
Fixing README

pull/8/head
rmusser01 5 years ago
parent
commit
c24dac1de2
10 changed files with 230 additions and 167 deletions
  1. +2
    -1
      Draft/Exploit Development.md
  2. +4
    -0
      Draft/Interesting Things Useful stuff.md
  3. +2
    -1
      Draft/Malware.md
  4. +23
    -18
      Draft/Network Attacks & Defenses.md
  5. +119
    -89
      Draft/Privilege Escalation & Post-Exploitation.md
  6. +23
    -27
      Draft/Social Engineering.md
  7. +13
    -0
      Draft/System Internals Windows and Linux Internals Reference.md
  8. +31
    -29
      Draft/Web & Browsers.md
  9. +11
    -0
      Draft/Wireless Networks & RF.md
  10. +2
    -2
      README.md

+ 2
- 1
Draft/Exploit Development.md

@ -63,7 +63,7 @@ TOC
https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
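Review bot: the SEHOP entry on the first line of this hunk is still a bare URL (`https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf`) while the two lines below it use the `[title](url)` form this list has settled on; since the block is being touched, give it a title, e.g. `[Bypassing SEHOP](https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf)`. Note also that `Crash Course in DLL Hijacking` is added twice more to Draft/Privilege Escalation & Post-Exploitation.md in this same commit, so the post now appears three times across the repo.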
@ -109,6 +109,7 @@ Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oaklan
[INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
[Crafting Mac OS Rootkits](https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf)
https://github.com/NoviceLive/bintut
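Review bot: `https://github.com/NoviceLive/bintut` is added as a bare URL with no title or description, unlike the two entries above it; write it as `[bintut](https://github.com/NoviceLive/bintut)` with a one-line note on what the tool teaches, as the rest of the section does.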


+ 4
- 0
Draft/Interesting Things Useful stuff.md

@ -38,6 +38,10 @@ http://www.securitywizardry.com/radar.htm
#### To Sort
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
[Alexsey’s TTPs](https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551#.y2krgov7t)
* Short writeup on large breaches(Short: Shit ain't secure.)
[Internet Timeline](https://www.zakon.org/robert/internet/timeline/)
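Review bot: the `Alexsey's TTPs` link carries a Medium tracking fragment (`#.y2krgov7t`) that should be stripped, and its summary bullet (`Short: Shit ain't secure.`) tells the reader nothing about what the write-up covers; a sentence naming the breaches it walks through would be more useful. `Internet Timeline` also arrives without a description.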


+ 2
- 1
Draft/Malware.md

@ -28,7 +28,8 @@ http://www.malwarearchaeology.com/mmf/
https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
[Malware Guard Extension: Using SGX to Conceal Cache Attacks](https://arxiv.org/abs/1702.08719)
* In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.
#####END Sort
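Review bot: the bullet under `Malware Guard Extension` is the paper's abstract pasted verbatim without quotation marks, so it reads as the curator's own text; either mark it as a quote or reduce it to a one-line summary (a malicious SGX enclave running Prime+Probe against a co-located enclave's RSA implementation, with SGX hiding the attacker). The closing marker `#####END Sort` also has no space after the hashes, unlike `##### sort end` used elsewhere in this commit, so it will not render as a heading in CommonMark.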


+ 23
- 18
Draft/Network Attacks & Defenses.md

@ -7,7 +7,7 @@ TOC
*Cull
*[Attacking Windows Networks](#attackw)
* [Attacking Windows Networks](#attackw)
* [Tools](#tools)
* [Writeups](#writeup)
* [Presentations/Talks](#talks)
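Review bot: `*Cull` on the first line of this TOC still has no space after the asterisk, so it will not render as a list item; this hunk applies exactly that fix to `* [Attacking Windows Networks](#attackw)` but leaves the line above it untouched.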
@ -15,30 +15,21 @@ TOC
* [IPv6 info](#ipv6)
* [IDS/IPS Evasion](#evasion)
* [UPNP](#upnp)
* [Other(stuff that doesn't fit elswewher)](#other)
#####To be sorted
##### To be sorted
[Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
* In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.
[More on HNAP - What is it, How to Use it,How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[Modbus interface tutorial](https://www.lammertbies.nl/comm/info/modbus.html)
[Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org](https://web.archive.org/web/20131023064257/http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks)
[iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution[
http://www.pentest-standard.org/index.php/Intelligence_Gathering
##### sort end
[Break Fast Serial](https://github.com/GoSecure/break-fast-serial)
* A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
#####sort end
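Review bot: two defects in this block survive the reshuffle: the iv-wrt description ends with a stray `[` (`An Intentionally Vulnerable Router Firmware Distribution[`), and the TOC entry for the Other section misspells "elsewhere" as `elswewher`. The closing marker also appears in both spellings here (`##### sort end` and `#####sort end`); keep the spaced form, which is the one that renders as a heading.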
@ -46,6 +37,8 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
### General
[A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/#corporate-http-proxy-as-a-way-out)
[NMAP - Port-Scanning: A Practical Approach Modified for better](https://www.exploit-db.com/papers/35425/)
[A Curated list of assigned ports relevant to pen testing](http://www.vulnerabilityassessment.co.uk/ports.htm)
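Review bot: the pivoting guide link points at a single subsection (`#corporate-http-proxy-as-a-way-out`) rather than at the guide, and the identical line is added to the Pivoting section of Draft/Privilege Escalation & Post-Exploitation.md in this same commit; keep one entry, under Pivoting, and drop the fragment from the URL.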
@ -129,7 +122,9 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[CiscoRouter - tool](https://github.com/ajohnston9/ciscorouter)
* CiscoRouter is a tool for scanning Cisco-based routers over SSH. Rules can be created using accompanying CiscoRule application (see this repo) and stored in the "rules" directory.
[UPnP Pentest Toolkit](https://github.com/nccgroup/UPnP-Pentest-Toolkit)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
* AD PowerShell Recon Scripts
[NbtScan](http://www.unixwiz.net/tools/nbtscan.html)
* This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on the Windows platforms: mine runs on just about everything.
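Review bot: `PowerShell-AD-Recon` is added here under network tools and again under Post-Exploitation Windows in Draft/Privilege Escalation & Post-Exploitation.md in the same commit; AD recon scripts belong in one place, and the post-exploitation section is the better fit. `UPnP Pentest Toolkit` on the line above it is likewise listed a second time in the UPNP section further down this file.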
@ -334,7 +329,7 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Bitsquatting: DNS Hijacking without exploitation](http://dinaburg.org/bitsquatting.html)
[Hunting Bugs in AIX : Pentesting writeup](https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/)
@ -410,14 +405,24 @@ TCPDump
###<a name="upnp">UPNP</a>
Ufuzz - https://github.com/phikshun/ufuzz
UFuzz, or Universal Plug and Fuzz, is an automatic UPnP fuzzing tool. It will enumerate all UPnP endpoints on the network, find the available services and fuzz them. It also has the capability to fuzz HTTP using Burp proxy logs.
miranda-upnp - https://github.com/0x90/miranda-upnp
[Ufuzz](https://github.com/phikshun/ufuzz)
* UFuzz, or Universal Plug and Fuzz, is an automatic UPnP fuzzing tool. It will enumerate all UPnP endpoints on the network, find the available services and fuzz them. It also has the capability to fuzz HTTP using Burp proxy logs.
[miranda-upnp](https://github.com/0x90/miranda-upnp)
[UPnP Pentest Toolkit](https://github.com/nccgroup/UPnP-Pentest-Toolkit)
###<a name="other">Other</a>
[exitmap](https://github.com/NullHypothesis/exitmap)
* A fast and modular scanner for Tor exit relays. http://www.cs.kau.se/philwint/spoiled_onions/
[More on HNAP - What is it, How to Use it,How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[Modbus interface tutorial](https://www.lammertbies.nl/comm/info/modbus.html)
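Review bot: the new `exitmap` entry drops the `https://github.com/NullHypothesis/exitmap/issues/37` link that accompanied it in the old Privilege Escalation file; if that issue was worth linking, it should travel with the entry. `UPnP Pentest Toolkit` is now listed twice in this file (here and in the tools section above), and the three `###<a name=...>` headings have no space after the hashes, which CommonMark does not treat as headings.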

+ 119
- 89
Draft/Privilege Escalation & Post-Exploitation.md

@ -15,35 +15,16 @@
* [Pivoting](#pivot)
* [Pass-the-Hash](#pth)
* [Avoiding AV](#AV)
* [Exfiltration](#exfil)
###CULL
[Common Windows Privilege Escalation Vectors](https://toshellandback.com/2015/11/24/ms-priv-esc/)
[Detecting DLL Hijacking on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)
Antimalware Scan Interface Reference
- prevents certain kinds of powershell attacks
https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588
https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/
https://github.com/fdiskyou/PowerOPS
http://seclist.us/jsrat-is-a-simple-js-reverse-shell-over-http-for-windows.html
http://blog.fortinet.com/post/a-crash-course-in-dll-hijacking
##### to do:
* sort things into kerberos section
* section for dll hijacking
* Add section for powershell stuff specifically
#### CULL
http://www.irongeek.com/i.php?page=videos/derbycon4/t109-et-tu-kerberos-christopher-campbell
http://www.irongeek.com/i.php?page=videos/derbycon4/t120-attacking-microsoft-kerberos-kicking-the-guard-dog-of-hades-tim-medin
http://www.irongeek.com/i.php?page=videos/derbycon4/t213-active-directory-real-defense-for-domain-admins-jason-lang
[BSidesSF 109 Sedating the Watchdog Abusing Security Products to Bypass Windows Protections Tomer Bit](https://www.youtube.com/watch?v=7RKHux8QJfU)
https://odzhan.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/
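Review bot: the `to do` list (sort things into the Kerberos section, a section for DLL hijacking, a PowerShell section) is removed, but none of those three things happens in this commit: the Kerberos talks are filed under Grabbing Goodies instead of Kerberos Related, and `Crash Course in DLL Hijacking` lands in two different sections. Either keep the to-do or do the sorting. The new `* [Exfiltration](#exfil)` TOC entry also points at a heading that is added at `####` level, one deeper than its sibling sections, so it will render as a subsection of Kerberos Related.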
@ -51,77 +32,15 @@ https://odzhan.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-p
https://warroom.securestate.com/index.php/dll-injection-part-2-createremotethread-and-more/
http://securityxploded.com/dll-injection-and-hooking.php
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
[exitmap
](https://github.com/NullHypothesis/exitmap)
* A fast and modular scanner for Tor exit relays. http://www.cs.kau.se/philwint/spoiled_onions/
https://github.com/NullHypothesis/exitmap/issues/37
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf
http://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez
http://room362.com/post/2016/wpad-persistence/
Pompem - https://github.com/rfunix/Pompem
Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database ...
http://sdb.tools/talks.html
Shimming for Post Exploitation(blog)
http://www.sdb.tools/
https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/
Windows - Application Shims
https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx
Defending against mimikatz
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Unofficial Guide to Mimikatz
https://adsecurity.org/?page_id=1821
PowerMemory - https://github.com/giMini/PowerMemory
Exploit the credentials present in files and memory
[Learn how to hide your trojans, backdoors, etc from anti virus.](https://www.hellboundhackers.org/articles/read-article.php?article_id=842)
[No one expect command execution!](http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html)
[twittor - twitter based backdoor](https://github.com/PaulSec/twittor)
* A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.
[Pupy](https://github.com/n1nj4sec/pupy)
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
| **Black hat talk on Windows Privilege Escalation** | http://www.slideshare.net/riyazwalikar/windows-privilege-escalation
| **PowerUp - Windows Privilege Escalation through Powershell** | https://n0where.net/windows-local-privilege-escalation-powerup/
[Abusing Kerberos](https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don%27t-Get-It-wp.pdf)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
* AD PowerShell Recon Scripts
http://www.slideshare.net/harmj0y/derbycon-passing-the-torch
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
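Review bot: several removed entries do not reappear anywhere in this diff: the Riyaz Walikar Windows privilege escalation slides, the PowerUp write-up on n0where, `http://sdb.tools/talks.html`, harmj0y's "passing the torch" slides, and mubix's Linux post-exploitation command list. If this is a reshuffle rather than a prune, they need new homes (Privilege Escalation - Windows / Linux respectively). The rest of the removed block (exitmap, Pompem, PowerMemory, Pupy, twittor, the mimikatz guides, PowerShell-AD-Recon, Application Shims) is re-added further down, so those deletions are fine.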
@ -131,10 +50,14 @@ http://www.leonteale.co.uk/decrypting-windows-2008-gpp-user-passwords-using-gppr
http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html
http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
[Detecting DLL Hijacking on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)
##### end sort
Article Explaining what the KRBTGT account in AD is:
http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment
###<a name="generalpriv">General Privilege Escalation</a>
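Review bot: `Detecting DLL Hijacking on Windows` is a SANS forensics post on spotting hijacks, dropped into the `end sort` block between the Group Policy Preferences password links and the KRBTGT article; it belongs beside `Crash Course in DLL Hijacking` (added under Privilege Escalation - Windows in this commit), ideally in the DLL hijacking section the removed to-do asked for.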
@ -142,6 +65,13 @@ http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-
[Execute ShellCode Using Python](http://www.debasish.in/2012/04/execute-shellcode-using-python.html)
* In this article I am going to show you, how can we use python and its "ctypes" library to execute a "calc.exe" shell code or any other shell code.
[Pompem](https://github.com/rfunix/Pompem)
* Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database ...
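Review bot: the Pompem bullet is the project README copied verbatim, grammar included (`search for Exploits and Vulnerability`, `has a system of advanced search, that help`); a one-line summary (searches PacketStorm, CXSecurity, Vulners, NVD and the WPScan database for public exploits by keyword) reads better under General Privilege Escalation. `Execute ShellCode Using Python` is a ctypes shellcode loader, not a privilege-escalation technique; it fits the Avoiding AV material or the Exploit Development file better.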
###<a name="linpriv">Privilege Escalation - Linux</a>
@ -162,10 +92,15 @@ http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-
[Unix Privilege Escalation Checker](https://code.google.com/p/unix-privesc-check/)
* Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).
[Chw00t: Breaking Unixes’ Chroot Solutions](https://www.youtube.com/watch?v=1A7yJxh-fyc)
###<a name="privescwin">Privilege Escalation - Windows</a>
[Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
[Common Windows Privilege Escalation Vectors](https://toshellandback.com/2015/11/24/ms-priv-esc/)
[Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
* [Blogpost]https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
* This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
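Review bot: `* [Blogpost]https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html` is missing the parentheses around the URL, so it renders as literal text rather than a link; write `* [Blogpost](https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html)`. Whether or not that line is new in this commit, it sits inside the hunk and is cheap to fix now.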
@ -178,8 +113,12 @@ http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-
[How to own any windows network with group policy hijacking attacks](https://labs.mwrinfosecurity.com/blog/2015/04/02/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/)
[Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org](https://web.archive.org/web/20131023064257/http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks)
[Hacking windows through the WIndows API; delves into windows api, how it can break itself](http://www.irongeek.com/i.php?page=videos/derbycon4/t122-getting-windows-to-play-with-itself-a-pen-testers-guide-to-windows-api-abuse-brady-bloxham)
[BSidesSF 109 Sedating the Watchdog Abusing Security Products to Bypass Windows Protections Tomer Bit](https://www.youtube.com/watch?v=7RKHux8QJfU)
[Analyzing local privilege escalations in win32k](http://uninformed.org/?v=all&a=45&t=sumry)
* This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
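Review bot: the speaker name in `BSidesSF 109 Sedating the Watchdog ... Tomer Bit` is cut off (a truncated YouTube title; the speaker is Tomer Bitton), and the Brady Bloxham entry's bracket text is commentary rather than a title (`Hacking windows through the WIndows API; delves into windows api, how it can break itself`, with `WIndows` mis-capitalised). Use the talk's title from the URL slug, `Getting Windows to Play with Itself: A Pen Tester's Guide to Windows API Abuse`, and put the commentary in a bullet under it, matching the win32k entry below.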
@ -195,6 +134,15 @@ http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-
[All roads lead to SYSTEM](https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf)
[Dump Windows password hashes efficiently - Part 1](bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
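Review bot: the `Dump Windows password hashes efficiently - Part 1` link has no scheme (`bernardodamele.blogspot.com/2011/12/...`), so markdown renders it as a relative path inside the repo and the link is dead; prefix `http://`. It is a credential-dumping post and would also sit better under Grabbing Goodies than under Privilege Escalation - Windows.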
###<a name="osxprivesc">Privilege Escalation - OS X</a>
[Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/)
@ -205,6 +153,11 @@ http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-
[Privilege Escalation on OS X below 10.0](https://code.google.com/p/google-security-research/issues/detail?id=121)
###<a name="generalpost">General Post-Exploitation</a>
[File Server Triage on Red Team Engagements](http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/)
@ -231,6 +184,12 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="winpost">Post-Exploitation Windows</a>
[Abusing Active Directory in Post-Exploitation](https://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
[PowerOPS: PowerShell for Offensive Operations](https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/)
* [PowerOPS Github page](https://github.com/fdiskyou/PowerOPS)
[Dumping user passwords in plaintext on Windows 8.1 and Server 2012](http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html)
[PShell Script: Extract All GPO Set Passwords From Domain](http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/)
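Review bot: the bullet under `Abusing Active Directory in Post-Exploitation` is the wrong abstract: "get Windows to play with itself nonstop ... a custom HTTP beaconing backdoor" describes Brady Bloxham's Windows API abuse talk (the `t122-getting-windows-to-play-with-itself` link added earlier in this file), not Carlos Perez's AD talk. Replace it with a summary of the AD talk or drop the bullet.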
@ -241,12 +200,19 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
[I Hunt Sysadmins 2.0](http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20)
* It covers various ways to hunt for users in Windows domains, including using PowerView.
[Crash Course in DLL Hijacking](https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking)
[Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014](http://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
[WPAD Persistence](http://room362.com/post/2016/wpad-persistence/)
[15 Ways to bypass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
* Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
[PowerMemory](https://github.com/giMini/PowerMemory)
* Exploit the credentials present in files and memory
[Post-Exploitation on Windows using ActiveX Controls](http://uninformed.org/?v=all&a=3&t=sumry)
[WMI Shell Tool](https://github.com/secabstraction/Create-WMIshell)
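Review bot: `Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014` duplicates the entry added a few lines above in the same section (same irongeek URL, same mismatched Bloxham abstract); keep one. `Crash Course in DLL Hijacking` also appears here for the second time in this file, after its addition under Privilege Escalation - Windows.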
@ -254,6 +220,22 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
[Dirty Powershell Webserver](http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html)
[Windows - Application Shims](https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx)
####<a namee="grabbing">Grabbing Goodies</a>
[Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
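Review bot: `<a namee="grabbing">` has a typo in the attribute name, so the `grabbing` anchor does not exist and any `#grabbing` link in the TOC is dead; and `[Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/` lacks its closing `)`, so it does not render as a link. Both sit in this hunk and should be fixed while the section is being edited.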
@ -264,6 +246,28 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
[Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
[Shimming for Post Exploitation(blog)](http://www.sdb.tools/)
[Learn how to hide your trojans, backdoors, etc from anti virus.](https://www.hellboundhackers.org/articles/read-article.php?article_id=842)
[No one expect command execution!](http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html)
[twittor - twitter based backdoor](https://github.com/PaulSec/twittor)
* A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.
[Pupy](https://github.com/n1nj4sec/pupy)
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
[Defending against mimikatz](https://jimshaver.net/2016/02/14/defending-against-mimikatz/)
[Unofficial Guide to Mimikatz](https://adsecurity.org/?page_id=1821)
[Abusing Kerberos](https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don%27t-Get-It-wp.pdf)
[Et tu - Kerberos?](https://www.irongeek.com/i.php?page=videos/derbycon4/t109-et-tu-kerberos-christopher-campbell)
* For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known- but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC- Pass-the-Hash- Golden Ticket- Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately- we don’t really know what is next – only that what we have now is broken.
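Review bot: the Kerberos material added here (`Abusing Kerberos`, `Et tu - Kerberos?`) goes under Grabbing Goodies even though the file has a `Kerberos Related` section, to which the Tim Medin talk is added in this same commit, and the removed to-do explicitly said to sort things into it. Likewise the AV-evasion and C2 items (the hellboundhackers article, twittor, Pupy) belong under Avoiding AV or a C2 bucket rather than under credential grabbing; the mimikatz guides and `Defending against mimikatz` are the entries that actually fit here. The Campbell abstract also carries hyphens where the irongeek page lost its commas (`Spoofed-PAC- Pass-the-Hash- Golden Ticket-`), which makes the attack list hard to read.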
@ -276,6 +280,15 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
[Domain Trusts: Why You Should Care](http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/)
* [Trusts You Might Have Missed](http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
* AD PowerShell Recon Scripts
[Packet sniffing with powershell](https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/)
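Review bot: `PowerShell-AD-Recon` is added here and also to the tools list in Draft/Network Attacks & Defenses.md in this commit; this Post-Exploitation Windows section is the right home, so drop the other copy.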
###<a name="persistence">Persistence Techniques</a>
@ -284,6 +297,10 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
[Windows Event Log Driven Backdoors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
[List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!](http://timeglider.com/timeline/5ca2daa6078caaf4)
[JSRAT](http://seclist.us/jsrat-is-a-simple-js-reverse-shell-over-http-for-windows.html)
* JSRAT is a Simple JS Reverse Shell over HTTP for Windows.
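Review bot: JSRAT is a JavaScript reverse shell over HTTP, i.e. a payload and C2 channel, not a persistence mechanism; it should go under Post-Exploitation Windows (alongside Pupy and twittor) rather than under Persistence Techniques.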
###<a name="winpersist">Windows</a>
@ -316,6 +333,13 @@ Start-Process -WindowStyle hidden -FilePath
Startup folder on Win8
* C:\Users\YOURUSER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf)
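Review bot: good that the WMI backdoor URL now percent-encodes the space (`Persistent%20Asynchronous`) that the removed copy had as a literal space, which broke the link; the title still misspells `Asyncronous` (the paper and the URL say Asynchronous).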
###<a name="linpersist">Linux</a>
Linux cron tab
@ -338,6 +362,7 @@ Linux cron tab
###<a name="pivot">Pivoting:</a>
[A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/#corporate-http-proxy-as-a-way-out)
[Socat Cheatsheet](http://www.blackbytes.info/2012/07/socat-cheatsheet/)
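Review bot: the pivoting guide URL carries a subsection fragment (`#corporate-http-proxy-as-a-way-out`); link the guide's top level. The same line is added to the General section of Draft/Network Attacks & Defenses.md in this commit, so one of the two copies should go, and this Pivoting section is the one to keep.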
@ -394,9 +419,14 @@ http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
###<a name="kerberos">Kerberos Related</a>
[Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades](https://www.irongeek.com/i.php?page=videos/derbycon4/t120-attacking-microsoft-kerberos-kicking-the-guard-dog-of-hades-tim-medin)
* Kerberos- besides having three heads and guarding the gates of hell- protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication.In this talk Tim will discuss his research on new attacks against Kerberos- including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems.He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.
####<a name="exfil">Exfiltration</a>
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
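Review bot: `####<a name="exfil">Exfiltration</a>` is one heading level deeper than its siblings (`###<a name="kerberos">...`), so it renders as a subsection of Kerberos Related while the TOC lists it as a top-level section; use `###`. The Medin abstract also has the irongeek hyphen-for-comma artefact (`Kerberos- besides having three heads- protects`) and is missing a space in `authentication.In this talk`.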

+ 23
- 27
Draft/Social Engineering.md

@ -15,43 +15,18 @@ CULL
###Cull
Pwning People Personally
http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-personally-josh-schwartz
#### sort
| **I Will Kill You** - Chris Rock(Defcon23)| https://www.youtube.com/watch?v=9FdHq3WfJgs
[BSidesSF 2016 - The Art of the Jedi Mind Trick (Jeff Man) ](https://www.youtube.com/watch?v=3L5_Kaps5t4)
[PG01 Dropping hell0days Business Interaction for Security Professionals Or Anyone Else Elliot Johnso ](https://www.youtube.com/watch?v=COyN3NwY1v0)
[king-phisher](https://github.com/securestate/king-phisher)
* Phishing Campaign Toolkit
[gophish documentation](https://getgophish.com/documentation/)
[Area41 2016: Dominique-Cédric Brack: Professional Social Engineering](https://youtu.be/NcpmhsSVzuM)
| **Pwning People Personally** - Josh Schwartz | https://www.youtube.com/watch?v=T2Ha-ZLZTz0
[The Social Engineering Framework](http://www.social-engineer.org/framework/general-discussion/)
* The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
[DiSC Overview](https://www.discprofile.com/what-is-disc/overview/)
* DiSC is a personal assessment tool used to improve work productivity, teamwork and communication. DiSC is non-judgmental and helps people discuss their behavioral differences.
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
#### end sort
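Review bot: `Pwning People Personally` appears twice in this block under two different URLs (the irongeek DerbyCon 5 page, and a YouTube link in the old `| **...** |` table form) and is re-added in two later hunks of this file; pick one URL and one entry. The NCBI link (`PMC3152826`) has no title, so readers cannot tell what it is without clicking.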
###<a name="articles">Articles
@ -61,6 +36,13 @@ http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
[List of the 48 Laws of Power](http://cgt411.tech.purdue.edu/covey/48_laws_of_power.htm)
[Influence: Book notes](http://www.2uo.de/influence/)
[DiSC Overview](https://www.discprofile.com/what-is-disc/overview/)
* DiSC is a personal assessment tool used to improve work productivity, teamwork and communication. DiSC is non-judgmental and helps people discuss their behavioral differences.
[The Social Engineering Framework](http://www.social-engineer.org/framework/general-discussion/)
* The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
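Review bot: the DiSC bullet is the vendor's own copy from discprofile.com ("DiSC is non-judgmental and helps people discuss their behavioral differences"); under Articles a neutral one-liner saying why a social engineer would care (a behavioural profiling model for reading how a target communicates) would be more in keeping with the rest of the list.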
###<a name="books">Books</a>
Paul Ekmans research
@ -108,6 +90,9 @@ Influence Without Authority
[Steal Everything, Kill Everyone, Cause Total Financial Ruin!](https://www.youtube.com/watch?v=JsVtHqICeKE)
* This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive I also make sure with every attack I highlight. I spend time discussing what would have stopped me. We need to know the problems but we need more talks providing solutions and that is what I hope people will get from this. I show the dangers of Social engineering and how even an employee with no SE experience can be an eBay James Bond which can cause total financial ruin to a company. These Security threats are real. So are these stories!
[PG01 Dropping hell0days Business Interaction for Security Professionals Or Anyone Else Elliot Johnso ](https://www.youtube.com/watch?v=COyN3NwY1v0)
[Social Engineering: The Gentleman Thief - Apollo Robins - Defcon21](https://www.youtube.com/watch?v=1kkOKvPrdZ4)
[Go With the Flow Strategies for Successful Social Engineering - Chris Silvers](https://www.youtube.com/watch?v=Lfm1mBrcuhY&feature=player_embedded)
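Review bot: the `PG01 Dropping hell0days ...` title is a truncated YouTube title (the speaker is cut to `Elliot Johnso`) with a trailing space inside the brackets; write the title and speaker out in full and trim the space.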
@ -122,6 +107,10 @@ Influence Without Authority
[Beyond Social Engineering: Tools for Reinventing Yourself - Defcon14](https://www.youtube.com/watch?v=S-FPJ6lpRYU)
* Managing multiple modular identities is not a trivial task. But that's what the technologies and politics of Now demand. These tools will enable you to create personas at a deep level, then link them into a seamless life.
| **Pwning People Personally** - Josh Schwartz | https://www.youtube.com/watch?v=T2Ha-ZLZTz0
[Area41 2016: Dominique-Cédric Brack: Professional Social Engineering](https://youtu.be/NcpmhsSVzuM)
[Social Engineering: When the Phone is More Dangerous than Malware](https://www.youtube.com/watch?v=fui9AVpp1wo)
* Is social engineering (SE) the most dangerous security threat to your business? The Social-Engineer team will analyze current trends in social engineering through the official (and unofficial) results from the DefCon 21 Social Engineering Capture the Flag event. They will reveal how these attacks work, the latest social engineering research and how to use this information to protect organizations.
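Review bot: the entry `| **Pwning People Personally** - Josh Schwartz | https://www.youtube.com/watch?v=T2Ha-ZLZTz0` is written as a table row while every other entry in this hunk is a markdown link; rewrite it as `[Pwning People Personally - Josh Schwartz](https://www.youtube.com/watch?v=T2Ha-ZLZTz0)` so it renders like the rest. The same talk is added again further down in this commit as an irongeek DerbyCon 5 link, so one entry could carry both URLs instead of listing it twice.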
@ -142,6 +131,13 @@ Influence Without Authority
[The Future of Social Engineering - Sharon Conheady - DeepSec2010](https://www.youtube.com/watch?v=aVIq9mdVHlc&index=11&list=PL_At9BlHdC-_764ciDVexbJL0hwsCzqLK)
* Social engineering is hitting the headlines more than ever. As computer security becomes more sophisticated, hackers are combining their technical expertise with social engineering to gain access to IT infrastructures and critical information. In any security programme people are the weakest link. It can often be easier and quicker to target the end user than using technical hacking techniques. When you combine both social engineering and traditional hacking techniques, you have an extremely dangerous attack. So what's next on the social engineering agenda? What are the emerging trends and what social engineering techniques might we expect to see in the future? In this talk, I will give an overview of the types of social engineering attacks people have used throughout the ages, from tricks used by the classic conmen of the past to the phishing attacks that are at an all time high, and the proliferation of social networking and how useful this is to social engineers. I will describe some of the new social engineering techniques and trends that are emerging and discuss war stories from my experience of social engineering, describing techniques I have used to gain access to sensitive information
[BSidesSF 2016 - The Art of the Jedi Mind Trick (Jeff Man) ](https://www.youtube.com/watch?v=3L5_Kaps5t4)
[Pwning People Personally](http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-personally-josh-schwartz)
[Disguise - Appearance Hacking](http://www.irongeek.com/i.php?page=videos/derbycon2/valerie-thomas-appearance-hacking-101-the-art-of-everyday-camouflage)
* [Transcript](http://www.ted.com/talks/amy_cuddy_your_body_language_shapes_who_you_are/transcript)
My notes from it:
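Review bot: the last two lines of this hunk, `* [Transcript](http://www.ted.com/talks/amy_cuddy_your_body_language_shapes_who_you_are/transcript)` and `My notes from it:`, are dangling: the transcript bullet is nested under the unrelated `Disguise - Appearance Hacking` entry and points at Amy Cuddy's TED talk, which has no parent entry of its own, and `My notes from it:` is followed by nothing. Either add the parent link for the talk together with the promised notes, or leave both lines out until the notes exist.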


+ 13
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -5,6 +5,7 @@ CULL
* [General Internals](#general)
* [Windows Internals](#winternals)
* [Kerberos / Related](#kerberos)
* [Linux Internals](#linux)
* [Windows Reference](#windowsref)
* [Linux Reference](#linuxref)
@ -17,9 +18,15 @@ To Do:
* Clear Cull List
* Split sections into reference material and writeup material(quick vs long reference)
#### Sort
http://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/?utm_content=buffere95dc&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
[Windows - Application Shims](https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx)
[Antimalware Scan Interface Reference](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588]
* prevents certain kinds of powershell attacks
http://duartes.org/gustavo/blog/post/memory-translation-and-segmentation/
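Review bot: the link on the fourth line of this hunk, `[Antimalware Scan Interface Reference](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588]`, closes the URL with `]` instead of `)`, so it will not render as a link; change the final character to `)`. The ELF-binaries URL on the second line also carries `?utm_content=...&utm_campaign=buffer` tracking parameters that can be stripped, and the bare `http://duartes.org/...` URL on the last line could get a bracketed title like the entries around it.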
@ -35,10 +42,13 @@ https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
[Windows Filtering Platform: Persistent state under the hood](http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html)
https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/
[Article Explaining what the KRBTGT account in AD is](http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment)
[Intel SGX Explained](https://eprint.iacr.org/2016/086.pdf)
* This paper analyzes Intel SGX, based on the 3 pa- pers [ 14 , 78 , 137 ] that introduced it, on the Intel Software Developer’s Manual [ 100 ] (which supersedes the SGX manuals [ 94 , 98 ]), on an ISCA 2015 tutorial [ 102 ], and on two patents [ 108 , 136 ]. We use the papers, reference manuals, and tutorial as primary data sources, and only draw on the patents to fill in missing information. This paper’s contributions are a summary of the Intel-specific architectural and micro-architectural details needed to understand SGX, a detailed and structured pre- sentation of the publicly available information on SGX, a series of intelligent guesses about some important but undocumented aspects of SGX, and an analysis of SGX’s security properties.
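Review bot: the quoted SGX abstract on the last line of this hunk carries PDF copy residue, namely line-break hyphens (`3 pa- pers`, `structured pre- sentation`) and spaced citation brackets (`[ 14 , 78 , 137 ]`), which should be cleaned up since they are not the paper's text. Two lines above, the bare `https://tribalchicken.com.au/...` URL sits between titled links; giving it a bracketed title like its neighbours would keep the list consistent.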
@ -151,6 +161,9 @@ WinPrefetchView is a small utility that reads the Prefetch files stored in your
####<a name="kerberos">Kerberos Related</a>
[Kerberos Delegation, SPNs and More...](https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more)
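Review bot: the heading `####<a name="kerberos">Kerberos Related</a>` has no space after the `#` run, so CommonMark and GitHub render it as literal text rather than a heading (the README hunk in this same commit makes exactly that fix for `#### Goal:`); change it to `#### <a name="kerberos">Kerberos Related</a>`. The anchor name matches the new `[Kerberos / Related](#kerberos)` TOC entry, so the link resolves once the heading renders.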


+ 31
- 29
Draft/Web & Browsers.md View File

@ -10,18 +10,19 @@
* [NO/SQL](#sql)
* [L/RFI](#lrfi)
* [Different Types of Web based attacks](#difatk)
..* [Abuse of Functionality[#
..* [Data Structure Attacks](#
..* [Embedded Malicious Code](#
..* [Exploitation of Authentication](#
..* [Injection Based Attacks
..* [Path Traversal Attacks
..* [Probabilistic Attacks
..* [Protocol Manipulation
..* [Resource Depletion](#
..* [Resource Manipulation
..* [Sniffing Based](#
..* [Spoofing Based](#
..* [Abuse of Functionality](#)
..* [Data Structure Attacks](#)
..* [Embedded Malicious Code](#emc)
..* [Exploitation of Authentication](#eoa)
..* [Injection Based Attacks](#ija)
..* [Java Deserialization Attacks](#jsa)
..* [Path Traversal Attacks](#pta)
..* [Probabilistic Attacks](#pa)
..* [Protocol Manipulation](#pm)
..* [Resource Depletion](#rd)
..* [Resource Manipulation](#rm)
..* [Sniffing Based](#sb)
..* [Spoofing Based](#spb)
* [CMSs](#cms)
* [Client Web Proxies](#webproxy)
* [Javascript](#javascript)
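Review bot: the nested TOC entries in this hunk still use `..*` as the list marker, which markdown does not treat as indentation, so they render as literal `..*` text; indent them with spaces instead (`  * [Embedded Malicious Code](#emc)`). Two further problems survive the rewrite: `[Abuse of Functionality](#)` and `[Data Structure Attacks](#)` link to an empty anchor, and the new `[Java Deserialization Attacks](#jsa)` entry does not match the heading text `Java Serialization Attacks` that the `jsa` anchor is attached to further down in this file.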
@ -112,20 +113,20 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
#####<a name="Embedded Malicious Code](#
#####<a name="emc">Embedded Malicious Code</a>
#####<a name="Exploitation of Authentication](#
#####<a name="eoa">Exploitation of Authentication</a>
#####<a name="Injection Based Attacks(#injection)
##### <a name="ija">Injection Based Attacks</a>
##### Java Serialization Attacks
##### <a name="jsa">Java Serialization Attacks</a>
[Break Fast Serial](https://github.com/GoSecure/break-fast-serial)
* A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
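Review bot: heading spacing is inconsistent within this hunk: `#####<a name="emc">Embedded Malicious Code</a>` and `#####<a name="eoa">Exploitation of Authentication</a>` have no space after the hashes, while `##### <a name="ija">Injection Based Attacks</a>` and `##### <a name="jsa">Java Serialization Attacks</a>` do; only the spaced form renders as a heading on GitHub, so use it for all four. The `jsa` heading says `Java Serialization Attacks` while the TOC entry added in this commit says `Java Deserialization Attacks`; pick one wording for both.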
@ -147,8 +148,9 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
* Automated All-in-One OS Command Injection and Exploitation Tool
#####<a name="Path Traversal Attacks
[Exploiting PHP File Inclusion – Overview](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/)
##### <a name="pta">Path Traversal Attacks</a>
[Exploiting PHP File Inclusion – Overview](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/)
#####<a name="Probabilistic Attacks
#####<a name="Protocol Manipulation
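Review bot: the two trailing context lines `#####<a name="Probabilistic Attacks` and `#####<a name="Protocol Manipulation` are still malformed (unterminated `<a name=` with the title inside the attribute and no closing tag), even though the TOC rewritten in this commit now links to `#pa` and `#pm`; those links stay dead until these headings get the same treatment as `##### <a name="pta">Path Traversal Attacks</a>`. The reordering that moves the `[Exploiting PHP File Inclusion – Overview]` line below the new heading is correct.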
@ -174,7 +176,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
[Various forms of encoding/decoding web app](http://yehg.net/encoding/)
[Javascript De-Obfuscation Tools Redux](http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/)
* Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against todays obfuscated scripts with the least amount of intervention.
* Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.
@ -217,7 +219,7 @@ As seen on: https://www.owasp.org/index.php/Category:Attack
* Probe LAN devices from a web browser.
[OWASP Mantra](http://www.getmantra.com/hackery/)
* “OWASP Mantra is a powerful set of tools to make the attacker's task easier”
* “OWASP Mantra is a powerful set of tools to make the attacker's task easier�
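Review bot: the replacement line `* “OWASP Mantra is a powerful set of tools to make the attacker's task easier�` swaps the closing curly quote for the U+FFFD replacement character, which looks like an encoding mishap in the editor rather than an intended edit; restore the closing `”` (or use plain ASCII quotes at both ends) before merging.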
@ -427,7 +429,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[Hacking with Pictures - Syscan2015](http://www.slideshare.net/saumilshah/hacking-with-pictures-syscan-2015)
[Relative Path Overwrite Explanation/Writeup](http://www.thespanner.co.uk/2014/03/21/rpo/)
* RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesnt specify a domain or protocol and uses the existing destination to determine the protocol and domain.
* RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
[Attacking Adobe ColdFusion](http://jumpespjump.blogspot.com/2014/03/attacking-adobe-coldfusion.html)
@ -489,7 +491,7 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[Pen Testing MongoDB](http://www.irongeek.com/i.php?page=videos/derbycon4/t408-making-mongo-cry-attacking-nosql-for-pen-testers-russell-butturini)
[Laduanum](http://laudanum.sourceforge.net/)
* Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.
* “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.�
[Making Mongo Cry Attacking NoSQL for Pen Testers Russell Butturini](https://www.youtube.com/watch?v=NgsesuLpyOg)
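Review bot: the new quoted Laudanum line ends with `�` instead of a closing quotation mark, the same encoding corruption that appears elsewhere in this commit; restore the closing `”`. While touching this entry, `[Laduanum](http://laudanum.sourceforge.net/)` on the context line above misspells the tool name that both the description and the URL spell `Laudanum`, and `environments.They` is missing a space after the period.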
@ -579,22 +581,22 @@ Secondary channel extraction
###<a name="papers">Papers
[The Spy in the Sandbox Practical Cache Attacks in Javascript](http://iss.oy.ne.ro/SpyInTheSandbox.pdf)
* We present the first micro-architectural side-channel at- tack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine – to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled con- tent. This makes the attack model highly scalable and ex- tremely relevant and practical to todays web, especially since most desktop browsers currently accessing the In- ternet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al. [23], allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required counter- measures can exact an impractical cost on other benign uses of the web browser and of the computer.
[The Spy in the Sandbox – Practical Cache Attacks in Javascript](http://iss.oy.ne.ro/SpyInTheSandbox.pdf)
* We present the first micro-architectural side-channel at- tack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine – to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled con- tent. This makes the attack model highly scalable and ex- tremely relevant and practical to today’s web, especially since most desktop browsers currently accessing the In- ternet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al. [23], allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required counter- measures can exact an impractical cost on other benign uses of the web browser and of the computer.
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attackers domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration� attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
[The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines](http://users.ics.forth.gr/~elathan/papers/ndss15.pdf)
* Abstract Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then taking advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all re- quired gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. 
Finally, we perform an analysis of the most important defense currently employed, namely constant blinding , which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engines performance, introducing up to 80% additional instructions.
* Abstract —Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then taking advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all re- quired gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. 
Finally, we perform an analysis of the most important defense currently employed, namely constant blinding , which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine’s performance, introducing up to 80% additional instructions.
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a users real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
[SSL/TLS Interception Proxies and Transitive Trust](http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-WP.pdf)
* Secure Sockets Layer (SSL) [ 1 ] and its successor Transport Layer Security (TLS) [ 2 ] have become key components of the modern Internet . The privacy, integrity, and authenticity [ 3 ] [ 4 ] provided by these protocols are critical to allowing sensitive communications to occur . Without these systems, e - commerce, online banking , and business - to - business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities . Advanced Persistent Threat ( APT ) attackers [ 5 ] , botnets [ 6 ] , and eve n commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end - to - end encrypted channels. Web proxies, data loss prevention ( DLP ) systems, spec ialized threat detection solutions, and network intrusion prevention systems ( N IPS ) offer functionality to intercept, inspect , and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surve illance of encrypted communications by governments. Broadly classified as “SSL/TLS interception proxies ,” these solutions act as a “ man in the middle , ” violating the end - to - end security promises of SSL. This type of interception comes at a cost . Intercepti ng SSL - encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation . Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances
* Secure Sockets Layer (SSL) [ 1 ] and its successor Transport Layer Security (TLS) [ 2 ] have become key components of the modern Internet . The privacy, integrity, and authenticity [ 3 ] [ 4 ] provided by these protocols are critical to allowing sensitive communications to occur . Without these systems, e - commerce, online banking , and business - to - business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities . Advanced Persistent Threat ( APT ) attackers [ 5 ] , botnets [ 6 ] , and eve n commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end - to - end encrypted channels. Web proxies, data loss prevention ( DLP ) systems, spec ialized threat detection solutions, and network intrusion prevention systems ( N IPS ) offer functionality to intercept, inspect , and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surve illance of encrypted communications by governments. Broadly classified as “SSL/TLS interception proxies ,� these solutions act as a “ man in the middle , � violating the end - to - end security promises of SSL. This type of interception comes at a cost . Intercepti ng SSL - encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation . Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances
[Scriptless Attacks Stealing the Pie Without Touching the Sill](http://www.syssec.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf)
[Scriptless Attacks – Stealing the Pie Without Touching the Sill](http://www.syssec.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf)
* Due to their high practical impact, Cross-Site Scripting (X SS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, ad- dressing the causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scen arios. In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mit- igated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attac ks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive informati on from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrar y data displayed on a given website. We conclude this paper with a discussion of potential mit- igation techniques against this class of attacks. In additi on, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a de- tached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
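Review bot: the rewritten abstracts in this hunk (the self-exfiltration and SSL/TLS interception entries) replace closing quotation marks with `�` (`“self-exfiltration�`, `“ man in the middle , �`), which corrupts the text rather than fixing it; restore `”`. The same lines also keep PDF line-break hyphenation (`at- tack`, `con- tent`, `ex- tremely`, `In- ternet`, `counter- measures`, `re- quired`, `fingerprint- ing`) and the split tokens in the Jarmoc abstract (`eve n`, `spec ialized`, `N IPS`, `Intercepti ng`); since the commit already touches these lines, joining the broken words here would be worthwhile.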


+ 11
- 0
Draft/Wireless Networks & RF.md View File

@ -33,6 +33,17 @@ Aircrack https://www.aircrack-ng.org/doku.php?id=links
Ubertooth
Scapy
[Using Software Defined radio to attack Smart home systems](https://www.sans.org/reading-room/whitepapers/threats/software-defined-radio-attack-smart-home-systems-35922)
[Software Defined Radio for Infosec People 101](http://garrettgee.com/appearances/software-defined-radio-for-infosec-people-101/)
[Sniffing GSM with RTL-SDR](https://www.youtube.com/watch?v=7OW0YOa6CYs)
[Introduction to SDR and the Wireless Village(Defcon)](https://www.youtube.com/watch?v=F9kKo190_oE)
[Capturing and Cracking GSM traffic using a rtl-sdr](https://www.youtube.com/watch?v=TOl4Q4lyJTI)
[Decoding the LoRa IoT Protocol with an RTL-SDR](http://www.rtl-sdr.com/decoding-the-iot-lora-protocol-with-an-rtl-sdr/)
###<a name="general">General</a>


+ 2
- 2
README.md View File

@ -2,13 +2,13 @@
Information Security Reference That Doesn't Suck
####Goal:
#### Goal:
* Make it informal, list of techniques by grouping, references, better version of RTFM
* End goal is for it to be a rich resource of infosec knowledge for anyone to browse through as a jumping off point for various niches within infosec, or as a reference/recall method for other things.
#####This page
##### This page
* This page has links to *some* of the content on here. This is still very much a WIP. More content is within the Draft folder. If you want to contribute, feel free.
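Review bot: the `#### Goal:` and `##### This page` fixes are right (CommonMark requires a space after the `#` run for a heading), but the same no-space pattern remains in the other files touched by this commit, e.g. `####<a name="kerberos">Kerberos Related</a>` and `#####<a name="emc">Embedded Malicious Code</a>`; applying the same fix there would keep rendering consistent across the repository.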

