Added Stuff/cleaned up some more sections

Added links/Cleaned out a couple cull sections
7 years ago · b802cd64ff
--- a/Draft/Draft/Anonymity
+++ b/Draft/Draft/Anonymity
@ -24,6 +24,9 @@ Tools



 [Can you track me now?  - Defcon20](https://www.youtube.com/watch?v=DxIF66Tcino)


 ###Articles
 [De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)

--- a/Draft/Draft/Attacking
+++ b/Draft/Draft/Attacking
@ -34,24 +34,29 @@ Other


 ###Cull

 http://nelenkov.blogspot.com

 [elsim - Elements Similarities](https://code.google.com/p/elsim/wiki/Similarity#Diffing_of_applications)
 * Similarities/Differences of applications (aka rip-off indicator)
 * This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods. 

 [ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)

 [Android apps in sheep's clothing](http://www.modzero.ch/modlog/archives/2015/04/01/android_apps_in_sheeps_clothing/index.html)
 * We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.


 [Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)

 [Instrumenting Android Applications with Frida](http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html)


 [Dissecting the Android Bouncer](https://www.duosecurity.com/blog/duo-tech-talks-dissecting-the-android-bouncer)
 * 
 [ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)

 [APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
 * APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
 [Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)


 [Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)

 [PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
 * Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
@ -63,6 +68,15 @@ Other

 [Dalvik Bytecode Format docs](http://source.android.com/devices/tech/dalvik/dex-format.html)

 [The Android boot process from power on](http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html)
 * Since mobile platforms and embedded systems has some differences compared to Desktop systems in how they initially start up and boot this post will discuss the initial boot stages of an Android phone in some detail.



 ###Securing Android

 [Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)


 ####Vulnerabilities
 [List of Android Vulnerabilities](http://androidvulnerabilities.org/all)
@ -119,7 +133,7 @@ Other
 [APKinpsector](https://github.com/honeynet/apkinspector/)
 * APKinspector is a powerful GUI tool for analysts to analyze the Android applications.

 [Droidmap](https://code.google.com/p/droidbox/)
 [DroidBox](https://code.google.com/p/droidbox/)
 * DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended: 
 Hashes for the analyzed package 
 Incoming/outgoing network data 
@ -150,6 +164,9 @@ Additionally, two images are generated visualizing the behavior of the package.

 ###Static Analysis

 [Disect Android APKs like a Pro - Static code analysis](http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/)


 Androguard](https://code.google.com/p/androguard)
 ^ Androguard is mainly a tool written in python to play with: 
 Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), 
@ -282,8 +299,12 @@ Check the Encryption section of the overall guide for more information.


 ###Reverse Engineering Android

 [APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
 * APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
 [Android apk-tool](https://code.google.com/p/android-apktool/)
 * It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc. 

 [Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)

 [Smali](https://code.google.com/p/smali/)
--- a/Draft/Draft/Attacking
+++ b/Draft/Draft/Attacking
@ -26,8 +26,10 @@ Jailbreaking

 ###CULL

 [iOS 678 Security - A Study in Fail](https://www.syscan.org/index.php/download/get/bec31d45168aa331fc01f84451e11186/SyScan15%20Stefan%20Esser%20-%20iOS%20678%20Security%20-%20A%20Study%20in%20Fail.pdf)


 [Jailbreak Stories - Cyril Cattiaux(pod2g) - WWJC 2014](https://www.youtube.com/watch?v=OBFLTb-AY38)



--- a/Draft/Draft/BIOS
+++ b/Draft/Draft/BIOS
@ -135,7 +135,7 @@ Grab links for his papers




 [Hardware Backdooring is Practical -Jonathan Brossard - Defcon20](https://www.youtube.com/watch?v=umBruM-wFUw)


 [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
--- a/Draft/Draft/Basic
+++ b/Draft/Draft/Basic
@ -26,6 +26,8 @@






 Shodan Guide
 [Shodan Man page](http://www.shodanhq.com/help)
--- a/Draft/Draft/Cheat
+++ b/Draft/Draft/Cheat
@ -24,7 +24,7 @@ Databases




 [SiLK Toolsuite Quick Reference Guide](https://tools.netsa.cert.org/silk/silk-quickref.pdf)

 http://www.amanhardikar.com/mindmaps.html
 http://www.amanhardikar.com/mindmaps/Practice.html
--- a/Draft/Draft/Cheat
+++ b/Draft/Draft/Cheat
@ -0,0 +1,307 @@



 USAGE
 Androaxml
 Androapkinfo
 Androcsign
 Androdd
 Androdiff
 Androdump
 Androgexf
 Androlyze
 Andromercury
 Androrisk
 Androsign
 Androsim
 Androxgmml
 Apkviewer
 USAGE
 Androaxml
 BlogPost1 
 You can used it to transform Android's binary XML (eg: AndroidManifest.xml) into classic xml (human readable ;)). 
 $ ./androaxml.py -h
 Usage: androaxml.py [options]

 Options:
 -h, --help            show this help message and exit
 -i INPUT, --input=INPUT
                      filename input (APK or android's binary xml)
 -o OUTPUT, --output=OUTPUT
                      filename output of the xml
 -v, --version         version of the API

