Browse Source

Added Stuff/cleaned up some more sections

Added links/Cleaned out a couple cull sections
Robert 7 years ago
180 changed files with 16569 additions and 527 deletions
  1. +3
      Draft/Draft/Anonymity Opsec Privacy
  2. +27
      Draft/Draft/Attacking Defending Android
  3. +2
      Draft/Draft/Attacking Defending iOS
  4. +1
      Draft/Draft/BIOS UEFI Attacks
  5. +2
      Draft/Draft/Basic Security
  6. +1
      Draft/Draft/Cheat sheets reference pages Checklists
  7. +307
      Draft/Draft/Cheat sheets reference pages Checklists -/Androguard.txt
  8. +498
      Draft/Draft/Cheat sheets reference pages Checklists -/Radare2.txt
  9. +0
      Draft/Draft/Client Side
  10. +43
      Draft/Draft/Conference Videos Stuff
  11. +10
      Draft/Draft/Courses & Training
  12. +7
      Draft/Draft/Cryptography &
  13. +9
  14. +11
  15. +0
  16. +34
  17. +98
      Draft/Draft/Documentation & Reports
  18. +21
      Draft/Draft/Embedded Device & Hardware Hacking
  19. +13
  20. +4
      Draft/Draft/Forensics Incident
  21. +14
      Draft/Draft/Forensics Incident Response/add cull.txt
  22. +22
  23. +18
      Draft/Draft/Fuzzing Bug
  24. +6
  25. +21
  26. +42
  27. +88
      Draft/Draft/Interesting Things Useful
  28. +2
  29. +142
  30. +78
      Draft/Draft/Network Attacks &
  31. +13
      Draft/Draft/Network Recon and
  32. +184
      Draft/Draft/Network Security Monitoring &
  33. +3
      Draft/Draft/Open Source
  34. +8
      Draft/Draft/Password Bruting and
  35. +38
  36. +46
      Draft/Draft/Privilege Escalation &
  37. +30
      Draft/Draft/Programming - Languages Libs Courses
  38. +28
  39. +21
  40. +7
      Draft/Draft/Securing Hardening_1/Cull.txt
  41. +7
  42. +4
      Draft/Draft/Steal Everything Kill Everyone
  43. +11
      Draft/Draft/System Internals Windows and Linux Internals
  44. +7
  45. +102
      Draft/Draft/To Do/add cull -1.txt
  46. +30
      Draft/Draft/Web &
  47. +46
      Draft/Draft/Wireless Networks &
  48. +104
      _site/Draft/Draft/Anonymity Opsec Privacy
  49. +27
  50. +165
      _site/Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.txt
  51. +421
      _site/Draft/Draft/Attacking Defending Android
  52. +135
      _site/Draft/Draft/Attacking Defending iOS
  53. +148
      _site/Draft/Draft/BIOS UEFI Attacks
  54. +34
      _site/Draft/Draft/Basic Security
  55. +54
      _site/Draft/Draft/Building A Pentest
  56. +50
      _site/Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt
  57. +113
      _site/Draft/Draft/CTFs & Wargames
  58. +175
      _site/Draft/Draft/Cheat sheets reference pages Checklists
  59. +11
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/Curl.txt
  60. +112
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/Metasploit.txt
  61. +62
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/Ncat.txt
  62. +119
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt
  63. +242
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/Nmap.txt
  64. +1
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt
  65. +57
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/TCPDump.txt
  66. +3
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/ToDO.txt
  67. +98
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt
  68. +111
      _site/Draft/Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt
  69. +67
      _site/Draft/Draft/Client Side
  70. +0
      _site/Draft/Draft/Con Videos Stuff
  71. +82
  72. +154
      _site/Draft/Draft/Courses & Training
  73. +20
  74. +135
      _site/Draft/Draft/Cryptography &
  75. +30
      _site/Draft/Draft/Cryptography & Encryption/Linux Systems.txt
  76. +28
      _site/Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
  77. +48
      _site/Draft/Draft/Cryptography & Encryption/cull.txt
  78. +69
  79. +82
  80. +51
  81. +0
  82. +0
      _site/Draft/Draft/Documentation &
  83. +0
  84. +318
      _site/Draft/Draft/Embedded Device & Hardware Hacking
  85. +45
  86. +557
  87. +50
      _site/Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
  88. +159
      _site/Draft/Draft/Forensics Incident
  89. +257
      _site/Draft/Draft/Forensics Incident Response/add cull.txt
  90. +160
  91. +19
      _site/Draft/Draft/Frameworks/Metasploit Reference.txt
  92. +67
      _site/Draft/Draft/Frameworks/Meterpreter Scripts and Description.txt
  93. +110
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
  94. +832
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration.txt
  95. +315
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
  96. +0
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf
  97. +29
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Password Cracking.txt
  98. +73
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Penetration.txt
  99. +128
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/VoIP Security.txt
  100. +67
      _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt

+ 3
- 0
Draft/Draft/Anonymity Opsec Privacy View File

@ -24,6 +24,9 @@ Tools
[Can you track me now? - Defcon20](
[De-anonymizing facebook users through CSP](

