[Online tracking: A 1-million-site measurement and analysis](https://webtransparency.cs.princeton.edu/webcensus/index.html#fp-results)
* the largest and most detailed measurement of online tracking to date. We measure stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and "cookie syncing".
[Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
| **Description**: Deep packet inspection (DPI) technologies provide much-needed visibility and control of network traffic using port-independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adversaries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China. |
| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** | **Link:** http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565& |
| **Description**: The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features. |
| **Abstract:** We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them. |
| **Description:** Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of the Internet. |
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
| **Can you track me now?** - Defcon20 | https://www.youtube.com/watch?v=DxIF66Tcino |
| **Phones and Privacy for Consumers** - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer) | http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyer |
https://ritter.vg/blog-deanonymizing_amm.html
[Retail Surveillance / Retail Countersurveillance - 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
| **fteproxy** - fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems. | https://fteproxy.org/about |
| **Streisand** - Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. | https://github.com/jlund/streisand |
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
### <a name="harden">List of Hardening Guides for iOS</a>
| Title | Link |
|---|---|
| **IODIDE - The IOS Debugger and Integrated Disassembler Environment** | https://github.com/nccgroup/IODIDE |
| **Clutch** - Fast iOS executable dumper | https://github.com/KJCracks/Clutch |
| **MEMSCAN - Dump iPhone app RAM** - A Cigital consultant, Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use. | http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/ |
| **MEMSCAN** - A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes. | https://github.com/hexploitable/MEMSCAN |
Start with the first two links, and go from there. They're both great resources for writing technical documentation, the first being a beginner's guide and the second being a general guide that beginners can understand.
[A beginner's guide to writing documentation](http://docs.writethedocs.org/writing/beginners-guide-to-docs/)
[How to Write Papers So People Can Read Them - Derek Dreyer](https://www.youtube.com/watch?v=L_6xoMjFr70)
Other Materials:
Three parter from jacobian.org:
[Writing Types of User Documentation](https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation)
[How to write a great research paper - Simon Peyton Jones](https://www.microsoft.com/en-us/research/academic-program/write-great-research-paper/)
[The 7 Rules for Writing World Class Technical Documentation](http://www.developer.com/tech/article.php/3848981/The-7-Rules-for-Writing-World-Class-Technical-Documentation.htm)
* Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[Hacking Docsis for fun and profit](https://www.defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf)
[Hardware Hacking for Software People](http://dontstuffbeansupyournose.com/2011/08/25/hardware-hacking-for-software-people/)
[Glitching for n00bs - A journey to coax out chips' inner secrets](http://media.ccc.de/browse/congress/2014/31c3_-_6499_-_en_-_saal_2_-_201412271715_-_glitching_for_n00bs_-_exide.html#video)
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of black-box secure memory card.
* This is a project to modify the Sony Blu-ray BDP firmware. It started out with only the BDP-S390, but has branched out to include other players and a variety of goals, including removing Cinavia and obtaining Region-Free.
* USB is used in almost every computing device produced in recent years. In addition to well-known usages like keyboard, mouse, and mass storage, a much wider range of capabilities exist such as Device Firmware Update, USB On-The-Go, debug over USB, and more. What actually happens on the wire? Is there interesting data we can observe or inject into these operations that we can take advantage of? In this talk, we will present an overview of USB and its corresponding attack surface. We will demonstrate different tools and methods that can be used to monitor and abuse USB for malicious purposes.
[Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
[The Chakra Exploit and the Limitations of Modern Mitigation Techniques](https://www.endgame.com/blog/chakra-exploit-and-limitations-modern-mitigation-techniques)
* SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
[Attacking the XNU Kernel For Fun And Profit Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple's OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy | https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
| **Dangerous Clipboard: Analysis of the MS15-072 Patch** | http://blog.talosintel.com/2015/10/dangerous-clipboard.html?m=1 |
* I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.
[jmp2it](https://github.com/adamkramer/jmp2it)
This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation. The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for the second-stage payload as would have happened in the original loader. Patches / self-modifications are dynamically written to jmp2it-flypaper.out.
[Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[Using ARM Inline Assembly and Naked Functions to fool Disassemblers](http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/#sthash.Gt6f7f7y.4pLres53.sfju)
[Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14](https://www.youtube.com/watch?v=Sl1Sru3OwJ4)
[Shellcode without Sockets](https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440)
### General Videos/Presentations(that aren't
[Hacking FinSpy - a Case Study - Attila Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
[Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
[Art of Picking Intel Registers](http://www.swansontec.com/sregisters.html)
[EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE](https://www.exploit-db.com/docs/39658.pdf)
[Jump-Oriented Programming: A New Class of Code-Reuse](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf)
[Return-Oriented Programming without Returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf)
### General Stuff that I can't decide where else to put
[Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation training course.