 $ ./androaxml.py -i yourfile.apk -o output.xml
 $ ./androaxml.py -i AndroidManifest.xml -o output.xml
 Androapkinfo
 This tool displays information on a given APK: 
 permissions 
 services 
 activities 
 receivers 
 usage of native code 
 usage of native code 
 axelle$ ./androapkinfo.py -i qicsomos.apk
 FILES: 
        META-INF/MANIFEST.MF    META-INF/MANIFEST.MF -7eb55c04
        res/layout/main.xml     res/layout/main.xml 54a83b5b
        AndroidManifest.xml     AndroidManifest.xml 2eef2f86
        res/drawable-mdpi/ic_launcher.png       res/drawable-mdpi/ic_launcher.png -22437ab
        res/drawable-hdpi/ic_launcher.png       res/drawable-hdpi/ic_launcher.png -4e108fda
        META-INF/PLATFORM.RSA   META-INF/PLATFORM.RSA 5c8d71d3
        META-INF/PLATFORM.SF    META-INF/PLATFORM.SF 5b48f7ec
        resources.arsc  resources.arsc -55923b8c
        classes.dex     classes.dex -bafd464
        res/drawable-ldpi/ic_launcher.png       res/drawable-ldpi/ic_launcher.png -6272d259
 PERMISSIONS: 
        android.permission.SEND_SMS ['dangerous', 'send SMS messages', 'Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.']
        android.permission.READ_LOGS ['dangerous', 'read sensitive log data', "Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information."]
 MAIN ACTIVITY:  org.projectvoodoo.simplecarrieriqdetector.Main
 ACTIVITIES:  ['org.projectvoodoo.simplecarrieriqdetector.Main']
 SERVICES:  []
 RECEIVERS:  []
 PROVIDERS:  []
 Native code: False
 Dynamic code: False
 Reflection code: False
 Androcsign
 This tool helps you to create your own signatures in order to add them in the database. In fact, it's more easy after an analysis to isolate which parts are the more interesting to add in the database in order to detect the malware (and variants). So, the idea is to describe your signature of a malware in a json format file to add this signature to the database. 
 desnos@destiny:~/androguard$ ./androcsign.py -h
 Usage: androcsign.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use this filename
  -r REMOVE, --remove=REMOVE
                        remote the signature
  -o OUTPUT, --output=OUTPUT
                        output database
  -l LIST, --list=LIST  list signatures in database
  -c CHECK, --check=CHECK
                        check signatures in database
  -v, --version         version of the API
 The input file is a classical json format : 
 [ { "SAMPLE" : "apks/malwares/DroidDream/Magic Hypnotic Spiral.apk" }, { "BASE" : "AndroidOS", "NAME" : "DroidDream", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/android/root/Setting;", "MN" : "postUrl", "D" : "(Ljava/lang/String; Landroid/content/Context;)V" } ], "BF" : "0" } ]
 where SAMPLE is the file where signatures will be extracted. NAME is the name of your signature. And SIGNATURE is a list of dictionnary which describes all sub-signatures. 
 A sub-signature can be a : 
 METHSIM : CN is the classname, NM is the method name, and D is the descriptor CLASSSIM : CN is the classname So a sub-signature can be apply on a specific method or directly on an entire class. 
 BF is the boolean formula of the whole signature, so it's possible to mix different sub-signatures. 
 When the sub-signature is added to the database, the engine will keep only interesting information : 
 entropies of general signature, android packages, java packages, binary raw, and exceptions. These entropies are using to clustering sub-signatures and compare items : it is these values that which will be used to apply clustering, value of the general signature : it is this value that which will be used to apply similarity distance on each required cluster. In the previous output, we isolated one method (postUrl) in an application (droiddream malware) to create a new signature. Androcsign will extract useful information of this application to add the signature in the database : 
 desnos@destiny:~/androguard$ ./androcsign.py -i signatures/droiddream.sign -o signatures/dbandroguard
 [{u'DroidDream': [[[0, 'QltTUDBQMVNTUDJQMlAwRjBQMVAxU1AxRjBQMVAxUDFQMVAxUDJQMFAxUDFQMVAxU1AxUDFQMFAxXUJbUDFJUDFdQltQMV
 Androdd
 This tool is used to output graphs for each method of each class of an Android package. 
 $ ./androdd.py --help
 Usage: androdd.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use this filename
  -o OUTPUT, --output=OUTPUT
                        base directory to output all files
  -d, --dot             write the method in dot format
  -f FORMAT, --format=FORMAT
                        write the method in specific format (png, ...)
  -v, --version         version of the API
 input: an Android APK or classes.dex 
 output directory is mandatory, or the tool does not output anything. 
 output formats: PNG, JPG. 
 if you wish both DOT and PNG output for ex, mix options -d and -f PNG 
 Androdiff
 The tool is used to compare/display the differences between two apps. The documentation is available here 
 Androdump
 BlogPost1 
 You can used it to dump a linux process in order to get the original class files. 
 $ ./androdump.py -h
 Usage: androdump.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        pid
  -v, --version         version of the API

 pouik@camelot:~/androguard$ ps aux |grep java
 pouik 21008 0.1 0.5 673840 10688 pts/5 Sl+ 10:28 0:02 java Test2
 pouik 21548 0.0 0.0 3060 812 pts/2 S+ 11:00 0:00 grep java
 pouik@camelot:~/androguard$ ./androdump.py -i 21008
 HEADER 0x6f990000-0x6fee0000 (rw-p)
 Test2 ()V
 Test2 get_x ()I
 Test2 main ([Ljava/lang/String;)V
 Test2bis ()V
 Test2bis get_T ()Ljava/lang/String;
 Androgexf
 This tool outputs graphs using the GEXF format. 
 desnos@destiny:~/androguard$ ./androgexf.py -h
 Usage: androgexf.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        filename input (dex, apk)
  -o OUTPUT, --output=OUTPUT
                        filename output of the xgmml
 For instance, 
 desnos@destiny:~/androguard$ ./androgexf.py -i YOURAPP.apk -o YOURAPP.gexf
 The output graph can be viewed using an external tool, named Gephi. For real examples of visualization of Android malware, please see this page. 
 Androlyze
 Androlyze is a tool to analyze Android applications. The most common features are available via command line, the others via a Python interactive shell: 
 Usage: androlyze.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use this filename
  -d, --display         display the file in human readable format
  -m METHOD, --method=METHOD
                        display method(s) respect with a regexp
  -f FIELD, --field=FIELD
                        display field(s) respect with a regexp
  -s, --shell           open a shell to interact more easily with objects
  -v, --version         version of the API
  -p, --pretty          pretty print !
  -t TYPE_PRETTY, --type_pretty=TYPE_PRETTY
                        set the type of pretty print (0, 1) !
  -x, --xpermissions    show paths of permissions
 Using androlyze via the interactive shell opens up to tons of other features. Basically, all functions of the code are available that way: 
 ./androlyze.py -s
 Welcome to Androlyze ALPHA 0-update1
 >>> j = JVMFormat( open("./VM.class").read() )
 >>> j.show()

 # Get specific methods
 >>> x = j.get_method("<init>")[0]
 >>> x.show()

 # Change name
 >>> x.set_name("toto")

 # Save it
 >>> fd = open("VM2.class", "w")
 >>> fd.write(j.save())
 >>> fd.close()
 Andromercury
 This tool links with the Mercury framework 
 See blog post 
 $ ./andromercury.py -h
 Usage: andromercury.py [options]

 Options:
  -h, --help            show this help message and exit
  -l LIST, --list=LIST  list all packages
  -i INPUT, --input=INPUT
                        get specific packages (a filter)
  -r REMOTEHOST, --remotehost=REMOTEHOST
                        specify ip of emulator/device
  -p PORT, --port=PORT  specify the port
  -o OUTPUT, --output=OUTPUT
                        output directory to write packages
  -b DATABASE, --database=DATABASE
                        database : use this database
  -c CONFIG, --config=CONFIG
                        use this configuration
  -v, --verbose         display debug information
 Androrisk
 ./androrisk.py -h
 Usage: androrisk.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use these filenames
  -a, --analysis        perform analysis to calculate the risk
  -m, --method          perform analysis of each method
  -d DIRECTORY, --directory=DIRECTORY
                        directory : use this directory
  -v, --version         version of the API
 Androsign
 Checks whether a given sample is listed in the database or not. 
 $ ./androsign.py -h
 Usage: androsign.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use this filename
  -d DIRECTORY, --directory=DIRECTORY
                        directory : use this directory
  -b DATABASE, --database=DATABASE
                        database : use this database
  -c CONFIG, --config=CONFIG
                        use this configuration
  -v, --verbose         display debug information
 For example, see http://code.google.com/p/androguard/wiki/AndroidMalwareAnalysis: 
 $ ./androsign.py -d apks/malwares/foncy/ -b signatures/dbandroguard -c signatures/dbconfig
 98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2 : ----> Foncy
 81dd17ea168cf884bfb5aebb7cd2241a5624d1ae14444594bf7677e1080339f9 : ----> Foncy
 d9ef940236f285548a60be0d575d7bba4587bdfc3f6c56f38b5da601686344a9 : ----> Foncy
 SuiConFo 1.26.apk : ----> None
 127sc.apk : ----> None
 Androsim
 The tool is used to get the similarities between two apps. The documentation is available here 
 axelle@caiman:~/softs/androguard$ ./androsim.py -h
 Usage: androsim.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        file : use these filenames
  -t THRESHOLD, --threshold=THRESHOLD
                        define the threshold
  -c COMPRESSOR, --compressor=COMPRESSOR
                        define the compressor
  -d, --display         display all information about methods
  -n, --new             don't calculate the similarity score with new methods
  -e EXCLUDE, --exclude=EXCLUDE
                        exclude specific class name (python regexp)
  -s SIZE, --size=SIZE  exclude specific method below the specific size
  -x, --xstrings        display similarities of strings
  -v, --version         version of the API
  -l LIBRARY, --library=LIBRARY
                        use python library (python) or specify the path of the
 shared library)
 Androxgmml
 BlogPost1 
 You can used it to transform an apk/jar/class/dex files format into an xgmml graph which represent the control flow graph or the functions call. 
 $ ./androxgmml.py -h
 Usage: androxgmml.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        filename input
  -o OUTPUT, --output=OUTPUT
                        filename output of the xgmml
  -f, --functions       include function calls
  -e, --externals       include extern function calls
  -v, --version         version of the API
 ./androxgmml.py -i myapp.jar -o output.xgmml
 ./androxgmml.py -i myapp.apk -o output.xgmml
 ./androxgmml.py -i myclass.class -o output.xgmml
 ./androxgmml.py -i mydex.dex -o output.xgmml

