
First add of actual ATT&CK stuff

root 5 years ago
11 changed files with 535 additions and 403 deletions
  1. +7
      Draft/Building A Pentest
  2. +1
      Draft/CTFs & Wargames
  3. +39
      Draft/Cheat sheets reference pages Checklists
  4. +11
  5. +5
      Draft/Programming - Languages Libs Courses
  6. +1
      Draft/Web &
  7. +14
  8. +373
  9. +5
  10. +2
  11. +77

+ 7
- 3
Draft/Building A Pentest

@ -109,13 +109,17 @@ Windows Server 2003
Windows XP
Windows Vista
Windows 7
Windows Server 2008r2
Windows Server 2012r2
Windows 8
Windows Server 2008
Windows Server 2012
Windows 10
Windows Server 2016
Centos 6.5
Debian 7
Debian 8
Ubuntu 14.04
Ubuntu 16.04
That gives you a fair amount of variation in environments as well as allowing you to create specific environments you might see. I list the three most common Distros and all windows going back to XP since, Windows is everywhere.
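Review bot: the OS list in this hunk is out of order (Windows Server 2008r2 and 2012r2 sit above Windows 8, Server 2008 and Server 2012), which makes it hard to see at a glance which generations are covered; sort it chronologically. The closing sentence says "all windows going back to XP" while the list is headed by Windows Server 2003, so say "back to XP / Server 2003", and note that each of the three Linux distros is given two releases rather than just "the three most common Distros".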

+ 1
- 1
Draft/CTFs & Wargames

@ -79,7 +79,7 @@ Making/Hosting your own CTF
### <a name="vulnvm">Vulnerable Virtual Machines</a>
[The Hacker Games](
* VM Setup to practice VM breakouts/defense. Hack the VM before it hacks you!

+ 39
- 43
Draft/Cheat sheets reference pages Checklists

@ -1,8 +1,7 @@
##Cheat Sheets & Reference Pages
## Cheat Sheets & Reference Pages
* Cull
#### TOC
* [General](#General)
* [ASM(x86/64/ARM)](#ASM)
* [Android](#Android)
@ -23,38 +22,24 @@ TOC
[Penetration Testing Tools Cheat Sheet](
| **tmux Cheat Sheet** |
* IDA Pro Full Instruction Reference Plugin - It's like auto-comments but useful.
[Assembler Language Instructions](
#### CULL
[SiLK Toolsuite Quick Reference Guide](
[SSRF Bible Cheatsheet](
#### end cull
[Management Frames Reference Sheet](
[Radare2 Cheat sheet](
## General
[How to Suck at Information Security](
[Windows Privilege Escalation Cheat Sheet/Tricks](
[SiLK Toolsuite Quick Reference Guide](
###<a name="General">General Cheat Sheets</a>
### <a name="General">General Cheat Sheets</a>
[Tips for Troubleshooting Human Communications](
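Review bot: the `#### CULL` / `#### end cull` block, and the bare `* Cull` line under the page heading, are editorial scratch that renders as content, and every entry in the cull block already appears in its proper section further down (SiLK Toolsuite Quick Reference Guide under General, SSRF Bible Cheatsheet under Web, Management Frames Reference Sheet under Wireless, Radare2 under Reverse Engineering). Delete the cull block and the `* Cull` line, or move the list to the ToDo file instead of leaving it in a published page. In the same hunk `| **tmux Cheat Sheet** |` is formatted as a table row while every neighbour is a link line; make it a link like the `[tmux Cheat Sheet](` entry under General.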
@ -64,10 +49,15 @@
[General Tricks](
[Penetration Testing Tools Cheat Sheet](
[tmux Cheat Sheet](
###<a name="ASM">x86/64/ARM</a>
### <a name="ASM">x86/64/ARM</a>
[x86 opcode structure and instruction overview](
@ -75,23 +65,23 @@
[Reading ASM](
[Assembler Language Instructions](
###<a name="Android">Android Cheat Sheets</a>
### <a name="Android">Android Cheat Sheets</a>
[Android ADB cheat sheet](
###<a name="ios">iOS Cheat Sheets</a>
### <a name="ios">iOS Cheat Sheets</a>
###<a name="Linux">Linux Cheat Sheets</a>
### <a name="Linux">Linux Cheat Sheets</a>
[Linux Syscall Table](
* Complete listing of all Linux Syscalls
@ -99,13 +89,13 @@
###<a name="Windows">Windows Cheat Sheets</a>
### <a name="Windows">Windows Cheat Sheets</a>
[Windows Startup Application Database](
###<a name="Exploitation">Exploitation Cheat Sheets</a>
### <a name="Exploitation">Exploitation Cheat Sheets</a>
[Linux - Breaking out of shells](
@ -114,16 +104,21 @@
[RootVG - Website Dedicated to AIX](
[Windows Privilege Escalation Cheat Sheet/Tricks](
###<a name="Exploitation">Exploit Dev Cheat Sheets</a>
### <a name="Exploitation">Exploit Dev Cheat Sheets</a>
[x86 opcode structure and instruction overview](
[Nasm x86 reference](
### <a name="Metasploit">Metasploit Cheat Sheets</a>
[Metasploit 4.2 documentation](
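Review bot: `<a name="Exploitation">` is used for both the "Exploitation Cheat Sheets" heading and the "Exploit Dev Cheat Sheets" heading in this hunk, so a TOC link to `#Exploitation` always lands on the first and the exploit-dev section is unreachable by anchor; give the second heading its own name (for example `ExploitDev`) and add it to the TOC. The exploit-dev section also repeats `[x86 opcode structure and instruction overview](`, which is already listed under the ASM section above; keep one copy or cross-reference it.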
@ -134,7 +129,7 @@
[Tips & Tricks](
###<a name="For">Forensics/IR Cheat Sheets</a>
### <a name="For">Forensics/IR Cheat Sheets</a>
[File Signature Table](
@ -150,16 +145,16 @@
###<a name="Malware">Malware Cheat Sheet</a>
### <a name="Malware">Malware Cheat Sheet</a>
[Reverse Engineering Malware Cheat Sheet](
[Analyzing Malicious Documents Cheat Sheet](
###<a name="RE">Reverse Engineering Cheat Sheets</a>
### <a name="RE">Reverse Engineering Cheat Sheets</a>
[Radare2 Cheat-Sheet](
[Radare2 Cheat-Sheet](
[WinDbg Cheat Sheet/mindmap](
@ -167,12 +162,12 @@
[Arm instruction set](
* IDA Pro Full Instruction Reference Plugin - It's like auto-comments but useful.
###<a name="Web">Web Cheat Sheets</a>
### <a name="Web">Web Cheat Sheets</a>
[WebAppSec Testing Checklist](
@ -184,15 +179,16 @@
[Securing Web Application Technologies Checklist](
[SSRF Bible Cheatsheet](
### Wireless Cheat Sheet
[Management Frames Reference Sheet](
### <a name="DB">Database Cheat Sheets</a>
###<a name="DB">Database Cheat Sheets</a>
[Checklist for mongodb](
[Checklist for mongodb](
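Review bot: `### Wireless Cheat Sheet` is the only section heading in this file without an `<a name=...>` anchor, so it cannot be linked from the TOC the way its siblings are; add one (for example `<a name="Wireless">`) and a matching TOC entry. `[Checklist for mongodb](` appears twice at the end of this hunk; if that is not the removed/added pair of a URL change, drop the duplicate.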

+ 11
- 11
Draft/Exploit

@ -303,7 +303,7 @@ I have tried to order the articles by technique and chronology.
* [Exploiting format string vulnerabilities, scut / Team-TESO, 2001](
*[Advances in format string exploitation, gera, 2002](
* [An alternative method in format string exploitation, K-sPecial, 2006](
* [An alternative method in format string exploitation, K-sPecial, 2006](
* [Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution](
* [Exploiting Format Strings: Getting the Shell](
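Review bot: `*[Advances in format string exploitation, gera, 2002](` is missing the space after the asterisk, so Markdown will not treat it as a list item and the line renders as a literal `*` run into the previous bullet; change it to `* [Advances in format string exploitation, gera, 2002](`. The K-sPecial 2006 entry appears twice in this hunk; if both copies survive the change, remove one.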
@ -363,21 +363,21 @@ I have tried to order the articles by technique and chronology.
### <a name="aslr"> ASLR:</a>
* [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](
* [Aslr Smack and Laugh Reference](
* [Advanced Buffer Overflow Methods](http:/
* [Advanced Buffer Overflow Methods - http:/ ] \\ Link doesn't render
* [Smack the Stack](
* [Exploiting the random number generator to bypass ASLR](
[Wikipedia on ASLR](
* [Bypassing Memory Protections: The Future of Exploitation](
* [On the Effectiveness of Address-Space Randomization](
* [Exploiting with](
* [Circumventing the VA kernel patch For Fun and Profit](
* [Defeating the Matasano C++ Challenge](
* [Bypassing PaX ASLR protection](
* [Thoughts about ASLR, NX Stack and format string attacks](
* [Wikipedia on ASLR](
* [Bypassing Memory Protections: The Future of Exploitation](
* [On the Effectiveness of Address-Space Randomization](
* [Exploiting with](
* [Circumventing the VA kernel patch For Fun and Profit](
* [Defeating the Matasano C++ Challenge](
* [Bypassing PaX ASLR protection](
* [Thoughts about ASLR, NX Stack and format string attacks](
* [Return-into-libc without Function Calls](
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](
* [Fun With Info-Leaks(DEP+ASLR bypass)](
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it's quite nice what can be done with the bug.
* [Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer](
* [Bypassing The Linux Kernel Aslr And Exploiting A Buffer Overflow Vulnerable Application With Ret2esp](
* This video tutorial illustrates how to exploit an application vulnerable to buffer overflow under a modern 2.6 Linux kernel with ASLR, bypassing stack layer randomization by search a jmp *%esp inside the executable file and forcing our program to jump there.
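Review bot: the replacement entry `* [Advanced Buffer Overflow Methods - http:/ ] \\ Link doesn't render` still ships a broken link plus an inline note to yourself, and is itself malformed Markdown (the URL sits inside the link text and the target is empty); either supply a working URL or move the item to the ToDo file, because readers will see "Link doesn't render" as content. If the `[Wikipedia on ASLR](` line without a leading `* ` is the surviving version, it also breaks the bullet list. Minor: the last bullet should read "by searching for a `jmp *%esp`" rather than "by search a jmp *%esp".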

+ 5
- 5
Draft/Programming - Languages Libs Courses

@ -20,7 +20,7 @@ Cull
* [Ruby](#ruby)
* [Papers](#papers)
### Cull
@ -38,7 +38,7 @@
###<a name="general">General</a>
### <a name="general">General</a>
[Secure Coding Standards - Android](
@ -292,7 +292,7 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
[Python For Beginners]()
* Welcome! Are you completely new to programming? If not then we presume you will be looking for information about why and how to get started with Python. Fortunately an experienced programmer in any programming language (whatever it may be) can pick up Python very quickly. It's also easy for beginners to use and learn, so jump in!
#### Reference
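Review bot: `[Python For Beginners]()` has an empty link target, so it renders as plain text with nowhere to go; add the URL or drop the entry. The paragraph beneath it is a copied welcome blurb that says nothing about what the resource covers; one line describing it would serve the reader better.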
@ -328,7 +328,7 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
###Useful Libraries/programs
### Useful Libraries/programs
* Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
@ -342,7 +342,7 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[Mov is turing complete](

+ 1
- 1
Draft/Web &

@ -221,7 +221,7 @@ As seen on:
[Server Side Template Injection](
[Server-Side Template Injection: RCE for the modern webapp](

+ 14
- 0
Draft/

@ -0,0 +1,14 @@
Windows Lateral Movement
## Remote Desktop Protocol(RDP)
[RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation](
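Review bot: the first line of this new file, `Windows Lateral Movement`, is plain text rather than a heading, while the sibling file added in the same commit starts with `# Windows Persistence`; make it `# Windows Lateral Movement` so the page has a title and `## Remote Desktop Protocol(RDP)` nests under it. Add a space before `(RDP)` while you are there.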

+ 373
- 0
Draft/

@ -0,0 +1,373 @@
External Remote Services
System Firmware
Valid Accounts
Web Shells
# Windows Persistence
## Accessibility Features
* Replace the windows accessibilty applications with desired binary to be ran instead. Sticky-Keys backdoor.
* Debugger trick -
[Sticky Keys to the Kingdom](
[Walk through of making such a backdoor by crowdstrike](
[Privilege Escalation via "Sticky" Keys](
## AppInit DLLs
[Working with the AppInit_DLLs registry value](
* (All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.)
[LoadDLLViaAppInit - Didier Stevens](
* Selectively Load DLLs with AppInit
[AppInit DLLs and Secure Boot](
## Application Shimming
[Understanding Shims](
[Secrets of the Application Compatilibity Database (SDB) – Part 1](
[Secrets of the Application Compatilibity Database (SDB) – Part 2](
[Secrets of the Application Compatilibity Database (SDB) – Part 3](
[Secrets of the Application Compatilibity Database (SDB) – Part 4](
[Malicious Application Compatibility Shims](
[Post Exploitation Persistence With Application Shims (Intro)](
[Windows 0wn3d By Default - Mark Baggett - Derbycon 2013](
* Description: “In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get it your way? No problem. Turn them off! Do you want to hide files and registry keys and from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” insuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.”
## Authentication Package
[Authentication Package - ATT&CK](
* Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. (from
[Authentication Packages](
* Authentication packages are contained in dynamic-link libraries. The Local Security Authority (LSA) loads authentication packages by using configuration information stored in the registry. Loaded at OS start.
## Bootkit
[Bootkit - ATT&CK](
* A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).
* Not going to list much here. If you're doing this, you don't need this.
## Change Default File Association
[Change Default File Association - ATT&CK](
* When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access.
[Change which programs Windows 7 uses by default](
* Win 7,8,10: Open Control Panel > Control Panel Home > Default Programs > Set Associations
## Component Firmware
[Component Firmware - ATT&CK](
## Component Object Model Hijacking
[Component Object Model Hijacking - ATT&CK](
[The Component Object Model](
[COM Object hijacking: the discreet way of persistence](
## DLL Search Order Hijacking
[DLL Search Order Hijacking - ATT&CK](
[Dynamic-Link Library Search Order](
## External Remote Services
[External Remote Services - ATT&CK](
* VPN/RDP/Citrix Hijacking
## File System Permissions Weakness
[File System Permissions Weakness - ATT&CK](
* Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
[Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege](
## Hidden Files and Directories
[Hidden Files and Directories - ATT&CK](
* Users can mark specific files as hidden by using the attrib.exe binary. Simply do attrib +h filename to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.
[ What is a Hidden File? ](
## Hypervisor
[Hypervisor - ATT&CK](
[An Introduction to Hardware-Assisted Virtual Machine (HVM) - pdf](
## Local Port Monitor
[Local Port Monitor - ATT&CK](
* A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The spoolsv.exe process also runs under SYSTEM level permissions.
[AddMonitor function](
## Logon Scripts
[Logon Scripts - ATT&CK](
* Windows allows logon scripts to be run whenever a specific user or group of users log into a system.
[Introduction Logon Scripts - With VBScript](
[Login Scripts - Creating and Using Login Scripts](
## modify Existing Service
[Modify Existing Service - ATT&CK](
* Windows service configuration information, including the file path to the service's executable, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
[Install a Persistant Backdoor in Windows Using Netcat ](
## Netsh Helper DLL
[Netsh Helper DLL - ATT&CK](
* Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe.
[Using Netsh](
[Netshell - Matthew Demaske](
## New Service
[New Service - ATT&CK](
* When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
## Office Application Startup
[Office Application Startup - ATT&CK](
* Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.
[Change the Normal template (Normal.dotm)](
* The Normal.dotm template opens whenever you start Microsoft Word, and it includes default styles and customizations that determine the basic look of a document.
[Getting Started with VBA in Office](
[Maintaining Access with Normal.dotm - enigma0x3](
[Beyond good ol’ Run key, Part 62 - Hexacorn](
* Takeaway: Dropping any macro sheet inside the XLSTART folder and opening it from there will not show the macro warning
[Add or remove add-ins](
* Add-ins provide optional commands and features for Microsoft Excel. By default, add-ins are not immediately available in Excel, so you must first install and (in some cases) activate these add-ins so that you can use them.
## Path Interception
[Path Interception - ATT&CK](
* Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target.
* There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
#### Unqouted Paths
* Service paths (stored in Windows Registry keys)2 and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program.
[CurrentControlSet\Services Subkey Entries](
* This article contains registry entries for the CurrentControlSet\Services subkeys. There are no subgroups.
[Unquoted Service Paths - commonexploits](
[PrivEsc: Unquoted Service Path - gracefulsecurity](
[Practical Guide to exploiting the unquoted service path vulnerability in Windows - TrustFoundry](
[Help eliminate unquoted path vulnerabilities](
#### PATH Environment Variable Misconfiguration
* The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
* For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
[The $env:PATH Less Traveled: Subverting Trust with 3rd-Party Applications - obscuresec](
#### Search Order Hijacking
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
* For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "" in the same directory as "net.exe", then cmd.exe /C net user will execute "" instead of "net.exe" due to the order of executable extensions defined under PATHEXT.
[WinExec function](
[Launching Apps from NT cmd shell](
[CreateProcess function](
[Environment Property](
## Redundant Access
* Don't just use one backdoor. Use multiple avenues of exfil. Plan ahead and exepct observation/discovery. Prepare backup solutions ready to go in case SHTF.
## Registry Run Key/ Start Folder
[Registry Run Keys / Start Folder - ATT&CK](
* Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. The program will be executed under the context of the user and will have the account's associated permissions level.
[Run and RunOnce Registry Keys - MSDN](
* Run and RunOnce registry keys cause programs to run each time that a user logs on.
[Beyond good ol’ Run key – All parts](
* Here are the links to all the ‘Beyond good ol’ Run key’ posts so far.
## Scheduled Tasks
[Scheduled Tasks - ATT&CK](
* Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.
[Schedule a Task - MSDN](
[Schtasks.exe - MSDN](
* Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. Running Schtasks.exe without arguments displays the status and next run time for each registered task.
[At - MSDN](
* Schedules commands and programs to run on a computer at a specified time and date. You can use at only when the Schedule service is running. Used without parameters, at lists scheduled commands.
[How To Use the AT Command to Schedule Tasks - MS](
## Security Support Provider
[Security Support Provider - ATT&CK](
* Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.
[Analysis of Malicious Security Support Provider DLLs](
[Security Support Provider Interface - Wikipedia](
[The Security Support Provider Interface - MSDN](
## Service Registry Permissions Weakness
[Service Registry Permissions Weakness - ATT&CK](
* Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions.
* If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
[Registry Key Security and Access Rights - MSDN](
## Shortcut Modification
[Shortcut Modification - ATT&CK](
* Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
[How to create shortcuts for apps, files, folders and web pages in Windows](
## System Firmware
[System Firmware - ATT&CK](
* The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
* System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
## Valid Accounts
[Valid Accounts - ATT&CK](
## Web Shell
[Web Shell - ATT&CK](
* A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
## Windows Management Instrumentation(WMI) Event Subscription
[Windows Management Instrumentation Event Subscription - ATT&CK](
* Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. Examples of events that may be subscribed to are the wall clock time or the computer's uptime.
[Windows Management Instrumentation (WMI) Offense, Defense, and Forensics](
[A Novel WMI Persistence Implementation - SecureWorks](
[PowerShell and Events: Permanent WMI Event Subscriptions](
[Receiving a WMI Event](
* An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
[ A fileless infection using WMI to hijack your Browser](
[Creeping on Users with WMI Events: Introducing PowerLurk](
[List all WMI Permanent Event Subscriptions](
[Use PowerShell to Create a Permanent WMI Event to Launch a VBScript](
## Winlogon Helper DLL
[Winlogon Helper DLL - ATT&CK](
* Winlogon is a part of some Windows versions that performs actions at logon. In Windows systems prior to Windows Vista, a Registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.
* Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
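Review bot: under Authentication Package, the value `"Authentication Packages"=<target binary>` will lose `<target binary>` when rendered, because Markdown passes `<...>` through as an HTML tag; put the whole assignment in backticks. The same bullet ends in a dangling `(from`, so the citation was cut off. Other things to fix in this file: the four bare lines above `# Windows Persistence` (External Remote Services, System Firmware, Valid Accounts, Web Shells) look like a leftover to-do list and should either become a TOC or go; `Service paths (stored in Windows Registry keys)2` carries a footnote marker copied from the ATT&CK page; in the Search Order Hijacking bullet the file name inside the quotes is missing (`a program called ""`), so the sentence no longer shows that a `.com` is found before a `.exe` under the default PATHEXT order; the Winlogon Helper DLL section has two near-identical bullets, keep one; `## modify Existing Service` needs a capital M; and the `Debugger trick -` item under Accessibility Features trails off and should name the registry value it means. On accuracy: the Scheduled Tasks bullet says the creating account must be in the local Administrators group, but an unprivileged user can create a task that runs in its own context with `schtasks /create`; administrator rights are needed to run the task as another account or SYSTEM, or to schedule on a remote host, and `at` has been deprecated in favour of `schtasks` since Windows 8. The AppInit DLLs bullet should say the DLLs are loaded into every process that loads user32.dll, and that from Windows 8 onward the mechanism is disabled when Secure Boot is enabled, which is the point of the "AppInit DLLs and Secure Boot" link you cite. Change Default File Association only gives the Control Panel route; one line on where the handler lives (`HKCR\<ext>` naming a ProgID whose `shell\open\command` holds the command line) would make the persistence angle concrete. Typos: accessibilty, Persistant, Unqouted, exepct.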

+ 5
- 0
Draft/

@ -0,0 +1,5 @@
"title": "InfoSec Reference",
"tagline": "An Infosec reference that doesn't suck.",
"image": "mspaint.png"

+ 2
- 0
Draft/

@ -0,0 +1,2 @@
# Readme

+ 77
- 339
Draft/

@ -1,103 +1,88 @@
### Things added since last update:
###### Some phrack articles?
* [cryptexec: Next-generation runtime binary encryption using on-demand function extraction](
* [Defeating Sniffers and Intrusion Detection Systems](
* Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
* Runtime Process Infection - anonymous, 07/28/2002
* Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003
* Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008
* Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
* Binary Mangling with Radare - pancake, 06/11/2009
[What Happens Next Will Amaze You](
[Advice for writing a Bootloader? - reddit](
* A report to synthesize findings from the Defcon 25 Voting Machine Hacking Village
## Android
?## politics
## Anonymity/OPSEC
[Guccifer 2.0: Game Over - Six Months In](
[PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](
[The Paranoid's Bible: An anti-dox effort.](
[Flipping Bits and Opening Doors: Reverse Engineering the Linear Wireless Security DX Protocol](
## Attacking Android
## Anonymity
[Hacking Android phone. How deep the rabbit hole goes.](
* Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
[Mobile Application Penetration Testing Cheat Sheet](
* Destroy Windows Spying tool
## Attacking iOS
[What Happens Next Will Amaze You](
[Mobile Application Penetration Testing Cheat Sheet](
## Basic Security
## Attacking/Defending Android
* DonkeyGuard allows you a fine-grained tuning of access to your private data. It currently supports 41 restrictions which can be applied for every application. Specifically, it is a Privacy service provider which implements a set of modifications to the Android Framework to allow you to interact with applications which are trying to access your private data.
[Advice for writing a Bootloader? - reddit](
## Building a Lab
## Basic Security Info
[Mitigate threats by using Windows 10 security features](
## Car Hacking
[Broadcasting your attack: Security testing DAB radio in cars - Andy Davis](
## Building a Lab
## Car Hacking
[Broadcasting your attack: Security testing DAB radio in cars - Andy Davis](
## Courses
## CTF
* [Sample](
## Crypto
[Top 10 Developer Crypto Mistakes](
[OMEMO Multi-End Message and Object Encryption](
* OMEMO is an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. It is an open standard based on a Double Ratchet and PEP which can be freely used and implemented by anyone. The protocol has been audited by a third party.
## Crypto Currencies
* Overview of top cryptocurrencies
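Review bot: `?## politics` and `###### Some phrack articles?` are working notes, not headings, and should either become real sections or be dropped before commit. Three description bullets in this hunk have no link line above them (`Protects you against tracking through "free", centralized, content delivery...`, `Destroy Windows Spying tool`, the DonkeyGuard paragraph), so the reader gets a blurb for a tool the page never names or links. The Android heading exists in three variants here (`## Android`, `## Attacking Android`, `## Attacking/Defending Android`), and `What Happens Next Will Amaze You`, `Mobile Application Penetration Testing Cheat Sheet`, `Advice for writing a Bootloader? - reddit`, `Broadcasting your attack`, `## Building a Lab` and `## Car Hacking` each appear twice in the hunk; if these are moves rather than duplicates, fine, but verify the resulting file has each heading and entry exactly once.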
@ -118,87 +103,40 @@
## Embedded Devices/Hardware
[Multiple Vulnerabilities in BHU WiFi “uRouter”](
[Jackson Thuraisamy & Jason Tran - Hacking POS PoS Systems](
[Introduction to Glitch Attacks](
* This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
## Exploit Dev
* Add use-after-free section
[Bypass Control Flow Guard Comprehensively](
[A brief history of Exploitation - Devin Cook](
[ Shellcode Time: Come on Grab Your Friends](
* Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR. In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates. I will also demonstrate an automated process for unpacking the binaries that are created.
[Writing my first shellcode - iptables -P INPUT ACCEPT](
[Blind Return Oriented Programming](
[Blind Return Oriented Programming (BROP) Attack (1)](
[Blind Return Oriented Programming (BROP) Attack (2)](
[English Shellcode](
* History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components. This abstraction is evident in much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection. It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion. However, the common belief that components of polymorphic shellcode (e.g., the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research: namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads. While the first tenet of this assumption is philosoph- ically undeniable (i.e., a string of bytes is either shellcode or it is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content. In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations. Specifically, we demonstrate a technique for automatically producing English Shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose. The shellcode is completely self-contained - i.e., it does not require an external loader and executes as valid IA32 code)—and can typically be generated in under an hour on commodity hardware. Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks
[Breaking the links: Exploiting the linker](
[QuickZip Stack BOF 0day: a box of chocolates](
[Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube](
[Exploit writing tutorial part 11 : Heap Spraying Demystified](
[Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](
[An Introduction to Use After Free Vulnerabilities](
* [Windows Kernel Shellcode on Windows 10 – Part 1](
* [Windows Kernel Shellcode on Windows 10 – Part 2](
* [Windows Kernel Shellcode on Windows 10 – Part 3](
* [Windows Kernel Shellcode on Windows 10 – Part 4 - There is No Code](
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
* x86 and x64 assembly "read-eval-print loop" shell for Windows
* Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017)
[Modern Windows Exploit Development](
## Forensics
* Roll anti into this.
[An Anti-Forensics Primer - Jason Andress](
* This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
[OpenPuff Steganography](
[Forensics Impossible: Self-Destructing Thumb Drives - Brandon Wilson](
## Fuzzing
[Practical File Format Fuzzing](
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
## Game Hacking
[Improving security with Fuzzing and Sanitizers](
* A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.
[Gotta catch-em-all worldwide - Pokemon GO GPS spoofing](
[The Multibillion dollar industry that's ignored](
[ The Multibillion Dollar Industry That's Ignored - Jason Montgomery and Ryan Sevey](
* Video games are something that a lot of us enjoy playing to escape the realities of the world- and to just relax and have fun. What’s unknown to many gamers who work hard to up their skills- they often are losing to cheaters who can dominate them with low skills by subscribing to a ~$10 a month cheat service (which often requires disabling UAC, DEP, and AV).This talk will examine some of the security issues facing the gaming industry and the cheating marketplace, and will include a deep dive into how game “hacks” such as aimbots and extrasensory perception (ESP) work in current gaming engines. We’ll explore current anti-cheat technologies and techniques attackers use to easily bypass them, as well as how the cheats themselves are protected from being discovered. Finally we conclude with proposing new anti-cheat techniques including Machine Learning/Artificial Intelligence giving the legit gamers an enjoyable experience again.
## Game Hacking
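Review bot: `* Add use-after-free section` is a todo committed as content; the `An Introduction to Use After Free Vulnerabilities` and `Part 9: Spraying the Heap [Chapter 2: Use-After-Free]` entries further down look like its intended payload, so either move them under a UAF subheading or remove the note. The `Part 9` link text contains nested square brackets, which breaks the markdown link; replace the inner `[...]` with parentheses or a dash. `## Game Hacking` appears twice, and `Improving security with Fuzzing and Sanitizers` sits under the first one instead of under `## Fuzzing`. `The Multibillion dollar industry that's ignored` and `The Multibillion Dollar Industry That's Ignored - Jason Montgomery and Ryan Sevey` are the same talk; keep the one with the speakers. The three description bullets between the kernel shellcode series and `Modern Windows Exploit Development` (reflective DLL shellcode, the Windows asm REPL, Rappel) have no link, and `Rappel` still carries a stale `(As of Aug 2017)` status note.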
@ -208,52 +146,26 @@
## Honeypots
# iOS- ANYCON 2017
## Interesting Things
[Hacks, Lies, & Nation States - Mario DiNatale - ANYCON 2017](
* A hilarious and non-technical skewering of the current state of Cybersecurity, the Cybersecurity
[CyberChef - GCHQ](
* CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
[Your Project from Idea to Reality](
[Beyond Information Warfare: You aint seen nothing yet - Winn Scwartau](
[Bootstrapping A Security Research Project Andrew Hay](
* It has become increasingly common to see a headline in the mainstream media talking about the latest car, television, or other IoT device being hacked (hopefully by a researcher). In each report, blog, or presentation, we learn about the alarming lack of security and privacy associated with the device's hardware, communications mechanisms, software/app, and hosting infrastructure in addition to how easy it might be for an attacker to take advantage of one, or multiple, threat vectors. The truth is, anyone can perform this kind of research if given the right guidance. To many security professionals, however, the act of researching something isn,t the's what to research, how to start, and when to stop. Academics think nothing of researching something until they feel it's "done" (or their funding/tenure runs out). Security professionals, however, often do not have that luxury. This session will discuss how to research, well, ANYTHING. Proven methods for starting, continuing, ending, leading, and collaborating on reproducible research will be discussed - taking into account real-world constraints such as time, money, and a personal life. We will also discuss how to generate data, design your experiments, analyze your results, and present (and in some cases defend) your research to the public.
[Killing you softly Josh Bressers](
* The entire security industry has a serious skill problem. We,re technically able, but we have no soft skills. We can,t talk to normal people at all. We can barely even talk to each other, and it's killing our industry. Every successful industry relies on the transfer of skills from the experienced to the inexperienced. Security lacks this today. If I asked you how you learned what you know about security, what would your answer be? In most cases you learned everything you know on your own. There was minimal learning from someone else. This has left us with an industry full of magicians, but even worse it puts us in a place where there is no way to transfer skill and knowledge from one generation to the next. Magicians don,t scale. If we think about this in the context of how we engage non security people it's even worse! Most non security people have no idea what security is, what security does, or even why security is important. It's easy to laugh at the horrible security problems almost everything has today, but in reality we,re laughing at ourselves. Historically we,ve blamed everything else for this problem when in reality it's 100% our fault. One of the our great weaknesses is failing to get the regular people to understand security and why it's important. This isn,t a surprise if you think about how the industry communicates. We can barely talk to each other, how can we possibly talk to someone who doesn,t know anything about security? Normal people are confused and scared, they want to do the right thing but they have no idea what that is. The future leaders in security are going to have to be able to teach and talk to their security peers, but more importantly they will have to engage everyone else. Security is being paid attention to like never before, and yet we have nothing to say to anyone. What has changed in the last few years? If we don,t do our jobs, someone else will do them for us, and we,re not going to like the results. 
Security isn,t a technical problem, technical problems are easy, security is a communication problem. Communications problems are difficult. Let's figure out how we can fix that.
* WizTree is a disk space analyzer that will quickly scan your entire hard drive and shows you which files and folders are using the most disk space. WizTree obtains information by directly scanning the MFT file, so it can only work with local (directly attached) drives formatted with the NTFS file system. It won't work with network drives, substituted drives or non-NTFS formatted drives. We may add support for other drive types in the future if there's enough demand.
[Medical Device Law: Compliance Issues, Best Practices and Trends - American Bar Association](
[U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information](
[Virtualization Based Security - Part 2: kernel communications](
* Create high-fidelity, interactive web archives of any web site you browse
[NSARCHIVE - The Cyber Vault](
* An online resource documenting cyber activities of the U.S. and foreign governments as well as international organizations.
[How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty (paper)](
[A Look In the Mirror: Attacks on Package Managers](
[“Considered Harmful” Essays Considered Harmful](
[Detecting Automation of Twitter Accounts:Are You a Human, Bot, or Cyborg](
* Extract Sense out of Gibberish stuff
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
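Review bot: `# iOS- ANYCON 2017` is a level-one heading dropped between `##` sections and reads as a note to self; the ANYCON iOS material should go under `## Attacking iOS` or the heading should be removed. The Mario DiNatale description stops mid-sentence (`...the Cybersecurity`). The Josh Bressers abstract has commas where apostrophes belong (`We,re`, `can,t`, `isn,t`), a paste artifact that should be fixed before the page goes out. Four description bullets in this section have no link (WizTree, `Create high-fidelity, interactive web archives...`, `Extract Sense out of Gibberish stuff`, the Netdude paragraph), and the Netdude paragraph is also pasted verbatim under `## Network | Monitoring & Logging` later in this diff; keep it in one place.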
@ -261,25 +173,9 @@
## Malware
[Usermode Sandboxing](
[Advanced Desktop Application Sandboxing via AppContainer](
[The Economics of Exploit Kits & E-Crime](
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
[PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior](
* Abstract: We introduce PyTrigger, a dynamic malware analy- sis system that automatically exercises a malware binary extract- ing its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the con- text makes the playback more accurate and avoids dependenciesand pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples
[VirtualBox Detection Via WQL Queries](
[Code Injection Techniques -2013](
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](
[BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo](
* x86 Inline hooking engine (using trampolines)
## Mainframes
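Review bot: the two `Injection on Steroids` entries are one talk (the second is the video title with its `BG00` track prefix), and the same pair is also being added under `## Post Exploitation/Privilege Escalation` and `## Red Team/Pentesting` in this diff; pick one home and drop the rest. `Usermode Sandboxing` and `Advanced Desktop Application Sandboxing via AppContainer` are likewise duplicated under `## System Internals`, where they fit better than under `## Malware`. The `x86 Inline hooking engine (using trampolines)` bullet has no link, and the PyTrigger abstract has `dependenciesand` run together from the paste.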
@ -287,43 +183,14 @@
## Network Scanning and Attacks
[ VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments - Ronny L. Bull - ANYCON 2017](
* Cloud service providers and data centers offer their customers the ability to deploy virtual machines within multi-tenant environments. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. In this talk I will demonstrate the effects of VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform, including results of attacks originating from the physically connected network as well as within the virtual networks themselves. Each attack category that is discussed will be accompanied by a detailed proof of concept demonstration of the attack.
[LLMNR and NBT-NS Poisoning Using Responder](
## Network | Monitoring & Logging
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
* tinfoleak is a simple Python script that allow to obtain:
..* basic information about a Twitter user (name, picture, location, followers, etc.)
..* devices and operating systems used by the Twitter user
..* applications and social networks used by the Twitter user
..* place and geolocation coordinates to generate a tracking map of locations visited
..* show user tweets in Google Earth!
..* download all pics from a Twitter user
..* hashtags used by the Twitter user and when are used (date and time)
..* user mentions by the the Twitter user and when are occurred (date and time)
..* topics used by the Twitter user
* Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even
when directory browsing is turned off.
[ZOMG Its OSINT Heaven Tazz Tazz](
[Practical OSINT - Shane MacDougall](
* There’s more to life to OSINT than google scraping and social media harvesting. Learn some practical methods to automate information gathering, explore some of the most useful tools, and learn how to recognize valuable data when you see it. Not only will we explore various tools, attendees will get access to unpublished transforms they can use/modify for their own use.
## OS X
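Review bot: the tinfoleak paragraph and the `Rip web accessible (distributed) version control systems` bullet are OSINT/recon tooling and sit under `## Network | Monitoring & Logging`, ahead of the actual OSINT entries (`ZOMG Its OSINT Heaven`, `Practical OSINT`); move them down with those. The `..*` sub-bullets under tinfoleak are not markdown nesting and will render literally; indent them under the parent `*` instead. The Stenographer, Netdude, tinfoleak and repo-ripper descriptions all lack a link line. The repo-ripper text also wraps mid-sentence (`...even` / `when directory browsing is turned off.`), which is why that fragment keeps appearing as the context string in the following hunk headers; join it onto one line.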
@ -341,65 +208,28 @@ when directory browsing is turned off.
## Post Exploitation/Privilege Escalation
[Noob 101: Practical Techniques for AV Bypass - Jared Hoffman - ANYCON 2017](
* The shortcomings of anti-virus (AV) solutions have been well known for some time. Nevertheless, both public and private organizations continue to rely on AV software as a critical component of their information security programs, acting as a key protection mechanism over endpoints and other information systems within their networks. As a result, the security posture of these organizations is significantly jeopardized by relying only on this weakened control.
[SYSTEM Context Persistence in GPO Startup Scripts](
* Creates a local or remote port forwarding through named pipes.
[Scanning Effectively Through a SOCKS Pivot with Nmap and Proxychains](
* [Script](
* Extracts passwords from a KeePass 2.x database, directly from memory.
* Collection of scripts to aid in delivering payloads via Office Macros.
* Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
* [Presentation](
[How to Bypass Anti-Virus to Run Mimikatz](
[Dragon: A Windows, non-binding, passive download / exec backdoor](
* Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
[Inject All the Things - Shut up and hack](
* Accompanying above project
[Windows Driver and Service enumeration with Python](
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](
[Injection on Steroids: Code less Code Injections and 0 Day Techniques - Paul Schofield Udi Yavo](
[PowerShell and Token Impersonation](
[Accessing the Windows API in PowerShell via internal .NET methods and reflection](
* It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
## Programming:
[How Attackers Dump Active Directory Database Credentials](
* x86 and x64 assembly "read-eval-print loop" shell for Windows
## Programming:
* A curated list of amazingly awesome PHP libraries, resources and shiny things.
## Policy and Compliance
## RE
[Hyper-V debugging for beginners](
[Software Hooking methods reveiw(2016)]((
[Deviare v2.0](
* The Deviare API has been developed to intercept any API calls, letting you get control of the flow of execution of any application.
[Reverse History Part Two – Research](
[SpyStudio Tutorials](
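Review bot: `## Programming:` appears twice, and the first occurrence has `How Attackers Dump Active Directory Database Credentials` and the x86/x64 asm REPL bullet filed under it; both belong in `## Post Exploitation/Privilege Escalation` (the REPL bullet is also already in the Exploit Dev hunk above). `[Software Hooking methods reveiw(2016)]((` has a typo in the title and a doubled `(` that will break the link. Several descriptions in the post-exploitation block have no link (named-pipe port forwarding, the KeePass memory extractor, the Office macro delivery scripts, Invoke-Obfuscation, the DLL injection project, the awesome PHP list), and the `Injection on Steroids` pair repeats the `## Malware` section.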
@ -410,70 +240,16 @@ when directory browsing is turned off.
## Red Team/Pentesting
[Adam Compton - Hillbilly Storytime - Pentest Fails](
* Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to talk a load off for a bit, come and join in as a hillbilly spins a yarn about a group unfortunate pentesters and their misadventures. All stories and events are true (but the names have been be changed to prevent embarrassment).
[Sniffing Sunlight - Erik Kamerling - ANYCON2017](
* Laser listening devices (laser microphones) are a well understood technology. They have historically been used in the surreptitious surveillance of protected spaces. Using such a device, an attacker bounces an infrared laser off of a reflective surface, and receives the ricocheted beam with a photoreceptor. If the beam is reflected from a surface that is vibrating due to sound (voice is a typical background target), that sound is subsequently modulated into the beam and can be demodulated at the receptor. This is a known attack method and will be briefly discussed. However, does this principle also hold for non-amplified or naturally concentrated light sources? Can one retrieve modulated audio from reflected sunlight? The idea of modulating voice with sunlight was pioneered by Alexander Graham Bell in 1880 with an invention called the Photophone. A Photophone uses the audio modulation concept now used in laser microphones, but relied on a concentrated beam of sunlight rather than a laser to communicate at distance. Considering that Bell proved that intentionally concentrated sunlight can be used to modulate voice, we will explore under what natural conditions modulated audio can be found in reflected ambient light. Using off the shelf solar-cells and handmade amplifiers, Erik will demonstrate the use of the receiver side of a historic Photophone to identify instances of modulated audio in reflected light under common conditions.
[DIY Spy Covert Channels With Scapy And Python - Jen Allen - ANYCON 2017](
[Egressing Bluecoat with CobaltStike & Let's Encrypt](
[Expand Your Horizon Red Team – Modern SaaS C2](
[Expand Your Horizon Red Team – Modern SaaS C2 - Python WSGI C2](
[High-reputation Redirectors and Domain Fronting](
[Blocking-resistant communication through domain fronting](
[Camouflage at encryption layer: domain fronting](
[Domain Fronting - Infosec Institute](
* Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
[Inject All the Things - Shut up and hack](
[Pen Testing a City](
[Staying Persistent in Software Defined Networks](
[Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor](
[Hacking Corporate Em@il Systems - Nate Power](
* In this talk we will discuss current email system attack vectors and how these systems can be abused and leveraged to break into corporate networks. A penetration testing methodology will be discussed and technical demonstrations of attacks will be shown. Phases of this methodology include information gathering, network mapping, vulnerability identification, penetration, privilege escalation, and maintaining access. Methods for organizations to better protect systems will also be discussed.
[Code Injection Techniques -2013](
[Offensive Encrypted Data Storage](
[Offensive Encrypted Data Storage (DPAPI edition)](
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](
[Injection on Steroids: Code less Code Injections and 0 Day Techniques - Paul Schofield Udi Yavo](
* A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
[88MPH Digital tricks to bypass Physical security - ZaCon4 - Andrew MacPherson](
[Project Loki - Phrack 7-49](
* This whitepaper is intended as a complete description of the covert channel that exists in networks that allow ping traffic (hereon referred to in the more general sense of ICMP_ECHO traffic --see below) to pass.
[Remote Physical Damage 101 - Bread and Butter Attacks](
[Simulated Physics And Embedded Virtualization Integration (SPAEVI) - Overview](
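Review bot: the DLL injection project bullet, `Inject All the Things - Shut up and hack`, `Code Injection Techniques -2013` and the `Injection on Steroids` pair are all repeats of entries added under `## Post Exploitation/Privilege Escalation` and `## Malware` in this same diff; keep them in Post Exploitation and cross-reference from here rather than copying. The `kinit` AD password brute-force description has no link, and the four domain fronting entries (`High-reputation Redirectors and Domain Fronting` through `Domain Fronting - Infosec Institute`) would read better grouped under a short sub-label the way the WMI persistence links are grouped elsewhere in the repo.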
@ -482,43 +258,12 @@ when directory browsing is turned off.
## Social Engineering
[Jedi Mind Tricks: People Skills for Security Pros - Alex DiPerma - 2017 ANYCON](
* People skills for security professionals but WAY MORE FUN!
[PG12 Classic Misdirection Social Engineering to Counter Surveillance Peter Clemenko III](
[Patching the Human Vulns - Leonard Isham](
* You are a hacker, you learn, you play, and you break. The very nature of a hacker is to question what is given to us and to play with the rules. However, most of us do not apply this methodology in all parts of our lives. Many take what is given to us about mood and health as fact and what are the results...overweight, depression, anxiety, and self esteem issues. In this presentation, we will show 2 hackers and their journey on how they addressed the issues mentioned above. Len and Moey followed two separate paths to losing over a combined 150 lbs, gaining confidence, and changing their outlook. The talk will not only cover the touchy feely portion of how to deal with weight, mood,and self esteem but will also be supported by the science behind diets, supplements and perspective. The talk will provide what worked for two hackers. YMMV.
[Cheat Codez: Level UP Your SE Game - Eric Smith (@InfoSecMafia)](
* Everyone knows what phishing is. Everyone realizes Java applets lead to massive storms of shells. Everyone accepts tailgating is the easiest way into your building. Everyone knows smoking (areas) are bad for you AND your business. Admit it, you paid for that EXACT assessment last year. I could write your report for you without even doing the job. So what’s the problem you ask? That’s EXACTLY the problem, I say. So how do we fix these issues that plague our industry and misalign business expectations? This talk will discuss the value of Social Engineering exercises when conducted with realistic goals yielding actionable results. Of course, that means putting in REAL work throughout the engagement, not “point, click, report, rinse and repeat”. We’ll discuss tips, techniques and secrets that the PROS don’t always blog about. *PRO TIP* – This won’t be a talk on how to use a particular framework or release of a tool (there are plenty of those already). So bring your work boots, it’s time to get dirty and UP your game.
## System Internals
[Windows Data Protection](
[AD Local Domain groups, Global groups and Universal groups.](
[Demystifying AppContainers in Windows 8 (Part I)](
[AppContainer Isolation](
[Evolution of Process Environment Block (PEB)](
[PEB32 and PEB64 in one definition](
[Unkillable Processes](
[Usermode Sandboxing](
[Advanced Desktop Application Sandboxing via AppContainer](
[VirtualAlloc function](
[BATTLE OF SKM AND IUM - How Windows 10 rewrites OS Architecture - Alex Ionescu](
[Exploring Windows virtual memory management](
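Review bot: `Usermode Sandboxing` and `Advanced Desktop Application Sandboxing via AppContainer` duplicate the `## Malware` hunk above; `## System Internals`, next to the two AppContainer entries already here, is the right place, so remove the Malware copies. `[PG12 Classic Misdirection Social Engineering to Counter Surveillance Peter Clemenko III]` carries a conference track prefix (`PG12`) in the link text, the same issue as `BG00` earlier; strip the prefix and add a separator before the speaker name as the other talk entries do.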
@ -536,44 +281,37 @@ when directory browsing is turned off.
## Web:
* This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
* Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
[Backslash Powered Scanning: Hunting Unknown Vulnerability Classes](
* Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
[NodeJS: Remote Code Execution as a Service - Peabnuts123 – Kiwicon 2016](
[SAML Raider](
* SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates.
[Server Side Template Injection](
[Turning LFI into RFI](
* When configured in a specific way the web application would load the JAR file and search within the file for a class. Interestingly enough, in Java classes you can define a static block that is executed upon the class being processed
[Hacking Jenkins Servers With No Password](
[Server-Side Template Injection](
* This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zerodays for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.
[Exploring SSTI in Flask/Jinja2](
[LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts](
* This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities.
* A wiki dedicated to JavaScript MVC security pitfalls
## Wireless Stuff
[ RCE using CCS](
[The unexpected dangers of preg_replace()](
[Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven](
[ If it fits - it sniffs: Adventures in WarShipping - Larry Pesce](
* There are plenty of ways to leverage known wireless attacks against our chosen victims. We've discovered a new WiFi discovery methodology that can give us insight into attack paths, internal distribution methods, internal policies and procedures as well as an opportunity to launch wireless attacks deep inside a facility without even stepping inside; no physical penetration test needed. How do we make that happen? Box it, tape it and slap an address on it: WARSHIPPING. Thanks FedEx, UPS and USPS for doing the heavy lifting for us. We‰'ve even got a new tool to do some of the heavy lifting for location lookups too!
[Funtenna - Transmitter: XYZ Embedded device + RF Funtenna Payload](
[The Wireless World of the Internet of Things - JP Dunning ".ronin"](
* The Internet of Things brings all the hardware are home together. Most of these devices are controlled through wireless command and control network. But what kind of wireless? And what are the security is in place? This talk with cover the wireless tech used by the Internet of Things and some of the risks to your home or corporate security.
####### Things I wanted to add but didn't get around to sorting
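Review bot: the first two `*` lines under `## Web:` are orphaned descriptions, the one beginning `This extension complements Burp's active scanner` belongs to the `[Backslash Powered Scanning...]` link that only appears two lines later, and the one beginning `Designed to make Burp evenly distribute load` has no link at all in this hunk; the same applies to `* A wiki dedicated to JavaScript MVC security pitfalls`, which follows the LFI2RCE description with no link of its own. Either restore the missing links above each description or drop the descriptions. Other points in the hunk: `[Server Side Template Injection](` and `[Server-Side Template Injection](` look like a duplicate entry; `[ RCE using CCS](` and `[The unexpected dangers of preg_replace()](` are filed under `## Wireless Stuff` but are web/PHP items; `## Web:` carries a trailing colon unlike the other headings; `We‰'ve` in the WarShipping abstract is a mojibake apostrophe; and `####### Things I wanted to add` uses seven `#`, which Markdown does not treat as a heading (six is the maximum).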