##### Originally from a randomly linked Pastebin ([Original Page](http://pastebin.com/aqGvjhgB)). If you made this, thank you so much; I've now added onto it and changed it from what it originally was. I've kept the original creator's note as I feel it is highly relevant and aligns with my goal.
[Introduction to Return Oriented Programming (ROP) - ketansingh.net](https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/)
* "My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar"
* [Exploiting the wilderness, Phantasmal Phantasmagoria, 2004](http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html)
* [Yet another free() exploitation technique, huku, 2009](http://www.phrack.com/issues.html?issue=66&id=6)
* [Heap Feng Shui in JavaScript](https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf)
* [Pointer inference and JIT-Spraying, Dion Blazakis, 2010](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010](http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf)
[Exploring Control-Flow-Guard in Windows10](http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf)
[Bypassing PatchGuard on Windows x64](http://uninformed.org/?v=all&a=14&t=sumry)
* The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
[Disarming Control Flow Guard Using Advanced Code Reuse Attacks](https://www.endgame.com/blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks)
[X86 Shellcode Obfuscation - Part 1 - breakdev.org](https://breakdev.org/x86-shellcode-obfuscation-part-1/)
[Cheating the ELF - Subversive Dynamic Linking to Libraries](http://www.cs.dartmouth.edu/~sergey/cs108/2010/subversiveld.pdf)
[Return into Lib(C) Theory Primer(Security-Tube)](http://www.securitytube.net/video/257)
### <a name="winspec">Windows Specific</a>
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
[An Introduction to Debugging the Windows Kernel with WinDbg](http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/)
Getting Started with WinDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
[Writing Exploits for Win32 Systems from Scratch](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
[(SEH Bypass)Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server.](https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf)
[A Crash Course on the Depths of Win32 Structured Exception Handling](https://www.microsoft.com/msj/0197/exception/exception.aspx)
[Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
[Win32 Assembly Components - Last Stage of Delirium Research Group](http://www.bandwidthco.com/whitepapers/programming/asm/Win32%20Assembly%20Components.pdf)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/)
[Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass ](https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf)
[Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
### <a name="tools">Tools</a>
Check out the "Reverse Engineering" section's Tools list for a lot of useful tools that aren't listed here.
* Miscellaneous tools written in Python, mostly centered around shellcodes.
  * bin2py: Embed binary files into Python source code.
  * shellcode2exe: Convert shellcodes into executable files for multiple platforms.
[binjitsu](https://github.com/binjitsu/binjitsu/)
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
[Meterpreter Payload Stage 1 with Obsfuscation and Evasion](https://github.com/lockfale/meterpreterjank)
[pwndbg - Making debugging suck less](https://github.com/zachriggle/pwndbg)
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
[fREedom - capstone based disassembler for extracting to binnavi](https://github.com/cseagle/fREedom)
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
[Setting up fREedom and BinNavi](https://summitroute.com/blog/2015/12/31/setting_up_freedom_and_binnavi/)
* HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger), HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need for serial (or USB) cables. For example, HyperDbg allows single-stepping the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual-machine-based debuggers (e.g., the VMware built-in debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is just as powerful.
[Bowcaster Exploit Development Framework](https://github.com/zcutlip/bowcaster)
* This framework, implemented in Python, is intended to aid those developing exploits by providing a useful set of tools and modules, such as payloads, encoders, connect-back servers, etc. Currently the framework is focused on the MIPS CPU architecture, but the design is intended to be modular enough to support arbitrary architectures.
* This is the CTF framework used by Gallopsled in every CTF.
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into memory in order to reduce the chances of being detected by signature-based protections, and how to extract these components from the exploit. In addition we will look at the shellcode supplied by the exploit kit and how it uses encryption to hide the payload's URL and contents.
[Pwning Adobe Reader with XFA](http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf)
[A New CVE-2015-0057 Exploit Technology](https://www.exploit-db.com/docs/39660.pdf)
[Exploiting Memory Corruption Vulnerabilities in the Java Runtime](https://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf)
[MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects](https://www.coresecurity.com/blog/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects)
[Make It Count: Progressing through Pentesting - Bálint Varga-Perke - Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
[The Art of Explanation: Behavioral Models of InfoSec - Kelly Shortridge](https://www.youtube.com/embed/UdZDlt2dlqM)
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
[A newbie's guide to safes, both opening and using](https://www.reddit.com/r/WhatsInThisThing/comments/1gm6uk/a_newbies_guide_to_safes_both_opening_and_using/)
[Developing an Open Source Threat Intelligence Program - Edward McCabe](http://www.irongeek.com/i.php?page=videos/circlecitycon2014/105-developing-a-open-source-threat-intelligence-program-edward-mccabe)
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geek's struggle with life on the Internet of (bad) things when it comes to being online, identifying "odd" things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
[NameCheck](https://www.namecheck.com)
* Search usernames across multiple services/domain registries
* Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers who find themselves limited to a Windows system.