 # with functions call :
 ./androxgmml.py -i myapp.jar -f -o output.xgmml

 # with external function calls
 ./androxgmml.py -i myapp.jar -e -o output.xgmml

 # with both
 ./androxgmml.py -i myapp.jar -e -f -o output.xgmml

 Apkviewer
 ./apkviewer.py -h
 Usage: apkviewer.py [options]

 Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        filename input (dex, apk)
  -o OUTPUT, --output=OUTPUT
                        directory output 


--- a/Draft/Draft/Cheat
+++ b/Draft/Draft/Cheat
@ -0,0 +1,498 @@
 Copy/pasted from [https://github.com/pwntester/cheatsheets/blob/master/radare2.md](https://github.com/pwntester/cheatsheets/blob/master/radare2.md)


 Radare2 


 Command line options 
 -L: List of supported IO plugins
 -q: Exit after processing commands
 -w: Write mode enabled
 -i: Interprets a r2 script
 -A: Analize executable at load time (xrefs, etc)
 -n: Bare load. Do not load executable info as the entrypoint
 -c'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
 -p: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
 -: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed)
    Similar to r2 malloc://512
 
 Configuration properties 
 They can be used in evaluations:? ${asm.tabs} 
 e: Returs configuration properties
 e <property>: Checks a specific property:
    e asm.tabs => false
 e <property>=<value>: Change property value
    e asm.arch=ppc
 e? help about a configuration property
    e? cmd.stack
 
 You will want to set your favourite options in ~/.radare2rc since every line there will be interpreted at the beginning of each session. Mine for reference: 
 # Show comments at right of disassembly if they fit in screen
 e asm.cmtright=true

 # Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
 e asm.pseudo = true

 # Display stack and register values on top of disasembly view (visual mode)
 e cmd.stack = true

 # Solarized theme
 eco solarized

 # Use UTF-8 to show cool arrows that do not look like crap :)
 e scr.utf8 = true
 
 There is an easier interface accessible from the Visual mode, just typing Ve 
 Basic Commands 
 Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe] 
 ; Command chaining: x 3;s+3;pi 3;s+3;pxo 4; 
 | Pipe with shell commands: pd | less 
 ! Run shell commands: !cat /etc/passwd 
 !! Escapes to shell, run command and pass output to radare buffer
 Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this command to launch it directly to the shell. A single one will walk through the io plugin list.
 ` Radare commands: wx `!ragg2 -i exec` 
 ~ grep
 ~! grep -v
 ~[n] grep by columns afl~[0] 
 ~:n grep by rows afl~:0 
    pi~mov,eax            ; lines with mov or eax
    pi~mov&eax            ; lines with mov and eax
    pi~mov,eax:6          ; 6 first lines with mov or eax
    pd 20~call[0]:0       ; grep first column of the first row matching 'call'
 
 .cmd Interprets command output 
 is* prints symbolos
 .is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
 
 .. repeats last commands (same as enter \n)
 ( Used to define and run macros
 $ Used to define alias
 $$: Resolves to current address
 Offsets (@) are absolute, we can use $$ for relative ones @ $$+4 
 ? Evaluate expression 
 [0x00000000]> ? 33 +2
 35 0x23 043 0000:0023 35 00100011 35.0 0.000000

 Note: | and & need to be escaped
 
 ?$? Help for variables used in expressions
 $$: Here
 $s: File size
 $b: Block size
 $l: Opcode length
 $j: When $$ is at a jmp, $j is the address where we are going to jump to
 $f: Same for jmp fail address
 $m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
 ??? Help for ? command
 ?i Takes input from stdin. Eg ?i username 
 ?? Result from previous operations
 ?s from to [step]: Generates sequence from to every 
 ?p: Get physical address for given virtual address
 ?P: Get virtual address for given physical one
 ?v Show hex value of math expr 
 ?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
 ?v 0x4141414a - 0x41414140  = 0xa
 
 ?l str: Returns the length of string
@@: Used for iteractions 
 wx ff @@10 20 30      Writes ff at offsets 10, 20 and 30
 wx ff @@`?s  1 10 2`  Writes ff at offsets 1, 2 and 3
 wx 90 @@ sym.*        Writes a nop on every symbol
 
 Positioning 
 s address: Move cursor to address or symbol
    s-5 (5 bytes backwards)
    s- undo seek
    s+ redo seek
 
 Block size 
 The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20) 
 b size: Change block size
 
 JSON Output 
 Most of commands such as (i)nfo and (p)rint commands accept a j to print their output in json 
 [0x100000d78]> ij
 {"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}
 
 Analyze 
 aa: Analyze all (fcns + bbs) same that running r2 with -A
 ahl <length> <range>: fake opcode length for a range of bytes
 ad: Analyze data
    ad@rsp (analize the stack)
 
 Function analysis (normal mode) 
 af: Analyze functions
 afl: List all functions
    number of functions: afl~?
 afi: Returns information about the functions we are currently at
 afr: Rename function: structure and flag
 afr off: Restore function name set by r2
 afn: Rename function
    afn strlen 0x080483f0
 af-: Removes metadata generated by the function analysis
 af+: Define a function manually given the start address and length
    af+ 0xd6f 403 checker_loop
 axt: Returns cross references to (xref to)
 axf: Returns cross references from (xref from)
 
 Function analysis (visual mode) 
 d, f: Function analysis
 d, u: Remove metadata generated by function analysis
 
 Opcode analysis: 
 ao x: Analize x opcodes from current offset
 a8 bytes: Analize the instruction represented by specified bytes
 
 Information 
 iI: File info
 iz: Strings in data section
 izz: Strings in the whole binary
 iS: Sections
    iS~w returns writable sections
 is: Symbols
    is~FUNC exports
 il: Linked libraries
 ii: Imports
 ie: Entrypoint
 
 Mitigations: 
 i~pic : check if the binary has position-independent-code
 i~nx : check if the binary has non-executable stack
 i~canary : check if the binary has canaries
 