+ 27
- 6
Draft/Draft/Attacking Defending Android View File

@ -34,24 +34,29 @@ Other
[elsim - Elements Similarities](
* Similarities/Differences of applications (aka rip-off indicator)
* This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods.
[ARE - Virtual Machine for Android Reverse Engineering](
[Android apps in sheep's clothing](
* We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.
[Android Bytecode Obfuscation - Patrick Schulz 2012](
[Instrumenting Android Applications with Frida](
[Dissecting the Android Bouncer](
[ARE - Virtual Machine for Android Reverse Engineering](
[APK Studio - Android Reverse Engineering](
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[Android Bytecode Obfuscation - Patrick Schulz 2012](
[Android Reverse Engineering Defenses](
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](
* Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
@ -63,6 +68,15 @@ Other
[Dalvik Bytecode Format docs](
[The Android boot process from power on](
* Since mobile platforms and embedded systems has some differences compared to Desktop systems in how they initially start up and boot this post will discuss the initial boot stages of an Android phone in some detail.
###Securing Android
[Android Reverse Engineering Defenses](
[List of Android Vulnerabilities](
@ -119,7 +133,7 @@ Other
* APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
* DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended:
Hashes for the analyzed package
Incoming/outgoing network data
@ -150,6 +164,9 @@ Additionally, two images are generated visualizing the behavior of the package.
###Static Analysis
[Disect Android APKs like a Pro - Static code analysis](
^ Androguard is mainly a tool written in python to play with:
Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
@ -282,8 +299,12 @@ Check the Encryption section of the overall guide for more information.
###Reverse Engineering Android
[APK Studio - Android Reverse Engineering](
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[Android apk-tool](
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing Android’s Proprietary bits](

+ 2
- 0
Draft/Draft/Attacking Defending iOS View File

@ -26,8 +26,10 @@ Jailbreaking
[iOS 678 Security - A Study in Fail](
[Jailbreak Stories - Cyril Cattiaux(pod2g) - WWJC 2014](

+ 1
- 1
Draft/Draft/BIOS UEFI Attacks View File

@ -135,7 +135,7 @@ Grab links for his papers
[Hardware Backdooring is Practical -Jonathan Brossard - Defcon20](
[Attackin the TPM part 2](

+ 2
- 0
Draft/Draft/Basic Security View File

@ -26,6 +26,8 @@
Shodan Guide
[Shodan Man page](

+ 1
- 1
Draft/Draft/Cheat sheets reference pages Checklists View File

@ -24,7 +24,7 @@ Databases
[SiLK Toolsuite Quick Reference Guide](

+ 307
- 0
Draft/Draft/Cheat sheets reference pages Checklists -/Androguard.txt View File

