)
[Books](#books)
[Miscellaneous](#misc)
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
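Review bot: the new TOC is inconsistent and one of its targets has no anchor in this diff. Only `* [Techniques](#tech)` carries a bullet; the other six entries from `[Methodologies](#method)` to `[Miscellaneous](#misc)` do not, so they render as one run-on paragraph rather than a list. Give them all the `* ` prefix, as the Honeypots and Malware TOCs in this same commit do. This commit adds `<a name=...>` anchors for tech, writeup, papers, books, tools and misc, but no `<a name="method">` appears anywhere in the diff, so `[Methodologies](#method)` is a dead link unless that anchor already exists further down the file.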
@ -15,9 +16,10 @@ Miscellaneous
###Cull
[Mining for Bugs with Graph Database Queries [31c3]](https://www.youtube.com/watch?v=291hpUE5-3g)
* [Starting out with Joern](http://tsyrklevich.net/2015/03/28/starting-out-with-joern/)
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf
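Review bot: `http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf` sits in the Cull list as a bare URL with no title or description, unlike the `[Title](url)` entries around it. Wrap it with a title taken from the slug, e.g. `[Analyzing Chrome Crash Reports at Scale - Abhishek Arya - nullcon Goa 2015](http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf)`, so the list stays scannable.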
@ -29,7 +31,9 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at
###Techniques
###<a name="tech">Techniques</a>
####Taint Analysis
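Review bot: `###<a name="tech">Techniques</a>` has no space between the `###` run and the heading text. CommonMark requires at least one space after the `#` run, and renderers that follow it (GitHub's has since 2017) show such lines as literal `###<a ...>` paragraphs rather than headings; the same applies to every `###<a name=...>` heading this commit adds. Write `### <a name="tech">Techniques</a>`.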
@ -37,16 +41,16 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at
#####Writeups
###<a name="writeup">Writeups</a>
[Taint analysis and pattern matching with Pin - Jonathan Salwan](http://shell-storm.org/blog/Taint-analysis-and-pattern-matching-with-Pin/)
[Faster Fuzzing with Python](https://labs.mwrinfosecurity.com/blog/2014/12/10/faster-fuzzing-with-python/)
[Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview](http://www.singlehop.com/blog/lets-fuzz-irfanview/)
w
#####Papers
###<a name="papers">Papers</a>
[Smart COM Fuzzing - Auditing IE Sandbox Bypass in COM Objects• Xiaoning Li • Haifei Li](https://0b3dcaf9-a-62cb3a1a-s-sites.googlegroups.com/site/zerodayresearch/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects_final.pdf?attachauth=ANoY7crUl9OP1JfFa6KaCXsjVLjsNXDgUp1SmrZZAgGiPdp7MvUVnfg-FsuFvt7lfV5s3-kcK3K2uT05XMt6zUU_cP5WWQKxmKedjlQjvTZWdLyVZVcUMUrxUr5i68jpISP84HE0hihXOz7GtyWQG4gOtf-PXmcxmBf9KjYpVob08uR-62u2swlo396pKC0mSRrymia5PAakBFV9_0TbXGEhNVc101GIRdZ33C-j8DI6bIEYVlR1vG9jUKkfIcleu-rtjnJyDXD9FFBJwqxZsVOAUb9mcPvc4SZ04uefDvQwCDEg-C4I8eA%3D&attredirects=0)
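Review bot: the stray line `w` between the `[Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview]` entry and the Papers heading looks like an accidental keystroke and should be deleted. Also, promoting `#####Writeups` and `#####Papers`, which sat under `####Taint Analysis`, to `###<a name="writeup">Writeups</a>` and `###<a name="papers">Papers</a>` turns the taint-analysis subsections into the file's top-level sections: the general fuzzing entries `[Faster Fuzzing with Python]` and the FOE walkthrough now follow `[Taint analysis and pattern matching with Pin]` with nothing separating the two topics. Consider keeping a `#### Taint Analysis` sub-heading inside Writeups and inside Papers.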
@ -58,35 +62,19 @@ w
[A Critical Review of Dynamic Taint Analysis and Forward Symbolic Execution](https://asankhaya.github.io/pdf/ACriticalReviewofDynamicTaintAnalysisandForwardSymbolicExecution.pdf)
* In this note , we describe a critical review of the paper titled “All you wanted to know about dynamics taint analysis and forward symbolic execution (but may have been afraid to ask)” [1] . We analyze the paper using Paul Elder critical thinking framework [2] . We sta rt with a summary of the paper and motivation behind the research work described in [1]. Then we evaluate the study with respect to the universal intellectual standards of [2]. We find that the paper provides a good survey of the existing techniques and algorithms used for security analysis. It explains them using the theoretical framework of operational runtime semantics. However in some places t he paper can do a better job in highlighting what new insights or heuristics can be gained from a runtime seman tics formulation. The paper fails to convince the reader how such an intricate understanding of operational semantics of a new generic language SimpIL helps in advancing the state of the art in dynamic taint analysis and forward symbolic execution. We also found that the Paul Elder critical thinking framework is a useful technique to reason about and analyze research papers.
[TAJ: Effective Taint Analysis of Web Applications - Java Webapps](http://manu.sridharan.net/files/pldi153-tripp.pdf)
* Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address criti- cal requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applica- tions, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applica- tions. TAJ can analyze applications of virtually any size, as it em- ploys a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vec- tors, with techniques to handle reflective calls, flow through con- tainers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
###Writeups
[Faster Fuzzing with Python](https://labs.mwrinfosecurity.com/blog/2014/12/10/faster-fuzzing-with-python/)
[Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview](http://www.singlehop.com/blog/lets-fuzz-irfanview/)
###Papers
[Effective Bug Discovery](http://uninformed.org/?v=all&a=27&t=sumry)
* Sophisticated methods are currently being developed and implemented for mitigating the risk of exploitable bugs. The process of researching and discovering vulnerabilities in modern code will require changes to accommodate the shift in vulnerability mitigations. Code coverage analysis implemented in conjunction with fuzz testing reveals faults within a binary file that would have otherwise remained undiscovered by either method alone. This paper suggests a research method for more effective runtime binary analysis using the aforementioned strategy. This study presents empirical evidence that despite the fact that bug detection will become increasingly difficult in the future, analysis techniques have an opportunity to evolve intelligently.
[TAJ: Effective Taint Analysis of Web Applications - Java Webapps](http://manu.sridharan.net/files/pldi153-tripp.pdf)
* Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address criti- cal requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applica- tions, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applica- tions. TAJ can analyze applications of virtually any size, as it em- ploys a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vec- tors, with techniques to handle reflective calls, flow through con- tainers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
###Books
###<a name="books">Books</a>
[*THE* Book on fuzzing](http://fuzzing.org/)
###Tools
###<a name="tools">Tools</a>
[American Fuzzy Lop AFL](http://lcamtuf.coredump.cx/afl/)
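Review bot: the TAJ paper is present twice in this hunk: `[TAJ: Effective Taint Analysis of Web Applications - Java Webapps]` with the identical abstract appears once before the removed `###Writeups` block and again after `[Effective Bug Discovery]`. Make sure only one copy survives the merge of the two Papers sections. The pasted abstracts for `[A Critical Review of Dynamic Taint Analysis and Forward Symbolic Execution]` and TAJ also carry PDF copy artifacts (`sta rt`, `t he`, `seman tics`, `criti- cal`, `applica- tions`, `em- ploys`, `con- tainers`); rejoin the split words before committing.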
@ -128,7 +116,7 @@ Fuzzing with Peach tutorial
###Misc
###<a name="misc">Misc</a>
[Good slides on fuzzing](https://courses.cs.washington.edu/courses/cse484/14au/slides/Section8.pdf)


Draft/Draft/Home Security.md → Draft/Draft/Homd.md


+ 15
- 7
Draft/Draft/Honeypots -.md

@ -7,15 +7,23 @@
TOC
Cull
Honeypots/nets
Tools
Write-ups
* [Honeypots/nets](#honey)
* [Presentations](#presentation)
* [Write-ups](#writeup)
* [Papers](#papers)
###Cull
[Hflow2](https://projects.honeynet.org/hflow)
* Data Analysis System
[Tango Honeypot Intelligence](https://github.com/aplura/Tango)
* Honeypot Intelligence with Splunk
[Security Onions and Honey Potz - Ethan Dodge - BSidesSLC2015](https://www.youtube.com/watch?v=1Jbm1zwiGTM)
http://www.cuckoosandbox.org/
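Review bot: the new TOC links `[Presentations](#presentation)`, but no `<a name="presentation">` is added in this diff, and `Tools` has been dropped from the TOC while `###Cull` remains as a heading the TOC no longer mentions; add the missing anchor and a Tools entry, or confirm those sections were removed. Also `http://www.cuckoosandbox.org/` stands in the Cull list as a bare URL with no title or description, unlike the `[Hflow2]` and `[Tango Honeypot Intelligence]` entries above it.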
@ -42,7 +50,7 @@ HoneyData - Strings, shares/drives, etc.
###Honeypots/nets
###<a name="honey">Honeypots/nets</a>
[Modern Honey Network(MHN)](https://threatstream.github.io/mhn/)
* From the secure deployment to the aggregation of thousands of events MHN provides enteprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale. MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides full REST API out of the box and we are making CEF and STIX support available now for direct SIEM integration through our Commercial platform Optic.
@ -120,7 +128,7 @@ Beeswarm](http://www.beeswarm-ids.org/)
###Writeups
###<a name="writeup">Writeups</a>
[ Deploying Dionaea on a Raspberry Pi using MHN](https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi)
@ -135,7 +143,7 @@ Beeswarm](http://www.beeswarm-ids.org/)
* The research study investigates Secure Shell (SSH) attacks on Amazon EC2 cloud instances across different AWS zones by means of deploying Smart Honeypot (SH). It provides an in-depth analysis of SSH attacks, SSH intruders profile, and attempts to identify their tactics and purposes.
###Papers
###<a name="paper">Papers</a>
[Analysis of Attacks Using a Honeypot - Verlag Berlin Heidelberg 2011]
* Abstract. A Honeypot is a software based security device, deployed to attract hackers by displaying services and open ports which are potentially vulnerable. While the attackers are diverted, t heir activities can then be monitored and an a- lysed to identify current a ttack methods and trends. A low - interaction Honeypot called Dion aea was chosen for this project because it can simulate services while preventing an attacker from gaining full control. Results were collected over the six week period of the experiment. The logged information of the o b- served attacks was analysed and compared with current vulnerabilities, the loc a- tions where the attacks were originating from and the time of day at the orig i- nating site. A profile of individual attackers can then be built to ga in an insight into the current attack trends in order to improve network defences.
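Review bot: the anchor and the TOC disagree: the TOC links to `#papers` but this heading defines `<a name="paper">`, so the link is dead; rename it to `<a name="papers">Papers</a>`. Separately, `[Analysis of Attacks Using a Honeypot - Verlag Berlin Heidelberg 2011]` has no `(url)` target and renders as bracketed text, and its abstract carries PDF hyphenation artifacts (`t heir`, `an a- lysed`, `a ttack`, `Dion aea`, `o b- served`, `loc a- tions`, `orig i- nating`, `ga in`) that should be rejoined.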


+ 11
- 1
Draft/Draft/Interesting Things Useful stuff.md

@ -33,10 +33,20 @@ http://www.securitywizardry.com/radar.htm
###CULL
[Anti-Virus Software Gone Wrong](http://uninformed.org/?v=all&a=21&t=sumry)
* Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems.
[Foreign LINUX](https://github.com/wishstudio/flinux)
* Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in constrast to Cygwin and other tools.
[Take Charge of Your Infosec Career! - Glen Roberts - BSidesSLC2015](https://www.youtube.com/watch?v=QqlnB2FeODo)
* You spent $5,000, a plane trip, a hotel and a full workweek on your last infosec course but when was the last time you invested even just a few hours of your time exclusively to developing your infosec career in a truly meaningful way? This talk will challenge the way you view your career and give you actionable steps for taking charge of it so you can optimize the rewards and fulfillment you receive from your work. Glen will leverage the stories and best practices from dozens of information security professionals to help inspire your infosec career journey. This presentation will be engaging and speak to the soul in a way that instills ownership of your own career and generates a passion for finding and carving out your own authentic career path.
[stupid_malware](https://github.com/andrew-morris/stupid_malware)
* Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
[China’s Great Cannon](https://citizenlab.org/2015/04/chinas-great-cannon/) * This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.
[How to Hack All the Transport Networks of a Country - Defcon20](https://www.youtube.com/watch?v=D6KEhdHFc9I)
[ZeroMQ](http://zguide.zeromq.org/page:all)
[Underhanded C contest](http://underhanded-c.org/)
Regex for credit cards
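Review bot: `[China’s Great Cannon](https://citizenlab.org/2015/04/chinas-great-cannon/)` puts its ` * This post describes...` description on the same line as the link instead of on a following `* ` line as every other entry here does, so the description will not render as a bullet; move it to its own line. `Regex for credit cards` is a bare note with no link or description; mark it as a TODO or drop it.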


+ 37
- 43
Draft/Draft/Malware.md

@ -1,33 +1,38 @@
##Malware
Tutorials
Writeups
Malware Repositories
Anti-VM/Detecting VMs
Tools
Static Analysis
Dynamic Analysis
AV Evasion/Encoders/Packers
Papers
Other
TOC
* [Tutorials](#tutorial)
* [Writeups](#writeup)
* [Malware Repositories](#repository)
* [Mobile}(#mobile)
* [Anti-VM/Detecting VMs](#antivm)
* [Tools](#tools)
* [Static Analysis](#static)
* [Dynamic Analysis](#dynamic)
* [AV Evasion/Encoders/Packers](#packers]
* [Papers](#papers)
* [Other](#other)
###Cull
[Analysis of a Romanian Botnet](http://www.politoinc.com/2015/04/analysis-of-a-romanian-botnet/)
* Going from first sighting in logs to tracing attackers to their C2 IRC room
[Statistical Structures: Fingerprinting Malware for Classification and Analysis - Daniel Bilar](https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf)
http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
[Malcom - Malware Communication Analyzer](https://github.com/tomchop/malcom)
* Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
[IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)
* IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html
###Tutorials
###<a name="tutorial">Tutorials</a>
[Malware Analysis Tutorials: a Reverse Engineering Approach](http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html)
[Malware analyis noob to ninja 60min presentation slides](http://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-cactuscon-on-april-4-2014)
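Review bot: two of the new TOC entries are malformed and will render as literal text rather than as links: `* [Mobile}(#mobile)` closes the link text with `}` instead of `]`, and `* [AV Evasion/Encoders/Packers](#packers]` closes the target with `]` instead of `)`. They should read `* [Mobile](#mobile)` and `* [AV Evasion/Encoders/Packers](#packers)`. Also, of the targets listed in the TOC, only `#tutorial`, `#writeup`, `#repository`, `#mobile` and `#antivm` gain a matching `<a name>` in the hunks shown here; `#tools`, `#static`, `#dynamic`, `#packers`, `#papers` and `#other` should be checked for a corresponding heading change, and the `###Cull` section has no TOC entry at all.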
@ -38,7 +43,7 @@ http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html
{DIY Android Malware Analysis with OBAD](http://securityintelligence.com/diy-android-malware-analysis-taking-apart-obad-part-1/)
###Writeups
###<a name="writeup">Writeups</a>
[Decoding ZeuS disguised as an .RTF File](http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/)
* Excellent step by step writeup
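Review bot: the unchanged context line immediately above the heading change, `{DIY Android Malware Analysis with OBAD](...)`, opens the link text with `{` instead of `[`, so that link does not render; since this file is already being touched for link fixes, correcting it to `[DIY Android Malware Analysis with OBAD](...)` here is a cheap drive-by.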
@ -75,7 +80,7 @@ http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html
###Malware Repositories/Collecting & Obtaining Malware
###<a name="repository">Malware Repositories/Collecting & Obtaining Malware</a>
[The Zoo](https://github.com/ytisf/theZoo)
* A repository of LIVE malwares for your own joy and pleasure
@ -87,7 +92,9 @@ Contagio/Contagio mobile
* Ragpicker is a Plugin based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products, collecting malware for another analyzer/zoo.
###Mobile:
###<a name="mobile">Mobile:</a>
[A timeline of mobile botnets](https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-mobile-botnets)
* With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants.
[Android Sandbox V1](http://androidsandbox.net/)
* Automated Malware Analysis
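Review bot: the anchored heading keeps a trailing colon inside the link text, `<a name="mobile">Mobile:</a>`, whereas the other anchored headings in this change (`Tutorials`, `Writeups`, `Anti-VM/Detecting VMs`) carry none; drop the colon so the rendered headings are consistent.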
@ -117,9 +124,9 @@ Contagio/Contagio mobile
###Anti-VM/Detecting VMs
http://msdn.microsoft.com/en-us/library/aa394102%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa394077%28v=vs.85%29.aspx
###<a name="antivm">Anti-VM/Detecting VMs</a>
* http://msdn.microsoft.com/en-us/library/aa394102%28v=vs.85%29.aspx
* http://msdn.microsoft.com/en-us/library/aa394077%28v=vs.85%29.aspx
[antivmdetection](https://github.com/nsmfoo/antivmdetection)
* Script to create templates to use with VirtualBox to make vm detection harder.
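Review bot: the two MSDN URLs are now bulleted but remain bare links with no title or description, while the rest of the section (for example `[antivmdetection](...)` followed by `* Script to create templates ...`) uses the `[title](url)` plus `* description` convention; giving each URL a title that says which documentation page it points to would make the list usable without clicking through.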
@ -143,7 +150,7 @@ http://msdn.microsoft.com/en-us/library/aa394077%28v=vs.85%29.aspx
###Malware Campaign Writeups
###<a name="writeup">Malware Campaign Writeups</a>
[Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
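Review bot: this hunk reuses the anchor name already introduced for the `Writeups` heading, so the file ends up with two `<a name="writeup">` anchors; the TOC link `#writeup` will always resolve to the first one and `Malware Campaign Writeups` becomes unreachable from the TOC. Use a distinct name here (for example `<a name="campaign">Malware Campaign Writeups</a>`) and add a matching `* [Malware Campaign Writeups](#campaign)` entry to the TOC.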