 Get function address in GOT table: pd 1 @ sym.imp<funct> Returns a jmp [addr] where addr is the the address of function in the GOT. Similar to objdump -R | grep <func> 
 Print 
 psz n @ offset: Print n zero terminated String
 px n @ offset: Print hexdump (or just x) of n bytes
 pxw n @ offset: Print hexdump of n words
    pxw size@offset  prints hexadecimal words at address
 pd n @ offset: Print n opcodes disassambled
 pD n @ offset: Print n bytes disassembled
 pi n @ offset: Print n instructions disassambeled (no address, XREFs, etc. just instrunctions)
 pdf @ offset: Print disassembled function
    pdf~XREF (grep: XREFs)
    pdf~call (grep: calls)
 pcp n @ offset: Print n bytes in python string output.
    pcp 0x20@0x8048550
    import struct
    buf = struct.pack ("32B",
    0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
    0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
    0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
 p8 n @ offset: Print n bytes (8bits) (no hexdump)
 pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
 pt: Interpret data as dates
 pf: Print with format
 pf.: list all formats
 p=: Print entropy ascii graph
 
 Write 
 wx: Write hex values in current offset
    wx 123456
    wx ff @ 4
 wa: Write assembly
    wa jnz 0x400d24
 wc: Write cache commit
 wv: Writes value doing endian conversion and padding to byte
 wo[x]: Write result of operation
    wow 11223344 @102!10
        write looped value from 102 to 102+10
        0x00000066  1122 3344 1122 3344 1122 0000 0000 0000
    wox 0x90
        XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
    wox 67 @4!10
        XOR from offset 4 to 10 with value 67
 wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
 wF file: Writes the content of the file at the current address or specified offset
 wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
    Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
 woO 41424344 : get the index in the De Bruijn Pattern of the given word
 
 Flags 
 Flags are labels for offsets. They can be grouped in namespaces as sym for symbols ... 
 f: List flags
 f label @ offset: Define a flag `label` at offset
    f str.pass_len @ 0x804999c
 f -label: Removes flag
 fr: Rename flag
 fd: Returns position from nearest flag (looking backwards). Eg => entry+21
 fs: Show all flag spaces
 fs flagspace: Change to the specified flag space
 
 yank & paste 
 y n: Copies n bytes from current position
 y: Shows yank buffer contentent with address and length where each entry was copied from
 yp: Prints yank buffer
 yy offset: Paste the contents of the yank buffer at the specified offset
 yt n target @ source: Yank to. Copy n bytes fromsource to target address
 
 Visual Mode: 
 V enters visual mode 
 q: Exits visual mode
 hjkl: move around (or HJKL) (left-down-up-right)
 o: go/seek to given offset
 ?: Help
 .: Seek EIP
 <enter>: Follow address of the current jump/call
 :cmd: Enter radare commands. Eg: x @ esi
 d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
    dr: Rename a function
    df: Define a function
 v: Get into the visual code analysis menu to edit/look closely at the current function.
 p/P: Rotate print (visualization) modes
    hex, the hexadecimal view
    disasm, the disassembly listing
        Use numbers in [] to follow jump
        Use "u" to go back
    debug, the debugger
    words, the word-hexidecimal view
    buf, the C-formatted buffer
    annotated, the annotated hexdump.
 c: Changes to cursor mode or exits the cursor mode
    select: Shift+[hjkl]
    i: Insert mode
    a: assembly inline
    A: Assembly in visual mode
    y: Copy
    Y: Paste
    f: Creates a flag where cursor points to
    <tab> in the hexdump view to toggle between hex and strings columns
 V: View ascii-art basic block graph of current function
 W: WebUI
 x, X: XREFs to current function. ("u" to go back)
 t: track flags (browse symbols, functions..)
 gG: Begging or end of file
 HUD
    _ Show HUD
    backspace: Exits HUD
    We can add new commands to HUD in: radare2/shlr/hud/main
 ;[-]cmt: Add/remove comment
 m<char>: Define a bookmark
 '<char>: Go to previously defined bookmark
 
 ROP 
 /R opcodes: Search opcodes
    /R pop,pop,ret
 /Rl opcodes: Search opcodes and print them in linear way
    /Rl jmp eax,call ebx
 /a: Search assembly
    /a jmp eax
 pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassmbling byte per byte instead of obeying to opcode length
 
 Search depth can be configure with following properties: 
 e search.roplen = 4  (change the depth of the search, to speed-up the hunt)
 
 Searching 
 / bytes: Search bytes
    \x7fELF
 
 Example: Searching function preludes: 
 push ebp
 mov ebp, esp

 Opcodes: 5589e5

 /x 5589e5
    [# ]hits: 54c0f4 < 0x0804c600  hits = 1
    0x08049f70 hit0_0 5589e557565383e4f081ec
    0x0804c31a hit0_1 5589e583ec18c704246031
    0x0804c353 hit0_2 5589e583ec1889442404c7
    0x0804c379 hit0_3 5589e583ec08e87cffffff
    0x0804c3a2 hit0_4 5589e583ec18c70424302d

 pi 5 @@hit* (Print 5 first instructions of every hit)
 
 Its possible to run a command for each hit. Use the cmd.hit property: 
 e cmd.hit=px
 
 Comments and defines 
 Cd [size]: Define as data
 C- [size]: Define as code
 Cs [size]: Define as String
 Cf [size]: Define as struct
    We can define structures to be shown in the disassmbly
 CC: List all comments or add a new comment in console mode
    C* Show all comments/metadata
    CC <comment> add new comment
    CC- remove comment
 
 Magic files 
 pm: Print Magic files analysis
    [0x00000000]> pm
    0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
 
 Search for magic numbers 
 /m [magicfile]: Search magic number headers with libmagic
 
 Search can be controlled with following properties: 
 search.align
 search.from (0 = beginning)
 search.to (0 = end)
 search.asmstr
 search.in
 
 Yara 
 Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more. 
 :yara scan
 
 Zignatures 
 Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries. 
 zg <language> <output file>: Generate signatures
    eg: zg go go.z
 Run the generated script to load signatures
    eg: . go.z
 z: To show signatures loaded:
 
 Zignatures are applied as comments: 
 r2-(pid2)> pd 35 @ 0x08049adb-10
 |          0x08049adb   call fcn.0805b030
 |             fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
 |          0x08049ae0   add esp, 0xc
 |          0x08049ae3   call fcn.08095580
 
 Compare files 
 r2 -m 0xf0000 /etc/fstab    ; Open source file
 o /etc/issue                ; Open file2 at offset 0
 o                           ; List both files
 cc offset: Diff by columns between current offset address and "offset"
 
 Graphs 
 Basic block graphs 
 af: Load function metadata
 ag $$ > a.dot: Dump basic block graph to file
 ag $$ | xdot: Show current function basic block graph
 
 Call graphs 
 af: Load function metadata
 agc $$ > b.dot: Dump basic block graph to file
 
 Convert .dot in .png 
 dot -Tpng -o /tmp/b.png b.dot
 
 Generate graph for file: 
 radiff2 -g main crackme.bin crackme.bin > /tmp/a
 xdot /tmp/a
 
 Debugger 
 Start r2 in debugger mode. r2 will fork and attach 
 r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")

 ptrace://pid (debug backend does not notice, only access to mapped memory)
 
 To pass arguments: 
 r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)
 
 To pass stdin: 
 r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
 
 Commands 
 do: Reopen program
 dp: Shows debugged process, child processes and threads
 dc: Continue
 dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)
 dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
 ds: Step in
 dso: Step out
 dss: Skip instruction
 dr register=value: Change register value
 dr(=)?: Show register values
 db address: Sets a breakpoint at address
    db sym.main add breakpoint into sym.main
    db 0x804800 add breakpoint
    db -0x804800 remove breakpoint
 dsi (conditional step): Eg: "dsi eax==3,ecx>0"
 dbt: Shows backtrace
 drr: Display in colors and words all the refs from registers or memory
 dm: Shows memory map (* indicates current section)
    [0xb776c110]> dm
    sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
    sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
    sys 0xb776a000 - 0xb776b000 s r-x [vdso]
    sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
    sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
    sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
 
 To follow child processes in forks (set-follow-fork-mode in gdb) 
 dcf until a fork happen
 then use dp to select what process you want to debug.
 