@ -0,0 +1,307 @@
You can used it to transform Android's binary XML (eg: AndroidManifest.xml) into classic xml (human readable ;)).
$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (APK or android's binary xml)
-o OUTPUT, --output=OUTPUT
filename output of the xml
-v, --version version of the API
$ ./ -i yourfile.apk -o output.xml
$ ./ -i AndroidManifest.xml -o output.xml
This tool displays information on a given APK:
usage of native code
usage of native code
axelle$ ./ -i qicsomos.apk
res/layout/main.xml res/layout/main.xml 54a83b5b
AndroidManifest.xml AndroidManifest.xml 2eef2f86
res/drawable-mdpi/ic_launcher.png res/drawable-mdpi/ic_launcher.png -22437ab
res/drawable-hdpi/ic_launcher.png res/drawable-hdpi/ic_launcher.png -4e108fda
resources.arsc resources.arsc -55923b8c
classes.dex classes.dex -bafd464
res/drawable-ldpi/ic_launcher.png res/drawable-ldpi/ic_launcher.png -6272d259
android.permission.SEND_SMS ['dangerous', 'send SMS messages', 'Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.']
android.permission.READ_LOGS ['dangerous', 'read sensitive log data', "Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information."]
MAIN ACTIVITY: org.projectvoodoo.simplecarrieriqdetector.Main
ACTIVITIES: ['org.projectvoodoo.simplecarrieriqdetector.Main']
Native code: False
Dynamic code: False
Reflection code: False
This tool helps you to create your own signatures in order to add them in the database. In fact, it's more easy after an analysis to isolate which parts are the more interesting to add in the database in order to detect the malware (and variants). So, the idea is to describe your signature of a malware in a json format file to add this signature to the database.
desnos@destiny:~/androguard$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-r REMOVE, --remove=REMOVE
remote the signature
-o OUTPUT, --output=OUTPUT
output database
-l LIST, --list=LIST list signatures in database
-c CHECK, --check=CHECK
check signatures in database
-v, --version version of the API
The input file is a classical json format :
[ { "SAMPLE" : "apks/malwares/DroidDream/Magic Hypnotic Spiral.apk" }, { "BASE" : "AndroidOS", "NAME" : "DroidDream", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/android/root/Setting;", "MN" : "postUrl", "D" : "(Ljava/lang/String; Landroid/content/Context;)V" } ], "BF" : "0" } ]
where SAMPLE is the file where signatures will be extracted. NAME is the name of your signature. And SIGNATURE is a list of dictionnary which describes all sub-signatures.
A sub-signature can be a :
METHSIM : CN is the classname, NM is the method name, and D is the descriptor CLASSSIM : CN is the classname So a sub-signature can be apply on a specific method or directly on an entire class.
BF is the boolean formula of the whole signature, so it's possible to mix different sub-signatures.
When the sub-signature is added to the database, the engine will keep only interesting information :
entropies of general signature, android packages, java packages, binary raw, and exceptions. These entropies are using to clustering sub-signatures and compare items : it is these values that which will be used to apply clustering, value of the general signature : it is this value that which will be used to apply similarity distance on each required cluster. In the previous output, we isolated one method (postUrl) in an application (droiddream malware) to create a new signature. Androcsign will extract useful information of this application to add the signature in the database :
desnos@destiny:~/androguard$ ./ -i signatures/droiddream.sign -o signatures/dbandroguard
This tool is used to output graphs for each method of each class of an Android package.
$ ./ --help
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-o OUTPUT, --output=OUTPUT
base directory to output all files
-d, --dot write the method in dot format
-f FORMAT, --format=FORMAT
write the method in specific format (png, ...)
-v, --version version of the API
input: an Android APK or classes.dex
output directory is mandatory, or the tool does not output anything.
output formats: PNG, JPG.
if you wish both DOT and PNG output for ex, mix options -d and -f PNG
The tool is used to compare/display the differences between two apps. The documentation is available here
You can used it to dump a linux process in order to get the original class files.
$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
-v, --version version of the API
pouik@camelot:~/androguard$ ps aux |grep java
pouik 21008 0.1 0.5 673840 10688 pts/5 Sl+ 10:28 0:02 java Test2
pouik 21548 0.0 0.0 3060 812 pts/2 S+ 11:00 0:00 grep java
pouik@camelot:~/androguard$ ./ -i 21008
HEADER 0x6f990000-0x6fee0000 (rw-p)
Test2 ()V
Test2 get_x ()I
Test2 main ([Ljava/lang/String;)V
Test2bis ()V
Test2bis get_T ()Ljava/lang/String;
This tool outputs graphs using the GEXF format.
desnos@destiny:~/androguard$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (dex, apk)
-o OUTPUT, --output=OUTPUT
filename output of the xgmml
For instance,
desnos@destiny:~/androguard$ ./ -i YOURAPP.apk -o YOURAPP.gexf
The output graph can be viewed using an external tool, named Gephi. For real examples of visualization of Android malware, please see this page.
Androlyze is a tool to analyze Android applications. The most common features are available via command line, the others via a Python interactive shell:
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-d, --display display the file in human readable format
-m METHOD, --method=METHOD
display method(s) respect with a regexp
-f FIELD, --field=FIELD
display field(s) respect with a regexp
-s, --shell open a shell to interact more easily with objects
-v, --version version of the API
-p, --pretty pretty print !
-t TYPE_PRETTY, --type_pretty=TYPE_PRETTY
set the type of pretty print (0, 1) !
-x, --xpermissions show paths of permissions
Using androlyze via the interactive shell opens up to tons of other features. Basically, all functions of the code are available that way:
./ -s
Welcome to Androlyze ALPHA 0-update1
>>> j = JVMFormat( open("./VM.class").read() )
# Get specific methods
>>> x = j.get_method("<init>")[0]
# Change name
>>> x.set_name("toto")
# Save it
>>> fd = open("VM2.class", "w")
>>> fd.write(
>>> fd.close()
This tool links with the Mercury framework
See blog post
$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-l LIST, --list=LIST list all packages
-i INPUT, --input=INPUT
get specific packages (a filter)
specify ip of emulator/device
-p PORT, --port=PORT specify the port
-o OUTPUT, --output=OUTPUT
output directory to write packages
-b DATABASE, --database=DATABASE
database : use this database
-c CONFIG, --config=CONFIG
use this configuration
-v, --verbose display debug information
./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use these filenames
-a, --analysis perform analysis to calculate the risk
-m, --method perform analysis of each method
directory : use this directory
-v, --version version of the API
Checks whether a given sample is listed in the database or not.
$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
directory : use this directory
-b DATABASE, --database=DATABASE
database : use this database
-c CONFIG, --config=CONFIG
use this configuration
-v, --verbose display debug information
For example, see
$ ./ -d apks/malwares/foncy/ -b signatures/dbandroguard -c signatures/dbconfig
98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2 : ----> Foncy
81dd17ea168cf884bfb5aebb7cd2241a5624d1ae14444594bf7677e1080339f9 : ----> Foncy
d9ef940236f285548a60be0d575d7bba4587bdfc3f6c56f38b5da601686344a9 : ----> Foncy
SuiConFo 1.26.apk : ----> None
127sc.apk : ----> None
The tool is used to get the similarities between two apps. The documentation is available here
axelle@caiman:~/softs/androguard$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use these filenames
define the threshold
define the compressor
-d, --display display all information about methods
-n, --new don't calculate the similarity score with new methods
-e EXCLUDE, --exclude=EXCLUDE
exclude specific class name (python regexp)
-s SIZE, --size=SIZE exclude specific method below the specific size
-x, --xstrings display similarities of strings
-v, --version version of the API
-l LIBRARY, --library=LIBRARY
use python library (python) or specify the path of the
shared library)
You can used it to transform an apk/jar/class/dex files format into an xgmml graph which represent the control flow graph or the functions call.
$ ./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input
-o OUTPUT, --output=OUTPUT
filename output of the xgmml
-f, --functions include function calls
-e, --externals include extern function calls
-v, --version version of the API
./ -i myapp.jar -o output.xgmml
./ -i myapp.apk -o output.xgmml
./ -i myclass.class -o output.xgmml
./ -i mydex.dex -o output.xgmml
# with functions call :
./ -i myapp.jar -f -o output.xgmml
# with external function calls
./ -i myapp.jar -e -o output.xgmml
# with both
./ -i myapp.jar -e -f -o output.xgmml
./ -h
Usage: [options]
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (dex, apk)
-o OUTPUT, --output=OUTPUT
directory output

+ 498
- 0
Draft/Draft/Cheat sheets reference pages Checklists -/Radare2.txt View File