* Jellyfish is a Linux-based userland GPU rootkit proof-of-concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by the Khronos Group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.
[Crafting Mac OS Rootkits](https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf)
[Pitfalls of virtual machine introspection on modern hardware](https://www.acsac.org/2014/workshops/mmf/Tamas%20Lengyel-Pitfalls%20of%20virtual%20machine%20introspection%20on%20modern%20hardware.pdf)
[A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in detail how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect an SMM keystroke logger. This work also presents proof-of-concept code for an SMM keystroke logger that uses I/O Trap based keystroke interception, and code for detecting such a keystroke logger.
[Advanced Bootkit Techniques on Android](http://www.syscan360.org/slides/2014_EN_AdvancedBootkitTechniquesOnAndroid_ChenZhangqiShendi.pdf)
### <a name="tools">Tools</a>
[UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
### <a name="papers">Papers</a>
[A Catalog of Windows Local Kernel-mode Backdoors](http://uninformed.org/?v=all&a=35&t=sumry)
* This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.
[Windows Filtering Platform: Persistent state under the hood](http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html)
[What registry entries are needed to register a COM object.](https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-are-needed-to-register-a-com-object/)
[Minimal COM object registration](https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-registration/)
[What is a DLL?](https://support.microsoft.com/en-us/help/815065/what-is-a-dll)
* This article describes what a dynamic link library (DLL) is and the various issues that may occur when you use DLLs. Then, this article describes some advanced issues that you should consider when you develop your own DLLs. In describing what a DLL is, this article describes dynamic linking methods, DLL dependencies, DLL entry points, exporting DLL functions, and DLL troubleshooting tools.
[Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
## Exploit Dev
[Windows 10 HAL's Heap – Extinction of the "HalpInterruptController" Table Exploitation Technique](https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/)
* Another kernel exploitation technique killed in Windows 10 Creators Update.
## Fuzzing
[syzkaller - linux syscall fuzzer](https://github.com/google/syzkaller)
* syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
## Interesting Things
[Penetration Testing considered Harmful Today](http://blog.thinkst.com/p/penetration-testing-considered-harmful.html)
[Teaching Evil - Chris Niemira](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t200-teaching-evil-chris-niemira)
[Volatile Memory: Behavioral Game Theory in Defensive Security](https://www.slideshare.net/kshortridge/volatile-memory-behavioral-game-theory-in-defensive-security)
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities and large numbers of publicly exposed vulnerable systems can exist without public recognition for long periods of time (i.e. CVEs with CVSS 10.0 scores exist, but there is no corresponding check in Nessus, Metasploit, etc.).
https://www.youtube.com/watch?v=h92vmwg9Tyc
[Statement for the Record Worldwide Threat Assessment of the US Intelligence Community Senate Select Committee on Intelligence](https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf)
[Make It Count: Progressing through Pentesting - Bálint Varga-Perke - Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
[The Art of Explanation: Behavioral Models of InfoSec - Kelly Shortridge](https://www.youtube.com/embed/UdZDlt2dlqM?)
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[When the Cops Come A-Knocking: Handling Technical Assistance Demands from Law Enforcement](https://www.youtube.com/watch?v=PX2RjJAfTYg)
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
[Jos Weyers – Lock Impressioning](https://www.youtube.com/watch?v=JcNc1BVaCE0)
## Wireless Stuff
[Frony Fronius - Exploring Zigbee signals from Solar City](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t102-frony-fronius-exploring-zigbee-signals-from-solar-city-jose-fernandez)
* Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use Power Inverters/Meters from third parties in order to provide their services while making the solution affordable for customers. This research will focus on understanding the communication between the Inverter, Internet Gateway and web portal used to view the electrical consumption of the subscriber.
[Decoding the LoRa IoT Protocol with an RTL-SDR](http://www.rtl-sdr.com/decoding-the-iot-lora-protocol-with-an-rtl-sdr/)
[Using Software Defined Radio for IoT Analysis](https://www.irongeek.com/i.php?page=videos/bsidesnova2017/102-using-software-defined-radio-for-iot-analysis-samantha-palazzolo)