 PEDA like details: drr;pd 10@-10;pxr 40@esp 
 Debug in visual mode 
 toggl breakpoints with F2
 single-step with F7 (s)
 step-over with F8 (S)
 continue with F9
 
 WebGUI (Enyo) 
 =h: Start the server
 =H: Start server and browser
 
 Radare2 suite commandRadare2 suite commands 
 All suite commands include a -r flag to generate instructions for r2 
 rax2 - Base conversion 
 -e: Change endian
 -k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
 -s: ASCII to hex
    rax2 -S hola (from string to hex)
    rax2 -s 686f6c61 (from hex to string)
 -S: binary to hex (for files)
 
 rahash2 - Entropy, hashes and checksums 
 -a: Specify the algorithm
 -b XXX: Block size
 -B: Print all blocks
 -a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
 
 radiff2 - File diffing 
 -s: Calculate text distance from two files.
 -d: Delta diffing (For files with different sizes. Its not byte per byte)
 -C: Code diffing (instead of data)
 
 Examples: 
 Diff original and patched on x86_32, using graphdiff algorithm
    radiff2 -a x86 -b32 -C original patched
 Show differences between original and patched on x86_32
    radiff2 -a x86 -b32 original patched :
 
 rasm2 - Assembly/Disassembly 
 -L: Supported architectures
 -a arch instruction: Sets architecture
    rasm2 -a x86 'mov eax,30' => b81e000000
 -b tam: Sets block size
 -d: Disassembly
    rasm2 -d b81e000000 => mov eax, 0x1e
 -C: Assembly in C output
    rasm2 -C 'mov eax,30' =>"\xb8\x1e\x00\x00\x00"
 -D: Disassemble showing hexpair and opcode
    rasm2 -D b81e0000 => 0x00000000   5               b81e000000  mov eax, 0x1e
 -f: Read data from file instead of ARG.
 -t: Write data to file
 
 rafind2 - Search 
 -Z: Look for Zero terminated strings
 -s str: Look for specifc string
 
 ragg2 - Shellcode generator, C/opcode compiler 
 -P: Generate De Bruijn patterns
    ragg2 -P 300 -r
 -a arch: Configure architecture
 -b bits: Specify architecture bits (32/64)
 -i shellcode: Specify shellcode to generate
 -e encoder: Specify encoder
 
 Example: 
 Generate a x86, 32 bits exec shellcode
    ragg2 -a x86 -b 32 -i exec
 
 rabin2 - Executable analysis: symbols, imports, strings ... 
 -I: Executable information
 -C: Returns classes. Useful to list Java Classes
 -l: Dynamic linked libraries
 -s: Symbols
 -z: Strings
 
 rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds 
 Examples: 
 r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
 r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin
 
--- a/Draft/Draft/Client
+++ b/Draft/Draft/Client
@ -6,62 +6,13 @@ I define client-side attacks as any form of attack that requires deliberate acti



 ###Different forms of client side attacks:





 [3 Types of XSS](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting)
 	* Dom-based
 	* Reflected
 	* Persistent

 [Cross Frame Scripting](https://www.owasp.org/index.php/Cross_Frame_Scripting)
 [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)

 
 [Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)


 Attacking Browsers

 Need to read Browser hackers handbook


 [White Lightning Attack Platform](https://github.com/TweekFawkes/White_Lightning/tree/master/var/www)

 [BeEF Browser Exploitation Framework](http://beefproject.com/

 [Technical analysis of client identification mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms) 



 ###Phishing 




 	[The definition from wikipedia](en.wikipedia.org/wiki/Phishing):
 * “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

 ####Phishing Techniques:

 [Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)

 [Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)

 [Tab Napping - Phishing](http://www.exploit-db.com/papers/13950/)

 [How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)


 ####Phishing Frameworks:

 [Phishing Frenzy](http://www.phishingfrenzy.com/)
 * Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.

 [sptoolkit](https://github.com/sptoolkit/sptoolkit)
 * Simple Phishing Toolkit is a super easy to install and use phishing framework built to help Information Security professionals find human vulnerabilities


--- a/Draft/Draft/Conference
+++ b/Draft/Draft/Conference
@ -0,0 +1,43 @@
 ##Information Security Conference Videos & Stuff


 [31st Chaos Communication Congress Archive](http://cdn.media.ccc.de/congress/31C3/)

 [Shmoocon 2015 Videos](https://archive.org/details/shmoocon-2015-videos-playlist)

 [Defcon Media Archive](https://media.defcon.org/)







 [You and Your Research - Haroon Meer](https://www.youtube.com/watch?v=JoVx_-bM8Tg)
 * What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.


 [A talk about (info-sec) talks - Haroon Meer ](https://www.youtube.com/watch?v=BlVjdUkrSFY)
 * Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?

 [Archive of security conference videos](http://wipkip.nikhef.nl/events/)




 [Trooper Conference - 2015](https://www.youtube.com/channel/UCPY5aUREHmbDO4PtR6AYLfQ)



 ###Slides/PDFs



 [CanSecWest Vancouver 2015 Slides](https://cansecwest.com/csw15archive.html)

 [SyScan2015 Slides](https://www.syscan.org/index.php/download)





--- a/Draft/Draft/Courses
+++ b/Draft/Draft/Courses
@ -22,6 +22,13 @@ Reverse Engineering Classes/Training
 * ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions. 



 [Modern Binary Exploitation - CSCI 4968 - Spring '15](http://security.cs.rpi.edu/courses/binexp-spring2015/)
 * The course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux based userland binary exploitation. It will then transitionin to protections found on modern systems(Canaries, DEP, ASLR, RELRO, FortifySource, etc) and the techniques used to defeat them.Time permitting, the course will also cover other subjects in exploitation including kernel land and Windows based exploitation.




 DVWA

 Hackingdojo
@ -29,8 +36,11 @@ Hackingdojo
 BVWA


 [mammon_'s tales to his grandson - Reverse Engineering](https://mammon.github.io/tales/)



 [Software Modeling  and Verification - Static Analysis](http://www-i2.informatik.rwth-aachen.de/i2/spa12/)


 ###General Sources/Repository of Classes
--- a/Draft/Draft/Cryptography
+++ b/Draft/Draft/Cryptography
@ -16,6 +16,13 @@ Writeups

 [Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)

 [XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)

 [HiVE — Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)

 [Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf) 
 * With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory.  This is a significant improvement over existing work and an independently interesting result.  We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.


 [HashID](https://github.com/psypanda/hashID)
 * hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.
--- a/Draft/Draft/Darknets
+++ b/Draft/Draft/Darknets
@ -22,6 +22,15 @@ Cull
 http://www.deepdotweb.co/



 Tor black-market-related arrests](http://www.gwern.net/Black-market%20arrests#evolution)
 * I compile a table and discussion of all known arrests and prosecutions related to Tor-Bitcoin black-markets such as Silk Road 1, along with discussion of how they came to be arrested.