@ -0,0 +1,498 @@
Copy/pasted from [](
Command line options
-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
-i: Interprets a r2 script
-A: Analize executable at load time (xrefs, etc)
-n: Bare load. Do not load executable info as the entrypoint
-c'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
-p: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed)
Similar to r2 malloc://512
Configuration properties
They can be used in evaluations:? ${asm.tabs}
e: Returs configuration properties
e <property>: Checks a specific property:
e asm.tabs => false
e <property>=<value>: Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
You will want to set your favourite options in ~/.radare2rc since every line there will be interpreted at the beginning of each session. Mine for reference:
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Display stack and register values on top of disasembly view (visual mode)
e cmd.stack = true
# Solarized theme
eco solarized
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
There is an easier interface accessible from the Visual mode, just typing Ve
Basic Commands
Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe]
; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
| Pipe with shell commands: pd | less
! Run shell commands: !cat /etc/passwd
!! Escapes to shell, run command and pass output to radare buffer
Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this command to launch it directly to the shell. A single one will walk through the io plugin list.
` Radare commands: wx `!ragg2 -i exec`
~ grep
~! grep -v
~[n] grep by columns afl~[0]
~:n grep by rows afl~:0
pi~mov,eax ; lines with mov or eax
pi~mov&eax ; lines with mov and eax
pi~mov,eax:6 ; 6 first lines with mov or eax
pd 20~call[0]:0 ; grep first column of the first row matching 'call'
.cmd Interprets command output
is* prints symbolos
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
.. repeats last commands (same as enter \n)
( Used to define and run macros
$ Used to define alias
$$: Resolves to current address
Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
? Evaluate expression
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000
Note: | and & need to be escaped
?$? Help for variables used in expressions
$$: Here
$s: File size
$b: Block size
$l: Opcode length
$j: When $$ is at a jmp, $j is the address where we are going to jump to
$f: Same for jmp fail address
$m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
??? Help for ? command
?i Takes input from stdin. Eg ?i username
?? Result from previous operations
?s from to [step]: Generates sequence from to every
?p: Get physical address for given virtual address
?P: Get virtual address for given physical one
?v Show hex value of math expr
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140 = 0xa
?l str: Returns the length of string
@@: Used for iteractions
wx ff @@10 20 30 Writes ff at offsets 10, 20 and 30
wx ff @@`?s 1 10 2` Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.* Writes a nop on every symbol
s address: Move cursor to address or symbol
s-5 (5 bytes backwards)
s- undo seek
s+ redo seek
Block size
The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20)
b size: Change block size
JSON Output
Most of commands such as (i)nfo and (p)rint commands accept a j to print their output in json
[0x100000d78]> ij
{"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}
aa: Analyze all (fcns + bbs) same that running r2 with -A
ahl <length> <range>: fake opcode length for a range of bytes
ad: Analyze data
ad@rsp (analize the stack)
Function analysis (normal mode)
af: Analyze functions
afl: List all functions
number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)
Function analysis (visual mode)
d, f: Function analysis
d, u: Remove metadata generated by function analysis
Opcode analysis:
ao x: Analize x opcodes from current offset
a8 bytes: Analize the instruction represented by specified bytes
iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
iS~w returns writable sections
is: Symbols
is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint
i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
Get function address in GOT table: pd 1 @ sym.imp<funct> Returns a jmp [addr] where addr is the the address of function in the GOT. Similar to objdump -R | grep <func>
psz n @ offset: Print n zero terminated String
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n words
pxw size@offset prints hexadecimal words at address
pd n @ offset: Print n opcodes disassambled
pD n @ offset: Print n bytes disassembled
pi n @ offset: Print n instructions disassambeled (no address, XREFs, etc. just instrunctions)
pdf @ offset: Print disassembled function
pdf~XREF (grep: XREFs)
pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph
wx: Write hex values in current offset
wx 123456
wx ff @ 4
wa: Write assembly
wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
wow 11223344 @102!10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4!10
XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
woO 41424344 : get the index in the De Bruijn Pattern of the given word
Flags are labels for offsets. They can be grouped in namespaces as sym for symbols ...
f: List flags
f label @ offset: Define a flag `label` at offset
f str.pass_len @ 0x804999c
f -label: Removes flag
fr: Rename flag
fd: Returns position from nearest flag (looking backwards). Eg => entry+21
fs: Show all flag spaces
fs flagspace: Change to the specified flag space
yank & paste
y n: Copies n bytes from current position
y: Shows yank buffer contentent with address and length where each entry was copied from
yp: Prints yank buffer
yy offset: Paste the contents of the yank buffer at the specified offset
yt n target @ source: Yank to. Copy n bytes fromsource to target address
Visual Mode:
V enters visual mode
q: Exits visual mode
hjkl: move around (or HJKL) (left-down-up-right)
o: go/seek to given offset
?: Help
.: Seek EIP
<enter>: Follow address of the current jump/call
:cmd: Enter radare commands. Eg: x @ esi
d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
dr: Rename a function
df: Define a function
v: Get into the visual code analysis menu to edit/look closely at the current function.
p/P: Rotate print (visualization) modes
hex, the hexadecimal view
disasm, the disassembly listing
Use numbers in [] to follow jump
Use "u" to go back
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
c: Changes to cursor mode or exits the cursor mode
select: Shift+[hjkl]
i: Insert mode
a: assembly inline
A: Assembly in visual mode
