
more updates/cleaning(not really)

pull/8/head
root 6 years ago
parent
commit
c8743dca7e
30 changed files with 913 additions and 433 deletions
1. Draft/Anonymity Opsec Privacy -.md (+26, -7)
2. Draft/Attacking Defending Android -.md (+18, -9)
3. Draft/Attacking Defending iOS -.md (+7, -3)
4. Draft/Building A Pentest Lab.md (+1, -0)
5. Draft/Car Hacking.md (+22, -3)
6. Draft/Courses & Training -.md (+5, -0)
7. Draft/Cryptography & Encryption.md (+2, -0)
8. Draft/Defense (+49, -0)
9. Draft/Drones.md (+0, -0)
10. Draft/Embedded Device & Hardware Hacking -.md (+12, -2)
11. Draft/Exploit Development.md (+20, -4)
12. Draft/Fuzzing Bug Hunting.md (+60, -0)
13. Draft/Interesting Things Useful stuff.md (+54, -33)
14. Draft/Mainframes.md (+0, -0)
15. Draft/Malware.md (+3, -0)
16. Draft/Network Attacks & Defenses.md (+32, -14)
17. Draft/Network Security Monitoring & Logging.md (+22, -0)
18. Draft/Open Source Intelligence.md (+8, -16)
19. Draft/Password Bruting and Hashcracking.md (+21, -1)
20. Draft/Policy-Compliance.md (+0, -0)
21. Draft/Privilege Escalation & Post-Exploitation.md (+112, -20)
22. Draft/Programming - Languages Libs Courses References.md (+31, -19)
23. Draft/Reverse Engineering.md (+4, -0)
24. Draft/Social Engineering.md (+28, -7)
25. Draft/System Internals Windows and Linux Internals Reference.md (+8, -0)
26. Draft/Things added since last update.md (+0, -0)
27. Draft/Threat Modeling.md (+2, -0)
28. Draft/Web & Browsers.md (+35, -4)
29. Draft/Wireless Networks & RF.md (+17, -0)
30. Draft/things-added.md (+314, -291)

Draft/Anonymity Opsec Privacy -.md (+26, -7)

@ -14,16 +14,12 @@
| OS X Security and Privacy Guide | https://github.com/drduh/OS-X-Security-and-Privacy-Guide |
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
### Cull
| Title | Link
| -------- | --------- |
https://github.com/NullHypothesis/exitmap/issues/37
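Review bot: the table header `| Title | Link` under `### Cull` is missing its closing pipe and is followed by a bare URL (`https://github.com/NullHypothesis/exitmap/issues/37`) rather than a `| ... | ... |` row, so the table will not render; either make the issue link a row (`| exitmap issue #37 | https://github.com/NullHypothesis/exitmap/issues/37 |`) or drop the header and list it as a plain link like the Adam Curtis entry above it.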
@ -54,6 +50,14 @@ https://github.com/NullHypothesis/exitmap/issues/37
[How to Spot a Spook](https://cryptome.org/dirty-work/spot-spook.htm)
[China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
[Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
[Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
### <a name="how-tos"How-Tos</a>
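Review bot: the How-Tos heading's anchor is malformed: `### <a name="how-tos"How-Tos</a>` is missing the `>` that closes the opening tag, so the heading text is swallowed into the tag; it should read `### <a name="how-tos">How-Tos</a>`. The China travel laptop link also carries tracking query parameters (`?t=1&cn=...&iid=...&uid=...&nid=...`); trimming it to `https://mricon.com/i/travel-laptop-setup.html` avoids committing a per-user tracking id into the repo.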
@ -128,4 +132,19 @@ https://github.com/NullHypothesis/exitmap/issues/37
[exitmap](https://github.com/NullHypothesis/exitmap)
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
[howmanypeoplearearound](https://github.com/schollz/howmanypeoplearearound)
* Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡
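Review bot: the OnionCat entry is listed twice in a row; drop one of the two `[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)` lines.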

Draft/Attacking Defending Android -.md (+18, -9)

@ -37,19 +37,12 @@ Cull
### Cull/Sort
[Dex Education 201 - Anti-Emulation.pdf](https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf)
[Appie – Android Pentesting Portable Integrated Environment](https://manifestsecurity.com/appie/)
https://github.com/ucsb-seclab/baredroid
[Stunneller](https://github.com/ultramancool/Stunneler)
* Android app for easy stunnel usage
https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html
[Mobile self-defense - Karsten Nohl](https://www.youtube.com/watch?v=GeCkO0fWWqc)
[Appie – Android Pentesting Portable Integrated Environment](https://manifestsecurity.com/appie/)
http://nelenkov.blogspot.com
[Add Security Exception to APK](https://github.com/levyitay/AddSecurityExceptionAndroid)
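Review bot: in the Cull/Sort block, Appie appears twice (`[Appie – Android Pentesting Portable Integrated Environment](https://manifestsecurity.com/appie/)` is listed both before and after the Stunneller entry); drop one. The link text `[Stunneller]` also disagrees with the repository name in its URL (`ultramancool/Stunneler`), and three entries (`https://github.com/ucsb-seclab/baredroid`, the gdssecurity blog post and `http://nelenkov.blogspot.com`) are bare URLs with no title, unlike the rest of the file.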
@ -75,8 +68,8 @@ http://nelenkov.blogspot.com
| **Android Forensics Class** - Free - This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.| http://opensecuritytraining.info/AndroidForensics.html)
| **Android Hardening Guide by the TOR developers** - This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently. The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service. Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.| https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)
| **Android 4.0+ Hardening Guide/Checklist by University of Texas** | https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)
[Mobile self-defense - Karsten Nohl](https://www.youtube.com/watch?v=GeCkO0fWWqc)
#### Applications
| Title | Link |
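Review bot: the three table rows in this hunk end with a stray `)` after the URL (`http://opensecuritytraining.info/AndroidForensics.html)`, `https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)`, `https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)`), which becomes part of the link target when rendered; remove the parenthesis and close each row with `|`.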
@ -94,6 +87,9 @@ Personal favorite for making backups. Backups are stored locally or automaticall
[Helium Backup(Root Not Required)](https://play.google.com/store/apps/details?id=com.koushikdutta.backup&hl=en)
* Backs up data locally or to various cloud services. Local client available for backups directly to PC.
[Stunneller](https://github.com/ultramancool/Stunneler)
* Android app for easy stunnel usage
### Encryption
Check the Encryption section of the overall guide for more information.
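Review bot: the Stunneller entry added here under Applications duplicates the one in the Cull/Sort block earlier in the file; keep it in one place (Applications is its sorted home) and fix the link text to match the repository name `Stunneler`.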
@ -215,6 +211,10 @@ Check the Encryption section of the overall guide for more information.
| **Manifesto** - PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file. |https://github.com/maldroid/manifesto
| **Android Hacker Protection Level 0** - DEF CON 22 - Tim Strazzere and Jon Sawyer - Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire. | https://www.youtube.com/watch?v=vLU92bNeIdI
[kwetza](https://github.com/sensepost/kwetza)
* Python script to inject existing Android applications with a Meterpreter payload.
### **<a name="RE">Reverse Engineering Android</a>**
| Title | Link |
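Review bot: the Manifesto row ends in `|https://github.com/maldroid/manifesto` with no space after the pipe, while the row below uses `| https://...`; make the pipe spacing consistent so the table renders uniformly.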
@ -243,6 +243,15 @@ Check the Encryption section of the overall guide for more information.
[Hacking Android apps with FRIDA I](https://www.codemetrix.net/hacking-android-apps-with-frida-1/)
[Want to break some Android apps? - Android Crackmes- Carnal0wnage](http://carnal0wnage.attackresearch.com/2013/08/want-to-break-some-android-apps.html)
[Dex Education 201 - Anti-Emulation.pdf](https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf)
[List of Android Crackmes](https://forum.tuts4you.com/topic/33057-android-hackmes/)
[baredroid](https://github.com/ucsb-seclab/baredroid)
* BareDroid allows for bare-metal analysis on Android devices.
* [Paper](https://www.cs.ucsb.edu/%7Evigna/publications/2015_ACSAC_Baredroid.pdf)
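Review bot: `[Dex Education 201 - Anti-Emulation.pdf]` and baredroid now appear both here (with titles and the ACSAC paper link) and in the Cull/Sort block at the top of the file, where baredroid is the bare URL `https://github.com/ucsb-seclab/baredroid`; remove the Cull/Sort copies so each resource is listed once.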


Draft/Attacking Defending iOS -.md (+7, -3)

@ -35,7 +35,8 @@
[iOS Application Security Review Methodology](http://research.aurainfosec.io/ios-application-security-review-methodology/#snapshot)
* aurainfosec
[Secure iOS application development](https://github.com/felixgr/secure-ios-app-dev)
* This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications’ code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
@ -97,7 +98,8 @@
| **idb - iOS Blackbox Pentesting - Daniel A Meyer** | http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf
| **idb github page** | https://github.com/dmayer/idb
[needle](https://github.com/mwrlabs/needle)
* Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps.
@ -108,7 +110,7 @@
| Title | Link |
| -------- | ------------------------ |
[Write-up for alloc8: untethered bootrom exploit for iPhone 3GS](https://github.com/axi0mX/alloc8)
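Review bot: the `| Title | Link |` header and separator are immediately followed by a plain markdown link (`[Write-up for alloc8: untethered bootrom exploit for iPhone 3GS](https://github.com/axi0mX/alloc8)`) rather than a `| ... | ... |` row, so the table is empty and the link renders outside it; either make it a row or drop the header.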
@ -145,6 +147,8 @@
| The iPhone Wiki** - The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices. | http://theiphonewiki.com/wiki/Main_Page
| **OWASP Jailbreaking Cheat Sheet** | https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
[ipwndfu](https://github.com/axi0mX/ipwndfu)
* open-source jailbreaking tool for older iOS devices
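Review bot: the iPhone Wiki row has unbalanced bold markers: `| The iPhone Wiki** -` is missing the opening `**` that the neighbouring row (`| **OWASP Jailbreaking Cheat Sheet**`) uses, so the stray `**` will render literally.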


Draft/Building A Pentest Lab.md (+1, -0)

@ -14,6 +14,7 @@
### General
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
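Review bot: typo in the link text `[Install AD DS using Powerhsell]`; it should read `PowerShell`.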


Draft/Car Hacking.md (+22, -3)

@ -16,8 +16,6 @@ http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
### End cull
@ -29,17 +27,37 @@ http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
[Intro to Automotive Security - Ariel Zentner](https://www.youtube.com/watch?v=yAzqFhq06_E)
[The OpenXC Platform](http://openxcplatform.com/)
* OpenXC™ is a combination of open source hardware and software that lets you extend your vehicle with custom applications and pluggable modules.
## Writeups/Blogposts/How-To
[Broadcasting Your Attack: Security Testing DAB Radio In Cars](https://www.youtube.com/watch?v=ryNtz1nxmO4)
[Tesla Model S JSON API (unofficial RE post)](http://docs.timdorr.apiary.io/#reference/vehicles)
## Talks & Presentations
[Hacking Cars with Python -Eric Evenchick PyCon 2017](https://www.youtube.com/watch?v=3bZNhMcv4Y8&app=desktop)
* Modern cars are networks of computers, and a high end vehicle could have nearly 100 different computers inside. These devices control everything from the engine to the airbags. By understanding how these systems work, we can interface with vehicles to read data, perform diagnostics, and even modify operation. In this talk, we'll discuss pyvit, the Python Vehicle Interface Toolkit. This library, combined with some open source hardware, allows developers to talk to automotive controllers from Python. We will begin with an introduction to automotive networks, to provide a basis for understanding the tools. Next, we will look at the tools and show the basics of using them. Finally, we'll discuss real world applications of these tools, and how they're being used in the automotive world today.
[Adventures in Automotive Networks and Control Units](https://www.youtube.com/watch?v=MEYCU62yeYk&app=desktop)
* Charlie Miller & Chris Valasek
## Tools
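Review bot: `[Broadcasting Your Attack: Security Testing DAB Radio In Cars](https://www.youtube.com/watch?v=ryNtz1nxmO4)` is a recorded talk but is filed under `## Writeups/Blogposts/How-To`; move it to `## Talks & Presentations` with the other YouTube entries so the section split stays meaningful.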
@ -55,7 +73,8 @@ http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
[canspy](https://github.com/manux81/canspy)
* Very simple tool for users who need to interface with a device based on CAN (CAN/CANopen/J1939/NMEA2000/DeviceNet) such as motors, sensors and many other devices.
[CBM - The Bicho](https://github.com/UnaPibaGeek/CBM)
* For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)


Draft/Courses & Training -.md (+5, -0)

@ -56,6 +56,11 @@ These classes are all focused on computer/information security. If you're lookin
### General Classes
[Learning How to Learn](https://www.coursera.org/learn/learning-how-to-learn)
* Free Coursera Course
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks”) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
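Review bot: the description copied for Learning How to Learn contains a stray word (`We’ll learn about the how the brain uses`); trim to `about how the brain uses`. The ENISA description is a run-on (`was introduced in 2008, in 2012 and 2013 it was complemented`); a full stop after `2008` reads better.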


Draft/Cryptography & Encryption.md (+2, -0)

@ -49,6 +49,8 @@ http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
[Matsano Crypto Challenges](Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
[A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
* Version 0.3 - posted Dec. 9, 2016
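Review bot: the target in `[Matsano Crypto Challenges](Cryptopals.co)` has no scheme, so markdown renders it as a relative path inside the repo rather than an external link; use a full `https://` URL. The company name is also spelled `Matasano` elsewhere in this commit (the idb entry's matasano.com URL in the iOS file).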


Draft/Defense (+49, -0)

@ -0,0 +1,49 @@
Defense:
[Simple WMI Trace Viewer in PowerShell](https://chentiangemalc.wordpress.com/2017/03/24/simple-wmi-trace-viewer-in-powershell/)
[Active Directory: Real Defense for Domain Admins](https://www.irongeek.com/i.php?page=videos/derbycon4/t213-active-directory-real-defense-for-domain-admins-jason-lang)
* Did your AD recently get owned on a pentest? It’s always fun to see an unknown entry show up in your Domain Admins group (#fail). Come learn how to truly protect your organization’s IT crown jewels from some of the most popular AD attacks. If you’re stuck trying to figure out what to do with null sessions, pass the hash techniques, or protecting your Domain Admins, then you will want to be here.
[Active Directory Design Best Practices](https://krva.blogspot.com/2008/04/ad-design-best-practices.html)
[Application Whitelisting Using Microsoft AppLocker](https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm)
[Just Enough Administration Samples and Resources](https://github.com/PowerShell/JEA)
* Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
[Detecting DLL Hijacking
on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)
[BEAMGUN](https://github.com/JLospinoso/beamgun)
* A rogue-USB-device defeat program for Windows.
[Powershell Security at Enterprise Customers](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
[AIL framework - Analysis Information Leak framework](https://github.com/CIRCL/AIL-framework)
* AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
[Linux workstation security checklist](https://github.com/lfit/itpol/blob/master/linux-workstation-security.md)
[What would a real hacker do to your Active Directory](https://www.youtube.com/watch?v=DH3v8bO-NCs)
[Mozilla's OpenSSH Configuration guide](https://wiki.mozilla.org/Security/Guidelines/OpenSSH)
Use Invoke-HoneyCreds to distribute fake cred throughout environment as "legit" service account and monitor for use of creds
[SMB Packet Signing](https://technet.microsoft.com/en-us/library/cc180803.aspx)
[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
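Review bot: the `[Detecting DLL Hijacking` link is split across two lines, so the `[...](...)` markdown never closes and the entry renders as literal text; join it into `[Detecting DLL Hijacking on Windows](http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/)`. The `Use Invoke-HoneyCreds to distribute fake cred...` line is a bare note with no link, unlike every other entry, and `Defense:` at the top is a plain label rather than a heading; a `#` heading would match the other draft files.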

Draft/Drones.md (+0, -0)


Draft/Embedded Device & Hardware Hacking -.md (+12, -2)

@ -69,8 +69,6 @@ http://greatscottgadgets.com/infiltrate2013/
### <a name="generalhw">General Hardware Hacking</a>
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
@ -96,6 +94,14 @@ http://greatscottgadgets.com/infiltrate2013/
* Interested in hardware hacking but not quite sure where to start? Does the thought of soldering thrill you (or scare you)? Come check out this talk to see just how easy it is to jump into this exciting field of research! Many people and companies use similar models of hardware. Unlike software, these devices rarely receive security updates. Sometimes, used devices are sold without clearing the configurations and important data is left behind. After this talk, you will know how to find hidden interfaces on these devices, start searching for vulnerabilities and sensitive information, and have irresistible urges to go home and tear apart all your old networking equipment. Did we mention...live demo?
[ThunderGate](http://thundergate.io/)
* ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
### <a name="routers">Attacking Routers</a>
@ -168,7 +174,11 @@ http://greatscottgadgets.com/infiltrate2013/
[Modbus Protocol Overview](https://www.lammertbies.nl/comm/info/modbus.html)
[ISO/IEC 7816](https://en.wikipedia.org/wiki/ISO/IEC_7816)
[ISO/IEC 15693](https://en.wikipedia.org/wiki/ISO/IEC_15693)
[ISO/IEC 14443](https://en.wikipedia.org/wiki/ISO/IEC_14443)


Draft/Exploit Development.md (+20, -4)

@ -66,9 +66,6 @@ Corelan Exploit Series
[Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
[BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks](http://cd80.ca/files/bubble.pdf)
* Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
[DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
* A tool to create a JScript file which loads a .NET v2 assembly from memory.
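Review bot: the BuBBle abstract was pasted from the PDF with line-break artifacts (`script- ing`, `r eliability`, `heap-s praying`); fix the broken words. The same entry and abstract are also added further down in this commit under `### Anti-Exploit Development`, which is the better home for a countermeasure paper; keep only that copy.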
@ -78,6 +75,14 @@ Corelan Exploit Series
[Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
[AV_Kernel_Vulns](https://github.com/bee13oy/AV_Kernel_Vulns)
* Pocs for Antivirus Software‘s Kernel Vulnerabilities
[GEF](https://github.com/hugsy/gef)
* GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploiters and reverse-engineers, to provide additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.
#### end sort
@ -664,7 +669,9 @@ https://www.exploit-db.com/docs/18482.pdf
[Writing Exploits for Win32 Systems from Scratch](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
[Strengthening the Microsoft Edge Sandbox](https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/#Y6ziSVVBqc1TPHFp.97)
[Mitigating arbitrary native code execution in Microsoft Edge](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/#fAlvade7vV0bQrWs.97)
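Review bot: the two Microsoft Edge blog URLs end in fragments (`#Y6ziSVVBqc1TPHFp.97`, `#fAlvade7vV0bQrWs.97`) that look like share-button tracking ids rather than anchors on the page; strip them so the links are stable and carry no tracking state.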
@ -1003,6 +1010,8 @@ Metasploit
### <a name="writeups">Miscellaneous Exploit Writeups</a>
[MALLOC DES-MALEFICARUM - blackngel](http://phrack.org/issues/66/10.html)
@ -1125,4 +1134,11 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[XiphosResearch PoC Exploits](https://github.com/XiphosResearch/exploits)
* Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
[exploit-db.org](https://www.exploit-db.org)
[exploit-db.org](https://www.exploit-db.org)
### Anti-Exploit Development
[BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks](http://cd80.ca/files/bubble.pdf)
* Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
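Review bot: `[exploit-db.org](https://www.exploit-db.org)` is listed twice in a row; drop one. The host is also suspect: the context line at the top of the previous hunk (`https://www.exploit-db.com/docs/18482.pdf`) uses `exploit-db.com`, so verify which domain is intended before keeping an `.org` link readers will click. The BuBBle entry here repeats the one near the top of the file.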

Draft/Fuzzing Bug Hunting.md (+60, -0)

@ -6,6 +6,7 @@ TOC
* [Techniques](#tech)
* [Methodologies](#method)
* [Write-ups](#writeup)
* [Training](#training)
* [Tools](#tools)
* [Papers](#papers)
* [Presentations](#presen)
@ -18,12 +19,21 @@ TOC
#### sort
https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
#### end sort
##### To Do
* Add Descriptions/generals to types of fuzzing
### General
[Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
[15 minute guide to fuzzing](https://www.mwrinfosecurity.com/our-thinking/15-minute-guide-to-fuzzing/)
[Fuzzing basics...how to break software - grid - Scott M](http://www.irongeek.com/i.php?page=videos/derbycon6/411-fuzzing-basicshow-to-break-software-grid-aka-scott-m)
* Ever wanted to break software? You know you want to...it's fun! In this talk, I will share some tools & techniques I've used to improve software by breaking it.
@ -31,6 +41,15 @@ TOC
[Basic fuzzing framework](https://www.cert.org/vulnerability-analysis/tools/bff-download.cfm)
[Fuzzing 101 (Part 1)]()
[Fuzzing 101 (Part 2)](https://vimeo.com/5237484)
[Fuzzing workflows; a fuzz job from start to finish](https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/)
[Youtube Playlist of Fuzzing Videos](https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD)
### Blogposts
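Review bot: `[Fuzzing 101 (Part 1)]()` has an empty link target, so it renders as the literal text `[Fuzzing 101 (Part 1)]()`; add the URL or drop the entry until it is found (Part 2 points at `https://vimeo.com/5237484`).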
@ -141,6 +160,7 @@ TOC
[Fuzzing Object s d’ART Digging Into the New Android L Runtime Internals](http://census-labs.com/media/Fuzzing_Objects_d_ART_hitbsecconf2015ams_WP.pdf)
[Browser bug hunting - Memoirs of a last man standing, Atte Kettunen](https://vimeo.com/109380793)
[Unusual bugs - 23C3](https://www.youtube.com/watch?v=qj79Qdmw0Pk) * In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
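Review bot: the Unusual bugs entry puts its description bullet (`* In this presentation I'll present...`) on the same line as the link instead of on its own line like every other entry in the file, so the `*` renders literally; move it to a new line.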
@ -155,7 +175,11 @@ TOC
### Training
[Modern fuzzing of C/C++ Projects - Slides](https://docs.google.com/presentation/d/1pbbXRL7HaNSjyCHWgGkbpNotJuiC4O7L_PDZoGqDf5Q/edit#slide=id.p4)
[libfuzzer-workshop](https://github.com/Dor1s/libfuzzer-workshop)
* Materials of "Modern fuzzing of C/C++ Projects" workshop.
### <a name="tools">Tools</a>
@ -193,13 +217,35 @@ TOC
[Kitty][https://github.com/cisco-sas/kitty]
* Fuzzing framework written in python(Not a fuzzer)
[IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - The best disassembler
[binnavi](https://github.com/google/binnavi) - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.
[Capstone](https://github.com/aquynh/capstone) - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
[KernelFuzzer](https://github.com/mwrlabs/KernelFuzzer)
* Cross Platform Kernel Fuzzer Framework.
[honggfuzz](http://google.github.io/honggfuzz/)
* A general-purpose, easy-to-use fuzzer with interesting analysis options.
[Hodor Fuzzer](https://github.com/nccgroup/hodor)
* Yet Another general purpose fuzzer.
[libFuzzer](http://libfuzzer.info)
* In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
[Fuzzapi](https://github.com/lalithr95/fuzzapi)
* Fuzzapi is rails application which uses API_Fuzzer and provide UI solution for gem.
[ansvif](https://oxagast.github.io/ansvif/)
* An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
[Nightmare](https://github.com/joxeankoret/nightmare)
* A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.
[rage_fuzzer](https://github.com/deanjerkovich/rage_fuzzer)
* A dumb protocol-unaware packet fuzzer/replayer.
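Review bot: `[Kitty][https://github.com/cisco-sas/kitty]` uses square brackets around the URL instead of parentheses, so it is parsed as a reference-style link with no matching definition and will not render; change it to `[Kitty](https://github.com/cisco-sas/kitty)`. IDA Pro, binnavi and Capstone are disassembly and binary-analysis tools rather than fuzzers and use a different `name - description` line style from the rest of the Tools list; they would fit better in the Reverse Engineering file.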
@ -228,6 +274,14 @@ TOC
[Google - AddressSanitizer, ThreadSanitizer, MemorySanitizer, LeaksSanitizer](https://github.com/google/sanitizers)
* This project is the home for Sanitizers: AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer. The actual code resides in the LLVM repository. Here we keep extended documentation, bugs and some helper code.
[syzkaller](https://github.com/google/syzkaller)
* Distributed, unsupervised, coverage-guided Linux syscall fuzzer.
#### Android Specific
[MFFA - Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA)
@ -250,6 +304,12 @@ Fuzzing with Peach tutorial
* [Fuzzing Vulnserver with Peach 3](http://rockfishsec.blogspot.com/2014/01/fuzzing-vulnserver-with-peach-3.html)
### Taint Analysis
[PANDA ( Platform for Architecture-Neutral Dynamic Analysis )](https://github.com/moyix/panda)
[QIRA (QEMU Interactive Runtime Analyser)](http://qira.me/)
### <a name="misc">Misc</a>


Draft/Interesting Things Useful stuff.md (+54, -33)

@ -8,6 +8,38 @@ TOC
* [Interesting & Useful Write-ups](#writeup)
#### To Sort
https://www.youtube.com/watch?v=h92vmwg9Tyc
| **ClearImage Free Online Barcode Reader / Decoder** | http://online-barcode-reader.inliteresearch.com/
http://spth.virii.lu/articles.htm
[LuxBase](https://github.com/kienankb/LuxBase)
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
## Attribution
[Cyber Attack Attribution Report](http://whohackedus.com/)
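Review bot: the `#### To Sort` block mixes `| **Title** | url` table rows (ClearImage, the two boarding-pass guides, Universal Extractor, NSA USB Playset) with bare URLs and `[title](url)` links, and there is no `| Title | Link |` header above them, so the pipe rows will not render as a table; pick one form. `ShmooCon201` in the NSA USB Playset title also looks truncated.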
@ -25,6 +57,7 @@ TOC
[Timeline/List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!](http://timeglider.com/timeline/5ca2daa6078caaf4)
[Timeline of Software/Timing Attestation papers](http://timeglider.com/timeline/be11d685a7c4374d)
http://www.securitywizardry.com/radar.htm
@ -49,52 +82,28 @@ http://www.securitywizardry.com/radar.htm
[What happens when…](https://github.com/alex/what-happens-when)
* An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
#### Tamper Evidence
[How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty (paper)](https://www.scribd.com/document/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voiding-Your-XBox-Warranty-paper)
[Encyclopedia of things considered harmful](http://harmful.cat-v.org/)
[Manuals Library](https://www.manualslib.com/)
[THE BASIC LAWS OF HUMAN STUPIDITY - Carlo M. Cipolia](http://harmful.cat-v.org/people/basic-laws-of-human-stupidity/)
[The S stands for Simple](http://harmful.cat-v.org/software/xml/soap/simple)
* Satire(Only it's not) of a conversation about SOAP
#### To Sort
#### Tamper Evidence
[How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty (paper)](https://www.scribd.com/document/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voiding-Your-XBox-Warranty-paper)
https://www.youtube.com/watch?v=h92vmwg9Tyc
[chipmachine](https://github.com/sasq64/chipmachine)
[List of hacker sites](http://link-base.org/)
| **ClearImage Free Online Barcode Reader / Decoder** | http://online-barcode-reader.inliteresearch.com/
[Foreign LINUX](https://github.com/wishstudio/flinux)
*Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in constrast to Cygwin and other tools. It now runs a large bunch of console applications and some GUI applications.
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers)
http://spth.virii.lu/articles.htm
[LuxBase](https://github.com/kienankb/LuxBase)
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
[Unicorn-Engine](http://www.unicorn-engine.org/)
* Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
[#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI](https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)
##### Regex for credit cards
* [Link](http://www.regular-expressions.info/creditcard.html)
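Review bot: `#### Tamper Evidence` and its single entry (How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty) appear twice in this hunk, once before `#### To Sort` and once right after it; keep one. Also in this hunk: the Foreign LINUX description starts with `*Foreign LINUX` (an italic marker, not a bullet) and contains the typo `constrast`; the `##### Regex for credit cards` heading carries a bare `* [Link](…)` bullet that would read better as `[Regex for credit cards](http://www.regular-expressions.info/creditcard.html)`; and Unicorn-Engine, Hide data inside pointers, chipmachine and List of hacker sites all reappear in the later hunks of this file, so this `To Sort` block duplicates entries the file already has.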
@ -166,7 +175,7 @@ http://spth.virii.lu/articles.htm
* This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
* We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
[#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI](https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)
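Review bot: the `#OLEOutlook` entry on the last line of this hunk is identical to the one added under `#### To Sort` earlier in this file (and it is added a third time in the Privilege Escalation file in this commit); keep a single copy per file, or at least remove the `To Sort` duplicate.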
@ -313,6 +322,9 @@ http://spth.virii.lu/articles.htm
[algo](https://github.com/trailofbits/algo)
* 1-click IPSEC VPN in the Cloud
[Unicorn-Engine](http://www.unicorn-engine.org/)
* Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
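Review bot: the Unicorn-Engine entry and its description bullet at the end of this hunk are the same two lines that appear under `#### To Sort` above; if this is the intended home, drop the `To Sort` copy.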
@ -335,7 +347,13 @@ http://spth.virii.lu/articles.htm
### Interesting Programming
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers)
Underhanded Crypto
Underhanded C
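Review bot: `Underhanded Crypto` and `Underhanded C` are bare names with no link, unlike every other entry in the section; either add their URLs or leave them out until they are sorted. The `Hide data inside pointers` link here also duplicates the copy under `#### To Sort` above and the one added to the Programming file in this commit.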
@ -445,6 +463,9 @@ http://spth.virii.lu/articles.htm
http://www.mmoviper.com/
[chipmachine](https://github.com/sasq64/chipmachine)
[moflow](https://github.com/vrtadmin/moflow)
* Release Branches for MoFlow
* Release Branches for MoFlow
[List of hacker sites](http://link-base.org/)
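Review bot: the `* Release Branches for MoFlow` bullet is repeated on two consecutive lines under the moflow entry; drop one. `http://www.mmoviper.com/` is a bare URL without a title, and chipmachine and List of hacker sites are the same entries that were added under `#### To Sort` above, so confirm which copy is meant to stay.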

+ 0 - 0 Draft/Mainframes.md

+ 3 - 0 Draft/Malware.md

@ -27,6 +27,9 @@ https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
[malboxes](https://github.com/GoSecure/malboxes)
* Builds malware analysis Windows VMs so that you don't have to.
[PlugBot-C2C](https://github.com/redteamsecurity/PlugBot-C2C)
* This is the Command & Control component of the PlugBot project


+ 32 - 14 Draft/Network Attacks & Defenses.md

@ -22,22 +22,16 @@ TOC
##### To be sorted
http://www.pentest-standard.org/index.php/Intelligence_Gathering
[a](https://github.com/fmtn/a)
* ActiveMQ CLI testing and message management
[PiTap](https://github.com/williamknows/PiTap)
* Automatic bridge creation and packet capture (plug-and-capture) on a battery-powered Raspberry Pi with multiple network interfaces.
* [Blogpost]()
[sshuttle](https://github.com/apenwarr/sshuttle)
* Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
[Use DHCP to detect UEFI or Legacy BIOS system and PXE boot to SCCM](http://www.itfaq.dk/2016/07/27/use-dhcp-to-detect-uefi-or-legacy-bios-system-and-pxe-boot-to-sccm/)
[RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://tools.ietf.org/html/rfc2827)
##### sort end
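Review bot: `* [Blogpost]()` under PiTap is an empty link; fill in the URL or remove the bullet until it is known. The sshuttle and `Use DHCP to detect UEFI or Legacy BIOS` entries in this `To be sorted` block also appear in later hunks of this file (sshuttle in the next hunk, the DHCP link in the last one), so confirm these are the removed side of a move and not duplicates.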
@ -230,6 +224,9 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
* Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even
when directory browsing is turned off.
[sshuttle](https://github.com/apenwarr/sshuttle)
* Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
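Review bot: the sshuttle entry here is line-for-line the same as the one in the `##### To be sorted` hunk above; keep only this sorted copy. The `Rip web accessible…` description above it is also split across two lines mid-sentence (`even` / `when directory browsing is turned off.`), which renders as a broken bullet.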
@ -245,7 +242,8 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[SSLsplit - transparent and scalable SSL/TLS interception](https://www.roe.ch/SSLsplit)
* SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing. SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6.
[Seth](https://github.com/SySS-Research/Seth)
* Seth is a tool written in Python and Bash to MitM RDP connections. It attempts to downgrade the connection and extract clear text credentials.
@ -262,6 +260,8 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[WPScan](https://github.com/wpscanteam/wpscan)
* WPScan is a black box WordPress vulnerability scanner.
[dns-discovery](https://github.com/mafintosh/dns-discovery)
* Discovery peers in a distributed system using regular dns and multicast dns.
[Enumerator](https://pypi.python.org/pypi/enumerator/0.1.4)
* enumerator is a tool built to assist in automating the often tedious task of enumerating a target or list of targets during a penetration test.
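Review bot: the dns-discovery bullet reads `Discovery peers in a distributed system`; it should be `Discover peers…`. It also sits between WPScan and Enumerator, which are target-enumeration tools, while dns-discovery is a developer library for peer discovery over DNS/mDNS, so it may belong under a different heading.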
@ -303,6 +303,18 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[ssh-audit](https://github.com/arthepsy/ssh-audit)
* SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
[Knockpy](https://github.com/guelfoweb/knock)
* Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
[sub6](https://github.com/YasserGersy/sub6)
* subdomain take over detector and crawler
[CloudFail](https://github.com/m0rtem/CloudFail)
* CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server.
[AQUATONE](https://github.com/michenriksen/aquatone)
* AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
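Review bot: Knockpy, sub6, CloudFail and AQUATONE are all subdomain/DNS reconnaissance tools, but they are appended directly after ssh-audit; giving them their own sub-heading (for example a DNS/subdomain enumeration group) would keep the section navigable and make later additions easier to place.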
@ -351,6 +363,11 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[ C3CM: Defeating the Command - Control - and Communications of Digital Assailants](http://www.irongeek.com/i.php?page=videos/derbycon4/t206-c3cm-defeating-the-command-control-and-communications-of-digital-assailants-russ-mcree)
* C3CM: the acronym for command- control- and communi - cations countermeasures. Ripe for use in the information security realm, C3CM takes us past C2 analysis and to the next level. Initially, C3CM was most often intended to wreck the command and control of enemy air defense networks, a very specific military mission. We’ll apply that mindset in the context of combating bots and other evil. Our version of C3CM therefore is to identify, interrupt, and counter the command, control, and communications capabilities of our digital assailants. The three phases of C3CM will utilize: Nfsight with Nfdump, Nfsen, and fprobe to conduct our identification phase, Bro with Logstash and Kibana for the interruption phase, and ADHD for the counter phase. Converge these on one useful platform and you too might have a chance deter those who would do you harm. We’ll discuss each of these three phases (identify, interrupt, and counter) with tooling and tactics, complete with demonstrations and methodology attendees can put to use in their environments. Based on the three part ISSA Journal Toolsmith series: http://holisticinfosec. blogspot.com/search?q=c3cm&max-results=20&by-date=true
[DNS Dark Matter Discovery Theres Evil In Those Queries - Jim Nitterauer](https://www.youtube.com/watch?v=-A2Wqagz73Y)
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
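Review bot: the C3CM description still carries extraction damage from the talk abstract: `communi - cations` should be `communications`, and the trailing reference `http://holisticinfosec. blogspot.com/…` has a space inside the hostname, so it will not render as a working link. The `Passive IPS Reconnaissance and Enumeration` entry and its abstract are also added verbatim to the Network Security Monitoring file in this same commit; cross-listing is fine if intended, but pick one home or say why it is in both.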
@ -375,8 +392,9 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
* In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.
[State of IP Spoofing](https://spoofer.caida.org/summary.php)
[Use DHCP to detect UEFI or Legacy BIOS system and PXE boot to SCCM](http://www.itfaq.dk/2016/07/27/use-dhcp-to-detect-uefi-or-legacy-bios-system-and-pxe-boot-to-sccm/)
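Review bot: the `Use DHCP to detect UEFI or Legacy BIOS system and PXE boot to SCCM` link on the last line is identical to the one in the `##### To be sorted` hunk at the top of this file; keep only one. Since it is a deployment/PXE article rather than an attack or defense technique, a one-line note on why it is listed here would help readers.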


+ 22 - 0 Draft/Network Security Monitoring & Logging.md

@ -22,6 +22,9 @@ Cull
#### Cull
[SweetSecurity](https://github.com/TravisFSmith/SweetSecurity)
* Scripts to setup and install Bro IDS, Elastic Search, Logstash, Kibana, and Critical Stack on a Raspberry Pi 3 device.
[laikaboss](https://github.com/lmco/laikaboss)
@ -37,6 +40,25 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
[](http://www.appliednsm.com/introducing-flowbat/)
* Awesome flow tool, SiLK backend
[Stenographer](https://github.com/google/stenographer)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[ROCK NSM](http://rocknsm.io/)
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[PCAPDB](https://github.com/dirtbags/pcapdb)
* PcapDB is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system. Captured packets are reorganized during capture by flow (an indefinite length sequence of packets with the same src/dst ips/ports and transport proto), indexed by flow, and searched (again) by flow. The indexes for the captured packets are relatively tiny (typically less than 1% the size of the captured data).
[Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation](https://github.com/jzadeh/Aktaion)
* Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is it provides an expressive mechanism to add high level IOCs (micro beahviors) such as timing behavior of a certain malware family.
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
#### End Cull
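Review bot: the `[](http://www.appliednsm.com/introducing-flowbat/)` entry has empty link text; from the URL this is FlowBAT, so `[FlowBAT](http://www.appliednsm.com/introducing-flowbat/)`. Other points in this hunk: `beahviors` in the Aktaion description should be `behaviors`; ROCK NSM has two consecutive links (site and reference build) with no description bullet, unlike the surrounding entries; and the `Passive IPS Reconnaissance` entry is the same text added to the Network Attacks file in this commit.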


+ 8 - 16 Draft/Open Source Intelligence.md

@ -12,30 +12,16 @@
#### Cull
[LinkedIn Gatherer](https://github.com/DisK0nn3cT/linkedin-gatherer )
[OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
http://computercrimeinfo.com/cleaningid.html
[OSINT - onstrat](http://www.onstrat.com/osint/)
[OSINT Resources - greynetwork2](https://sites.google.com/site/greynetwork2/home/osint-resources)
[Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
http://toddington.com/resources/
www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
#### End cull
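Review bot: `www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\` has no scheme and a stray trailing backslash, so it will not render as a link; make it `http://www.osintinsight.com/shared.php?user=Mediaquest&folderid=0`. The LinkedIn Gatherer URL has a trailing space inside the parentheses (`linkedin-gatherer )`), which breaks the link in some renderers, and the bare `http://computercrimeinfo.com/cleaningid.html` and `http://toddington.com/resources/` lines have no titles.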
@ -65,7 +51,7 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[Email Reconnaissance and Phishing Template Generation Made Simple](https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/)
[OSINT Resources - greynetwork2](https://sites.google.com/site/greynetwork2/home/osint-resources)
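Review bot: the `OSINT Resources - greynetwork2` entry on the last line of this hunk is the same link that appears in the `#### Cull` block above; if this is its sorted home, drop the Cull copy.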
@ -204,6 +190,12 @@ Reference Site: http://osintinsight.com/shared.php?expand=169,175&folderid=0&use
[DataSploit](https://github.com/DataSploit/datasploit)
A tool to perform various OSINT techniques, aggregate all the raw data, and give data in multiple formats.
[LinkedIn Gatherer](https://github.com/DisK0nn3cT/linkedin-gatherer )
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
[OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
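Review bot: the DataSploit description (`A tool to perform various OSINT techniques…`) is a plain line rather than a `* ` bullet, unlike PowerMeta just below it; add the bullet prefix. The LinkedIn Gatherer URL still has the trailing space before `)` here as well, and both LinkedIn Gatherer and OSINT Mantra are the same links as in the Cull block at the top of the file, so confirm the Cull copies are the ones being removed.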


+ 21 - 1 Draft/Password Bruting and Hashcracking.md

@ -14,7 +14,8 @@ Cull
* [Write-ups/Guides](#writeup)
* [Miscellaneous](#misc)
* [Wordlists](#wordlist)
* [Wordlist Generation](#
* [Wordlist Generation](#)
* [Talks & Presentations](#)
* [Papers](#papers)
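Review bot: the `Wordlist Generation` and `Talks & Presentations` TOC entries both link to `(#)`, an empty anchor, while the neighbouring entries use named anchors like `#wordlist` and `#papers`; add `<a name="…">` anchors to the two headings and reference them here. The hunk also shows the earlier truncated `(#` form being replaced, so this is the moment to complete it rather than leave a second placeholder.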
@ -26,6 +27,8 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
* Wordlists sorted by popularity originally created for password generation and testing
### End cull
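Review bot: the bullet `Wordlists sorted by popularity originally created for password generation and testing` at the top of this hunk has no link line above it in the cull block, and it is the description of Probable-Wordlists, which is added under the Wordlists section later in this file with near-identical wording (`sorted by probability`); make sure only the sorted copy survives.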
@ -34,6 +37,11 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
### <a name="general">General</a>
[HashView](https://github.com/hashview/hashview)
* Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
[Hashtag](http://www.smeegesec.com/2013/11/hashtag-password-hash-identification.html)
* Password hash identification tool written in python
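Review bot: `constiency` in the Hashview description should be `consistency`; since the text is copied from the project README, consider also trimming the `pretty pictures ready for ctrl+c, ctrl+v` tail to a one-line summary of what the tool does (a web front-end that manages hashcat jobs).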
@ -183,6 +191,18 @@ Hashcat attacks
[Crack Me if You Can - Defcon 2010](http://contest-2010.korelogic.com/wordlists.html)
[BEWGor](https://github.com/berzerk0/BEWGor)
* Bull's Eye Wordlist Generator
[Probable-Wordlists](https://github.com/berzerk0/Probable-Wordlists)
* Wordlists sorted by probability originally created for password generation and testing
### Talks & Presentations
[Cracking Corporate Passwords Exploiting Password Policy Weaknesses - Minga Rick Redm - Derbycon3](https://www.youtube.com/watch?v=qR-qRUbeKAo)
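Review bot: the new `### Talks & Presentations` heading is added without an `<a name>` anchor, so the TOC entry for it cannot point anywhere but `#`; add one in the same style as `### <a name="general">General</a>` earlier in this file (for example `### <a name="talks">Talks & Presentations</a>`, a suggested name).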


+ 0 - 0 Draft/Policy-Compliance.md

+ 112 - 20 Draft/Privilege Escalation & Post-Exploitation.md

@ -23,6 +23,7 @@
* Add section for powershell stuff specifically
* Add section for attacking Active Directory
* Section
* Sort sections so they make sense i.e. (WinPrivEsc Tools, Techniques, Things that may be handy..etc
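Review bot: `* Section` in the TODO list is an incomplete item with no subject; finish it or drop it. The `Add section for powershell stuff specifically` item can also be ticked off once the `<a name="powershell-stuff">` anchor added later in this commit is in place.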
@ -64,6 +65,12 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Pyekaboo](https://github.com/SafeBreach-Labs/pyekaboo)
* Pyekaboo is a proof-of-concept program that is able to to hijack/hook/proxy Python module(s) thanks to $PYTHONPATH variable. It's like "DLL Search Order Hijacking" for Python.
[OPSEC Considerations for Beacon Commands - CobaltStrike](https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/)
#### General Tools
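Review bot: `able to to hijack/hook/proxy` in the Pyekaboo description has a doubled `to`. The new `OPSEC Considerations for Beacon Commands` link has no description bullet, unlike Pyekaboo above it; a one-liner on what the post covers would keep the entry consistent with the rest of the section.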
@ -166,11 +173,19 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Level Up! - Practical Windows Privilege Escalation](https://www.slideshare.net/jakx_/level-up-practical-windows-privilege-escalation)
[Bypassing UAC on Windows 10 using Disk Cleanup](https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/)
#### Powershell Things
#### <a name="powershell-stuff">Powershell Things</a>
[PowerUp](https://github.com/HarmJ0y/PowerUp) * PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
[PowerOPS: PowerShell for Offensive Operations](https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/)
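Review bot: the PowerUp description is joined onto the link line with ` * PowerUp is a powershell tool…` instead of being a `* ` bullet on the following line, so it will render as one long paragraph; split it like the other entries. The heading change from `#### Powershell Things` to `#### <a name="powershell-stuff">Powershell Things</a>` looks right; check that the TOC at the top of the file points at `#powershell-stuff`.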
@ -218,6 +233,8 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[mimikittenz](https://github.com/putterpanda/mimikittenz/)
* A post-exploitation powershell tool for extracting juicy info from memory.
[nps - Not PowerShell](https://github.com/Ben0xA/nps)
* Execute powershell without powershell.exe
@ -299,7 +316,8 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[CredCrack](https://github.com/gojhonny/CredCrack)
* CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recusively in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded!
[MemoryModule](https://github.com/fancycode/MemoryModule)
* MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.
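Review bot: `recusively` in the CredCrack description should be `recursively`.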
@ -316,19 +334,8 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
### <a name="winpost">Post-Exploitation Windows</a>
[Abusing Active Directory in Post-Exploitation](https://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
[Dumping user passwords in plaintext on Windows 8.1 and Server 2012](http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html)
[I Hunt Sysadmins 2.0](http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20)
* It covers various ways to hunt for users in Windows domains, including using PowerView.
[Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014](http://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
[Post-Exploitation on Windows using ActiveX Controls](http://uninformed.org/?v=all&a=3&t=sumry)
[WMI Shell Tool](https://github.com/secabstraction/Create-WMIshell)
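Review bot: the `Abusing Active Directory in Post-Exploitation` talk appears twice in this hunk under two titles (`…Post-Exploitation` and `…Carlos Perez - Derbycon 2014`) with the same irongeek URL and the same abstract, and it appears a third time in the Active Directory hunk further down; this hunk is the right place to remove both Windows-section copies so the single AD-section entry remains. The same applies to `I Hunt Sysadmins 2.0`, which also moves to the AD hunk.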
@ -336,11 +343,6 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Windows - Application Shims](https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx)
[pywerview](https://github.com/the-useless-one/pywerview)
* A (partial) Python rewriting of PowerSploit's PowerView
[Advanced Targeted Attack. PoC Golden Ticket Attack - BSides Tampa 17](https://www.irongeek.com/i.php?page=videos/bsidestampa2017/102-advanced-targeted-attack-andy-thompson)
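Review bot: pywerview and the `Advanced Targeted Attack. PoC Golden Ticket Attack` talk reappear verbatim in the Active Directory hunk below, so this reads as a move; confirm these lines are the removed side here, otherwise the Windows section and the AD section will carry duplicates.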
@ -363,6 +365,57 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[DeathStar](https://github.com/byt3bl33d3r/DeathStar)
* DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques.
[Pen Testing Active Directory Series](https://blog.varonis.com/binge-read-pen-testing-active-directory-series/)
[Offensive Active Directory with Powershell](https://www.youtube.com/watch?v=cXWtu-qalSs)
[Abusing Active Directory in Post-Exploitation](https://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
* Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
[pywerview](https://github.com/the-useless-one/pywerview)
* A (partial) Python rewriting of PowerSploit's PowerView
[Advanced Targeted Attack. PoC Golden Ticket Attack - BSides Tampa 17](https://www.irongeek.com/i.php?page=videos/bsidestampa2017/102-advanced-targeted-attack-andy-thompson)
[I Hunt Sysadmins 2.0](http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20)
* It covers various ways to hunt for users in Windows domains, including using PowerView.
[Nodal Analysis of Domain Trusts – Maximizing the Win!](http://www.sixdub.net/?p=285)
[Derivative Local Admin](http://www.sixdub.net/?p=591)
[GoFetch](https://github.com/GoFetchAD/GoFetch)
* GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
[5 Ways to Find Systems Running Domain Admin Processes](https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/)
[DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer)
* Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output.
[Faster Domain Escalation using LDAP ](https://blog.netspi.com/faster-domain-escalation-using-ldap/)
[“I Hunt Sys Admins”](http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/)
[SessionGopher](https://github.com/fireeye/SessionGopher)
* SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
[Invoke-HostRecon](https://github.com/dafthack/HostRecon)
* This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
[Invoke-ProcessScan](https://github.com/vysec/Invoke-ProcessScan)
* Gives context to a system. Uses EQGRP shadow broker leaked list to give some descriptions to processes.
[Invoke-VNC](https://github.com/artkond/Invoke-Vnc)
* Powershell VNC injector
[AutoRuns PowerShell Module](https://github.com/p0w3rsh3ll/AutoRuns)
* AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
[7Zip4Powershell](https://github.com/thoemmi/7Zip4Powershell) * Powershell module for creating and extracting 7-Zip archives
[LyncSniper](https://github.com/mdsecresearch/LyncSniper)
* A tool for penetration testing Skype for Business and Lync deployments
* [Blogpost/Writeup](https://www.mdsec.co.uk/2017/04/penetration-testing-skype-for-business-exploiting-the-missing-lync/)
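Review bot: SessionGopher, Invoke-HostRecon, Invoke-ProcessScan, Invoke-VNC, AutoRuns and 7Zip4Powershell are general PowerShell post-exploitation and IR modules, not Active Directory material, yet they are appended to the AD block right after `“I Hunt Sys Admins”`; the `#### <a name="powershell-stuff">Powershell Things</a>` section this commit creates is the better home. Smaller points: `analyis` in the DomainTrustExplorer bullet should be `analysis`; `techinques` in the DeathStar bullet should be `techniques`; the 7Zip4Powershell description is joined onto its link line with ` * ` instead of a bullet on the next line; and the `“I Hunt Sys Admins”` link text uses curly quotes, unlike the plain `I Hunt Sysadmins 2.0` entry a few lines up.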
@ -382,7 +435,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Outlook and Exchange for the Bad Guys Nick Landers](https://www.youtube.com/watch?v=cVhc9VOK5MY)
[#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI](https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)
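Review bot: the `#OLEOutlook` link on the last line of this hunk is also added twice in the `Interesting Things Useful stuff` file in this commit; listing it once in the post-exploitation file makes sense, but the three copies should be reconciled.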
@ -409,6 +462,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
[Defending against mimikatz](https://jimshaver.net/2016/02/14/defending-against-mimikatz/)
[Unofficial Guide to Mimikatz](https://adsecurity.org/?page_id=1821)
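Review bot: `embeded` in the Pupy description should be `embedded`. The two new mimikatz links (`Defending against mimikatz`, `Unofficial Guide to Mimikatz`) have no description bullets, unlike Pupy above them; a one-liner each (defensive guidance versus a reference on the tool's modules) would help readers.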
@ -624,8 +678,46 @@ Startup folder on Win8
### AV Avoidance
[Sacred Cash Cow Tipping 2017 - BlackHills Infosec](https://www.youtube.com/watch?v=SVwv1dZCtWM)
* We're going to bypass most of the major antivirus programs. Why? 1) Because it's fun. 2) Because it'll highlight some of the inherent weaknesses in our environments today.
[avet framework](https://github.com/govolution/avet)
* AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques. In version 1.1 lot of stuff was introduced, for a complete overview have a look at the CHANGELOG file. Now 64bit payloads can also be used, for easier usage I hacked a small build tool (avet_fabric.py).
[Practical Anti-virus Evasion - Daniel Sauder](https://govolutionde.files.wordpress.com/2014/05/avevasion_pentestmag.pdf)
[Why Anti-Virus Software Fails](https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf)
[Don't Kill My Cat (DKMC)](https://github.com/Mr-Un1k0d3r/DKMC)
* Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool rely on PowerShell the execute the final shellcode payload.
#### <a name="exfil">Exfiltration</a>
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
### Payloads/Stuff/Idk
[genHTA](https://github.com/vysec/GenHTA)
* Generates anti-sandbox analysis HTA files without payloads
[morpHTA](https://github.com/vysec/MorphHTA)
* Morphing Cobalt Strike's evil.HTA
[KeeThief](https://github.com/HarmJ0y/KeeThief)
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
[pyrasite](https://github.com/lmacken/pyrasite)
* Tools for injecting arbitrary code into running Python processes.
[WsgiDAV](https://github.com/mar10/wsgidav)
* WsgiDAV is a generic WebDAV server written in Python and based on WSGI.
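Review bot: the `Data Exfiltration (Tunneling) Attacks against Corporate Network` link appears on two consecutive lines under `#### <a name="exfil">Exfiltration</a>`; drop one. Also in this hunk: `### Payloads/Stuff/Idk` is a placeholder heading name that needs a real title before merge, and as a `###` heading placed after the `####` Exfiltration heading it inverts the levels; `rely on PowerShell the execute the final shellcode payload` in the DKMC description should read `relies on PowerShell to execute…`; and WsgiDAV (a generic WebDAV server) and pyrasite (Python process injection) have little to do with payload generation, so say why they are listed here or move them.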

+ 31 - 19 Draft/Programming - Languages Libs Courses References.md

@ -23,28 +23,10 @@ Cull
###Cull
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
[Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
#####G etting Started with WindDbg Series - OpenSecurity Research
* [Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
[An Introduction to Debugging the Windows Kernel with WinDbg](http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/)
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers)
[Reflective DLL Injection](http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf)
http://en.cppreference.com/w/c
[rr]()
* rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.
https://github.com/mozilla/rr
[Record and Replay Debugging with Firefox](https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Record_and_Replay_Debugging_Firefox)
#### End Cull
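Review bot: the Cull block has `#####G etting Started with WindDbg Series` (misplaced space, and the tool is "WinDbg"), the Reflective DLL Injection PDF URL twice (once bare, once as `[Reflective DLL Injection](...)`), and `[rr]()` as an empty link with the repository URL on the following line. The same entries reappear under `### Articles` later in this file in proper `[title](url)` form, so if these are the lines the hunk removes this is fine; if any of them survive, fold the URL into the `rr` link and fix the heading.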
@ -56,6 +38,8 @@ https://github.com/mozilla/rr
###<a name="general">General</a>
[Secure Coding Standards - Android](https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535)
[Secure Coding Cheat Sheet - OWASP](https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet)
@ -71,9 +55,25 @@ https://github.com/mozilla/rr
[Hyperpolyglot](http://hyperpolyglot.org/)
[App Ideas - Stuff to build out ot improve your programming skills](https://github.com/tastejs/awesome-app-ideas)
### Articles
[Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
[An Introduction to Debugging the Windows Kernel with WinDbg](http://www.contextis.com/resources/blog/introduction-debugging-windows-kernel-windbg/)
[Hide data inside pointers](http://arjunsreedharan.org/post/105266490272/hide-data-inside-pointers)
[Record and Replay Debugging with Firefox](https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Record_and_Replay_Debugging_Firefox)
[rr](https://github.com/mozilla/rr)
* rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.
###<a name="sca">Source Code Analysis</a>
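Review bot: `###<a name="general">General</a>` and `###<a name="sca">Source Code Analysis</a>` have no space after the hashes. GitHub/Gitea-flavoured markdown does not treat `###foo` as a heading, so these render as literal text and the in-page anchors the table of contents points at do not become headings; use `### <a name="general">General</a>`, as the Social Engineering page already does with `### <a name="articles">`.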
@ -90,6 +90,8 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[Graudit](http://www.justanotherhacker.com/projects/graudit.html)
* Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
[PumaScan](https://github.com/pumasecurity/puma-scan)
* provides real time, continuous source code analysis
@ -300,3 +302,13 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
[Mov is turing complete](http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf)
### Talks & Presentations
[Simple Made Easy](https://www.infoq.com/presentations/Simple-Made-Easy)
* Rich Hickey emphasizes simplicity’s virtues over easiness’, showing that while many choose easiness they may end up with complexity, and the better way is to choose easiness along the simplicity path.
#### Other
[A successful Git branching model](http://nvie.com/posts/a-successful-git-branching-model/)

+ 4
- 0
Draft/Reverse Engineering.md View File

@ -32,7 +32,11 @@ To be sorted
### To be sorted
[Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
[bingrep](https://github.com/m4b/bingrep)
* Greps through binaries from various OSs and architectures, and colors them.
http://stunnix.com/prod/cxxo/
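Review bot: `http://stunnix.com/prod/cxxo/` is added as a bare URL with no title or description, unlike the `[bingrep](...)` entry just above it that gets a bullet explaining what it does; give it the same `[title](url)` plus one-line summary so a reader knows why it sits in the Reverse Engineering page.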


+ 28
- 7
Draft/Social Engineering.md View File

@ -17,18 +17,21 @@ CULL
#### sort
| **I Will Kill You** - Chris Rock(Defcon23)| https://www.youtube.com/watch?v=9FdHq3WfJgs
| **I Will Kill You** - Chris Rock(Defcon23)| https://www.youtube.com/watch?v=9FdHq3WfJg
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
#### end sort
[king-phisher](https://github.com/securestate/king-phisher)
* Phishing Campaign Toolkit
[gophish documentation](https://getgophish.com/documentation/)
[For The Win Tools Techniques to Maximize Effectiveness of Your Social Engineering Attacks - Joe Gray](https://www.youtube.com/watch?v=Jh9Kl4JAdEA)
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
#### end sort
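Review bot: the `I Will Kill You` talk is listed twice and the second copy's YouTube URL is truncated (`9FdHq3WfJg` versus `9FdHq3WfJgs`), so it points at a different, probably invalid, video id; keep only the full one. The `http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/` line and `#### end sort` also appear twice in this hunk, and the king-phisher, gophish and Joe Gray entries added here in the `#### sort` block are added again under the Talks and Tools sections in later hunks of this file.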
### <a name="articles">Articles
@ -44,6 +47,8 @@ http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
[The Social Engineering Framework](http://www.social-engineer.org/framework/general-discussion/)
* The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
[Phishing Family Tree Now: A Social Engineering Odyssey](https://www.blackhillsinfosec.com/?p=5629)
### <a name="books">Books</a>
@ -92,6 +97,7 @@ Paul Ekmans research
[Steal Everything, Kill Everyone, Cause Total Financial Ruin!](https://www.youtube.com/watch?v=JsVtHqICeKE)
* This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive I also make sure with every attack I highlight. I spend time discussing what would have stopped me. We need to know the problems but we need more talks providing solutions and that is what I hope people will get from this. I show the dangers of Social engineering and how even an employee with no SE experience can be an eBay James Bond which can cause total financial ruin to a company. These Security threats are real. So are these stories!
[For The Win Tools Techniques to Maximize Effectiveness of Your Social Engineering Attacks - Joe Gray](https://www.youtube.com/watch?v=Jh9Kl4JAdEA)
[PG01 Dropping hell0days Business Interaction for Security Professionals Or Anyone Else Elliot Johnso ](https://www.youtube.com/watch?v=COyN3NwY1v0)
@ -137,6 +143,12 @@ Paul Ekmans research
[Pwning People Personally](http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-personally-josh-schwartz)
[Security Guards LOL Brent White Tim Roberts - Nolacon2017](https://www.youtube.com/watch?v=yIQ-7ZSwrYw)
@ -175,3 +187,12 @@ Paul Ekmans research
### Tools
[CatMyFish](https://github.com/Mr-Un1k0d3r/CatMyFish)
* Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
[king-phisher](https://github.com/securestate/king-phisher)
* Phishing Campaign Toolkit
[gophish documentation](https://getgophish.com/documentation/)
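Review bot: `[king-phisher]`, its bullet, and `[gophish documentation]` are the same three lines inserted in the `#### sort` block at the top of this file; since they have a proper home under `### Tools` here, remove the copies from the sort block rather than carrying the duplicates forward.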

+ 8
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -38,6 +38,9 @@ https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
[x86 Disassembly/Windows Executable Files - WikiBooks](https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files)
https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
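Review bot: `https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/` is added as a bare URL while the neighbouring entries use `[title](url)`; give it a title (the path already says what it covers) so it is findable when the page is skimmed.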
@ -225,8 +228,13 @@ WinPrefetchView is a small utility that reads the Prefetch files stored in your
### Active Directory
[Active Directory Architecture](https://technet.microsoft.com/en-us/library/bb727030.aspx)
[Active Directory Control Paths](https://github.com/ANSSI-FR/AD-control-paths)
* Active Directory Control Paths auditing and graphing tools
#### <a name="kerberos">Kerberos Related</a>


+ 0
- 0
Draft/Things added since last update.md View File


+ 2
- 0
Draft/Threat Modeling.md View File

@ -35,6 +35,8 @@
* Accessible and client-side threat modeling tool
* [GIFs demonstrating usage](https://github.com/mozilla/seasponge/wiki/usage)[On Comparing Threat Intelligence Feeds](http://blogs.gartner.com/anton-chuvakin/2014/01/07/on-comparing-threat-intelligence-feeds/)
[ThreadFix](https://github.com/denimgroup/threadfix)
* ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
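Review bot: the line `* [GIFs demonstrating usage](...)[On Comparing Threat Intelligence Feeds](...)` runs two unrelated links together with no separator, so the Gartner post renders as part of the SeaSponge bullet; put it on its own line. ThreadFix describes itself as a vulnerability aggregation and management system, which is a vulnerability-management tool rather than a threat-modeling one, so consider placing it on the Defense or Interesting Things page instead.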


+ 35
- 4
Draft/Web & Browsers.md View File

@ -57,10 +57,8 @@ Java Serialization papers/stuff
[Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
http://console-cowboys.blogspot.com/2011/05/web-hacking-video-series-1-automating.html
http://www.grymoire.com/Security/Hardware.html
prompt.ml
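Review bot: `prompt.ml` is a bare hostname with no scheme, title or description, as are the `console-cowboys` and `grymoire` lines above it; the hunk header shows lines removed here, so if `prompt.ml` survives it should get a full URL and a one-line note on what it is, matching the `[title](url)` convention used elsewhere in the page.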
@ -71,6 +69,11 @@ Clickjacking attacks
[File scanner web app (Part 1 of 5): Stand-up and webserver](http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/)
[timing_attack](https://github.com/ffleming/timing_attack)
* Perform timing attacks against web applications
[Wordpress Security Guide - WPBeginner](http://www.wpbeginner.com/wordpress-security/)
#### End Sort
@ -96,6 +99,8 @@ https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
[HTTP Evasion](http://noxxi.de/research/http-evader-explained-8-borderline-robustness.html)
[Learn REST: A Tutorial](http://rest.elkstein.org/)
### Talks & Presentations
@ -157,7 +162,8 @@ https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
[dvcs-ripper](https://github.com/kost/dvcs-ripper)
* Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
[htshells](https://github.com/wireghoul/htshells)
* Self contained web shells and other attacks via .htaccess files.
@ -359,6 +365,9 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
### Site/Webapp Scanners
[nikto]()
[skipfish](https://code.google.com/p/skipfish/)
* Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
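Review bot: `[nikto]()` is an empty link, so it renders as plain text and is a dead entry in the scanners list; fill in the project URL and add a one-line description, as the skipfish entry directly below it has.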
@ -373,6 +382,19 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[WhatWeb](https://github.com/urbanadventurer/WhatWeb)
* WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
[WATOBO](https://github.com/siberas/watobo)
* WATABO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
[YASUO](https://github.com/0xsauby/yasuo)
* Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
[WPSeku](https://github.com/m4ll0k/WPSeku)
* Wordpress Security Scanner
[wpscan](https://github.com/wpscanteam/wpscan)
[cms-explorer](https://github.com/FlorianHeigl/cms-explorer)
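Review bot: the WATOBO bullet misspells the tool as "WATABO" in its description; `[wpscan](https://github.com/wpscanteam/wpscan)` has no description while `[WPSeku]` right above it does, so add a one-liner for consistency.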
@ -397,7 +419,8 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[TCP Catcher](http://www.tcpcatcher.org/)
* TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
[wssip](https://github.com/nccgroup/wssip)
* Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
@ -485,6 +508,9 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[Shadow Daemon](https://shadowd.zecure.org/overview/introduction/)
* Shadow Daemon is a collection of tools to detect, protocol and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the license GPLv2, so its source code can be examined, modified and distributed by everyone.
[ftw](https://github.com/fastly/ftw)
* Framework for Testing WAFs (FTW!)
<a name="bwaf">Bypassing Web Application Firewalls</a>
@ -728,3 +754,8 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
[Burp Pro : Real-life tips and tricks](https://hackinparis.com/talk-nicolazs-gregoire)
[Behind enemy lines: Bug hunting with Burp Infiltrator](http://blog.portswigger.net/2017/06/behind-enemy-lines-bug-hunting-with.html)
[BurpSmartBuster](https://github.com/pathetiq/BurpSmartBuster)
* A Burp Suite content discovery plugin that add the smart into the Buster!

+ 17
- 0
Draft/Wireless Networks & RF.md View File

@ -33,6 +33,8 @@ Aircrack https://www.aircrack-ng.org/doku.php?id=links
Ubertooth
Scapy
[gr-lora](https://github.com/BastilleResearch/gr-lora)
* This is an open-source implementation of the LoRa CSS PHY, based on the blind signal analysis conducted by @matt-knight. The original research that guided this implementation may be found at https://github.com/matt-knight/research
##### End Cull
@ -83,6 +85,10 @@ This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard.
[GSM/GPRS Traffic Interception for Penetration Testing Engagements](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/)
[Intro to SDR and RF Signal Analysis](https://www.elttam.com.au/blog/intro-sdr-and-rf-analysis/)
[Cyberspectrum SDR Meetups](https://www.youtube.com/watch?v=MFBkX4CNb08&list=PLPmwwVknVIiXGzKhtimTMjhcyppeRRsnE&index=3)
@ -91,6 +97,10 @@ This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard.
[The Vodafone Access Gateway / UMTS Femto cell / Vodafone Sure Signal](https://wiki.thc.org/vodafone)
[Ghosts from the Past: Authentication bypass and OEM backdoors in WiMAX routers](http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.html)
### <a name="retroreflectors">RF RetroReflectors</a>
@ -295,6 +305,12 @@ In this article, we proved the capabilities of an inexpensive wireless adapter a
[pixiewps](https://github.com/wiire/pixiewps)
* Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.
[eaphammer](https://github.com/s0lst1c3/eaphammer)
* EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:
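Review bot: the eaphammer bullet ends with "here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:" but the commands themselves were not pasted, so the sentence hangs on a colon; either include the example commands or end the description at "minimal manual configuration."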
@ -312,6 +328,7 @@ In the context of Dolev-Yao style analysis of security proto cols, we investigat
[RFIDiggity - Pentester Guide to Hacking HF/NFC and UHF RFID - Defcon23](https://www.youtube.com/watch?v=7o38hyQWw6g)
[NFC Frequently Asked Questions](https://www.securetechalliance.org/publications-nfc-frequently-asked-questions/)


+ 314
- 291
Draft/things-added.md
File diff suppressed because it is too large
View File