 ###General
 [Touring the Darkside of the Internet. An Introduction to Tor - Defcon22](https://www.youtube.com/watch?v=To5yarfAg_E)

--- a/AnalysisVisualization.md
+++ b/AnalysisVisualization.md
@ -13,14 +13,25 @@ ToC



 http://plaso.kiddaland.net/
 [plaso](https://github.com/log2timeline/plaso)
 * plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline. 


 [Graphite - Scalable Realtime Graphing](http://graphite.wikidot.com/start) 
 * [Quick Start Guide](http://graphite.wikidot.com/quickstart-guide)

 [StatsD](https://github.com/etsy/statsd/)
 * A network daemon that runs on the Node.js platform and listens for statistics, like counters and timers, sent over UDP or TCP and sends aggregates to one or more pluggable backend services (e.g., Graphite).

 [Kismet Log Viewer - KLV](http://mindflip.org/klv/)
 * The Kismet Log Viewer (KLV) takes Kismet .xml log files and produces a nicely formatted html interface to browse the logs with. KLV has the ability to utilize available GPS information to create links for external maps via the net, and provides the ability for those with Snort to generate a page of Snort output for each specific bssid that has data available. KLV also comes with my Kismet Log Combiner script to help users consolidate multiple .xml and .dump log files.




 [kippo-graph](https://github.com/ikoniaris/kippo-graph)
 * Visualize statistics from a Kippo SSH honeypot 



--- a/Draft/Draft/Disclosure.md
+++ b/Draft/Draft/Disclosure.md
--- a/Draft/Draft/Disinformation
+++ b/Draft/Draft/Disinformation
@ -0,0 +1,34 @@
 ##Disinformation







 ###Talks
 [Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)

 [[TROOPERS15] Azhar Desai, Marco Slaviero - Weapons of Mass Distraction](https://www.youtube.com/watch?v=jdaPJLJCK1M)





 ###Papers/Write-ups
 [The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)

 [Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/)

 [Disinformation of Charlie Hebdo and The Fake BBC Website](http://thetrendythings.com/read/18256)


 [Counterintelligence, False Flags, Disinformation, and Network Defense - krypt3ia](https://krypt3ia.wordpress.com/2012/10/17/counterintelligence-false-flags-disinformation-and-network-defense/)

 [PsyOps and Socialbots](http://resources.infosecinstitute.com/psyops-and-socialbots/)

 [A Digital World Full of Ghost Armies](http://www.cigtr.info/2015/02/a-digital-world-full-of-ghost-armies.html)
 * Not very related to infosec per say, but the general idea/takeaway is very applicable.

 [Russia Convention on International Information Security](http://cryptome.org/2014/05/ru-international-infosec.htm)

--- a/Draft/Draft/Documentation
+++ b/Draft/Draft/Documentation
@ -0,0 +1,98 @@
 ##Documentation & Reporting

 For writing technical documentation.


 Writing
 Reports
 Meta
 Video Documentation





 ###Penetration Testing &/ Collaboration Tools

 [Kvasir](https://github.com/KvasirSecurity/Kvasir)
 * Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:

 [Dradis](https://github.com/dradis/dradisframework#welcome-to-dradis)
 * Dradis is an open source collaboration framework, tailored to InfoSec teams.
 * It can integrate with a lot of existing tools you probably are using if you're reading this.

 [Faraday](https://github.com/infobyte/faraday)
 * Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit.  The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.1

 [Lair](https://github.com/lair-framework/lair)
 * Lair is a reactive attack collaboration framework and web application built with meteor. 




 ##Writing

 Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.


 [A beginners guide to writing documentation](http://docs.writethedocs.org/writing/beginners-guide-to-docs/)
 [Teach, Don’t Tell](http://stevelosh.com/blog/2013/09/teach-dont-tell/)

 Other Materials:

 Three parter from jacobian.org:
 * [What to write](http://jacobian.org/writing/what-to-write/)
 * [Technical Style](http://jacobian.org/writing/technical-style/)
 * [Editors](http://jacobian.org/writing/editors/)


 [Writing Types of User Documentation](https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation0


 [The 7 Rules for Writing World Class Technical Documentation](http://www.developer.com/tech/article.php/3848981/The-7-Rules-for-Writing-World-Class-Technical-Documentation.htm)


 ###Writing Reports




 [Penetration tests done by cure53, good examples of how a report should be done.](https://cure53.de/#publications )

 [Offensive Security 2013 Demo report](http://www.offensive-security.com/offsec/penetration-test-report-2013/)

 [Writing a Penetration Testing Report by SANS](https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343)

 [Excellent blog post breaking down the various parts, a must read](http://wwwwebsecuritywatch.com/the-penetration-testing-report/)

 [Report Template from vulnerabilityassessment.co.uk](http://www.vulnerabilityassessment.co.uk/report%20template.html)

 [Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)

 [security-assessment-rfp-cheat-sheet](http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html)

 [Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
 [SANS InfoSec Policy Templates](https://www.sans.org/security-resources/policies/)

 ###Meta
 [What is Markdown?](http://daringfireball.net/projects/markdown/syntax)

 [Using markdown](https://guides.github.com/features/mastering-markdown/)

 [Markdown Syntax](http://daringfireball.net/projects/markdown/syntax)

 [Markdown basics](https://help.github.com/articles/markdown-basics/)

 [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)




 ###Video Recording

 [Open Broadcaster Software OBS](https://obsproject.com/)
 * Open Broadcaster Software is free and open source software for video recording and live streaming.
 * Cross Platform, Windows/OsX/Linux



--- a/Draft/Draft/Embedded
+++ b/Draft/Draft/Embedded
@ -38,6 +38,18 @@ Papers



 Chameleon Mini 
 * [Chameleon: A Versatile Emulator for Contactless Smartcards - Paper](https://www.ei.rub.de/media/crypto/veroeffentlichungen/2011/11/16/chameleon.pdf)
 * [Milking the Digital Cash Cow [29c3] Video Presentation](https://www.youtube.com/watch?v=Y1o2ST03O8I)
 * [ChameleonMini Hardware](https://github.com/emsec/ChameleonMini/wiki)



 [Introduction to Trusted Execution  Environments - Steven J. Murdoch](https://www.cl.cam.ac.uk/~sjm217/talks/rhul14tee.pdf)
 [U-Boot -- the Universal Boot Loader](http://www.denx.de/wiki/U-Boot)
 * Very popular on embedded devices open source bootloader for linux
 * [Manual/Documentation](http://www.denx.de/wiki/DULG/Manual)

 [Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)


@ -138,7 +150,8 @@ TR-069
 * The Logic Pirate is an inexpensive, yet capable open source logic analyzer. It is designed to support the SUMP logic analyzer protocol. Costs $30. Recommended to me by those who use it.
 * [Blog Post about it](http://dangerousprototypes.com/2014/04/15/new-prototype-logic-pirate-8-channel-256k-sample-60msps-logic-analyzer/)


 [JTAGulator](http://www.grandideastudio.com/portfolio/jtagulator/)
 * JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.


 ###General Hardware Hacking
@ -268,6 +281,11 @@ BadUSB
 * This project's goal is to turn PS2303-based USB flash drive into a cheap USB 3.0 development platform (i.e. fast USB 3.0 to FPGA bridge).