y: Copy
Y: Paste
f: Creates a flag where cursor points to
<tab> in the hexdump view to toggle between hex and strings columns
V: View ascii-art basic block graph of current function
W: WebUI
x, X: XREFs to current function. ("u" to go back)
t: track flags (browse symbols, functions..)
gG: Begging or end of file
_ Show HUD
backspace: Exits HUD
We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmt: Add/remove comment
m<char>: Define a bookmark
'<char>: Go to previously defined bookmark
/R opcodes: Search opcodes
/R pop,pop,ret
/Rl opcodes: Search opcodes and print them in linear way
/Rl jmp eax,call ebx
/a: Search assembly
/a jmp eax
pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassmbling byte per byte instead of obeying to opcode length
Search depth can be configure with following properties:
e search.roplen = 4 (change the depth of the search, to speed-up the hunt)
/ bytes: Search bytes
Example: Searching function preludes:
push ebp
mov ebp, esp
Opcodes: 5589e5
/x 5589e5
[# ]hits: 54c0f4 < 0x0804c600 hits = 1
0x08049f70 hit0_0 5589e557565383e4f081ec
0x0804c31a hit0_1 5589e583ec18c704246031
0x0804c353 hit0_2 5589e583ec1889442404c7
0x0804c379 hit0_3 5589e583ec08e87cffffff
0x0804c3a2 hit0_4 5589e583ec18c70424302d
pi 5 @@hit* (Print 5 first instructions of every hit)
Its possible to run a command for each hit. Use the cmd.hit property:
e cmd.hit=px
Comments and defines
Cd [size]: Define as data
C- [size]: Define as code
Cs [size]: Define as String
Cf [size]: Define as struct
We can define structures to be shown in the disassmbly
CC: List all comments or add a new comment in console mode
C* Show all comments/metadata
CC <comment> add new comment
CC- remove comment
Magic files
pm: Print Magic files analysis
[0x00000000]> pm
0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
Search for magic numbers
/m [magicfile]: Search magic number headers with libmagic
Search can be controlled with following properties:
search.from (0 = beginning) (0 = end)
Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.
:yara scan
Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries.
zg <language> <output file>: Generate signatures
eg: zg go go.z
Run the generated script to load signatures
eg: . go.z
z: To show signatures loaded:
Zignatures are applied as comments:
r2-(pid2)> pd 35 @ 0x08049adb-10
| 0x08049adb call fcn.0805b030
| fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
| 0x08049ae0 add esp, 0xc
| 0x08049ae3 call fcn.08095580
Compare files
r2 -m 0xf0000 /etc/fstab ; Open source file
o /etc/issue ; Open file2 at offset 0
o ; List both files
cc offset: Diff by columns between current offset address and "offset"
Basic block graphs
af: Load function metadata
ag $$ > Dump basic block graph to file
ag $$ | xdot: Show current function basic block graph
Call graphs
af: Load function metadata
agc $$ > Dump basic block graph to file
Convert .dot in .png
dot -Tpng -o /tmp/b.png
Generate graph for file:
radiff2 -g main crackme.bin crackme.bin > /tmp/a
xdot /tmp/a
Start r2 in debugger mode. r2 will fork and attach
r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
ptrace://pid (debug backend does not notice, only access to mapped memory)
To pass arguments:
r2 -d rarun2 program=pwn1 arg1=$(python
To pass stdin:
r2 -d rarun2 program=/bin/ls stdin=$(python
do: Reopen program
dp: Shows debugged process, child processes and threads
dc: Continue
dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
ds: Step in
dso: Step out
dss: Skip instruction
dr register=value: Change register value
dr(=)?: Show register values
db address: Sets a breakpoint at address
db sym.main add breakpoint into sym.main
db 0x804800 add breakpoint
db -0x804800 remove breakpoint
dsi (conditional step): Eg: "dsi eax==3,ecx>0"
dbt: Shows backtrace
drr: Display in colors and words all the refs from registers or memory
dm: Shows memory map (* indicates current section)
[0xb776c110]> dm
sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
sys 0xb776a000 - 0xb776b000 s r-x [vdso]
sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/
sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/
sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
To follow child processes in forks (set-follow-fork-mode in gdb)
dcf until a fork happen
then use dp to select what process you want to debug.
PEDA like details: drr;pd 10@-10;pxr 40@esp
Debug in visual mode
toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9
WebGUI (Enyo)
=h: Start the server
=H: Start server and browser
Radare2 suite commandRadare2 suite commands
All suite commands include a -r flag to generate instructions for r2
rax2 - Base conversion
-e: Change endian
-k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
-s: ASCII to hex
rax2 -S hola (from string to hex)
rax2 -s 686f6c61 (from hex to string)
-S: binary to hex (for files)
rahash2 - Entropy, hashes and checksums
-a: Specify the algorithm
-b XXX: Block size
-B: Print all blocks
-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
radiff2 - File diffing
-s: Calculate text distance from two files.
-d: Delta diffing (For files with different sizes. Its not byte per byte)
-C: Code diffing (instead of data)
Diff original and patched on x86_32, using graphdiff algorithm
radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
radiff2 -a x86 -b32 original patched :
rasm2 - Assembly/Disassembly
-L: Supported architectures
-a arch instruction: Sets architecture
rasm2 -a x86 'mov eax,30' => b81e000000
-b tam: Sets block size
-d: Disassembly
rasm2 -d b81e000000 => mov eax, 0x1e
-C: Assembly in C output
rasm2 -C 'mov eax,30' =>"\xb8\x1e\x00\x00\x00"
-D: Disassemble showing hexpair and opcode
rasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e
-f: Read data from file instead of ARG.
-t: Write data to file
rafind2 - Search
-Z: Look for Zero terminated strings
-s str: Look for specifc string
ragg2 - Shellcode generator, C/opcode compiler
-P: Generate De Bruijn patterns
ragg2 -P 300 -r
-a arch: Configure architecture
-b bits: Specify architecture bits (32/64)
-i shellcode: Specify shellcode to generate
-e encoder: Specify encoder
Generate a x86, 32 bits exec shellcode
ragg2 -a x86 -b 32 -i exec
rabin2 - Executable analysis: symbols, imports, strings ...
-I: Executable information
-C: Returns classes. Useful to list Java Classes
-l: Dynamic linked libraries
-s: Symbols
-z: Strings
rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds
r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
r2 -d rarun2 program=/bin/ls stdin=$(python : runs /bin/ls with the output of directed to stdin

