
Quick Push

Quick push, local changes to clear cull list.
pull/4/merge
Robert 7 years ago
parent
commit
af5e048f64
43 changed files with 724 additions and 642 deletions
  1. +0 -0 Draft/Draft/4.md
  2. +17 -0 Draft/Draft/Anonymity Opsec Privacy -.md
  3. +0 -0 Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.md
  4. +30 -0 Draft/Draft/Attacking Defending Android -.md
  5. +27 -0 Draft/Draft/BIOS UEFI Attacks Defenses.md
  6. +10 -0 Draft/Draft/Car Hacking.md
  7. +3 -5 Draft/Draft/Cheat sheets reference pages Checklists -.md
  8. +12 -0 Draft/Draft/Cryptography & Encryption.md
  9. +0 -0 Draft/Draft/Cryptography & Encryption/Linux Systems.md
  10. +0 -0 Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.md
  11. +0 -0 Draft/Draft/Cryptography & Encryption/cull.md
  12. +9 -3 Draft/Draft/Data AnalysisVisualization.md
  13. +4 -0 Draft/Draft/Disclosure -.md
  14. +1 -1 Draft/Draft/Embedded Device & Hardware Hacking -.md
  15. +99 -0 Draft/Draft/Exploit Development.md
  16. +0 -0 Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.md
  17. +36 -0 Draft/Draft/Forensics Incident Response.md
  18. +2 -1 Draft/Draft/Frameworks Methodologies.md
  19. +0 -0 Draft/Draft/Frameworks Methodologies/Metasploit Reference.md
  20. +0 -0 Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and Description.md
  21. +0 -0 Draft/Draft/Frameworks Methodologies/Post Exploitation with Metasploit.md
  22. +34 -0 Draft/Draft/Fuzzing Bug Hunting.md
  23. +35 -0 Draft/Draft/Interesting Things Useful stuff.md
  24. +0 -0 Draft/Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.md
  25. +21 -0 Draft/Draft/Malware.md
  26. +0 -0 Draft/Draft/Malware/Detect Virtualbox C prog.md
  27. +37 -0 Draft/Draft/Network Attacks & Defenses.md
  28. +10 -0 Draft/Draft/Network Security Monitoring & Logging.md
  29. +5 -0 Draft/Draft/Open Source Intelligence.md
  30. +5 -0 Draft/Draft/Open Source Intelligence/Active cull.md
  31. +54 -2 Draft/Draft/Privilege Escalation & Post-Exploitation.md
  32. +29 -0 Draft/Draft/Programming - Languages Libs Courses References.md
  33. +40 -0 Draft/Draft/Reverse Engineering.md
  34. +11 -0 Draft/Draft/Sandboxes.md
  35. +3 -0 Draft/Draft/Social Engineering.md
  36. +35 -0 Draft/Draft/Steal Everything Kill Everyone Profit.md
  37. +4 -3 Draft/Draft/Sysadmin Stuff.md
  38. +36 -1 Draft/Draft/System Internals Windows and Linux Internals Reference.md
  39. +26 -0 Draft/Draft/Threat Intelligence.md
  40. +30 -1 Draft/Draft/Threat Modeling.md
  41. +13 -625 Draft/Draft/To Do/add cull -3.txt
  42. +24 -0 Draft/Draft/Web & Browsers.md
  43. +22 -0 Draft/Draft/Wireless Networks & RF.md

Draft/Draft/To Do/4.txt → Draft/Draft/4.md


+17 -0 Draft/Draft/Anonymity Opsec Privacy -.md

@ -17,6 +17,23 @@ Cull
Add shadowsocks
| OS X Security and Privacy Guide | https://github.com/drduh/OS-X-Security-and-Privacy-Guide |
http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html
| **Phones and Privacy for Consumers** - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer) | http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyer
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
### <a name="Articles">Articles</a>
| Title | Link
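Review bot: no separator row is visible under the new `| Title | Link` header at the end of the hunk, so the `### Articles` table will not render as a table; add a `| --- | --- |` line beneath it. The `| **Phones and Privacy for Consumers** ...` row is also missing its closing `|`, unlike the OS X guide row above it. Note that `[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)` is added here and again to `Interesting Things Useful stuff.md` in the same commit; pick one home for it.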


Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.txt → Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.md


+30 -0 Draft/Draft/Attacking Defending Android -.md

@ -43,6 +43,36 @@ Cull
### Cull/Sort
[Stunneller](https://github.com/ultramancool/Stunneler)
* Android app for easy stunnel usage
https://github.com/AndroBugs/AndroBugs_Framework
* AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate.
fdroidcl
https://github.com/mvdan/fdroidcl#advantages-over-the-android-clientx
F-Droid desktop client.
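Review bot: the link text and the URL disagree on the spelling in `[Stunneller](https://github.com/ultramancool/Stunneler)`; one of them is a typo, so check the repository name before this lands. The fdroidcl entry below it is three bare lines (name, URL, description) while the entries above use `[name](url)` followed by a `*` description line; use the same form, and the fragment `#advantages-over-the-android-clientx` looks like it carries a stray trailing `x`.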


+27 -0 Draft/Draft/BIOS UEFI Attacks Defenses.md

@ -17,6 +17,33 @@ TOC
### Cull
http://x86asm.net/articles/uefi-programming-first-steps/
[Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer](https://media.ccc.de/browse/congress/2014/31c3_-_6129_-_en_-_saal_2_-_201412282030_-_attacks_on_uefi_security_inspired_by_darth_venamis_s_misery_and_speed_racer_-_rafal_wojtczuk_-_corey_kallenberg.html#video)
* On modern Intel based computers there exists two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.
[Attacking and Defending BIOS in 2015](http://www.intelsecurity.com/advanced-threat-research/content/AttackingAndDefendingBIOS-RECon2015.pdf)
Reverse Engineering UEFI Firmware
https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/
[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg(https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)
[Debug SPI BIOS after Power Up Sequence](https://software.intel.com/en-us/articles/debug-spi-bios-after-power-up-sequence)
[Debug Methodology Under UEFI](http://www.uefi.org/sites/default/files/resources/UEFI_Plugfest_2011Q4_P8_PHX.pdf)
[Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
[Bootkit Threats: In Depth Reverse Engineering & Defense- Eugene Rodionov&Aleksandr Matrosov](https://www.eset.com/fileadmin/Images/US/Docs/Business/presentations/conference_papers/REcon2012.pdf)
[Building reliable SMM backdoor for UEFI based platforms](http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html)
http://www.legbacore.com/Research.html
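Review bot: `[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg(https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)` is missing the `]` before `(`, so it renders as literal text instead of a link. It is also the second entry in this hunk for the Wojtczuk and Kallenberg UEFI talk (the media.ccc.de recording is a few lines up); keeping both is fine, but label one as slides and one as video. `Reverse Engineering UEFI Firmware` with its jbeekman.nl URL on the following line, the bare x86asm.net URL at the top and the bare legbacore.com URL at the bottom should use the same `[title](url)` form as the rest of the hunk.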


+10 -0 Draft/Draft/Car Hacking.md

@ -0,0 +1,10 @@
#Car Hacking
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58)
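Review bot: the new file has a title and a single link but none of the `TOC` / `###Cull` scaffolding the other draft pages touched by this commit carry (for example `BIOS UEFI Attacks Defenses.md`); add it now so later cull entries for car hacking have a place to go.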

+3 -5 Draft/Draft/Cheat sheets reference pages Checklists -.md

@ -92,11 +92,9 @@ http://www.amanhardikar.com/mindmaps/Practice.html
###<a name="Linux">Linux Cheat Sheets</a>
[32bit Linux Syscall Table](http://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html)
* Complete listing of all x86 Linux Syscalls
[Linux Syscall Table](http://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html)
* Complete listing of all Linux Syscalls
[64bit Linux Syscall Table](http://blog.rchapman.org/post/36801038863/linux-system-call-table-for-x86-64)
* Complete listing of all x86-64 Linux Syscalls including calling conventions
@ -112,7 +110,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
[Linux - Breaking out of shells](https://highon.coffee/docs/linux-commands/#breaking-out-of-limited-shells)
[AIX For Pentesters](http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890)
* Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.�
* Good paper on exploiting/pentesting AIX based machines. From the paper itself The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.
[RootVG - Website Dedicated to AIX](http://www.rootvg.net/content/view/102/98/)
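Review bot: the replacement line drops the closing quotation mark together with the garbled one, so `* Good paper on exploiting/pentesting AIX based machines. From the paper itself The paper proposes some basic methods ...` now runs the two sentences together. Keep an opening quote after `itself` and close it after `vulnerabilities.` so the quoted abstract is still marked as the paper's words.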


+12 -0 Draft/Draft/Cryptography & Encryption.md

@ -18,6 +18,18 @@
###Cull
http://noiseprotocol.org/noise.html
https://conversations.im/xeps/multi-end.html
https://coniks.cs.princeton.edu/
http://webee.technion.ac.il/~hugo/sigma.html
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
http://www.tau.ac.il/~tromer/acoustic/
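Review bot: five of the six added entries are bare URLs with no title or description, unlike `[cr.yp.to blog](http://blog.cr.yp.to/index.html)` in the same hunk and the rest of the repo; give each the `[title](url)` form so the cull list is readable without opening every link (the paths already name the topics: noise, multi-end, coniks, sigma, acoustic).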


Draft/Draft/Cryptography & Encryption/Linux Systems.txt → Draft/Draft/Cryptography & Encryption/Linux Systems.md


Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt → Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.md


Draft/Draft/Cryptography & Encryption/cull.txt → Draft/Draft/Cryptography & Encryption/cull.md


+9 -3 Draft/Draft/Data AnalysisVisualization.md

@ -2,12 +2,18 @@
ToC
###ToC
Tools
##Tools
Cull
###Cull
[Generalizing Data Flow Information](http://uninformed.org/?v=all&a=34&t=sumry)
* Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset.
Apache Nifi - supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://nifi.apache.org/
http://linkurio.us/toolkit/
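Review bot: the heading levels introduced in this hunk are inconsistent: `ToC` and `Cull` become `###` while `Tools` between them becomes `##`, so in the rendered outline Cull is nested under Tools; either use one level for all three or move `##Tools` below the cull list if that nesting is not intended. The Apache Nifi and linkurio.us entries at the end are bare lines and should use the `[name](url)` plus `*` description form of the uninformed.org entry above them.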


+4 -0 Draft/Draft/Disclosure -.md

@ -1,6 +1,10 @@
##Disclosure
Responsible Disclosure is Wrong
https://adamcaudill.com/2015/11/19/responsible-disclosure-is-wrong/
[Portcullis Computer Security Co-ordinated Disclosure Toolkit](https://github.com/portcullislabs/co-ordinated-disclosure-toolkit)
[How to Disclose or Sell an Exploit - DEF CON 21 - James Denaro](https://www.youtube.com/watch?v=N1Xj3f4felg)
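Review bot: `Responsible Disclosure is Wrong` and its adamcaudill.com URL are split across two bare lines while the two entries below use `[title](url)`; fold them into one link in the same form.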


+1 -1 Draft/Draft/Embedded Device & Hardware Hacking -.md

@ -33,7 +33,7 @@ Cull
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
###Cull
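Review bot: the `###Cull` heading lands below the NSA Playset description and the `| **NSA USB Playset - ShmooCon201** | ...` row, so those lines stay in the preceding section rather than in the cull list; move the heading above them if they are meant to be culled. `ShmooCon201` also looks truncated (a year digit is missing), and the same row is added to `Interesting Things Useful stuff.md` in this commit.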


+99 -0 Draft/Draft/Exploit Development.md

@ -43,18 +43,117 @@ TOC
####Sort:
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
(SEH Bypass)Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server.
https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf
https://github.com/Vector35/binaryninja-python/blob/master/readme.md
https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf
Reliable Windows Heap Exploits
http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf
[binjitsu](https://github.com/binjitsu/binjitsu/)
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy | https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
| ** Dangerous Clipboard: Analysis of the MS15-072 Patch ** | http://blog.talosintel.com/2015/10/dangerous-clipboard.html?m=1
| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
| **Kaspersky Hooking Engine Analysis** | https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
PwnAdventureZ
https://github.com/Vector35/PwnAdventureZ
NES zombie survival game made to be hacked
Win32 Assembly Components - Last Stage of Delirium Research Group
http://www.bandwidthco.com/whitepapers/programming/asm/Win32%20Assembly%20Components.pdf
fREedom - capstone based disassembler for extracting to binnavi
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
Counterfeit Object-oriented Programming
http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf
Understanding JIT Spray
http://blog.cdleary.com/2011/08/understanding-jit-spray/
A Crash Course on the Depths of Win32™ Structured Exception Handling
https://www.microsoft.com/msj/0197/exception/exception.aspx
Meterpreter Payload Stage 1 with Obsfuscation and Evasion
https://github.com/lockfale/meterpreterjank
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
Art of Picking Intel Registers
http://www.swansontec.com/sregisters.html
Windows Kernel Exploitation 101 : Exploiting CVE - 2014 - 4113
https://www.exploit-db.com/docs/39665.pdf
Return into Lib(C) Theory Primer(Security-Tube)
http://www.securitytube.net/video/257
Intro to Windows kernel exploitation 1/N: Kernel Debugging
https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/
Pwning Adobe Reader with XFA
http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf
ShellSploit
https://github.com/b3mb4m/shellsploit-framework
EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE
https://www.exploit-db.com/docs/39658.pdf
https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/
A New CVE-2015-0057 Exploit Technology
https://www.exploit-db.com/docs/39660.pdf
BinTut https://github.com/NoviceLive/bintut
Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
https://www.usenix.org/system/files/login/articles/105516-Schwartz.pdf
An Introduction to Debugging the Windows Kernel with WinDbg
http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/
Structured Exception Handling - TechNet
https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx
Jump-Oriented Programming: A New Class of Code-Reuse
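Review bot: the hunk ends with `Jump-Oriented Programming: A New Class of Code-Reuse`, a title cut off mid-phrase with no URL under it; finish the entry or leave it out until the link is at hand. In the same hunk, `WindDbg` in `Getting Started with WindDbg Series - OpenSecurity Research` should be `WinDbg`, and that two-line entry, the contextis `An Introduction to Debugging the Windows Kernel with WinDbg` pair and the COOP paper are all added verbatim to other files in this commit (`Programming - Languages Libs Courses References.md`, `Interesting Things Useful stuff.md`); keep one copy each. `| ** Dangerous Clipboard: Analysis of the MS15-072 Patch ** |` has spaces inside the `**` markers so it will not render bold, and `Obsfuscation` in the meterpreterjank entry should be `Obfuscation`.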


Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt → Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.md


+36 -0 Draft/Draft/Forensics Incident Response.md

@ -23,6 +23,42 @@ Better security - Mean time to detect/Mean time to respond
###CULL
https://github.com/SekoiaLab/Fastir_Collector
http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf
[OS X Forensics Generals](https://davidkoepi.wordpress.com/category/os-x-forensics-10-8/)
[OSX Lion User Interface Preservation Analysis](https://digital-forensics.sans.org/blog/2011/10/03/osx-lion-user-interface-preservation-analysis#)
[Chromebook Forensics](www.dataforensics.org/google-chromebook-forensics/)
[Google Chrome Forensics-SANS](https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics#)
| ** Destroying Evidence Before Its Evidence** | https://www.youtube.com/watch?v=lqBVAcxpwio&spfreload=1
| ** Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014** | https://www.youtube.com/watch?v=zYYCv21I-1I
| **And That's How I Lost My Other Eye...Explorations in Data Destruction** | https://www.youtube.com/watch?v=-bpX8YvNg6Y
https://archive.org/details/No_Easy_Breach#
No Easy Breach: Challenges and Lessons Learned from an Epic Investigation
SANS CHEAT SHEET- Windows Artifact Analysis
https://uk.sans.org/posters/windows_artifact_analysis.pdf
https://forensiccontrol.com/resources/free-software/
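Review bot: `[Chromebook Forensics](www.dataforensics.org/google-chromebook-forensics/)` has no scheme, so markdown renders it as a relative link inside the repo; prefix it with `http://` or `https://`. The rows `| ** Destroying Evidence Before Its Evidence** |` and `| ** Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014** |` have a space after the opening `**`, which breaks the bold markup the `And That's How I Lost My Other Eye` row below them gets right. The archive.org `No Easy Breach` entry puts the URL before the title, the reverse of every other entry here; use the `[title](url)` form.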


+2 -1 Draft/Draft/Frameworks Methodologies.md

@ -22,7 +22,8 @@ This website should eventually be your go-to reference for Metasploit: https://m
[Empire - Powershell Post-Exploitation Agent](http://www.powershellempire.com/)
* Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.


Draft/Draft/Frameworks Methodologies/Metasploit Reference.txt → Draft/Draft/Frameworks Methodologies/Metasploit Reference.md


Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt → Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and Description.md


Draft/Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt → Draft/Draft/Frameworks Methodologies/Post Exploitation with Metasploit.md


+34 -0 Draft/Draft/Fuzzing Bug Hunting.md

@ -15,8 +15,42 @@ TOC
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
###Cull
[Advice From A Researcher: Hunting XXE For Fun and Profit](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)
File Format Fuzzing in Android
https://deepsec.net/docs/Slides/2015/File_Format_Fuzzing_in_Android_-Alexandru_Blanda.pdf
| **honggfuzz** - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage | https://github.com/google/honggfuzz
| **USB Fuzzing Basics: From fuzzing to bug reporting** | http://blog.quarkslab.com/usb-fuzzing-basics-from-fuzzing-to-bug-reporting.html
Fuzzing Object s d’ART Digging Into the New Android L Runtime Internals
http://census-labs.com/media/Fuzzing_Objects_d_ART_hitbsecconf2015ams_WP.pdf
MFFA - Media Fuzzing Framework for Android
https://github.com/fuzzing/MFFA
How to fuzz a server with American Fuzzy Lop
https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop
http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf
libFuzzer – library for in-process evolutionary fuzzing of other libraries.
http://llvm.org/docs/LibFuzzer.html
[Unusual bugs - 23C3](https://www.youtube.com/watch?v=qj79Qdmw0Pk) * In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
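Review bot: in `[Unusual bugs - 23C3](https://www.youtube.com/watch?v=qj79Qdmw0Pk) * In this presentation I'll present ...` the `*` description is jammed onto the link line, so it renders as one long paragraph instead of the link-plus-bullet form the XXE entry at the top of the hunk uses; break it onto its own line. `Fuzzing Object s d’ART` has a stray space (`Objects d’ART`), and the honggfuzz and USB fuzzing table rows are missing their closing `|`.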


+35 -0 Draft/Draft/Interesting Things Useful stuff.md

@ -35,8 +35,43 @@ http://www.securitywizardry.com/radar.htm
###CULL
[[TROOPERS15] Andreas Lindh - Defender Economics](https://www.youtube.com/watch?v=mAP38Xy52X0)
How do emulators work and how are they written? [closed]
https://stackoverflow.com/questions/448673/how-do-emulators-work-and-how-are-they-written
http://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html?m=1
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers]
[Demon](https://github.com/x0r1/Demon)
* GPU keylogger PoC by Team Jellyfish
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
**Unicorn-Engine** - Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework. | http://www.unicorn-engine.org/
| ** NSA's Legal Authorities ** | http://electrospaces.blogspot.com/2015/09/nsas-legal-authorities.html
https://github.com/vrtadmin/moflow
Compiler Security Checks In Depth - MSDN Library
https://msdn.microsoft.com/library/aa290051.aspx
Counterfeit Object-oriented Programming
http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.r3x0vnfir
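Review bot: `[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers]` closes the URL with `]` instead of `)`, so the link does not render; the identical broken line is also added to `Programming - Languages Libs Courses References.md` in this commit, so fix both. In the same hunk the Unicorn-Engine row is missing its leading `|`, `| ** NSA's Legal Authorities ** |` has spaces inside the `**` markers, and the HORNET paper, the NSA USB Playset row and the COOP paper duplicate entries added to `Anonymity Opsec Privacy -.md`, `Embedded Device & Hardware Hacking -.md` and `Exploit Development.md` in the same commit.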


Draft/Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.txt → Draft/Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.md


+21 -0 Draft/Draft/Malware.md

@ -20,6 +20,27 @@ TOC
###Cull
A Guide to Malware Binary Reconstruction
https://github.com/0xAX/linux-insides/blob/master/Misc/contribute.md
http://www.malwarearchaeology.com/mmf/
[Wepawet](https://wepawet.iseclab.org/)
* Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files
Maltrail
https://github.com/stamparm/maltrail#architecture
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
Unicorn VS. Malware
https://r3v3rs3r.wordpress.com/2015/12/12/unicorn-vs-malware/
[Software Distribution Malware Infection Vector](http://dl.packetstormsecurity.net/papers/general/Software.Distribution.Malware.Infection.Vector.pdf)
* In this paper we present an efficient mechanism as well as the corresponding reference implementation for on- the-fly infecting of executable code with malicious soft- ware. Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself. This allows to even infect executa- bles with a embedded signature when the signature is not automatically verified before execution. We briefly dis- cuss also countermeasures such as secure channels, code authentication as well as trusted virtualization that en- ables the isolation of untrusted downloads from other ap- plication running in trusted domains or compartments.
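Review bot: the title `A Guide to Malware Binary Reconstruction` is paired with `https://github.com/0xAX/linux-insides/blob/master/Misc/contribute.md`, which by its path is the contribution guide of the linux-insides book, not a malware reconstruction guide; the URL looks mis-pasted and should be checked before this lands. The `Software Distribution Malware Infection Vector` abstract also carries PDF line-break hyphens (`soft- ware`, `executa- bles`, `dis- cuss`, `en- ables`, `ap- plication`) that should be joined.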


Draft/Draft/Malware/Detect Virtualbox C prog.txt → Draft/Draft/Malware/Detect Virtualbox C prog.md


+37 -0 Draft/Draft/Network Attacks & Defenses.md

@ -35,6 +35,43 @@ http://www.exploit-db.com/papers/35425/
###Cull
[discover - Kali Scripts](https://github.com/leebaird/discover)
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
[Consul](https://github.com/hashicorp/consul)
* Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
[pynessus](https://github.com/rmusser01/pynessus)
* Python Parser for Nessus Output
* [Examples](http://www.hackwhackandsmack.com/?p=422)
[Evading IDS/IPS by Exploiting IPv6 Features - Antonios Atlasis, Rafael Schaefer](https://www.youtube.com/watch?v=avMeYIaU8DA&list=PL1eoQr97VfJni4_O1c3kBCCWwxu-6-lqy)
Dragon: A Windows, non-binding, passive download / exec backdoor
http://www.shellntel.com/blog/2015/6/11/dragon-a-windows-non-binding-passive-downloadexec-backdoor
SPartan
https://github.com/sensepost/SPartan
SPartan is a Frontpage and Sharepoint fingerprinting and attack tool
MS Network Level Authentication
https://technet.microsoft.com/en-us/magazine/hh750380.aspx
[DNS Dumpster](DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.)
[More on HNAP - What is it, How to Use it,How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
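Review bot: `[DNS Dumpster](DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. ...)` has the description in the URL slot, so the link is broken and the actual address is missing; put the site address in the parentheses and move the description to a `*` line as the discover and pynessus entries do. The Dragon, SPartan and `MS Network Level Authentication` entries are bare title/URL pairs and should use the same `[title](url)` form. Consul is a service-discovery and configuration tool rather than an attack or defence tool; confirm it belongs in this file and not in the sysadmin notes.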


+10 -0 Draft/Draft/Network Security Monitoring & Logging.md

@ -18,6 +18,16 @@ Cull
###Cull - Create incident Response section
[Elasticsearch: The Definitive Guide The Definitive Guide](https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html)
| **WMI-IDS** - WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time. | https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS
[Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
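Review bot: the heading `###Cull - Create incident Response section` carries a to-do inside the heading text; keep the heading as `###Cull` and put the reminder in the To Do file this commit already touches. The Elasticsearch title repeats itself: `The Definitive Guide The Definitive Guide`.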


+5 -0 Draft/Draft/Open Source Intelligence.md

@ -6,6 +6,11 @@
###Cull
[Developing a Open Source Threat Intelligence Program—Edward McCabe](http://www.irongeek.com/i.php?page=videos/circlecitycon2014/105-developing-a-open-source-threat-intelligence-program-edward-mccabe)
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geeks struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
| **Sqoop** - OSINT search engine of public documents(handy) | http://sqoop.com/
| **Pwning People Personally** - Josh Schwartz | https://www.youtube.com/watch?v=T2Ha-ZLZTz0
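Review bot: the two new table rows (`| **Sqoop** ...` and `| **Pwning People Personally** ...`) are missing their closing `|` and sit directly under a `[title](url)` entry with a `*` description; pick one form for the cull list so the section renders consistently.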


Draft/Draft/Open Source Intelligence/Active cull.txt → Draft/Draft/Open Source Intelligence/Active cull.md


+54 -2 Draft/Draft/Privilege Escalation & Post-Exploitation.md

@ -14,14 +14,50 @@
* [Persistence Techniques](#persistence)
* [Pivoting](#pivot)
* [Pass-the-Hash](#pth)
* [Avoiding AV](#AV)
###CULL
[Detecting DLL Hijacking on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)
Antimalware Scan Interface Reference
- prevents certain kinds of powershell attacks
https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588
http://sdb.tools/talks.html
Shimming for Post Exploitation(blog)
http://www.sdb.tools/
https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/
Windows - Application Shims
https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx
Defending against mimikatz
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Unofficial Guide to Mimikatz
https://adsecurity.org/?page_id=1821
PowerMemory - https://github.com/giMini/PowerMemory
Exploit the credentials present in files and memory
[Learn how to hide your trojans, backdoors, etc from anti virus.](https://www.hellboundhackers.org/articles/read-article.php?article_id=842)
[No one expect command execution!](http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html)
[twittor - twitter based backdoor](https://github.com/PaulSec/twittor)
* A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.
[Pupy](https://github.com/n1nj4sec/pupy)
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
| **Black hat talk on Windows Privilege Escalation** | http://www.slideshare.net/riyazwalikar/windows-privilege-escalation
| **PowerUp - Windows Privilege Escalation through Powershell** | https://n0where.net/windows-local-privilege-escalation-powerup/
[Abusing Kerberos](https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don%27t-Get-It-wp.pdf)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
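Review bot: the new TOC entry `* [Avoiding AV](#AV)` points at `#AV`, but the section heading added in the second hunk of this file is `##<a name="av">`; anchors are case-sensitive in most renderers, so the link will not resolve. Use the same case in both places. Also in this hunk: the two sdb.tools lines (`http://sdb.tools/talks.html` and `Shimming for Post Exploitation(blog)` / `http://www.sdb.tools/`) could be one entry, the AMSI note uses a `-` bullet where the file otherwise uses `*`, and the mimikatz and PowerMemory entries are bare title/URL pairs rather than `[title](url)`.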
@ -288,4 +324,20 @@ Linux cron tab
[smbexec](https://github.com/pentestgeek/smbexec)
* A rapid psexec style attack with samba tools
* [Blogpost that inspired it](http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html)
[Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00)
[Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00)
##<a name="av">Avoiding/Bypassing Anti-Virus</a>
http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
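Review bot: the "Still Passing the Hash 15 Years Later" line is added twice in a row in this hunk; one copy should be dropped. The new heading `##<a name="av">Avoiding/Bypassing Anti-Virus</a>` has no space after `##`, and the pecloak.py link below it is a bare URL without a title, unlike the `[title](url)` entries above it.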

+ 29
- 0
Draft/Draft/Programming - Languages Libs Courses References.md View File

@ -22,10 +22,39 @@ Cull
[java-aes-crypto (Android class)](https://github.com/tozny/java-aes-crypto)
* A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
[smalisca](https://github.com/dorneanu/smalisca)
* Static Code Analysis for Smali files
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Record_and_Replay_Debugging_Firefox
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
| **Graudit** - Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible. | http://www.justanotherhacker.com/projects/graudit.html
An Introduction to Debugging the Windows Kernel with WinDbg
http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/
| **Python in a hacker's toolbox (PyConPl'15)** | http://gynvael.coldwind.pl/?lang=en&id=572
https://github.com/bnagy/cgasm
cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem".
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers]
Impacket https://github.com/CoreSecurity/impacket
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.
https://github.com/mozilla/rr
[PHPMD - PHP Mess Detector](http://phpmd.org/about.html) * What PHPMD does is: It takes a given PHP source code base and look for several potential problems within that source. These problems can be things like: Possible bugs; Suboptimal code; Overcomplicated expressions; Unused parameters, methods, properties.
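Review bot: the "Hide data inside pointers" link in this hunk is broken markdown: it closes the URL with `]` instead of `)`, so it will not render as a link. The PHPMD entry puts its `* What PHPMD does is:` description on the same line as the link instead of on the following line as the other entries do. The hunk also mixes three entry styles (`[title](url)` plus bullet, `| **title** | url` table fragments for Graudit and "Python in a hacker's toolbox", and bare URLs for the reflective DLL injection paper and the Mozilla record-and-replay page); the rr entry additionally places its description before its URL. Normalising to the link-plus-bullet form used elsewhere in the file would help.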


+ 40
- 0
Draft/Draft/Reverse Engineering.md View File

@ -40,14 +40,54 @@ Cull
###Cull
[virusbattle-ida-plugin](https://github.com/moghimi/virusbattle-ida-plugin)
* The plugin is an integration of Virus Battle API to the well known IDA Disassembler. Virusbattle is a web service that analyses malware and other binaries with a variety of advanced static and dynamic analyses. For more information check out the
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
http://fileformats.archiveteam.org/wiki/PNG
[Bug Hunting for the Man on the Street]()
* Finding and discovering bugs has to be one of the most special times in a security researchers life (until you realise that crash you've been searching for and finally found is not actually exploitable). But the process of searching, discovery, understanding and of course some very much needed trial and error, many would say are rewarding and fulfilling themselves (I would of course, prefer to have my exploit cherry on the top)! So this talk will detail some of the aspects required to hunt down and find these coveted security vulnerabilities and bugs and some approaches that have proven to be invaluable (and some not so much). Of course bug hunting principle need to produce bugs so as the cherry there will be a virtual box exploit and Barracuda networks 0 day exploit discussed and demon
[A list of IDA Plugins](https://github.com/onethawt/idaplugins-list)
[Dynamic IDA Enrichment (aka. DIE)](https://github.com/ynvb/DIE
* DIE is an IDA python plugin designed to enrich IDA`s static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](https://blog.lacklustre.net/posts/Blackbox_Reversing_an_Electric_Skateboard_Wireless_Protocol/)
[A Brief Examination of Hacking Team’s Crypter: core-packer.](http://ethanheilman.tumblr.com/post/128708937890/a-brief-examination-of-hacking-teams-crypter)
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](https://blog.lacklustre.net/posts/Blackbox_Reversing_an_Electric_Skateboard_Wireless_Protocol/)
fREedom - capstone based disassembler for extracting to binnavi
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
[Reverse Engineering Windows AFD.sys](https://recon.cx/2015/slides/recon2015-20-steven-vittitoe-Reverse-Engineering-Windows-AFD-sys.pdf)
[Kam1n0-Plugin-IDA-Pro](https://github.com/McGill-DMaS/Kam1n0-Plugin-IDA-Pro)
* Kam1n0 is a scalable system that supports assembly code clone search. It allows a user to first index a (large) collection of binaries, and then search for the code clones of a given target function or binary file. Kam1n0 tries to solve the efficient subgraph search problem (i.e. graph isomorphism problem) for assembly functions. Given a target function (the middle one in the figure below) it can identity the cloned subgraphs among other functions in the repository (the ones on the left and the right as shown below). Kam1n0 supports rich comment format and has an IDA Pro plug-in to use its indexing and searching capabilities via IDA Pro.
[Reversing Prince Harming’s Kiss of Death]( https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/)
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
**Unicorn-Engine** - Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework. | http://www.unicorn-engine.org/
[TiGa's Video Tutorial Series on IDA Pro](http://woodmann.com/TiGa/idaseries.html)
[IDA PLUG-IN WRITING IN C/C++](http://www.binarypool.com/idapluginwriting/idapw.pdf)
toolbag
https://github.com/aaronportnoy/toolbag
The IDA Toolbag is a plugin providing supplemental functionality to Hex-Rays IDA Pro disassembler.
[HexRaysCodeXplorer])(https://github.com/REhints/HexRaysCodeXplorer)
* Hex-Rays Decompiler plugin for better code navigation in RE process of C++ applications or code reconstruction of modern malware as Stuxnet, Flame, Equation
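Review bot: several entries in this hunk are incomplete or malformed. "Bug Hunting for the Man on the Street" has an empty URL (`[...]()`), and its description is cut off mid-word at "demon"; the virusbattle description is likewise cut off at "check out the". The DIE link is missing its closing `)`, and the HexRaysCodeXplorer link has a stray `]` before `(`, so neither renders. "Blackbox Reversing an Electric Skateboard Wireless Protocol" is added twice. The Universal Extractor and Unicorn-Engine entries use the table-fragment format rather than the `[title](url)` form used by the rest of the section.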


+ 11
- 0
Draft/Draft/Sandboxes.md View File

@ -2,6 +2,11 @@
sandbox-attacksurface-analysis-tools
https://github.com/google/sandbox-attacksurface-analysis-tools
http://googleprojectzero.blogspot.com.mt/2015/11/windows-sandbox-attack-surface-analysis.html
[Adobe Sandbox: When the Broker is Broken - Peter Vreugdenhill](https://cansecwest.com/slides/2013/Adobe%20Sandbox.pdf)
@ -10,6 +15,12 @@
Sandboxed Execution Environment
http://pythonhosted.org/python-see
Documentation: http://pythonhosted.org/python-see
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.
| ** sandbox-attacksurface-analysis-tools** | https://github.com/google/sandbox-attacksurface-analysis-tools | This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
[Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
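Review bot: the `| ** sandbox-attacksurface-analysis-tools** |` row in this hunk duplicates the sandbox-attacksurface-analysis-tools entry added a few lines earlier in this same file (the three-line entry with the GitHub and Project Zero URLs); keep one and merge the description into it. The Sandboxed Execution Environment entry also repeats the same URL twice (once bare, once as "Documentation:").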


+ 3
- 0
Draft/Draft/Social Engineering.md View File

@ -17,6 +17,9 @@ CULL
###Cull
Pwning People Personally
http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-personally-josh-schwartz
| **I Will Kill You** - Chris Rock(Defcon23)| https://www.youtube.com/watch?v=9FdHq3WfJgs


+ 35
- 0
Draft/Draft/Steal Everything Kill Everyone Profit.md View File

@ -4,6 +4,16 @@ j/k please don
[Davoset](https://github.com/MustLive/DAVOSET)
* DAVOSET - it is console (command line) tool for conducting DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities at other sites.
[Too Many Cooks; Exploiting the Internet of Tr-069](http://mis.fortunecook.ie/)
[Ever wanted to scan the internet in a few hours?](http://blog.erratasec.com/2013/10/faq-from-where-can-i-scan-internet.html)
@ -63,3 +73,28 @@ https://github.com/n1nj4sec/pupy
If I were a malicious *INSERT HERE* user
Drones:
Mount a rasppi running kali linux with automated wifi attacks on a medium-duty drone. Fly it to the 40th floor of your favorite bank's hq. Hover for 3-5 minutes while the automated attack does its thing. Depart & hide.
Conduct a drone "suicide mission" by mounting an EMP device as the payload. Land on top of a "mobile command" van and fire away. Pulse should destroy the drone's electronics, along with anything in the van, thus blinding C&C.
Conduct another suicide mission by flying a payload into a cell tower. Fuck it.., fly a heavy-duty payload with a rasppi, hackrf, and some solid coding, and plant it in front of a cell tower. Commence radio hijinks.
Use smaller drones with red/green construction paper mounted on toothpicks. Fly & hover in front of stoplights to confuse traffic.
Fly lighted minidrones over traffic at night. Hubsan X4 over a freeway anyone?
Use a drone as a distraction. Fly it over a prison while the real action happens under the south wall.
If not a distraction, then as a probe. Send a sacrifice from afar into a secure perimeter to observe the reaction.
Create electrical shorts by flying with an attached wire hangar (or other light metal thread) into power lines.
Use a sunroof-deployed minidrone to follow someone in traffic from 2-3 blocks back.
Harass Diane Fenstein.
Use a heavy-duty, autonomous drone to deposit small amounts of radioactive material on rooftops of tall buildings in a major city.
Fly it slowly just above your head while walking down a busy city street. Staring up at a device will be unusual and awkward. Or maybe you get laid,
Attach a fucking handgun and perform remote strong-arm robberies
Flying drones over competitors (e.g. Data Centers)
Flying drones into crowds with grenades, anthrax, etc - no human martyr required
Flying drones over prisons to drop drugs, shivs, phones and checking guard rotation timings, vehicle placements and info
Drones used for personal tracking, checking home windows for premptive robberies (see if anyone's on holiday)
Drones stealing small items (e.g. with claw attached, jewelry)
Assassinations of course, small guns or needles
Drones used by media to spy on celebrities in locations the paparazzi cannot get to (beaches, private pools, private parties)

+ 4
- 3
Draft/Draft/Sysadmin Stuff.md View File

@ -7,11 +7,12 @@ Salt
https://www.dsinternals.com/en/
[Monit](https://mmonit.com/monit/)
* Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
| **A Sysadmin's Unixersal Translator (ROSETTA STONE)** | http://bhami.com/rosetta.html
[Mitigating Pass-the-Hash Attacks and other credential Theft-version2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf)


+ 36
- 1
Draft/Draft/System Internals Windows and Linux Internals Reference.md View File

@ -1,4 +1,4 @@
##System Internals of Windows; OS X; Linux
##System Internals of Windows; OS X; Linux; ARM
TOC
@ -14,6 +14,41 @@ CULL
CULL
https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf
https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
Windows - Application Shims
https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx
[ARM Documentation](http://infocenter.arm.com/help/index.jsp?noscript=1)
A Crash Course on the Depths of Win32™ Structured Exception Handling
https://www.microsoft.com/msj/0197/exception/exception.aspx
Compiler Security Checks In Depth - MSDN Library
https://msdn.microsoft.com/library/aa290051.aspx
LSA Authentication
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326%28v=vs.85%29.aspx
LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages.
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
https://msdn.microsoft.com/en-us/library/ms809762.aspx?utm_content=buffer4588c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
PEB Structure 32/64 pdf
http://blog.rewolf.pl/blog/wp-content/uploads/2013/03/PEB_Evolution.pdf
TechNet Library: About Processes and Threads
https://msdn.microsoft.com/en-us/library/windows/desktop/ms681917%28v=vs.85%29.aspx


+ 26
- 0
Draft/Draft/Threat Intelligence.md View File

@ -0,0 +1,26 @@
#Threat Intelligence(or lack therof…)
[No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap - ShmooCon15](https://www.youtube.com/watch?v=DKfWukYffsE&app=desktop)
* "In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to dehttp://faydoc.tripod.com/cpu/index_a.htmvelop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I'll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.
[Malware Information Sharing Platform](https://github.com/MISP/MISP)
* MISP - Malware Information Sharing Platform & Threat Sharing
[Collective Intelligence Framework](http://csirtgadgets.org/collective-intelligence-framework/)
* "Our Flagship Project, is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity."
[Collaborative Research Into Threats](https://crits.github.io/)
* CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and collaborating on threat data. In making CRITs free and open source, we can provide organizations around the world with the capability to quickly adapt to an ever-changing threat landscape. CRITs can be installed locally for a private isolated instance or shared among other trusted organizations as a collaborative defense mechanism.
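Review bot: the "No Budget Threat Intelligence" description in this new file has a URL (http://faydoc.tripod.com/cpu/index_a.htm) pasted into the middle of the word "develop" ("to dehttp://...velop"); that URL is an x86 instruction reference from the cull list and does not belong here. The same bullet opens with a double quote that is never closed. The file heading `#Threat Intelligence(or lack therof…)` has a typo ("therof" should be "thereof") and no space before the parenthesis, and the MISP bullet only restates the link title.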

+ 30
- 1
Draft/Draft/Threat Modeling.md View File

@ -11,4 +11,33 @@
[seasponge - Mozilla Project](https://github.com/mozilla/seasponge)
* Accessible and client-side threat modeling tool
* [GIFs demonstrating usage](https://github.com/mozilla/seasponge/wiki/usage)
* [GIFs demonstrating usage](https://github.com/mozilla/seasponge/wiki/usage)[On Comparing Threat Intelligence Feeds](http://blogs.gartner.com/anton-chuvakin/2014/01/07/on-comparing-threat-intelligence-feeds/)
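Review bot: the last line of this hunk repeats the preceding "GIFs demonstrating usage" bullet and appends the Gartner "On Comparing Threat Intelligence Feeds" link to it with no line break, so the two links render on one bullet. The Gartner link is about threat intelligence feeds rather than threat modeling and is the same link that appears at the end of the cull list in this commit, so it probably belongs in Threat Intelligence.md, and the duplicated GIFs bullet should be removed.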

+ 13
- 625
Draft/Draft/To Do/add cull -3.txt View File

@ -1,28 +1,16 @@
Shellsploit let's you generate customized shellcodes, backdoors, injectors for various operating system. And let's you obfuscation every byte via encoders
Maltrail
https://github.com/stamparm/maltrail#architecture
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
http://jakob.engbloms.se/archives/1554
https://conversations.im/omemo/
Antimalware Scan Interface Reference
- prevents certain kinds of powershell attacks
https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588
Meterpreter Payload Stage 1 with Obsfuscation and Evasion
https://github.com/lockfale/meterpreterjank
http://nsarchive.gwu.edu/cybervault/
Urge Everyone to watch:
Hamming - You and your research
https://www.youtube.com/watch?v=a1zDuOPkMSw
@ -30,24 +18,16 @@ https://www.youtube.com/watch?v=a1zDuOPkMSw
https://www.sysmocom.de/news/sysmocom-publicly-releases-osmocom-user-manuals/
https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
https://github.com/Vector35/binaryninja-python/blob/master/readme.md
https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
http://www.wxhexeditor.org/home.php
http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html
https://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks
http://wiki.osdev.org/Stack_Smashing_Protector
Computer SCience from the Bottom Up | http://www.bottomupcs.com/
http://mig.mozilla.org/
@ -55,41 +35,20 @@ https://github.com/google/sanitizers
Defending against mimikatz
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Unofficial Guide to Mimikatz
https://adsecurity.org/?page_id=1821
SANS CHEAT SHEET- Windows Artifact Analysis
https://uk.sans.org/posters/windows_artifact_analysis.pdf
https://www.dsinternals.com/en/
Computer SCience from the Bottom Up | http://www.bottomupcs.com/
https://github.com/elceef/dnstwist
https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf
https://github.com/drduh/OS-X-Security-and-Privacy-Guide
https://warroom.securestate.com/bmp-x86-polyglot/
Pwning People Personally
http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-personally-josh-schwartz
https://warroom.securestate.com/bmp-x86-polyglot/
https://github.com/httphacker/gethead/blob/gh-pages/gethead.py
USBPcap
https://github.com/bnagy/cgasm
cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem".
Fuzzing Object s d’ART Digging Into the New Android L Runtime Internals
http://census-labs.com/media/Fuzzing_Objects_d_ART_hitbsecconf2015ams_WP.pdf
http://www.scribd.com/doc/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voiding-Your-XBox-Warranty-paper
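Review bot: the "https://warroom.securestate.com/bmp-x86-polyglot/" URL appears twice in this hunk, and "Computer SCience from the Bottom Up" also appears in the previous hunk of this file. Several of the entries shown here were copied into their destination files in this same commit (the mimikatz pair into the post-exploitation file, "Pwning People Personally" into Social Engineering.md, cgasm into the Programming file); if those lines are on the retained side of this hunk, they are now listed twice and should be removed from the cull list.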
@ -97,90 +56,23 @@ http://www.scribd.com/doc/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voidin
https://github.com/strazzere/IDAnt-wanna
Sandboxed Execution Environment
http://pythonhosted.org/python-see
Documentation: http://pythonhosted.org/python-see
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.
MS Network Level Authentication
https://technet.microsoft.com/en-us/magazine/hh750380.aspx
https://github.com/codewatchorg/SideStep
https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
A Crash Course on the Depths of Win32™ Structured Exception Handling
https://www.microsoft.com/msj/0197/exception/exception.aspx
MFFA - Media Fuzzing Framework for Android
https://github.com/fuzzing/MFFA
SPartan
https://github.com/sensepost/SPartan
SPartan is a Frontpage and Sharepoint fingerprinting and attack tool
https://github.com/codewatchorg/SideStep
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
https://github.com/stamparm/maltrail
http://x86asm.net/articles/uefi-programming-first-steps/
File Format Fuzzing in Android
https://deepsec.net/docs/Slides/2015/File_Format_Fuzzing_in_Android_-Alexandru_Blanda.pdf
Win32 Assembly Components - Last Stage of Delirium Research Group
http://www.bandwidthco.com/whitepapers/programming/asm/Win32%20Assembly%20Components.pdf
Reliable Windows Heap Exploits
http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf
Compiler Security Checks In Depth - MSDN Library
https://msdn.microsoft.com/library/aa290051.aspx
PEB Structure 32/64 pdf
http://blog.rewolf.pl/blog/wp-content/uploads/2013/03/PEB_Evolution.pdf
Blogpost explaining above
http://blog.rewolf.pl/blog/?p=573
LSA Authentication
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326%28v=vs.85%29.aspx
LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages.
sandbox-attacksurface-analysis-tools
https://github.com/google/sandbox-attacksurface-analysis-tools
http://googleprojectzero.blogspot.com.mt/2015/11/windows-sandbox-attack-surface-analysis.html
https://archive.org/details/No_Easy_Breach#
No Easy Breach: Challenges and Lessons Learned from an Epic Investigation
(SEH Bypass) Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server.
https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf
fREedom - capstone based disassembler for extracting to binnavi
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
http://illmatics.com/Remote%20Car%20Hacking.pdf
Counterfeit Object-oriented Programming
http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf
http://toshellandback.com/2015/11/24/ms-priv-esc/
Windows - Application Shims
https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx
http://toshellandback.com/2015/11/24/ms-priv-esc/
https://github.com/securestate/king-phisher
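Review bot: "https://github.com/codewatchorg/SideStep" and "http://toshellandback.com/2015/11/24/ms-priv-esc/" each appear twice within this hunk. The Sandboxed Execution Environment, SEH crash course, Compiler Security Checks, PEB Structure, LSA Authentication, sandbox-attacksurface-analysis-tools, fREedom and Windows Application Shims entries shown here were all added to Sandboxes.md, System Internals and Reverse Engineering.md in this commit; any of them that remain on the retained side of this hunk should be dropped so the cull list only holds items not yet filed.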
@ -193,488 +85,52 @@ https://fosdem.org/2016/schedule/event/radar/
https://getgophish.com/documentation/
http://sdb.tools/talks.html
Shimming for Post Exploitation(blog)
http://www.sdb.tools/
http://www.programminghorizon.com/win32assembly/
Dragon: A Windows, non-binding, passive download / exec backdoor
http://www.shellntel.com/blog/2015/6/11/dragon-a-windows-non-binding-passive-downloadexec-backdoor
http://x86asm.net/articles/introduction-to-uefi/
toolbag
https://github.com/aaronportnoy/toolbag
The IDA Toolbag is a plugin providing supplemental functionality to Hex-Rays IDA Pro disassembler.
http://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html?m=1
Reverse Engineering UEFI Firmware
https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/
Reverse Engineering UEFI Firmware
https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/
A Guide to Malware Binary Reconstruction
https://github.com/0xAX/linux-insides/blob/master/Misc/contribute.md
Linux kernel development
https://github.com/0xAX/linux-insides/blob/master/Misc/contribute.md
HTTP Evasion
http://noxxi.de/research/http-evader-explained-8-borderline-robustness.html
PwnAdventureZ
https://github.com/Vector35/PwnAdventureZ
NES zombie survival game made to be hacked
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
Understanding JIT Spray
http://blog.cdleary.com/2011/08/understanding-jit-spray/
http://noxxi.de/research/http-evader-explained-6-whitespace.html
https://github.com/AndroBugs/AndroBugs_Framework
* AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate.
https://github.com/SekoiaLab/Fastir_Collector
http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf
| ** NSA's Legal Authorities ** | http://electrospaces.blogspot.com/2015/09/nsas-legal-authorities.html
| **USB Fuzzing Basics: From fuzzing to bug reporting** | http://blog.quarkslab.com/usb-fuzzing-basics-from-fuzzing-to-bug-reporting.html
http://meyerweb.com/eric/comment/chech.html
| ** Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014** | https://www.youtube.com/watch?v=zYYCv21I-1I
| ** Destroying Evidence Before Its Evidence** | https://www.youtube.com/watch?v=lqBVAcxpwio&spfreload=1
| **And That's How I Lost My Other Eye...Explorations in Data Destruction** | https://www.youtube.com/watch?v=-bpX8YvNg6Y
| **Kaspersky Hooking Engine Analysis** | https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
| **PowerUp - Windows Privilege Escalation through Powershell** | https://n0where.net/windows-local-privilege-escalation-powerup/
| ** Dangerous Clipboard: Analysis of the MS15-072 Patch ** | http://blog.talosintel.com/2015/10/dangerous-clipboard.html?m=1
| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
| **Security
www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
| **Graudit** - Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible. | http://www.justanotherhacker.com/projects/graudit.html
| **WMI-IDS** - WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time. | https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS
| **Simple websockets based webshell** | http://ibreak.software/2015/02/18/simple-websockets-based-webshell/
| **Black hat talk on Windows Privilege Escalation** | http://www.slideshare.net/riyazwalikar/windows-privilege-escalation
**Unicorn-Engine** - Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework. | http://www.unicorn-engine.org/
http://www.pentest.guru/index.php/2015/10/19/ditch-psexec-spraywmi-is-here/
| ** sandbox-attacksurface-analysis-tools** | https://github.com/google/sandbox-attacksurface-analysis-tools | This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
| **Python in a hacker's toolbox (PyConPl'15)** | http://gynvael.coldwind.pl/?lang=en&id=572
| **honggfuzz** - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage | https://github.com/google/honggfuzz
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy | https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx
https://github.com/google/honggfuzz
http://faydoc.tripod.com/cpu/index_a.htm
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
http://fabiensanglard.net/reverse_engineering_strike_commander/index.php
| **Phones and Privacy for Consumers** - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer) | http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyer
| **Security of RFID Protocols – A Case Study** |
In the context of Dolev-Yao style analysis of security proto cols, we investigate the security claims of a pro- posed strong-security RFID authentication protocol. We ex hibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on au thentication, untraceability, and desynchroniza- tion resistance. We analyze and discuss the authors’ proofs of security. References to other vulnerable protocols are given.
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
[Google Chrome Forensics-SANS](https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics#)
[Chromebook Forensics](www.dataforensics.org/google-chromebook-forensics/)
| **ClearImage Free Online Barcode Reader / Decoder** | http://online-barcode-reader.inliteresearch.com/
| **A Sysadmin's Unixersal Translator (ROSETTA STONE)** | http://bhami.com/rosetta.html
| **Sqoop** - OSINT search engine of public documents(handy) | http://sqoop.com/
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
http://blog.sematext.com/2015/10/05/recipe-apache-logs-rsyslog-parsing-elasticsearch/
[OSX Lion User Interface Preservation Analysis](https://digital-forensics.sans.org/blog/2011/10/03/osx-lion-user-interface-preservation-analysis#)
[
OS X Forensics Generals](https://davidkoepi.wordpress.com/category/os-x-forensics-10-8/)
[The Secret Life of SIM Cards - Defcon21](https://www.youtube.com/watch?v=31D94QOo2gY)
[Kam1n0-Plugin-IDA-Pro](https://github.com/McGill-DMaS/Kam1n0-Plugin-IDA-Pro)
* Kam1n0 is a scalable system that supports assembly code clone search. It allows a user to first index a (large) collection of binaries, and then search for the code clones of a given target function or binary file. Kam1n0 tries to solve the efficient subgraph search problem (i.e. graph isomorphism problem) for assembly functions. Given a target function (the middle one in the figure below) it can identity the cloned subgraphs among other functions in the repository (the ones on the left and the right as shown below). Kam1n0 supports rich comment format and has an IDA Pro plug-in to use its indexing and searching capabilities via IDA Pro.
[The big GSM write-up – how to capture, analyze and crack GSM?](http://domonkos.tomcsanyi.net/?p=418)
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[KillerBee](https://github.com/riverloopsec/killerbee)
* Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks.
[Debug Methodology Under UEFI](http://www.uefi.org/sites/default/files/resources/UEFI_Plugfest_2011Q4_P8_PHX.pdf)
[A list of IDA Plugins](https://github.com/onethawt/idaplugins-list)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
[Reverse Engineering Windows AFD.sys](https://recon.cx/2015/slides/recon2015-20-steven-vittitoe-Reverse-Engineering-Windows-AFD-sys.pdf)
[On Comparing Threat Intelligence Feeds](http://blogs.gartner.com/anton-chuvakin/2014/01/07/on-comparing-threat-intelligence-feeds/)
[Developing a Open Source Threat Intelligence Program—Edward McCabe](http://www.irongeek.com/i.php?page=videos/circlecitycon2014/105-developing-a-open-source-threat-intelligence-program-edward-mccabe)
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geeks struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
[No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap - ShmooCon15](https://www.youtube.com/watch?v=DKfWukYffsE&app=desktop)
* "In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to dehttp://faydoc.tripod.com/cpu/index_a.htmvelop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I'll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.
[Malware Information Sharing Platform](https://github.com/MISP/MISP)
* MISP - Malware Information Sharing Platform & Threat Sharing
[Collaborative Research Into Threats](https://crits.github.io/)
* CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and collaborating on threat data. In making CRITs free and open source, we can provide organizations around the world with the capability to quickly adapt to an ever-changing threat landscape. CRITs can be installed locally for a private isolated instance or shared among other trusted organizations as a collaborative defense mechanism.
[Collective Intelligence Framework](http://csirtgadgets.org/collective-intelligence-framework/)
* "Our Flagship Project, is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity."
[ShinySDR](https://github.com/kpreid/shinysdr)
* This is the software component of a software-defined radio receiver. When combined with hardware devices such as the USRP, RTL-SDR, or HackRF, it can be used to listen to a wide variety of radio transmissions, and can be extended via plugins to support even more modes.
[Bootkit Threats: In Depth Reverse Engineering & Defense- Eugene Rodionov&Aleksandr Matrosov](https://www.eset.com/fileadmin/Images/US/Docs/Business/presentations/conference_papers/REcon2012.pdf)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
[Debug SPI BIOS after Power Up Sequence](https://software.intel.com/en-us/articles/debug-spi-bios-after-power-up-sequence)
[Empire - Powershell Post-Exploitation Agent](http://www.powershellempire.com/)
* Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
[JSDetox](http://relentless-coding.org/projects/jsdetox/info)
* JSDetox is a tool to support the manual analysis of malicious Javascript code.
[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg(https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)
[Attacking and Defending BIOS in 2015](http://www.intelsecurity.com/advanced-threat-research/content/AttackingAndDefendingBIOS-RECon2015.pdf)
[Wepawet](https://wepawet.iseclab.org/)
* Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files
[Pupy](https://github.com/n1nj4sec/pupy)
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
[Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer](https://media.ccc.de/browse/congress/2014/31c3_-_6129_-_en_-_saal_2_-_201412282030_-_attacks_on_uefi_security_inspired_by_darth_venamis_s_misery_and_speed_racer_-_rafal_wojtczuk_-_corey_kallenberg.html#video)
* On modern Intel based computers there exists two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.
[JSFuck](http://www.jsfuck.com/)
* JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
[Scapy-Radio](https://bitbucket.org/cybertools/scapy-radio/src
* This tool is a modified version of scapy that aims at providing an quick and efficient pentest tool with RF capabilities.
A modified version of scapy that can leverage GNU Radio to handle a SDR card
GNU Radio flow graphs (GRC files) we have build that allows full duplex communication
GNU Radio blocks we have written to handle several protocols
[SecBee](https://github.com/Cognosec/SecBee)
* SecBee is a ZigBee security testing tool developed by Cognosec. The goal is to enable developers and security testers to test ZigBee implementations for security issues.
https://programmers.stackexchange.com/questions/7652/identifying-programming-languages-by-a-piece-of-code
http://blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx
[Dynamic IDA Enrichment (aka. DIE)](https://github.com/ynvb/DIE
* DIE is an IDA python plugin designed to enrich IDA`s static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.
[Demon](https://github.com/x0r1/Demon)
* GPU keylogger PoC by Team Jellyfish
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](https://blog.lacklustre.net/posts/Blackbox_Reversing_an_Electric_Skateboard_Wireless_Protocol/)
[Elasticsearch: The Definitive Guide The Definitive Guide](https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html)
[ARM Documentation](http://infocenter.arm.com/help/index.jsp?noscript=1)
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](https://blog.lacklustre.net/posts/Blackbox_Reversing_an_Electric_Skateboard_Wireless_Protocol/)
https://github.com/iv-wrt/iv-wrt
http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
https://github.com/danielmiessler/SecLists
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-1.html
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-2.html
[Consul](https://github.com/hashicorp/consul)
* Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
[Monit](https://mmonit.com/monit/)
* Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
[jsgifkeylogger](https://github.com/wopot/jsgifkeylogger)
* a javascript keylogger included in a gif file This is a PoC
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers]
From:
http://it-ovid.blogspot.com/2012/02/enumeration-and-reconnaissance.html
Network Enumeration and Scanning Cheat sheet
Network Scanning and Mapping
------------------------------------------------------------------------
Network Service Discovery
Nmap
nmap -sSV -vv -PN --send-ip -A -O -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>nmap -A -vv -PN --send-ip -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>
Unicorn Scan
us -H -msf -Iv <address> -p 1-65535
us -H -mU -Iv <address> -p 1-65535
Layer 2 - Arp - netdiscover
netdiscover -i <interface> -r <address-range>
------------------------------------------------------------------------
TCPDump Sniffing
tcpdump -s0 -xxXX -vv -i eth0 'host <address> and (dst port <num> or <num> )' | tee <address>_<service>_`date +%Y-%m-%d_%H:%M`.txt
or save the pcap file with additional flag (filename shortcut):
-w <address>_<service>_`date +%Y-%m-%d_%H:%M`.pcap
Locate VLAN Tagstcpdump -vv -i <interface> -s &ltsnap-length> -c <num-packet-count> 'ether[20:2] == 0x2000'
------------------------------------------------------------------------
Specific Service Queries
DNS TCP:53/UDP:53
DNS TCP and UDP 53 - DNS walking and Zone transfers
dig <domain> @<dns-server> AXFR | tee dns_<domain>_axfr._`date +%Y-%m-%d_%H:%M`.txt
DNS TCP and UDP 53 - DNS cache poisoning check
dig +short @<dns-server> porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"<dns-server> is GREAT: 26 queries in 4.4 seconds from 26 ports with std dev 22336"
------------------------------------------------------------------------
HTTP Web applications TCP 80,8000
nikto -h -p -C all -Display D -output nikto_<target-server><port>_`date +%Y-%m-%d_%H:%M`.txt -Format txt
DirBuster
cd /pentest/web/dirbuster && java -jar DirBuster-0.12.jar
WFuzz
wfuzz.py -c -z file,<wordlist> --hc 404 -o <html|magictree> http://<site-url>/FUZZ
e.g.
./wfuzz.py -c -z file,/pentest/passwords/wordlists/combined --hc 404 -o html http://<site-url>/FUZZ 2> /dev/null
HTTP commands for webserver enumeration
nc <target-address> <port>
HEAD / HTTP/1.0
or
OPTIONS / HTTP/1.0
or
TRACE / HTTP/1.0
WebDAV
IIS 6.0
HTTPS/SSL TCP 443
openssl s_client -connect <target-server>443 -state -debug
HEAD / HTTP/1.0
CONNECTED(00000003)
SSL_connect:before/connect initialization
... ... ... cut ... ... ...
SSL_connect:SSLv3 write client key exchange A
... ... ... cut ... ... ...
HTTP/1.1 302 Found
Date: Mon 02 Apr 2012 06:53:49 GMT
Server IBM_HTTP_Server/6.0.2.33 Apache/2.0.47 (Unix)
... ... ... cut ... ... ...
------------------------------------------------------------------------
SNMP commands UDP 161
SNMPWalk
snmpwalk -c public -v[1|2c] <target-server> | tee <address>_snmp_`date +%Y-%m-%d_%H:%M`.txt
SNMPv2-MIB::sysDescr.0 = STRING: hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.58.1.1.1.2.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24030770) 2 days, 18:45:07.70
SNMPv2-MIB::sysContact.0 = STRING: System contact unknown at this time
SNMPv2-MIB::sysName.0 = STRING:
SNMPv2-MIB::sysLocation.0 = STRING: System location unknown at this time
SNMPv2-MIB::sysServices.0 = INTEGER: 72
... ... ...
SNMPEnum
/snmpenum.pl public linux.txt
UPTIME... ... ...
HOSTNAME... ... ...
RUNNING SOFTWARE PATHS
... ... ...
RUNNING PROCESSES... ... ...
MOUNTPOINTS... ... ...
SYSTEM INFO
... ... ...
LISTENING UDP PORTS
... ... ... LISTENING TCP PORTS
OneSixtyOne
./onesixtyone -c <dictionary-file> -i <hosts-file> -o <address-range>_snmp_`date`.log -w
./onesixtyone <target-address>
Scanning 1 hosts, 2 communities [public] hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
SNMPCheck
./snmpcheck-1.8.pl -c <community-name> -v <version 1,2> -t <address-range>
snmpcheck.pl v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
[*] Try to connect to
[*] Connected to
[*] Starting enumeration at 2011-07-25 10:32:58
[*] System information
-----------------------------------------------------------------------------------------------
Hostname :
Description : hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
Uptime system : 0.00 seconds
Uptime SNMP daemon : 2 days, 18:17:07.01
[*] Network information
... ... ...
[*] Network interfaces
... ... ...
[*] Routing information
... ... ...
[*] Listening TCP ports and connections
... ... ...
------------------------------------------------------------------------
Samba/CIFS/NETBIOS TCP 135,139,445
nbtscan -v -s : -r <address-range> | tee <address-range>_nbtscan_`date +%Y-%m-%d_%H:%M`.txt
SMBClient - Discover and mount shares
smbclient -L \\\<target-address>\\ -U <Username>
smbclient -U <Username> -W <Workgroup> \\\\<target-address>\\\<sharename>
------------------------------------------------------------------------
RPC, PortMapper and NFS TCP/UDP:111
rpcinfo -p >target-address> | tee <address>_rpcinfo_`date +%Y-%m-%d_%H:%M`.txt
showmount -e <ip-address>
mount <ip-address>:<exported_path> <local_path>
Tunnelling and Pivoting
------------------------------------------------------------------------
SSH Tunnelling and pivoting
ssh -v -f -N -L <localIP>:<local-port>:<dest-ip>:<dest-port> <user>@&ltpivot-host> -i <authentication-key-file>
Verbosity (-v), Background (-f), No command execution (-N), Local port forwarding (-L)
Forward localhost port 25 to the localhost of 192.168.1.6 using ssh DSA key
ssh -v -f -N -L 127.0.0.1:25:127.0.0.1:25 user@192.168.1.6 -i /dsa/1024/f1fb2162a02f0f7c40c210e6167f05ca-16858
Proxy Chains
Dual-honed proxies or for proxying some port-scans
Edit the configuration file:
/etc/proxychains.conf
Under the ProxyList section:
[ProxyList]
http <proxy-server-ip> <port>
Execute with:
proxychains &ltsocket-aware command>
e.g
proxychains nmap -sT -vv --send-ip -pT:21,22,25,80,443,445,3389 <target-address>
Posted 22nd February 2012 by Tim Arneaud dfir-information.html)0
Good source for internals section: http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
[Stunneller](https://github.com/ultramancool/Stunneler)
* Android app for easy stunnel usage
http://www.securitytracker.com/id/1032048
https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
https://trmm.net/SPI
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
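Review bot: several entries in this hunk have markdown that will not render as links: `[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg(https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)` is missing the `]` before the URL, `[Scapy-Radio](https://bitbucket.org/cybertools/scapy-radio/src` and the DIE entry never close their parentheses, and `[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers]` ends with `]` instead of `)`. The `OS X Forensics Generals` link text is split across two lines, the Chromebook Forensics URL has no scheme (`www.dataforensics.org/...`) so it will be treated as a relative path, and the Blackbox Reversing an Electric Skateboard entry appears twice. In the quoted ShmooCon abstract, `http://faydoc.tripod.com/cpu/index_a.htm` has been pasted into the middle of the word "develop" and should be moved to its own line. In the pasted enumeration cheat sheet, the two nmap commands run together on one line, the `Locate VLAN Tags` label is fused with its tcpdump command, the `&lt` HTML entities in the tcpdump, ssh and proxychains lines should be `<`, `rpcinfo -p >target-address>` should read `<target-address>`, and the trailing `dfir-information.html)0` after the "Posted 22nd February 2012 by Tim Arneaud" attribution is paste debris.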
@ -692,45 +148,14 @@ http://fileformats.archiveteam.org/wiki/Encyclopedia_of_Graphics_File_Formats
[](https://github.com/rrbranco/Troopers2015)
[virusbattle-ida-plugin](https://github.com/moghimi/virusbattle-ida-plugin)
* The plugin is an integration of Virus Battle API to the well known IDA Disassembler. Virusbattle is a web service that analyses malware and other binaries with a variety of advanced static and dynamic analyses. For more information check out the
[pwndbg - Making debugging suck less](https://github.com/zachriggle/pwndbg)
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
[binjitsu](https://github.com/binjitsu/binjitsu/)
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
http://fileformats.archiveteam.org/wiki/PNG
[Bug Hunting for the Man on the Street]()
* Finding and discovering bugs has to be one of the most special times in a security researchers life (until you realise that crash you've been searching for and finally found is not actually exploitable). But the process of searching, discovery, understanding and of course some very much needed trial and error, many would say are rewarding and fulfilling themselves (I would of course, prefer to have my exploit cherry on the top)! So this talk will detail some of the aspects required to hunt down and find these coveted security vulnerabilities and bugs and some approaches that have proven to be invaluable (and some not so much). Of course bug hunting principle need to produce bugs so as the cherry there will be a virtual box exploit and Barracuda networks 0 day exploit discussed and demon
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58)
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
[discover - Kali Scripts](https://github.com/leebaird/discover)
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
*********
IPv6
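Review bot: two link entries in this hunk are incomplete: `[](https://github.com/rrbranco/Troopers2015)` has no link text and `[Bug Hunting for the Man on the Street]()` has no URL, so one renders as an empty link and the other as a dead one; add the title and URL before merging. The description under the latter is cut off mid-word at `...Barracuda networks 0 day exploit discussed and demon`, and the series heading reads `WindDbg` where the link below it uses `WinDbg`.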
@ -740,7 +165,7 @@ IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15]
* [Part 2](https://www.youtube.com/watch?v=V-GYPp-j-lE)
[[TROOPERS15] Andreas Lindh - Defender Economics](https://www.youtube.com/watch?v=mAP38Xy52X0)
http://www.legbacore.com/Research.html
@ -762,21 +187,12 @@ https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
[GRAUDIT](https://github.com/wireghoul/graudit/)
* Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
[Davoset](https://github.com/MustLive/DAVOSET)
* DAVOSET - it is console (command line) tool for conducting DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities at other sites.
*********
General Section?
********
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
********
https://mobilesecuritywiki.com/
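Review bot: the DAVOSET description needs its grammar tidied before merging: `DAVOSET - it is console (command line) tool for conducting DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities at other sites.` reads better as "DAVOSET is a console (command-line) tool for conducting DDoS attacks on sites by abusing functionality and XML External Entity vulnerabilities on other sites." The `General Section?` heading, with its trailing question mark and the rows of asterisks around it, looks like a placeholder left from culling; either give the section a name or drop the marker.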