 ###SIM Cards
 [Rooting SIM cards](https://www.youtube.com/watch?v=BR0yWjQYnhQ)






@ -291,7 +309,8 @@ Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
 [Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf) 
 * Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o-the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.


 [Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors](https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf)
 * Abstract. Memory isolation is a key property of a reliable and secure computing system — an access to one memory ad- dress should not have unintended side e ects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more di  cult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses. We induce errors in most DRAM modules (110 out of 129) from three major DRAM manufacturers. From this we conclude that many deployed systems are likely to be at risk. We identify the root cause of disturbance errors as the repeated toggling of a DRAM row’s wordline, which stresses inter-cell coupling e ects that accelerate charge leakage from nearby rows. We provide an extensive characterization study of disturbance errors and their behavior using an FPGA-based testing plat- form. Among our key findings, we show that (i) it takes as few as 139K accesses to induce an error and (ii) up to one in every 1.7K cells is susceptible to errors. After examining var- ious potential ways of addressing the problem, we propose a low-overhead solution to prevent the errors.



--- a/Draft/Draft/Exploit
+++ b/Draft/Draft/Exploit
@ -34,11 +34,23 @@ Exploit dev -




 ###Cull
 [The Userland Exploits of Pangu 8](http://blog.pangu.io/wp-content/uploads/2015/03/CanSecWest2015_Final.pdf)



 [The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations](https://www.syscan.org/index.php/download/get/aef11ba81927bf9aa02530bab85e303a/SyScan15%20Yuki%20Chen%20-%20The%20Birth%20of%20a%20Complete%20IE11%20Exploit%20Under%20the%20New%20Exploit%20Mitigations.pdf)


 []()
 * GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.
 * Why not PEDA?
 *	Yes ! Why not ?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architecture supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on).

 [The Wallstreet of Windows Binaries - Marion Marschalek, Joseph Moti](https://www.youtube.com/watch?v=8zlTv7fRjV8)
 * [Wallstreet - Github Repository](https://github.com/pinkflawd/Wallstreet)
 * Wallstreet of Windows binaries 7, 8, 9 err 10 sorry 


 [OllyDbg Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
@ -95,7 +107,7 @@ http://blogs.msdn.com/b/pfedev/archive/2008/09/26/all-the-ways-to-capture-a-dump
 http://blogs.technet.com/b/askperf/archive/2007/05/29/basic-debugging-of-an-application-crash.aspx
 http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx


 [Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)


 [Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
--- a/Draft/Draft/Forensics
+++ b/Draft/Draft/Forensics
@ -17,10 +17,13 @@ OS Forensics



 Better security - Mean time to detect/Mean time to respond


 ###CULL


 [Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
 * Good writeup/blogpost from Journey into Incidence Response

 applexaminer.com

--- a/Draft/Draft/Forensics
+++ b/Draft/Draft/Forensics
@ -7,6 +7,12 @@
 * NSA 70-page writeup on windows event log monitoring
 [Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)


 [Analysis of a Romanian Botnet](http://www.politoinc.com/2015/04/analysis-of-a-romanian-botnet/)
 * Going from first sighting in logs to tracing attackers to their C2 IRC room



 [How to Pull passwords from a memory dump](https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/)

 [Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
@ -22,6 +28,14 @@
 * Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials. 


 [Bootkit Disk Forensics
 [Part 1](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
 [Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)


 [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
 * A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine


 [Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)

--- a/Draft/Draft/Frameworks.md
+++ b/Draft/Draft/Frameworks.md
@ -108,53 +108,40 @@ Windows exploitation framework composed of Powershell modules


 ###Veil Framework
 [Veil-Evasion](https://www.github.com/Veil-Framework/Veil-Evasion/) * Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. 
 [Veil-Ordnance](https://github.com/Veil-Framework/Veil-Ordnance)
 * Veil-Ordnance is a tool that can be used to quickly generate valid stager shellcode.


 From: https://www.veil-framework.com/framework/veil-evasion/
 [Veil-Framework](https://github.com/Veil-Framework/Veil)
 * 

 Veil Projects:
 Veil-Evasion
 Veil-Ordnance
 Veil-Catapult
 Veil-Pillage
 Veil-PowerView

 Veil-Evasion
 Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it’s a part of the Veil super project at https://github.com/Veil-Framework/Veil which we recommend mosts users clone and install.”
 [Veil-Catapult](https://www.veil-framework.com/category/veil-catapult/)
 * Veil-Catapult is a payload delivery tool that integrates with Veil-Evasion for payload generation. 
 * [Github](https://github.com/Veil-Framework/Veil-Catapult/)

 Veil-Ordnance
 Veil-Ordnance is a tool that can be used to quickly generate valid stager shellcode.
 https://github.com/Veil-Framework/Veil-Ordnance

 Veil-Catapult
 eil-Catapult is a payload delivery tool that integrates with Veil-Evasion for payload generation. Veil-Catapult’s code is located at https://github.com/Veil-Framework/Veil-Catapult/
 https://www.veil-framework.com/category/veil-catapult/

 [Veil-Pillage](https://github.com/Veil-Framework/Veil-Pillage)
 Veil-Pillage is a modular post-exploitation framework that integrates with Veil-Evasion for payload generation.

 Veil-Pillage
 Veil-Pillage is a modular post-exploitation framework that integrates with Veil-Evasion for payload generation. Veil-Pillage’s code is located at https://github.com/Veil-Framework/Veil-Pillage
 [Veil Power-View[](https://github.com/Veil-Framework/Veil-PowerView/)
 * Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerView’s code is located at 
 [DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer)
 * Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output. The graph output will represent access direction (opposite of trust direction) 

 Veil Power-View
 Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerView’s code is located at https://github.com/Veil-Framework/Veil-PowerView/
 Text Tutorials:
 Framework Usage Tutorial
 https://www.veil-framework.com/veil-tutorial/

 Payload Creation Tutorial
 https://www.veil-framework.com/tutorial-veil-payload-development/

 Customizing backdoors with Veil
 https://www.veil-framework.com/how-to-customize-backdoor-factory-payloads-within-veil/

 Video Tutorial: 
 Creating a windows payload
 https://www.youtube.com/watch?v=v1OXNP_bl8U
 Veil Tutorials:
 * [Framework Usage Tutorial](https://www.veil-framework.com/veil-tutorial/)
 * [Payload Creation Tutorial](https://www.veil-framework.com/tutorial-veil-payload-development/)
 * [Customizing backdoors with Veil](https://www.veil-framework.com/how-to-customize-backdoor-factory-payloads-within-veil/)
 * [Creating a windows payload](https://www.youtube.com/watch?v=v1OXNP_bl8U)

 More videos: 
 https://www.veil-framework.com/guidesvideos/



 Talks on Veil: https://www.youtube.com/watch?v=53qQfCkVM_o
 Adventures in Asymmetric Warfare by Will Schroeder
 	Using Veil you can achieve 
 Talks on Veil 

 [Adventures in Asymmetric Warfare by Will Schroeder](https://www.youtube.com/watch?v=53qQfCkVM_o)
--- a/Draft/Draft/Fuzzing
+++ b/Draft/Draft/Fuzzing
@ -10,43 +10,23 @@ Books
 Miscellaneous


 [Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)


 ###Cull



 [afl-dyninst ; AFL Fuzzing blackbox binaries](https://github.com/vrtadmin/moflow/tree/master/afl-dyninst)
 * American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries  The tool has two parts. The instrumentation tool and the instrumentation  library. Instrumentation library has an initialization callback and basic  block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as.  Instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization  callback either at _init or at specified entry point.


 http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf

 [browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
 * A very simple browser fuzzer based on tornado.