+ 0
- 49
Draft/Draft/Client Side View File

@ -6,62 +6,13 @@ I define client-side attacks as any form of attack that requires deliberate acti
###Different forms of client side attacks:
[3 Types of XSS](
* Dom-based
* Reflected
* Persistent
[Cross Frame Scripting](
[Cross Site Request Forgery](
[Client Side attacks using Powershell](
Attacking Browsers
Need to read Browser hackers handbook
[White Lightning Attack Platform](
[BeEF Browser Exploitation Framework](
[Technical analysis of client identification mechanisms](
[The definition from wikipedia](
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
####Phishing Techniques:
[Post exploitation trick - Phish users for creds on domains, from their own box](
[Real World Phishing Techniques - Honeynet Project](
[Tab Napping - Phishing](
[How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](
####Phishing Frameworks:
[Phishing Frenzy](
* Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.
* Simple Phishing Toolkit is a super easy to install and use phishing framework built to help Information Security professionals find human vulnerabilities

+ 43
- 0
Draft/Draft/Conference Videos Stuff View File

@ -0,0 +1,43 @@
##Information Security Conference Videos & Stuff
[31st Chaos Communication Congress Archive](
[Shmoocon 2015 Videos](
[Defcon Media Archive](
[You and Your Research - Haroon Meer](
* What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.
[A talk about (info-sec) talks - Haroon Meer ](
* Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?
[Archive of security conference videos](
[Trooper Conference - 2015](
[CanSecWest Vancouver 2015 Slides](
[SyScan2015 Slides](

+ 10
- 0
Draft/Draft/Courses & Training View File

@ -22,6 +22,13 @@ Reverse Engineering Classes/Training
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
[Modern Binary Exploitation - CSCI 4968 - Spring '15](
* The course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux based userland binary exploitation. It will then transitionin to protections found on modern systems(Canaries, DEP, ASLR, RELRO, FortifySource, etc) and the techniques used to defeat them.Time permitting, the course will also cover other subjects in exploitation including kernel land and Windows based exploitation.
@ -29,8 +36,11 @@ Hackingdojo
[mammon_'s tales to his grandson - Reverse Engineering](
[Software Modeling and Verification - Static Analysis](
###General Sources/Repository of Classes

+ 7
- 0
Draft/Draft/Cryptography & View File

@ -16,6 +16,13 @@ Writeups
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](
[XOR Bitwise Operations Explained - Khan Academy](
[HiVE — Hidden Volume Encryption](
[Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
* hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.

+ 9
- 0
Draft/Draft/Darknets View File

@ -22,6 +22,15 @@ Cull
Tor black-market-related arrests](
* I compile a table and discussion of all known arrests and prosecutions related to Tor-Bitcoin black-markets such as Silk Road 1, along with discussion of how they came to be arrested.
[Touring the Darkside of the Internet. An Introduction to Tor - Defcon22](

+ 11
- 0
Draft/Draft/Data View File

@ -13,14 +13,25 @@ ToC
* plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
[Graphite - Scalable Realtime Graphing](
* [Quick Start Guide](
* A network daemon that runs on the Node.js platform and listens for statistics, like counters and timers, sent over UDP or TCP and sends aggregates to one or more pluggable backend services (e.g., Graphite).
[Kismet Log Viewer - KLV](
* The Kismet Log Viewer (KLV) takes Kismet .xml log files and produces a nicely formatted html interface to browse the logs with. KLV has the ability to utilize available GPS information to create links for external maps via the net, and provides the ability for those with Snort to generate a page of Snort output for each specific bssid that has data available. KLV also comes with my Kismet Log Combiner script to help users consolidate multiple .xml and .dump log files.
* Visualize statistics from a Kippo SSH honeypot

Draft/Draft/ → Draft/Draft/Disclosure View File

+ 34
- 0
Draft/Draft/Disinformation View File

@ -0,0 +1,34 @@
[Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](
[[TROOPERS15] Azhar Desai, Marco Slaviero - Weapons of Mass Distraction](
[The Gentleperson’s Guide to Forum Spies]
[Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](
[Disinformation of Charlie Hebdo and The Fake BBC Website](
[Counterintelligence, False Flags, Disinformation, and Network Defense - krypt3ia](
[PsyOps and Socialbots](
[A Digital World Full of Ghost Armies](
* Not very related to infosec per say, but the general idea/takeaway is very applicable.
[Russia Convention on International Information Security](

