
cleanup yet again, also added a 'what's new since last time' file

pull/8/head
root, 6 years ago
commit ab5686f498
15 changed files with 435 additions and 341 deletions
1. Draft/Anonymity Opsec Privacy -.md (+15, -28)
2. Draft/Attacking Defending Android -.md (+2, -0)
3. Draft/Attacking Defending iOS -.md (+1, -2)
4. Draft/Documentation & Reports -.md (+18, -8)
5. Draft/Embedded Device & Hardware Hacking -.md (+31, -25)
6. Draft/Exploit Development.md (+176, -240)
7. Draft/Interesting Things Useful stuff.md (+8, -0)
8. Draft/Lockpicking -.md (+1, -1)
9. Draft/Open Source Intelligence.md (+2, -24)
10. Draft/Privilege Escalation & Post-Exploitation.md (+5, -1)
11. Draft/Reverse Engineering.md (+2, -2)
12. Draft/Rootkits.md (+10, -9)
13. Draft/System Internals Windows and Linux Internals Reference.md (+11, -0)
14. Draft/Things added since last update.md (+152, -0)
15. Draft/Wireless Networks & RF.md (+1, -1)

Draft/Anonymity Opsec Privacy -.md (+15, -28)

@ -16,31 +16,19 @@ Cull
### Cull
| Title | Link
| -------- | --------- |
| Client Identification Mechanisms | http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
| Can you track me now? - Defcon20 | https://wEww.youtube.com/watch?v=DxIF66Tcino
https://github.com/shadowsocks/shadowsocks
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
https://github.com/NullHypothesis/exitmap/issues/37
[Online tracking: A 1-million-site measurement and analysis](https://webtransparency.cs.princeton.edu/webcensus/index.html#fp-results)
* the largest and most detailed measurement of online tracking to date. We measure stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and "cookie syncing".
[Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html
https://github.com/NullHypothesis/exitmap
https://github.com/NullHypothesis/exitmap/issues/37
### Blogposts
[De-Anonymizing Alt.Anonymous.Messages](https://ritter.vg/blog-deanonymizing_amm.html)
https://ritter.vg/blog-deanonymizing_amm.html
https://www.onioncat.org/about-onioncat/
[Defeating and Detecting Browser Spoofing - Browserprint](https://browserprint.info/blog/defeatingSpoofing)
[Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
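Review bot: the 'Can you track me now?' row still points at https://wEww.youtube.com/watch?v=DxIF66Tcino, a mistyped host (it should be www.youtube.com); the same mistyped URL reappears where this row lands in a later hunk of this file, so fix it at the destination too. The exitmap issue link https://github.com/NullHypothesis/exitmap/issues/37 is listed twice in this region, and under Blogposts the '[De-Anonymizing Alt.Anonymous.Messages]' link is immediately followed by the same URL as a bare line; keep one of each.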
@ -48,14 +36,10 @@ https://www.onioncat.org/about-onioncat/
| Title | Link
| -------- | --------- |
| De-anonymizing facebook users through CSP | http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis
| Anonymouss Guide to OpSec | http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf
| Anonymous’s Guide to OpSec | http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf
| Cat Videos and the Death of Clear Text | https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/
[How to Spot a Spook](https://cryptome.org/dirty-work/spot-spook.htm)
### <a name="Papers">Papers</a>
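Review bot: if both the 'Anonymouss Guide to OpSec' and 'Anonymous’s Guide to OpSec' rows survive this hunk, drop the misspelled one, since both point at the same covert.io PDF. The '[How to Spot a Spook]' link sits directly under the table with no blank line, so some renderers will absorb it into the table as a broken row; add a blank line before it.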
@ -65,7 +49,7 @@ https://www.onioncat.org/about-onioncat/
| **Description**: Deep packet inspection DPI technologies provide much- needed visibility and control of network trac using port- independent protocol identi cation, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption FTE, which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer trac, and we experimentally show that this forces misidenti cation for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China.
|---|
| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** | **Link:** http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565& |
| **Description**: The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a users real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
| **Description**: The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** : http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&
| **Abstract:** We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.**
|---|
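Review bot: the row titled 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy (papers.ssrn.com, abstract_id=998565) appears twice in this hunk with two different descriptions, and neither matches the title: the first description is the abstract of a paper on web-based device fingerprinting (three browser-fingerprinting code providers, user-agent spoofing extensions), and the second ('We live in a surveillance state...') is about bulk surveillance and privacy-enhancing technologies. Attach each abstract to the paper it actually belongs to and keep one row for the SSRN link. Also, the DPI/format-transforming-encryption description has lost its 'fi' and 'fl' ligatures ('trac', 'identi cation', 'ow', 'arbi- trary'), so it should be re-pasted from the source, and the surveillance-state abstract ends with a stray '**' that leaves a bold marker unbalanced.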
@ -82,6 +66,7 @@ https://www.onioncat.org/about-onioncat/
| **Link:** https://www.youtube.com/watch?v=JTd5TL6_zgY
|**Description:** Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
[Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
@ -102,11 +87,12 @@ https://www.onioncat.org/about-onioncat/
| **The NSA: Capabilities and Countermeasures** - ShmooCon 2014 | https://www.youtube.com/watch?v=D5JA8Ytk9EI
| **Blinding The Surveillance State** - Christopher Soghoian - DEF CON 22 | https://www.youtube.com/watch?v=pM8e0Dbzopk
| **-------------**
| Client Identification Mechanisms | http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
| Can you track me now? - Defcon20 | https://wEww.youtube.com/watch?v=DxIF66Tcino
| **Phones and Privacy for Consumers** - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer) | http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html
[ Retail Surveillance / Retail Countersurveillance 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
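Review bot: the 'Phones and Privacy for Consumers' row has a second URL fused onto the end of its link (...-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html); the irongeek URL should end at 'deltaflyer', and the ritter.vg link already has its own entry under Blogposts earlier in this file. The '| **-------------**' line is not a table separator and renders as a row containing literal dashes; either remove it or end the table properly. The moved 'Can you track me now?' row still carries the mistyped host wEww.youtube.com.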
@ -119,6 +105,7 @@ https://www.onioncat.org/about-onioncat/
| **fteproxy** - fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems| https://fteproxy.org/about
| **Streisand** - Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.| https://github.com/jlund/streisand
[exitmap](https://github.com/NullHypothesis/exitmap)
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)

Draft/Attacking Defending Android -.md (+2, -0)

@ -50,6 +50,8 @@ https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knockin
http://nelenkov.blogspot.com
[Add Security Exception to APK](https://github.com/levyitay/AddSecurityExceptionAndroid)
### **<a name="AInternals">Android Internals</a>**
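Review bot: the added http://nelenkov.blogspot.com line is a bare URL with no title or description, unlike the neighbouring '[Add Security Exception to APK]' entry; give it a title in the same link form so readers know what it is before clicking.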


Draft/Attacking Defending iOS -.md (+1, -2)

@ -31,8 +31,6 @@
### <a name="harden">List of Hardening Guides for iOS</a>
| Title | Link |
@ -97,6 +95,7 @@
| **IODIDE - The IOS Debugger and Integrated Disassembler Environment** | https://github.com/nccgroup/IODIDE
| **Clutch** - Fast iOS executable dumper | https://github.com/KJCracks/Clutch
| **MEMSCAN - Dump iPhone app RAM** - A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use. | http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/
| **MEMSCAN - A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes. | https://github.com/hexploitable/MEMSCAN
| **IOS Reverse Engineering toolkit** | https://github.com/S3Jensen/iRET
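Review bot: the added MEMSCAN row opens bold with '**MEMSCAN - A memory scanning tool...' and never closes it, so the bold runs into the link cell; add the closing '**' after the title. It also duplicates the MEMSCAN row directly above (the cigital.com write-up); consider merging the two into one row that carries both the write-up and the GitHub link.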


Draft/Documentation & Reports -.md (+18, -8)

@ -1,9 +1,9 @@
##Documentation & Reporting
## Documentation & Reporting
####For writing technical documentation.
#### For writing technical documentation.
#####TOC
##### TOC
* [Writing](#writing)
* [Reports](#reports)
* [Collaboration Tools](#collab)
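Review bot: the missing space after the '#' characters was a real defect, not cosmetic: CommonMark and GitHub render '##Documentation & Reporting' as a paragraph rather than a heading, so this change is what makes the section titles and the TOC anchors render; the same fix is applied in the remaining hunks of this file and throughout the embedded-hardware file.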
@ -12,13 +12,15 @@
###<a name="writing">Writing</a>
### <a name="writing">Writing</a>
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
[A beginners guide to writing documentation](http://docs.writethedocs.org/writing/beginners-guide-to-docs/)
[Teach, Don’t Tell](http://stevelosh.com/blog/2013/09/teach-dont-tell/)
[How to Write Papers So People Can Read Them - Derek Dreyer](https://www.youtube.com/watch?v=L_6xoMjFr70)
Other Materials:
Three parter from jacobian.org:
@ -29,11 +31,13 @@ Three parter from jacobian.org:
[Writing Types of User Documentation](https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation0
[How to write a great research paper - Simon Peyton Jones](https://www.microsoft.com/en-us/research/academic-program/write-great-research-paper/)
[The 7 Rules for Writing World Class Technical Documentation](http://www.developer.com/tech/article.php/3848981/The-7-Rules-for-Writing-World-Class-Technical-Documentation.htm)
###<a name="reports">Writing Reports</a>
### <a name="reports">Writing Reports</a>
[Public penetration testing reports](https://github.com/juliocesarfort/public-pentesting-reports)
* Curated list of public penetration test reports released by several consulting firms and academic security groups
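Review bot: the '[Writing Types of User Documentation]' link is broken: its URL ends in 'User_Documentation0' and the closing ')' is missing, so the markdown link does not render; replace the trailing '0' with ')'.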
@ -46,6 +50,10 @@ Three parter from jacobian.org:
[Excellent blog post breaking down the various parts, a must read](http://wwwwebsecuritywatch.com/the-penetration-testing-report/)
[Teach Technical Writing in Two Hours per Week](http://www.cs.tufts.edu/~nr/pubs/two-abstract.html)
[Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
[Report Template from vulnerabilityassessment.co.uk](http://www.vulnerabilityassessment.co.uk/report%20template.html)
[Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)
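Review bot: the context line '[Excellent blog post breaking down the various parts, a must read]' points at http://wwwwebsecuritywatch.com/..., which is missing the dot after 'www'; since this hunk already touches the surrounding lines, fix the host while here.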
@ -61,7 +69,7 @@ Three parter from jacobian.org:
###<a name="meta">Meta</a>
### <a name="meta">Meta</a>
[What is Markdown?](http://daringfireball.net/projects/markdown/syntax)
[Using markdown](https://guides.github.com/features/mastering-markdown/)
@ -74,7 +82,7 @@ Three parter from jacobian.org:
###<a name="collab">Penetration Testing &/ Collaboration Tools</a>
### <a name="collab">Penetration Testing &/ Collaboration Tools</a>
[Kvasir](https://github.com/KvasirSecurity/Kvasir)
* Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:
@ -96,11 +104,13 @@ Three parter from jacobian.org:
###<a name="video">Video Recording</a>
### <a name="video">Video Recording</a>
[Open Broadcaster Software OBS](https://obsproject.com/)
* Open Broadcaster Software is free and open source software for video recording and live streaming.
* Cross Platform, Windows/OsX/Linux
### <a name="reading">Reading Papers</a>
[How I read a research paper](https://muratbuffalo.blogspot.com/2013/07/how-i-read-research-paper.html?m=1)

Draft/Embedded Device & Hardware Hacking -.md (+31, -25)

@ -2,7 +2,7 @@
https://en.wikipedia.org/wiki/Embedded_system
#####ToC
##### ToC
Cull
* [General](#general)
@ -36,13 +36,19 @@ Cull
http://www.sp3ctr3.me/hardware-security-resources/
http://greatscottgadgets.com/infiltrate2013/
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[Metasploit Hardware Brdige](https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix)
* [Hardware Bridge API](http://opengarages.org/hwbridge/)
#### end sort
###General
### General
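Review bot: 'Metasploit Hardware Brdige' in the added link title is a typo for 'Bridge'; the nested '[Hardware Bridge API]' bullet under it spells it correctly.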
@ -66,7 +72,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="routers">Attacking Routers</a>
### <a name="routers">Attacking Routers</a>
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
@ -102,7 +108,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="modem">Cable Modem Hacking</a>
### <a name="modem">Cable Modem Hacking</a>
[Docsis hacking](https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf)
[Hacking Docsis for fun and profit](https://www.defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf)
@ -122,7 +128,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="education">Educational</a>
### <a name="education">Educational</a>
[Hardware Hacking for Software People](http://dontstuffbeansupyournose.com/2011/08/25/hardware-hacking-for-software-people/)
[Glitching for n00bs - A journey to coax out chips' inner seccrets](http://media.ccc.de/browse/congress/2014/31c3_-_6499_-_en_-_saal_2_-_201412271715_-_glitching_for_n00bs_-_exide.html#video)
@ -152,7 +158,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="flash">Flash Memory</a>
### <a name="flash">Flash Memory</a>
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
@ -163,7 +169,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="iot">Internet of Things</a>
### <a name="iot">Internet of Things</a>
[Smart Nest Thermostat A Smart Spy in Your Home](https://www.youtube.com/watch?v=UFQ9AYMee_Q)
[A Primer on IoT Security Research](https://community.rapid7.com/community/infosec/blog/2015/03/10/iot-security-research-whats-it-take)
@ -175,7 +181,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="gentools">General Tools(Software & Hardware)</a>
### <a name="gentools">General Tools(Software & Hardware)</a>
[FCC ID Lookup](http://transition.fcc.gov/oet/ea/fccid/)
* Lookup devices according to FCC ID
@ -188,7 +194,7 @@ http://greatscottgadgets.com/infiltrate2013/
* JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.
###<a name="generalhw">General Hardware Hacking</a>
### <a name="generalhw">General Hardware Hacking</a>
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
@ -208,7 +214,7 @@ http://greatscottgadgets.com/infiltrate2013/
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackblox secure memory card.
###<a name="misc">Miscellaneous</a>
### <a name="misc">Miscellaneous</a>
[Project bdp](http://www.malcolmstagg.com/bdp-s390.html)
* This is a project to modify the Sony Blu-ray BDP firmware. It started out with only the BDP-S390, but has branched out to include other players and a variety of goals, including removing Cinavia and obtaining Region-Free.
@ -225,7 +231,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="pci">PCI</a>
### <a name="pci">PCI</a>
[Inception](https://github.com/carmaa/inception)
@ -238,7 +244,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="USB">USB</a>
### <a name="USB">USB</a>
[USBProxy](https://github.com/dominicgs/USBProxy)
* A USB man in the middle device using USB On-The-Go, libUSB and gadgetFS
@ -250,7 +256,7 @@ http://greatscottgadgets.com/infiltrate2013/
###<a name="dropbox">Pentesting Drop Boxes</a>
### <a name="dropbox">Pentesting Drop Boxes</a>
Minipwner
@ -265,7 +271,7 @@ http://www.instructables.com/id/MyLittlePwny-Make-a-self-powered-pentesting-box-
https://github.com/pwnieexpress/raspberry_pwn
###<a name="teensy">Teensy/Rubbery Ducky Style Attacks/Etc</a>
### <a name="teensy">Teensy/Rubbery Ducky Style Attacks/Etc</a>
[USB teensy attack set OSX](http://samy.pl/usbdriveby/)
@ -279,13 +285,13 @@ https://github.com/pwnieexpress/raspberry_pwn
###<a name="sdcard">SD Cards</a>
### <a name="sdcard">SD Cards</a>
[The Exploration and Exploitation of an SD Memory Card](https://www.youtube.com/watch?v=Tj-zI8Tl218)
* This talk demonstrates a method for reverse engineering and loading code into the microcontroller within a SD memory card.
###<a name="writeups">Tutorials/Walkthroughs/Write-ups</a>
### <a name="writeups">Tutorials/Walkthroughs/Write-ups</a>
[Methodologies for Hacking Embedded Security Appliances](https://media.blackhat.com/us-13/US-13-Bathurst-Methodologies-for-Hacking-Embdded-Security-Appliances-Slides.pdf)
@ -311,7 +317,7 @@ https://github.com/pwnieexpress/raspberry_pwn
###<a name="usb">USB</a>
### <a name="usb">USB</a>
[USB in a Nutshell](http://www.beyondlogic.org/usbnutshell/usb1.shtml)
* Great explanation of the USB standard in depth
@ -326,11 +332,11 @@ https://github.com/pwnieexpress/raspberry_pwn
* USB is used in almost every computing device produced in recent years. In addition to well-known usages like keyboard, mouse, and mass storage, a much wider range of capabilities exist such as Device Firmware Update, USB On-The-Go, debug over USB, and more. What actually happens on the wire? Is there interesting data we can observe or inject into these operations that we can take advantage of? In this talk, we will present an overview of USB and its corresponding attack surface. We will demonstrate different tools and methods that can be used to monitor and abuse USB for malicious purposes.
BadUSB
[Slides](https://srlabs.de/blog/wp-content/uploads/2014/11/SRLabs-BadUSB-Pacsec-v2.pdf)
[Video](https://www.youtube.com/watch?v=nuruzFqMgIw)
[Code - Psychson](https://github.com/adamcaudill/Psychson)
[Media Transfer Protocol and USB device Research](http://nicoleibrahim.com/part-1-mtp-and-ptp-usb-device-research/)
##### BadUSB
* [Slides](https://srlabs.de/blog/wp-content/uploads/2014/11/SRLabs-BadUSB-Pacsec-v2.pdf)
* [Video](https://www.youtube.com/watch?v=nuruzFqMgIw)
* [Code - Psychson](https://github.com/adamcaudill/Psychson)
* [Media Transfer Protocol and USB device Research](http://nicoleibrahim.com/part-1-mtp-and-ptp-usb-device-research/)
[USB Device Class Specifications - Official Site](http://www.usb.org/developers/docs/devclass_docs/)
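Review bot: turning the BadUSB block into a '##### BadUSB' heading with a bulleted list is an improvement, but the last bullet, '[Media Transfer Protocol and USB device Research]', is a separate MTP/PTP write-up rather than BadUSB material, and listing it under the heading presents it as part of that work; move it back out to its own line.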
@ -344,15 +350,15 @@ BadUSB
* This project's goal is to turn PS2303-based USB flash drive into a cheap USB 3.0 development platform (i.e. fast USB 3.0 to FPGA bridge).
###SIM Cards
### SIM Cards
[Rooting SIM cards](https://www.youtube.com/watch?v=BR0yWjQYnhQ)
[The Secret Life of SIM Cards - Karl Koscher/Eric Butler](https://www.youtube.com/watch?v=_-nxemBCcmU)
###<a name="smartcard"Smartcards</a>
### <a name="smartcard"Smartcards</a>
[An analysis of the vulnerabilities introduced with Java Card 3 Connected Edition](http://www.ma.rhul.ac.uk/static/techrep/2013/MA-2013-04.pdf)
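Review bot: the Smartcards anchor is still malformed after this change: '<a name="smartcard"Smartcards</a>' lacks the '>' that closes the opening tag, so the anchor does not render and a '#smartcard' TOC link will not resolve; it should read '<a name="smartcard">Smartcards</a>'.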


Draft/Exploit Development.md (+176, -240)

@ -15,25 +15,25 @@ TOC
* [Anti-Fuzzing](#antifuzz)
* [ASM Stuff](#asm)
* [Exploit dev](#exploitdev)
..* [Tutorials](#tutorials)
..* [Writing Shellcode](#shellcode)
..* [Windows Specific](#winspec)
..* [Linux Specific](#linuxspec)
..* [Obfuscation](#obfus)
..* [Bypassing Exploit Protections](#bypass)
..* [Presentations](#presentation)
..* [Tools](#tools)
* [Debuggers](#debug)
* [Disassemblers](#dissa)
..* [Papers](#dispapers)
..* [Buffer Overflows](#overflow)
..* [Return-into-lib / Return oriented programming](#rop)
..* [Heap Exploitation](#heap)
..* [Format String Exploitation](#format)
..* [Integer Overflows](#int)
..* [Null Pointer De-Reference](#null)
..* [JIT Heap Spraying](#jitheap)
..* [ASLR](#aslr)
* [Tutorials](#tutorials)
* [Writing Shellcode](#shellcode)
* [Windows Specific](#winspec)
* [Linux Specific](#linuxspec)
* [Obfuscation](#obfus)
* [Bypassing Exploit Protections](#bypass)
* [Presentations](#presentation)
* [Tools](#tools)
* [Debuggers](#debug)
* [Disassemblers](#dissa)
* [Papers](#dispapers)
* [Buffer Overflows](#overflow)
* [Return-into-lib / Return oriented programming](#rop)
* [Heap Exploitation](#heap)
* [Format String Exploitation](#format)
* [Integer Overflows](#int)
* [Null Pointer De-Reference](#null)
* [JIT Heap Spraying](#jitheap)
* [ASLR](#aslr)
* [Exploit Writeups](#writeups)
* [Finding Vulnerabilities](#finding)
* [Papers](#papers)
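Review bot: replacing the '..* ' prefixes with plain '* ' flattens the TOC: the items from Tutorials through ASLR were meant as sub-entries of 'Exploit dev' and 'Disassemblers', and after this change they render at the same level as those headings. The original '..*' was never valid markdown either; indent the sub-items (two or four spaces before '*') so the hierarchy survives.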
@ -59,174 +59,11 @@ TOC
####Sort:
#### Sort:
https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf
[Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
[The Chakra Exploit and the Limitations of Modern Mitigation Techniques](https://www.endgame.com/blog/chakra-exploit-and-limitations-modern-mitigation-techniques)
*
http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf
[SideStep](https://github.com/codewatchorg/SideStep)
* SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-1.html
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-2.html
https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf
https://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf
[Shellcode without Sockets](https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440)
http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf
[X86 Shellcode Obfuscation - Part 1 - breakdev.org](https://breakdev.org/x86-shellcode-obfuscation-part-1/)
https://blog.coresecurity.com/2016/06/28/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects/
[Embedding reverse shell in .lnk file or Old horse attacks](http://onready.me/old_horse_attacks.html)
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/
[pwndbg - Making debugging suck less](https://github.com/zachriggle/pwndbg)
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
[Introduction to Return Oriented Programming (ROP) - ketansingh.net](https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/)
[Differential Slicing: Identifying Causal Execution Diffe
rences for
Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oakland11.pdf)
[INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
[Crafting Mac OS Rootkits](https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf)
https://github.com/NoviceLive/bintut
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf
https://github.com/Vector35/binaryninja-python/blob/master/readme.md
https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/
https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/
https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf
[binjitsu](https://github.com/binjitsu/binjitsu/)
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy | https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
| ** Dangerous Clipboard: Analysis of the MS15-072 Patch ** | http://blog.talosintel.com/2015/10/dangerous-clipboard.html?m=1
| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
| **Kaspersky Hooking Engine Analysis** | https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
PwnAdventureZ
https://github.com/Vector35/PwnAdventureZ
NES zombie survival game made to be hacked
Win32 Assembly Components - Last Stage of Delirium Research Group
http://www.bandwidthco.com/whitepapers/programming/asm/Win32%20Assembly%20Components.pdf
fREedom - capstone based disassembler for extracting to binnavi
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
Counterfeit Object-oriented Programming
http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf
Understanding JIT Spray
http://blog.cdleary.com/2011/08/understanding-jit-spray/
A Crash Course on the Depths of Win32™ Structured Exception Handling
https://www.microsoft.com/msj/0197/exception/exception.aspx
Meterpreter Payload Stage 1 with Obsfuscation and Evasion
https://github.com/lockfale/meterpreterjank
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
Art of Picking Intel Registers
http://www.swansontec.com/sregisters.html
Windows Kernel Exploitation 101 : Exploiting CVE - 2014 - 4113
https://www.exploit-db.com/docs/39665.pdf
Return into Lib(C) Theory Primer(Security-Tube)
http://www.securitytube.net/video/257
Intro to Windows kernel exploitation 1/N: Kernel Debugging
https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/
Pwning Adobe Reader with XFA
http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf
ShellSploit
https://github.com/b3mb4m/shellsploit-framework
EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE
https://www.exploit-db.com/docs/39658.pdf
https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/
A New CVE-2015-0057 Exploit Technology
https://www.exploit-db.com/docs/39660.pdf
BinTut https://github.com/NoviceLive/bintut
Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
https://www.usenix.org/system/files/login/articles/105516-Schwartz.pdf
An Introduction to Debugging the Windows Kernel with WinDbg
http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/
Structured Exception Handling - TechNet
https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx
[Jump-Oriented Programming: A New Class of Code-Reuse](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf)
[OneRNG](http://moonbaseotago.com/onerng/theory.html)
[The Danger of Unrandomized Code](https://www.usenix.org/system/files/login/articles/105516-Schwartz.pdf)
Finding Opcodes
Methods of finding opcodes:
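Review bot: three entries removed from this cull block do not reappear in any hunk shown for this commit: the binaryninja-python readme (github.com/Vector35/binaryninja-python), Sean Heelan's "tracking down heap overflows with rr" post, and Schwartz's "The Danger of Unrandomized Code" (usenix 105516-Schwartz.pdf), which the old block listed twice, once as a bare URL and once with a title. Confirm they were re-homed rather than lost in the cleanup. The Corelan "root cause analysis - memory corruption vulnerabilities" article is also listed twice in this block with an identical URL, so only one copy needs to be kept when it moves.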
@ -235,33 +72,21 @@ metasploit opcode DB
memdump
pvefindaddr - mona.py
Corelan Exploit Series: https://www.corelan.be/index.php/articles/
[Vulnserver](http://www.thegreycorner.com/2010/12/introducing-vulnserver.html)
* I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.
[jmp2it](https://github.com/adamkramer/jmp2it)
This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out
[Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)
* Miscellaneous tools written in Python, mostly centered around shellcodes.
..* bin2py: Embed binary files into Python source code.
..* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
[BMP / x86 Polyglot](https://warroom.securestate.com/bmp-x86-polyglot/)
[Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
Corelan Exploit Series
#### end sort
[BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
### General Videos/Presentations(that aren't
[Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
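Review bot: "Corelan Exploit Series" is listed twice in this block, once with its URL ("Corelan Exploit Series: https://www.corelan.be/index.php/articles/") and once as a bare title with no link; drop the bare one. Zhang's "Bypass Control Flow Guard Comprehensively" whitepaper is parked under the "#### end sort" marker even though this same commit builds an "AV Bypass / Bypassing Exploit Protections/Mitigations" section later in the file, which already holds the other CFG material ("Exploring Control-Flow-Guard in Windows10", "Disarming Control Flow Guard Using Advanced Code Reuse Attacks"); move it there instead of leaving it unsorted.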
@ -272,45 +97,61 @@ This will allow you to transfer EIP control to a specified offset within a file
### <a name="general">General Techniques/ Tricks</a>
[Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[Using ARM Inline Assembly and Naked Functions to fool Disassemblers](http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/#sthash.Gt6f7f7y.4pLres53.sfju)
[Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14](https://www.youtube.com/watch?v=Sl1Sru3OwJ4)
[Shellcode without Sockets](https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440)
### General Videos/Presentations(that aren't
[Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
[Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
[Art of Picking Intel Registers](http://www.swansontec.com/sregisters.html)
[EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE](https://www.exploit-db.com/docs/39658.pdf)
[Jump-Oriented Programming: A New Class of Code-Reuse](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf)
[Return-Oriented Programming without Returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf)
### <a name="general">General Techniques/ Tricks</a>
[Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[Using ARM Inline Assembly and Naked Functions to fool Disassemblers](http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/#sthash.Gt6f7f7y.4pLres53.sfju)
### General Stuff that I can't decide where else to put
[Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14](https://www.youtube.com/watch?v=Sl1Sru3OwJ4)
[Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
[Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
[jmp2it](https://github.com/adamkramer/jmp2it)
This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out
[PwnAdventureZ](https://github.com/Vector35/PwnAdventureZ)
* NES zombie survival game made to be hacked
[OneRNG](http://moonbaseotago.com/onerng/theory.html)
[Differential Slicing: Identifying Causal Execution Differences for Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oakland11.pdf)
[BMP / x86 Polyglot](https://warroom.securestate.com/bmp-x86-polyglot/)
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
### <a name="oldsoft">Acquiring Old/Vulnerable Software</a>
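Review bot: the heading "### General Videos/Presentations(that aren't" is cut off mid-phrase in the new layout; finish it (for example "(that aren't tutorials)") or shorten it to "General Videos/Presentations". In the new "General Stuff that I can't decide where else to put" block, the RAP entry keeps `| **RAP: RIP ROP ...** | url` table-row syntax among plain markdown links, the jmp2it description line has no `* ` bullet like the others, and the evilsocket URL carries a `#sthash.Gt6f7f7y.4pLres53.sfju` ShareThis tracking fragment that should be stripped. "Shellcode without Sockets" (0x00sec) appears in the old "General Techniques/ Tricks" block but not in the replacement; check it was kept. The osdev "Stack Smashing Protector" page is a mitigation reference and belongs with the canary material ("Linux GLibC Stack Canary Values") rather than in the undecided pile.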
@ -366,16 +207,16 @@ This will allow you to transfer EIP control to a specified offset within a file
[ BISC: Borrowed Instructions Synthetic Computation](https://github.com/trailofbits/bisc)
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation training course.
#####Originally from a randomly linked Pastebin (if you made this, thank you so much; I've now added onto it and changed it from what it originally was. [Original Page](http://pastebin.com/aqGvjhgB) I've kept the original creator's note as I feel it is highly relevant and aligns with my goal)
[Introduction to Return Oriented Programming (ROP) - ketansingh.net](https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/)
* "My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar"
##### Originally from (originally a pastebin link, which had been modified from a persons personal page, i believe it may have been an r2 dev?) If you made this, thank you so much; I've now added onto it and changed it from what it originally was. I've kept the original creator's note as I feel it is highly relevant and aligns with my goal)
* "yM intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar"
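Review bot: the rewritten attribution introduces a typo, `* "yM intention` for "My intention", and puts a `* ` bullet on only the first line of the quote while "I have tried to order..." and "- sar" stay as loose lines, so the quote renders as a bullet followed by a detached paragraph; keep all three lines at one indentation or use a `>` block quote. The new heading also drops the link to the original pastebin (http://pastebin.com/aqGvjhgB) that the old heading carried; keep the URL so the provenance stays checkable, and "a persons personal page" needs the apostrophe ("a person's").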
@ -434,7 +275,7 @@ I have tried to order the articles by technique and chronology.
* [Exploiting the wilderness, Phantasmal Phantasmagoria, 2004](http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html)
*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt)
* [Yet another free() exploitation technique, huku, 2009](http://www.phrack.com/issues.html?issue=66&id=6)
* [Heap Feng Shui in JavaScript](https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf)
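Review bot: the neighbouring Malloc Maleficarum entry (`*[Malloc Maleficarum, ...`) has no space after the asterisk, so it renders as literal text instead of a list item; fix it while editing this list. The new Heap Feng Shui line would also fit the list's `* [Title, Author, Year](url)` convention as `* [Heap Feng Shui in JavaScript, Alexander Sotirov, 2007](...)`, since it is the Black Hat USA 2007 whitepaper the cull block removed as a bare URL.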
@ -494,11 +335,11 @@ I have tried to order the articles by technique and chronology.
* [Pointer inference and JIT-Spraying, Dion Blazakis, 2010](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010](http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf)
[INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
[Understanding JIT Spray](http://blog.cdleary.com/2011/08/understanding-jit-spray/)
[Writing JIT-Spray Shellcode For Fun And Profit](https://packetstormsecurity.com/files/86975/Writing-JIT-Spray-Shellcode-For-Fun-And-Profit.html)
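Review bot: the added "INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING" line points at exactly the same PDF as the existing "Pointer inference and JIT-Spraying, Dion Blazakis, 2010" entry two lines above (semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf), and the packetstorm "Writing JIT-Spray Shellcode For Fun And Profit" line is a second mirror of Sintsov's paper already linked from dsecrg.com; keep one entry each, with the mirror noted inline if the dsecrg host is unreliable.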
@ -624,7 +465,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
### <a name="bypass">Bypassing Exploit Protections/Mitigations</a>
### <a name="bypass">AV Bypass / Bypassing Exploit Protections/Mitigations</a>
[Exploring Control-Flow-Guard in Windows10](http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf)
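Review bot: renaming the section to "AV Bypass / Bypassing Exploit Protections/Mitigations" merges two different problems under the one `bypass` anchor: evading a security product's signatures and hooks (SideStep, the Muts AV-bypass talk and the Kaspersky hooking-engine analysis moved in below) versus defeating in-process mitigations such as DEP, ASLR, CFG and SEHOP. Give AV evasion its own sub-heading and anchor (e.g. `avbypass`) so the TOC can point at each, and check the TOC entry still matches the new heading text.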
@ -677,17 +518,15 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Bypassing PatchGuard on Windows x64](http://uninformed.org/?v=all&a=14&t=sumry)
* The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
[SideStep](https://github.com/codewatchorg/SideStep)
* SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy | https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
| **Kaspersky Hooking Engine Analysis** | https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
[Disarming Control Flow Guard Using Advanced Code Reuse Attacks](https://www.endgame.com/blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks)
[X86 Shellcode Obfuscation - Part 1 - breakdev.org](https://breakdev.org/x86-shellcode-obfuscation-part-1/)
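Review bot: the two moved entries ("Muts Bypassing AV in Vista/Pissing all over your AV" and "Kaspersky Hooking Engine Analysis") keep `| **title** | url` table-row syntax in a block of `[title](url)` links; with no table header row the pipes render as literal text. Convert them to the link form, and the parenthetical "listed here as it was a bitch finding a live copy" reads better as "(web.archive.org copy; the original shmoocon.org link is dead)".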
@ -743,8 +582,11 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Cheating the ELF - Subversive Dynamic Linking to Libraries](http://www.cs.dartmouth.edu/~sergey/cs108/2010/subversiveld.pdf)
[Return into Lib(C) Theory Primer(Security-Tube)](http://www.securitytube.net/video/257)
[Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
[Linux GLibC Stack Canary Values](https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/)
@ -755,12 +597,18 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
### <a name="winspec">Windows Specific</a>
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
[An Introduction to Debugging the Windows Kernel with WinDbg](http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/)
### <a name="winspec">Windows Specific</a>
[Windows Kernel Exploitation 101 : Exploiting CVE - 2014 - 4113](https://www.exploit-db.com/docs/39665.pdf)
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
[Writing Exploits for Win32 Systems from Scratch](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
[Windows DLL-Injection basics](http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html)
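Review bot: "Getting Started with WindDbg Series" misspells WinDbg, and the line is a bare heading for a series of which only part 1 is linked; either link the series index or fold it into the part 1 entry. The old block's "An Introduction to Debugging the Windows Kernel with WinDbg" (contextis.com) does not appear in the replacement block; check it was moved rather than dropped. Placing the CVE-2014-4113 walkthrough above "A Brief History of Exploit Techniques and Mitigations on Windows" also puts the case study before the overview; the overview reads better first.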
@ -790,17 +638,38 @@ https://www.exploit-db.com/docs/18482.pdf
[Reliable Windows Heap Exploits](http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf)
[Vulnserver](http://www.thegreycorner.com/2010/12/introducing-vulnserver.html)
* I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.
####SEH/SE-HOP Defeat/Bypass
[WinAPI for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
[Reliable Windows Heap Exploits](http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf)
Great Writeup/Example of SEH Bypass
http://www.primalsecurity.net/0x3-exploit-tutorial-buffer-overflow-seh-bypass/
SEH Overwrites Simplified v1.01
http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
#### SEH/SE-HOP Defeat/Bypass
[Bypassing SEHOP](https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf)
[Great Writeup/Example of SEH Bypass](http://www.primalsecurity.net/0x3-exploit-tutorial-buffer-overflow-seh-bypass/)
[SEH Overwrites Simplified v1.01](http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf)
[(SEH Bypass)Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server.](https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf)
[A Crash Course on the Depths of Win32™ Structured Exception Handling](https://www.microsoft.com/msj/0197/exception/exception.aspx)
[Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
[Win32 Assembly Components - Last Stage of Delirium Research Group](http://www.bandwidthco.com/whitepapers/programming/asm/Win32%20Assembly%20Components.pdf)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/)
[Structured Exception Handling - TechNet](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx)
[Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass ](https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf)
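Review bot: "Reliable Windows Heap Exploits" (xcon.xfocus.org, SHOK) ends up twice in the result, once above the Vulnserver entry and again right after "WinAPI for Hackers"; drop one. Under the new "#### SEH/SE-HOP Defeat/Bypass" sub-heading, "Intro to Windows kernel exploitation 1/N: Kernel Debugging" and "Win32 Assembly Components" are not about SEH and belong in the general Windows list above it, and the sub-heading should spell it "SEHOP" as Microsoft's own post linked here does ("Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP").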
@ -874,7 +743,27 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
[Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
Check out the 'Reverse Engineering" Section's Tools list for a lot of useful tools that aren't listed here.
@ -901,11 +790,26 @@ Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push
[Using Binwally](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
[Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)
* Miscellaneous tools written in Python, mostly centered around shellcodes.
..* bin2py: Embed binary files into Python source code.
..* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
[binjitsu](https://github.com/binjitsu/binjitsu/)
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
[Meterpreter Payload Stage 1 with Obsfuscation and Evasion](https://github.com/lockfale/meterpreterjank)
[pwndbg - Making debugging suck less](https://github.com/zachriggle/pwndbg)
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
[ShellSploit](https://github.com/b3mb4m/shellsploit-framework)
[fREedom - capstone based disassembler for extracting to binnavi](https://github.com/cseagle/fREedom)
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
[Setting up fREedom and BinNavi](https://summitroute.com/blog/2015/12/31/setting_up_freedom_and_binnavi/)
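Review bot: the Shellcode_Tools sub-bullets use `..*`, which is not markdown nesting and renders as literal "..*"; indent them with two spaces under the parent bullet. The fREedom description line has no `* ` bullet like its neighbours, "Obsfuscation" in the meterpreterjank entry is a typo for "Obfuscation", and Shellcode_Tools is added again under Frameworks in this same commit; keep it in one place.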
@ -984,7 +888,7 @@ Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push
* HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
* [Paper](http://roberto.greyhats.it/pubs/ase10.pdf)
###<a name="framework">Frameworks</a>
### <a name="framework">Frameworks</a>
[Bowcaster Exploit Development Framework](https://github.com/zcutlip/bowcaster)
* This framework, implemented in Python, is intended to aid those developing exploits by providing useful set of tools and modules, such as payloads, encoders, connect-back servers, etc. Currently the framework is focused on the MIPS CPU architecture, but the design is intended to be modular enough to support arbitrary architectures.
@ -995,6 +899,10 @@ Metasploit
* This is the CTF framework used by Gallopsled in every CTF.
[Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)
* Miscellaneous tools written in Python, mostly centered around shellcodes.
..* bin2py: Embed binary files into Python source code.
..* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
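Review bot: this is the second copy of the Shellcode_Tools entry added in this commit (the other went into the Tools section above), with the same `..*` pseudo-nesting; a two-script shellcode utility belongs in Tools rather than beside pwntools under Frameworks, so drop this copy.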
@ -1095,6 +1003,34 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
[The Chakra Exploit and the Limitations of Modern Mitigation Techniques](https://www.endgame.com/blog/chakra-exploit-and-limitations-modern-mitigation-techniques)
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
[Pwning Adobe Reader with XFA](http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf)
[A New CVE-2015-0057 Exploit Technology](https://www.exploit-db.com/docs/39660.pdf)
| ** Dangerous Clipboard: Analysis of the MS15-072 Patch ** | http://blog.talosintel.com/2015/10/dangerous-clipboard.html?m=1
[Exploiting Memory Corruption Vulnerabilities in the Java Runtime](https://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf)
[MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects](https://www.coresecurity.com/blog/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects)
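Review bot: the "Dangerous Clipboard: Analysis of the MS15-072 Patch" line keeps table-row syntax, and the spaces inside the bold markers (`** Dangerous ... **`) mean it renders neither as a table row nor as bold; rewrite it as `[Dangerous Clipboard: Analysis of the MS15-072 Patch](http://blog.talosintel.com/2015/10/dangerous-clipboard.html)` and drop the `?m=1` mobile query string. "Advanced PDF Tricks" (TROOPERS15 video) and "Pandora's Cash Box" (RECON2015 slides) are conference talks rather than exploit write-ups like the Chakra, XNU and MS16-039 entries around them; the videos/presentations section created earlier in this commit is the better home for them.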


+8 -0 Draft/Interesting Things Useful stuff.md

@ -38,6 +38,14 @@ http://www.securitywizardry.com/radar.htm
#### To Sort
[Make It Count Progressing through Pentesting - Bálint Varga-Perke -Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
[The Art of Explanation: Behavioral Models of InfoSec - Kelly Shortridge](https://www.youtube.com/embed/UdZDlt2dlqM?)
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
[Alexsey’s TTPs](https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551#.y2krgov7t)
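Review bot: the scanless description ("have it not come from your IP address") overstates what the tool buys you: the scanning website sees both your IP and the target, and the target sees the website's IP, so the scan is re-attributed to and logged by a third party rather than made anonymous. Worth a one-line caveat, and on an engagement the client should know a third-party scanner is being pointed at their hosts. Also strip the `#.y2krgov7t` tracking fragment from the Medium URL and use the plain watch URL instead of the `/embed/...?` form for the Shortridge talk.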


+1 -1 Draft/Lockpicking -.md

@ -20,7 +20,7 @@ http://www.keypicking.com/
[A newbies guide to safes, both opening and using](https://www.reddit.com/r/WhatsInThisThing/comments/1gm6uk/a_newbies_guide_to_safes_both_opening_and_using/)
[ Jos Weyers – Lock Impressioning](https://www.youtube.com/watch?v=JcNc1BVaCE0)
###General Information
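Review bot: `###General Information` has no space after the hashes, so CommonMark renderers (GitHub included) show it as literal text rather than a heading; this commit fixes the same pattern in Reverse Engineering.md and Rootkits.md, so fix it here too while the file is open.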


+2 -24 Draft/Open Source Intelligence.md

@ -9,30 +9,8 @@
[Developing a Open Source Threat Intelligence Program—Edward McCabe](http://www.irongeek.com/i.php?page=videos/circlecitycon2014/105-developing-a-open-source-threat-intelligence-program-edward-mccabe)
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geeks struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
[NameCheck](https://www.namecheck.com)
* Search usernames across multiple services/domain registries
https://github.com/gojhonny/InSpy
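Review bot: the InSpy line is a bare URL with no title or description, unlike the NameCheck entry added just above it; give it the same `[InSpy](url)` plus one-line description form (its GitHub description, a LinkedIn enumeration tool, would do). This hunk also drops 24 lines that the rendered view does not show, so the removed OSINT entries cannot be reviewed here.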


+5 -1 Draft/Privilege Escalation & Post-Exploitation.md

@ -24,11 +24,13 @@
#### CULL
[Inveigh](https://github.com/Kevin-Robertson/Inveigh)
* Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://odzhan.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/
[Command and Control Using Active Directory](http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/)
https://warroom.securestate.com/index.php/dll-injection-part-2-createremotethread-and-more/
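Review bot: the odzhan "dllpic-injection-on-windows-from-wow64-process" and warroom "dll-injection-part-2-createremotethread-and-more" lines are bare URLs in a block where the harmj0y entry uses `[title](url)`; give them titles too. They are also DLL-injection material, so they pair with the "Crash Course in DLL Hijacking" and "Detecting DLL Hijacking on Windows" lines added further down in this file rather than with Inveigh and AD-based C2.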
@ -50,6 +52,8 @@ http://www.leonteale.co.uk/decrypting-windows-2008-gpp-user-passwords-using-gppr
http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html
http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
[Detecting DLL Hijacking on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)
##### end sort
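Review bot: the two DLL-hijacking entries are appended directly under the Group Policy Preferences password links (leonteale, carnal0wnage, securestate), which are themselves bare URLs, just before the "##### end sort" marker; put them under their own sub-heading, together with the WoW64 and CreateRemoteThread injection links from the CULL block above, so the GPP material and the DLL material do not read as one list.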


+2 -2 Draft/Reverse Engineering.md

@ -435,7 +435,7 @@ programming environment.
[Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)
###<a name="guide">Guides & Tutorials</a>
### <a name="guide">Guides & Tutorials</a>
[How to RE data files?](https://www.reddit.com/r/ReverseEngineering/comments/l8ac0/how_to_re_data_files/)
* Good read over.
@ -493,7 +493,7 @@ Part 6: http://cybergibbons.com/uncategorized/reverse-engineering-a-wireless-bur
Part 7: http://cybergibbons.com/uncategorized/reverse-engineering-a-wireless-burglar-alarm-part-7/
Part 8: http://cybergibbons.com/uncategorized/reverse-engineering-a-wireless-burglar-alarm-part-8/
###<a name="talks">Talks & Videos</a>
### <a name="talks">Talks & Videos</a>
[The Three Billion Dollar App - Vladimir Wolstencroft -Troopers14](https://www.youtube.com/watch?v=5Duc-uUFzoU)
* Talk about reverse engineering SnapChat and Wickr Messaging apps.


+10 -9 Draft/Rootkits.md

@ -1,4 +1,4 @@
##Rootkits
## Rootkits
Windows Rootkits(excellent writeup/introduction to windows rootkits)
@ -7,10 +7,9 @@ Windows Rootkits(excellent writeup/introduction to windows rootkits)
* [Part 3](http://www.programdevelop.com/5408212/)
TOC
Cull
### TOC
* Cull
* [Developing](#dev)
* [Identifying/Defending](#id)
* [Writeups](#writeups)
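Review bot: the TOC's first entry "* Cull" is plain text while the others are `[Developing](#dev)`-style links, and the "### Cull" heading below it has no `<a name=...>` anchor to link to; either add the anchor and link it, or drop Cull from the TOC, since it is a working pile rather than a section readers navigate to.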
@ -19,7 +18,7 @@ Cull
* [Papers](#papers)
###Cull
### Cull
[Analyzing the Jynx rootkit and the LD-Preload technique](http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html)
@ -40,6 +39,8 @@ https://github.com/rrbranco/Troopers2015
* Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.
[Crafting Mac OS Rootkits](https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf)
[Pitfalls of virtual machine introspection on modern hardware](https://www.acsac.org/2014/workshops/mmf/Tamas%20Lengyel-Pitfalls%20of%20virtual%20machine%20introspection%20on%20modern%20hardware.pdf)
[A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
@ -65,7 +66,7 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
###<a name="dev">Developing</a>
### <a name="dev">Developing</a>
[Android Rootkit](https://github.com/hiteshd/Android-Rootkit)
[Masochist](https://github.com/squiffy/Masochist)
* Masochist is a framework for creating XNU based rootkits. Very useful in OS X and iOS security research.
@ -77,7 +78,7 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
###<a name="id">Identifiying/Defending</a>
### <a name="id">Identifiying/Defending</a>
[Killing Rootkits](http://blog.ioactive.com/2014/09/killing-rootkit.html)
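Review bot: the heading fix keeps the "Identifiying" misspelling; the anchor is `id`, so the visible text can be corrected to "Identifying/Defending" without breaking the TOC link.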
@ -102,7 +103,7 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
[Advanced Bootkit Techniques on Android](http://www.syscan360.org/slides/2014_EN_AdvancedBootkitTechniquesOnAndroid_ChenZhangqiShendi.pdf)
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
[UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
@ -132,7 +133,7 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[A Catalog of Windows Local Kernel-mode Backdoors](http://uninformed.org/?v=all&a=35&t=sumry)
* This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.


+ 11
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -44,6 +44,10 @@ https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-strea
[Windows Filtering Platform: Persistent state under the hood](http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html)
[What registry entries are needed to register a COM object.](https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-are-needed-to-register-a-com-object/)
[Minimal COM object registration](https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-registration/)
https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/
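Review bot: the new `https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/` line is a bare URL dropped between the two COM registration entries, while every other entry in this hunk uses the file's `[Title](url)` form with an optional `* description` bullet. Give it a title (for example `[Recovering BitLocker keys on Windows 8.1 and 10](https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/)`) and a one-line description, and consider whether it belongs next to the COM entries or under a BitLocker/disk-encryption grouping, since a reader scanning the COM material will not expect a key-recovery reference there.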
@ -81,6 +85,13 @@ http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
### <a name="Winternals">Windows Internals</a>
[What is a DLL?](https://support.microsoft.com/en-us/help/815065/what-is-a-dll)
* This article describes what a dynamic link library (DLL) is and the various issues that may occur when you use DLLs. Then, this article describes some advanced issues that you should consider when you develop your own DLLs. In describing what a DLL is, this article describes dynamic linking methods, DLL dependencies, DLL entry points, exporting DLL functions, and DLL troubleshooting tools.
[Run-Time Dynamic Linking](https://msdn.microsoft.com/en-us/library/ms685090.aspx)
[Thread Local Storage](https://msdn.microsoft.com/en-us/library/ms686749.aspx)
[theForger's Win32 API Programming Tutorial](http://www.winprog.org/tutorial/)
[About Processes and Threads](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681917%28v=vs.85%29.aspx)


+ 152
- 0
Draft/Things added since last update.md View File

@ -0,0 +1,152 @@
### Things added since last update:
[Abusing Google App Scripting Through Social Engineering](http://www.redblue.team/2017/02/abusing-google-app-scripting-through.html)
[WHID Injector: an USB-Rubberducky/BadUSB on Steroids](https://whid-injector.blogspot.lt/2017/04/whid-injector-how-to-bring-hid-attacks.html)
[OnionScan](https://github.com/s-rah/onionscan)
* [What OnionScan Scans for](https://github.com/s-rah/onionscan/blob/master/doc/what-is-scanned-for.md)
[Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
* demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler
[Active Directory Design Best Practices](https://krva.blogspot.com/2008/04/ad-design-best-practices.html)
[I'm In Your $PYTHONPATH, Backdooring Your Py thon Programs](http://www.ikotler.org/InYourPythonPath.pdf)
## Anonymity/OPSEC
[How to Spot a Spook](https://cryptome.org/dirty-work/spot-spook.htm)
[Trawling Tor Hidden Service – Mapping the DHT](https://donncha.is/2013/05/trawling-tor-hidden-services/)
## Documentation/Technical writing
[Teach Technical Writing in Two Hours per Week](http://www.cs.tufts.edu/~nr/pubs/two-abstract.html)
[Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
[How to write a great research paper - Simon Peyton Jones](https://www.microsoft.com/en-us/research/academic-program/write-great-research-paper/)
[How to Write Papers So People Can Read Them - Derek Dreyer](https://www.youtube.com/watch?v=L_6xoMjFr70)
## Courses
https://www.google.com/about/careers/students/guide-to-technical-development.html
https://teachyourselfcs.com/
https://github.com/open-source-society/computer-science
[BFH Exploiting & Defense Course - Dobin Rutishauser](https://blog.compass-security.com/2017/05/bfh-exploiting-defense-course/)
[How To Give A Digital Security Training](https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40)
[](https://www.level-up.cc/)
* Resources for the global digital safety training community.
[Be a Better Trainer](https://www.level-up.cc/you-the-trainer/be-a-better-trainer/)
# Crypto
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/)
[Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
## Exploit Dev
[Windows 10 HAL’s Heap – Extinction of the "HalpInterruptController" Table Exploitation Technique Another kernel exploitation technique killed in Windows 10 Creators Update](https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/)
## Fuzzing
[syzkaller - linux syscall fuzzer](https://github.com/google/syzkaller)
* syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
## Interesting Things
[ Penetration Testing considered Harmful Today](http://blog.thinkst.com/p/penetration-testing-considered-harmful.html)
[Teaching Evil - Chris Niemira](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t200-teaching-evil-chris-niemira)
[Volatile Memory: Behavioral Game Theory in Defensive Security](https://www.slideshare.net/kshortridge/volatile-memory-behavioral-game-theory-in-defensive-security)
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities/large amounts of publicly vulnerable systems can exist without public recognition for long periods of time. (i.e. CVEs(10.0) exist, but no mapping in nessus/metasploit/etc)
https://www.youtube.com/watch?v=h92vmwg9Tyc
[Statement for the Record Worldwide Threat Assessment of the US Intelligence Community Senate Select Committee on Intelligence](https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf)
[Make It Count Progressing through Pentesting - Bálint Varga-Perke -Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
[The Art of Explanation: Behavioral Models of InfoSec - Kelly Shortridge](https://www.youtube.com/embed/UdZDlt2dlqM?)
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[When the Cops Come A-Knocking: Handling Technical Assistance Demands from Law Enforcement](https://www.youtube.com/watch?v=PX2RjJAfTYg)
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
## Privilege Escalation/Post Exploitatoin
[Dangerous Sudoers Entries – Series, 5 parts](https://blog.compass-security.com/2012/10/dangerous-sudoer-entries-part-1-command-execution/)
## Lockpicking
[ Jos Weyers – Lock Impressioning](https://www.youtube.com/watch?v=JcNc1BVaCE0)
## Wireless Stuff
[Frony Fronius - Exploring Zigbee signals from Solar City](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t102-frony-fronius-exploring-zigbee-signals-from-solar-city-jose-fernandez)
* Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use Power Inverters/Meters from 3rd parties in order to provide it's services while making the solution affordable for customers. This research will focus on understanding the communication between the Inverter, Internet Gateway and web portal used to view electrical consumption of subscriber.
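Review bot: several entries in this new file need cleanup before it is merged. Two titles contain typos: `[I'm In Your $PYTHONPATH, Backdooring Your Py thon Programs]` should read `Python`, and the heading `## Privilege Escalation/Post Exploitatoin` should read `Post Exploitation`. The level-up entry has empty link text, `[](https://www.level-up.cc/)`, so it renders as an invisible link; give it a title such as `[Level Up](https://www.level-up.cc/)`. `# Crypto` is the only top-level heading while every other section uses `##`, which breaks the outline; change it to `## Crypto`. The bare URLs under `## Courses` and in `## Interesting Things` (the google.com, teachyourselfcs.com, open-source-society and youtube.com lines) should get `[Title](url)` form to match the rest of the file, and the leading space inside `[ Penetration Testing considered Harmful Today]` and `[ Jos Weyers – Lock Impressioning]` should be dropped.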

+ 1
- 1
Draft/Wireless Networks & RF.md View File

@ -45,7 +45,7 @@ Scapy
[Decoding the LoRa IoT Protocol with an RTL-SDR](http://www.rtl-sdr.com/decoding-the-iot-lora-protocol-with-an-rtl-sdr/)
[Using Software Defined Radio for IoT Analysis](https://www.irongeek.com/i.php?page=videos/bsidesnova2017/102-using-software-defined-radio-for-iot-analysis-samantha-palazzolo)