 [Zulu Fuzzer](https://github.com/nccgroup/Zulu)
 * The Zulu fuzzer 
 [Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)

 http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf

 ###General Writeups
 [Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
 * Is what it says on the tin.


 [!exploitable Crash Analyzer](https://msecdbg.codeplex.com/)
 * !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.










 ###Techniques
@ -63,7 +43,7 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at




 w

 #####Papers

@ -91,6 +71,8 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at

 [Walkthrough of setting up CERT’s FOE fuzzer and fuzzing irfanview](http://www.singlehop.com/blog/lets-fuzz-irfanview/)



 ###Papers

 [Effective Bug Discovery](http://uninformed.org/?v=all&a=27&t=sumry)
@ -102,6 +84,8 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at

 [*THE* Book on fuzzing](http://fuzzing.org/)



 ###Tools


@ -109,6 +93,9 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at
 * American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road. 
 * It was made by lcamtuf. What more do you need?

 [afl-dyninst ; AFL Fuzzing blackbox binaries](https://github.com/vrtadmin/moflow/tree/master/afl-dyninst)
 * American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries  The tool has two parts. The instrumentation tool and the instrumentation  library. Instrumentation library has an initialization callback and basic  block callback functions which are designed to emulate what AFL is doing with afl-gcc/afl-g++/afl-as.  Instrumentation tool (afl-dyninst) instruments the supplied binary by inserting callbacks for each basic block and an initialization  callback either at _init or at specified entry point.

 [Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
 * Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.

@ -116,8 +103,16 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at
 [CERT’s Failure Observation Engine (FOE)](https://www.cert.org/vulnerability-analysis/tools/foe.cfm)
 * The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

 [Zulu Fuzzer](https://github.com/nccgroup/Zulu)
 * The Zulu fuzzer
 [Radamsa](https://code.google.com/p/ouspg/wiki/Radamsa)
 * Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can stand malformed and potentially malicious inputs. It operates based on given sample inputs and thus requires minimal effort to set up. The main selling points of radamsa are that it is easy to use, contains several old and new fuzzing algorithms, is easy to script from command line and has already been used to find a slew of bugs in programs that actually matter. 
 [browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
 * A very simple browser fuzzer based on tornado.

 [!exploitable Crash Analyzer](https://msecdbg.codeplex.com/)
 * !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.

 ####Peach Fuzzer
 * [Peach Documentation](http://old.peachfuzzer.com/Introduction.html)
 * [Creating Custom Peach Fuzzer Publishers](http://blog.opensecurityresearch.com/2014/01/creating-custom-peach-fuzzer-publishers.html)
--- a/Draft/Draft/Google
+++ b/Draft/Draft/Google
@ -22,4 +22,9 @@ https://en.wikipedia.org/wiki/Google_hacking



 [Google Hacking for Penetration Testers](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
 [Google Hacking for Penetration Testers](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)




 [Github dorks - finding vulns](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
--- a/Draft/Draft/Home
+++ b/Draft/Draft/Home
@ -3,4 +3,24 @@
 Anchored window covers


 [Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](https://www.youtube.com/watch?v=9Tbft190x3Q)
 [Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](https://www.youtube.com/watch?v=9Tbft190x3Q)


 [Physical Home Security Options - DiabloHorn](https://diablohorn.wordpress.com/2014/07/13/physical-home-security-options/#more-984)

















--- a/Draft/Draft/Honeypots
+++ b/Draft/Draft/Honeypots
@ -16,6 +16,7 @@ Write-ups

 ###Cull


 http://www.cuckoosandbox.org/

 https://www.shadowserver.org/wiki/pmwiki.php/Information/Honeypots
@ -28,10 +29,14 @@ https://en.wikipedia.org/wiki/Honeypot_%28computing%29



 [elastichoney](https://github.com/jordan-wright/elastichoney)0
 * Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.

 Types:

 Zero
 Low
 Medium
 High
 HoneyData - Strings, shares/drives, etc.



@ -76,6 +81,41 @@ Beeswarm](http://www.beeswarm-ids.org/)
 [Thug - Python low-interaction honeyclient](https://buffer.github.io/thug/)
 * Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents. 

 [elastichoney](https://github.com/jordan-wright/elastichoney)0
 * Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.

 [romanHunter](http://sourceforge.net/projects/romanhunter/)
 * romanHunter (router man Hunter) is a wireless honeypot or closer to a sinkhole that will bait a cracker, capture the MAC address, reset the WIFI password (effectively destroying their connection) and wait for the next authorized connection.  The password changes happen on a round robin basis from entries in the password file (pw_list.txt).

 [Wordpot](https://github.com/gbrindisi/wordpot)
 * Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation.

 [Honeyagent](https://bitbucket.org/fkie_cd_dare/honeyagent)
 * HoneyAgent is a Java agent library that creates a Sandbox for Java applications and applets. Therefore, it uses the JVMTI as well as the JNI to intercept class loading and function calls. During runtime HoneyAgent traces function calls from the analysed application. It is displayed which class calles which function with which parameters. Reflected function calls are translated to the original function names for simpler reading.

 [HoneyBadger](https://bitbucket.org/LaNMaSteR53/honeybadger)
 * A framework for targeted geolocation.

 [Amun Honeypot](https://github.com/zeroq/amun)
 * [Amun Honeypot Paper](https://ub-madoc.bib.uni-mannheim.de/2595/1/amunhoneypot2.pdf)

 [phpmyadmin_honeypot](https://github.com/gfoss/phpmyadmin_honeypot)
 * Probably one of the smallest and simplest web honeypots out there...

 [Web Labyrinth](https://github.com/mayhemiclabs/weblabyrinth)
 * A simple tool that creates a maze of bogus web pages to  confuse web scanners. It's main goal is to delay and occupy malicious  scanners that scan websites in order for incident handlers to detected  and respond to them before damage is done.

 [Web Bug Server](http://sourceforge.net/p/adhd/wiki/Web%20Bug%20Server/)
 * Easily embed a web bug inside word processing documents. These bugs are hidden to the casual observer by using things like linked style sheets and 1 pixel images.

 [Truman](http://www.secureworks.com/cyber-threat-intelligence/tools/truman/)
 * Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.


 ###Presentations
 [Honeypots for Active Defense - A Practical Guide to Deploying Honeynets Within the Enterprise - Greg Foss](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech201-honeypots-for-active-defense-a-practical-guide-to-deploying-honeynets-within-the-enterprise-greg-foss)
 * InfoSec analysts are all somewhat familiar with honeypots. When they are given the proper attention, care and feeding, they produce invaluable information. This intelligence has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor -- how can an organization that is not focused on research gain valuable intelligence using honeypots and actively defend their network using the data obtained? The answer is honeypots for active defense. There are currently many open source security tool distributions that come pre-loaded with honeypots among other useful tools, however the honeypot software is often not deployed in an effective manner. This session will discuss techniques to deploy honeypots in ways that will not overburden the security team with massive logs to sift through and focuses on correlating active threat data observed in the honeypot with the production environment. When deploying honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network.



 ###Writeups
--- a/Draft/Draft/Interesting
+++ b/Draft/Draft/Interesting
@ -30,42 +30,6 @@ Interesting & Useful Write-ups

 ###CULL

 http://www.mmoviper.com/