+ 98
- 0
Draft/Draft/Documentation & Reports View File

@ -0,0 +1,98 @@
##Documentation & Reporting
For writing technical documentation.
Video Documentation
###Penetration Testing &/ Collaboration Tools
* Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:
* Dradis is an open source collaboration framework, tailored to InfoSec teams.
* It can integrate with a lot of existing tools you probably are using if you're reading this.
* Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.1
* Lair is a reactive attack collaboration framework and web application built with meteor.
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
[A beginners guide to writing documentation](
[Teach, Don’t Tell](
Other Materials:
Three parter from
* [What to write](
* [Technical Style](
* [Editors](
[Writing Types of User Documentation](
[The 7 Rules for Writing World Class Technical Documentation](
###Writing Reports
[Penetration tests done by cure53, good examples of how a report should be done.]( )
[Offensive Security 2013 Demo report](
[Writing a Penetration Testing Report by SANS](
[Excellent blog post breaking down the various parts, a must read](
[Report Template from](
[Penetration Testing Execution Standard section on Reporting](
[Tips for Creating an Information Security Assessment Report Cheat Sheet](
[SANS InfoSec Policy Templates](
[What is Markdown?](
[Using markdown](
[Markdown Syntax](
[Markdown basics](
[Mastering Markdown](
###Video Recording
[Open Broadcaster Software OBS](
* Open Broadcaster Software is free and open source software for video recording and live streaming.
* Cross Platform, Windows/OsX/Linux

+ 21
- 2
Draft/Draft/Embedded Device & Hardware Hacking View File

@ -38,6 +38,18 @@ Papers
Chameleon Mini
* [Chameleon: A Versatile Emulator for Contactless Smartcards - Paper](
* [Milking the Digital Cash Cow [29c3] Video Presentation](
* [ChameleonMini Hardware](
[Introduction to Trusted Execution Environments - Steven J. Murdoch](
[U-Boot -- the Universal Boot Loader](
* Very popular on embedded devices open source bootloader for linux
* [Manual/Documentation](
[Anti-Evil Maid](
@ -138,7 +150,8 @@ TR-069
* The Logic Pirate is an inexpensive, yet capable open source logic analyzer. It is designed to support the SUMP logic analyzer protocol. Costs $30. Recommended to me by those who use it.
* [Blog Post about it](
* JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.
###General Hardware Hacking
@ -268,6 +281,11 @@ BadUSB
* This project's goal is to turn PS2303-based USB flash drive into a cheap USB 3.0 development platform (i.e. fast USB 3.0 to FPGA bridge).
###SIM Cards
[Rooting SIM cards](
@ -291,7 +309,8 @@ Embedded Systems](
[Implementation and Implications of a Stealth Hard-Drive Backdoor](
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors](
* Abstract. Memory isolation is a key property of a reliable and secure computing system — an access to one memory ad- dress should not have unintended side e ects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more di  cult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses. We induce errors in most DRAM modules (110 out of 129) from three major DRAM manufacturers. From this we conclude that many deployed systems are likely to be at risk. We identify the root cause of disturbance errors as the repeated toggling of a DRAM row’s wordline, which stresses inter-cell coupling e ects that accelerate charge leakage from nearby rows. We provide an extensive characterization study of disturbance errors and their behavior using an FPGA-based testing plat- form. Among our key findings, we show that (i) it takes as few as 139K accesses to induce an error and (ii) up to one in every 1.7K cells is susceptible to errors. After examining var- ious potential ways of addressing the problem, we propose a low-overhead solution to prevent the errors.

+ 13
- 1
Draft/Draft/Exploit View File

@ -34,11 +34,23 @@ Exploit dev -
[The Userland Exploits of Pangu 8](
[The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations](
* GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.
* Why not PEDA?
* Yes ! Why not ?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architecture supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on).
[The Wallstreet of Windows Binaries - Marion Marschalek, Joseph Moti](
* [Wallstreet - Github Repository](
* Wallstreet of Windows binaries 7, 8, 9 err 10 sorry
[OllyDbg Tricks for Exploit Development](
@ -95,7 +107,7 @@
[Shellcode Debugging with OllyDbg](
[Exploit Mitigation Killchain](

+ 4
- 1
Draft/Draft/Forensics Incident View File

@ -17,10 +17,13 @@ OS Forensics
Better security - Mean time to detect/Mean time to respond
[Triaging Malware Incidents](
* Good writeup/blogpost from Journey into Incidence Response

+ 14
- 0
Draft/Draft/Forensics Incident Response/add cull.txt View File

@ -7,6 +7,12 @@
* NSA 70-page writeup on windows event log monitoring
[Forensics on Amazon’s EC2](
[Analysis of a Romanian Botnet](
* Going from first sighting in logs to tracing attackers to their C2 IRC room
[How to Pull passwords from a memory dump](
[Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](
@ -22,6 +28,14 @@
* Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials.
[Bootkit Disk Forensics
[Part 1](
[Part 2](
[Kansa -A Powershell incident response framework ](
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
[Windows Memory Analysis Checklist](

+ 22
- 35
Draft/Draft/ View File

@ -108,53 +108,40 @@ Windows exploitation framework composed of Powershell modules
###Veil Framework
[Veil-Evasion]( * Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions.
* Veil-Ordnance is a tool that can be used to quickly generate valid stager shellcode.
Veil Projects:
Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. Veil-Evasion’s code is located at and it’s a part of the Veil super project at which we recommend mosts users clone and install.”
* Veil-Catapult is a payload delivery tool that integrates with Veil-Evasion for payload generation.
* [Github](
Veil-Ordnance is a tool that can be used to quickly generate valid stager shellcode.
eil-Catapult is a payload delivery tool that integrates with Veil-Evasion for payload generation. Veil-Catapult’s code is located at
Veil-Pillage is a modular post-exploitation framework that integrates with Veil-Evasion for payload generation.
Veil-Pillage is a modular post-exploitation framework that integrates with Veil-Evasion for payload generation. Veil-Pillage’s code is located at
[Veil Power-View[](
* Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerView’s code is located at
* Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output. The graph output will represent access direction (opposite of trust direction)
Veil Power-View
Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerView’s code is located at
Text Tutorials:
Framework Usage Tutorial
Payload Creation Tutorial
Customizing backdoors with Veil
Video Tutorial:
Creating a windows payload
Veil Tutorials:
* [Framework Usage Tutorial](
* [Payload Creation Tutorial](
* [Customizing backdoors with Veil](
* [Creating a windows payload](
More videos:
Talks on Veil:
Adventures in Asymmetric Warfare by Will Schroeder
Using Veil you can achieve
Talks on Veil
[Adventures in Asymmetric Warfare by Will Schroeder](

+ 18
- 23
Draft/Draft/Fuzzing Bug View File

@ -10,43 +10,23 @@ Books
[Quick explanation of fuzzing and various fuzzers](
[afl-dyninst ; AFL Fuzzing blackbox binaries](
* American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries The tool has two parts. The instrumentation tool and the instrumentation library. Instrumentation library has an initialization callback and basic block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as. Instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization callback either at _init or at specified entry point.
* A very simple browser fuzzer based on tornado.
[Zulu Fuzzer](
* The Zulu fuzzer
[Quick explanation of fuzzing and various fuzzers](
###General Writeups
[Fuzzing for MS15-010](
* Is what it says on the tin.
[!exploitable Crash Analyzer](
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at Additonally, see the blog post at, or watch the video at
@ -63,7 +43,7 @@
@ -91,6 +71,8 @@
[Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview](
[Effective Bug Discovery](
@ -102,6 +84,8 @@
[*THE* Book on fuzzing](
@ -109,6 +93,9 @@
* American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road.
* It was made by lcamtuf. What more do you need?
[afl-dyninst ; AFL Fuzzing blackbox binaries](
* American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries The tool has two parts. The instrumentation tool and the instrumentation library. Instrumentation library has an initialization callback and basic block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as. Instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization callback either at _init or at specified entry point.
[Grinder - Fuzzer](
* Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
@ -116,8 +103,16 @@
[CERT’s Failure Observation Engine (FOE)](
* The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
[Zulu Fuzzer](
* The Zulu fuzzer
* Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can stand malformed and potentially malicious inputs. It operates based on given sample inputs and thus requires minimal effort to set up. The main selling points of radamsa are that it is easy to use, contains several old and new fuzzing algorithms, is easy to script from command line and has already been used to find a slew of bugs in programs that actually matter.
* A very simple browser fuzzer based on tornado.
[!exploitable Crash Analyzer](
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at Additonally, see the blog post at, or watch the video at
####Peach Fuzzer
* [Peach Documentation](
* [Creating Custom Peach Fuzzer Publishers](

+ 6
- 1
Draft/Draft/Google View File

@ -22,4 +22,9 @@
[Google Hacking for Penetration Testers](
[Google Hacking for Penetration Testers](
[Github dorks - finding vulns](

+ 21
- 1
Draft/Draft/Home View File

@ -3,4 +3,24 @@
Anchored window covers
[Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](
[Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](
[Physical Home Security Options - DiabloHorn](

+ 42
- 2
Draft/Draft/Honeypots View File

@ -16,6 +16,7 @@ Write-ups
@ -28,10 +29,14 @@
* Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.
HoneyData - Strings, shares/drives, etc.
@ -76,6 +81,41 @@ Beeswarm](
[Thug - Python low-interaction honeyclient](
* Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.
* Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.
* romanHunter (router man Hunter) is a wireless honeypot or closer to a sinkhole that will bait a cracker, capture the MAC address, reset the WIFI password (effectively destroying their connection) and wait for the next authorized connection. The password changes happen on a round robin basis from entries in the password file (pw_list.txt).
* Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation.
* HoneyAgent is a Java agent library that creates a Sandbox for Java applications and applets. Therefore, it uses the JVMTI as well as the JNI to intercept class loading and function calls. During runtime HoneyAgent traces function calls from the analysed application. It is displayed which class calles which function with which parameters. Reflected function calls are translated to the original function names for simpler reading.
* A framework for targeted geolocation.
[Amun Honeypot](
* [Amun Honeypot Paper](
* Probably one of the smallest and simplest web honeypots out there...
[Web Labyrinth](
* A simple tool that creates a maze of bogus web pages to confuse web scanners. It's main goal is to delay and occupy malicious scanners that scan websites in order for incident handlers to detected and respond to them before damage is done.
[Web Bug Server](
* Easily embed a web bug inside word processing documents. These bugs are hidden to the casual observer by using things like linked style sheets and 1 pixel images.
* Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.
[Honeypots for Active Defense - A Practical Guide to Deploying Honeynets Within the Enterprise - Greg Foss](
* InfoSec analysts are all somewhat familiar with honeypots. When they are given the proper attention, care and feeding, they produce invaluable information. This intelligence has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor -- how can an organization that is not focused on research gain valuable intelligence using honeypots and actively defend their network using the data obtained? The answer is honeypots for active defense. There are currently many open source security tool distributions that come pre-loaded with honeypots among other useful tools, however the honeypot software is often not deployed in an effective manner. This session will discuss techniques to deploy honeypots in ways that will not overburden the security team with massive logs to sift through and focuses on correlating active threat data observed in the honeypot with the production environment. When deploying honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network.

+ 88
- 77
Draft/Draft/Interesting Things Useful View File

@ -30,42 +30,6 @@ Interesting & Useful Write-ups