
Big update, lots of stuff, formatting is probably off, will update ATT&CK soon

pull/9/head
root 5 years ago
commit e8cc288363
47 changed files with 6680 additions and 9205 deletions
  1. +130 -206  Draft/AnonOpsecPrivacy.md
  2. +100 -160  Draft/BIOS UEFI Attacks Defenses.md
  3. +34 -91  Draft/Building A Pentest Lab.md
  4. +59 -84  Draft/CTFs_Wargames.md
  5. +1 -1  Draft/Cheat sheets reference pages Checklists -.md
  6. +18 -27  Draft/Conferences.md
  7. +19 -28  Draft/Counter_Surveillance.md
  8. +75 -115  Draft/Courses_Training.md
  9. +13 -17  Draft/CryptoCurrencies.md
  10. +121 -182  Draft/Cryptography & Encryption.md
  11. +12 -18  Draft/Darknets.md
  12. +52 -65  Draft/Data AnalysisVisualization.md
  13. +33 -0  Draft/Defense.md
  14. +15 -22  Draft/Disclosure.md
  15. +16 -24  Draft/Disinformation.md
  16. +60 -95  Draft/Documentation & Reports -.md
  17. +8 -1  Draft/Drones.md
  18. +169 -266  Draft/Embedded Device & Hardware Hacking -.md
  19. +66 -98  Draft/Exfiltration.md
  20. +372 -634  Draft/Exploit Development.md
  21. +216 -322  Draft/Forensics Incident Response.md
  22. +133 -229  Draft/Fuzzing Bug Hunting.md
  23. +53 -51  Draft/Game Hacking.md
  24. +96 -132  Draft/Honeypots.md
  25. +328 -552  Draft/Interesting Things Useful stuff.md
  26. +7 -11  Draft/Mainframes.md
  27. +334 -602  Draft/Malware.md
  28. +533 -629  Draft/Network Attacks & Defenses.md
  29. +9 -0  Draft/Network Security Monitoring & Logging.md
  30. +16 -1  Draft/Open Source Intelligence.md
  31. +111 -98  Draft/Phishing.md
  32. +4 -1  Draft/Phyiscal Security.md
  33. +14 -2  Draft/Policy-Compliance.md
  34. +581 -918  Draft/Privilege Escalation & Post-Exploitation.md
  35. +234 -421  Draft/Programming - Languages Libs Courses References.md
  36. +287 -326  Draft/Red-Teaming.md
  37. +420 -740  Draft/Reverse Engineering.md
  38. +75 -151  Draft/SCADA.md
  39. +65 -116  Draft/Social Engineering.md
  40. +231 -361  Draft/System Internals Windows and Linux Internals Reference.md
  41. +25 -40  Draft/UX Design - Because we all know how sexy pgp is.md
  42. +669 -662  Draft/Web & Browsers.md
  43. +246 -388  Draft/Wireless Networks & RF.md
  44. +1 -1  Draft/help.md
  45. +1 -0  Draft/readme.md
  46. +610 -259  Draft/things-added.md
  47. +8 -58  README.md

+130 -206  Draft/AnonOpsecPrivacy.md

@ -19,23 +19,17 @@
#### Cull
[Technical analysis of client identification mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
[Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
#### end cull
--------------
### <a name="general"></a>General
[OS X Security and Privacy Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
[Mobile Phone Data lookup](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
* [OS X Security and Privacy Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)
* [Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
* [Mobile Phone Data lookup](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
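Review bot: the annotation line `* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world` is added at the same bullet level as the `* [Bugger - Adam Curtis](...)` entry it describes, so it renders as an independent list item rather than a note on that link; nest it one level under the link so the description stays attached to its entry (the same applies to the other description bullets this commit adds). The unchanged `#### Cull` block just above also still lists the same chromium.org URL twice under two titles (`Technical analysis of client identification mechanisms` and `Client Identification Mechanisms`); since this hunk is already reworking the section, keeping one of them would be a cheap cleanup.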
@ -49,67 +43,49 @@
--------------
### <a name="blog"></a>Blogposts
[De-Anonymizing Alt.Anonymous.Messages](https://ritter.vg/blog-deanonymizing_amm.html)
[Defeating and Detecting Browser Spoofing - Browserprint](https://browserprint.info/blog/defeatingSpoofing)
[Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
[Trawling Tor Hidden Service – Mapping the DHT](https://donncha.is/2013/05/trawling-tor-hidden-services/)
Blogposts
* [De-Anonymizing Alt.Anonymous.Messages](https://ritter.vg/blog-deanonymizing_amm.html)
* [Defeating and Detecting Browser Spoofing - Browserprint](https://browserprint.info/blog/defeatingSpoofing)
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* [Trawling Tor Hidden Service – Mapping the DHT](https://donncha.is/2013/05/trawling-tor-hidden-services/)
* [China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
* [Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
* [CIA Vault7 Development Tradecraft DOs and DON'Ts](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
* [Dutch-Russian cyber crime case reveals how police tap the internet - ElectroSpaces](http://electrospaces.blogspot.de/2017/06/dutch-russian-cyber-crime-case-reveals.html?m=1)
* [Deanonymizing Windows users and capturing Microsoft and VPN accounts](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
* [The Paranoid's Bible: An anti-dox effort.](https://paranoidsbible.tumblr.com/)
* [Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide)
* This is a step-by-step guide to configuring and managing a domain, remote server and hosted services, such as VPN, a private and obfuscated Tor bridge, and encrypted chat, using the Debian GNU/Linux operating system and other free software.
* [Reminder: Oh, Won't You Please Shut Up? - USA](https://www.popehat.com/2011/12/01/reminder-oh-wont-you-please-shut-up/)
[China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
[Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
[CIA Vault7 Development Tradecraft DOs and DON'Ts](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
[Dutch-Russian cyber crime case reveals how police tap the internet - ElectroSpaces](http://electrospaces.blogspot.de/2017/06/dutch-russian-cyber-crime-case-reveals.html?m=1)
[Deanonymizing Windows users and capturing Microsoft and VPN accounts](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
[The Paranoid's Bible: An anti-dox effort.](https://paranoidsbible.tumblr.com/)
[Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide)
* This is a step-by-step guide to configuring and managing a domain, remote server and hosted services, such as VPN, a private and obfuscated Tor bridge, and encrypted chat, using the Debian GNU/Linux operating system and other free software.
[Reminder: Oh, Won't You Please Shut Up? - USA](https://www.popehat.com/2011/12/01/reminder-oh-wont-you-please-shut-up/)
--------------
### <a name="Articles">Articles</a>
[De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)
[Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)
[Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)
[How to Spot a SpoCTok](https://cryptome.org/dirty-work/spot-spook.htm)
[China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
[Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
[Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
[Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing)](https://github.com/NullHypothesis/exitmap/issues/37)
[Managing Pseudonyms with Compartmentalization: Identity Management of Personas](https://www.alienvault.com/blogs/security-essentials/managing-pseudonyms-with-compartmentalization-identity-management-of-personas)
* [De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)
* [Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)
* [Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)
* [How to Spot a SpoCTok](https://cryptome.org/dirty-work/spot-spook.htm)
* [China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
* [Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* [Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
* [Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing)](https://github.com/NullHypothesis/exitmap/issues/37)
* [Managing Pseudonyms with Compartmentalization: Identity Management of Personas](https://www.alienvault.com/blogs/security-essentials/managing-pseudonyms-with-compartmentalization-identity-management-of-personas)
* [Data release: list of websites that have third-party “session replay” scripts ](https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html)
* [No boundaries: Exfiltration of personal data by session-replay scripts](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)
--------------
### <a name="howtos"How-Tos</a>
[How to stop Firefox from making automatic connections](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections)
* [How to stop Firefox from making automatic connections](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections)
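Review bot: the bare line `Blogposts` added directly under the `### <a name="blog"></a>Blogposts` heading has no `###` and no anchor, so it will render as a stray paragraph that repeats the heading; it looks like a leftover from the bullet conversion and should be dropped. Two entries added in the Blogposts list, `China travel laptop setup` and `Operational Security and the Real World - The Grugq`, are also added verbatim to the Articles list in the same hunk, so the file now carries each link twice; keep each in one section. The mricon.com URL is added with its tracking query string intact (`?t=1&cn=...&iid=...&uid=...&nid=...`), which identifies the referring feed and subscriber; for a reading list on anonymity and opsec the bare path is the better thing to publish. Finally, the unchanged context line `### <a name="howtos"How-Tos</a>` is missing the `>` that closes the opening `<a ...>` tag, so both the anchor and the heading text are broken; `### <a name="howtos"></a>How-Tos` matches the other headings in this file.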
@ -120,62 +96,43 @@
--------------
### <a name="Papers">Papers</a>
[Protocol Misidentification Made Easy with Format-Transforming Encryption](https://eprint.iacr.org/2012/494.pdf)
* Deep packet inspection DPI technologies provide much- needed visibility and control of network traffic using port- independent protocol identification, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption FTE, which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China.
['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
[Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring** - Defcon22](https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1)
* Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny. Format-Transforming Encryption FTE can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
* [Slides](https://www.portalmasq.com/portal-defcon.pdf)
[The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
[You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
[Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
[HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
[Decoy Routing: Toward Unblockable Internet Communication](https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf)
* We present decoy routing, a mechanism capable of cir- cumventing common network filtering strategies. Unlike other circumvention techniques, decoy routing does not require a client to connect to a specific IP address (which is easily blocked) in order to provide circumvention. We show that if it is possible for a client to connect to any unblocked host/service, then decoy routing could be used to connect them to a blocked destination without coop- eration from the host. This is accomplished by placing the circumvention service in the network itself – where a single device could proxy traffic between a significant fraction of hosts – instead of at the edge.
[obfs4 (The obfourscator)](https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Unlike obfs3, obfs4 attempts to provide authentication and data integrity, though it is still designed primarily around providing a layer of obfuscation for an existing authenticated protocol like SSH or TLS.
[obfs3 (The Threebfuscator)](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Like obfs2, it does not provide authentication or data integrity. It does not hide data lengths. It is more suitable for providing a layer of obfuscation for an existing authenticated protocol, like SSH or TLS.
[StegoTorus: A Camouflage Proxy for the Tor Anonymity System](https://research.owlfolio.org/pubs/2012-stegotorus.pdf)
* Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet contents, Tor’s traffic is steganographed to resemble an innocuous cover protocol, such as HTTP. To foil analysis at the transport level, the Tor circuit is distributed over many shorter-lived connections with per-packet characteristics that mimic cover-protocol traffic. Our evaluation demonstrates that StegoTorus improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
[SkypeMorph: Protocol Obfuscation for Tor Bridges](https://www.cypherpunks.ca/~iang/pubs/skypemorph-ccs.pdf)
* The Tor network is designed to provide users with low- latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the communications between them and nodes in their network. We propose a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Inter- net. We investigate using Skype video calls as our target protocol and our goal is to make it difficult for the censor- ing adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical compar- isons. We have implemented our model as a proof-of-concept pluggable transport for Tor, which is available under an open-source licence. Using this implementation we observed the obfuscated bridge communications and compared it with those of Skype calls and presented the results.
[Protocol Misidentification Made Easy with Format-Transforming Encryption](https://kpdyer.com/publications/ccs2013-fte.pdf)
* Deep packet inspection (DPI) technologies provide much needed visibility and control of network traffic using port- independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic prim- itive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demon- strate that it evades real-world censorship by the Great Fire- wall of China
[Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability](http://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf)
* Many users face surveillance of their Internet communications and a significant fraction suffer from outright blocking of certain destinations. Anonymous communication systems allow users to conceal the destinations they communicate with, but do not hide the fact that the users are using them. The mere use of such systems may invite suspicion, or access to them may be blocked. We therefore propose Cirripede, a system that can be used for unobservable communication with Internet destinations. Cirripede is designed to be deployed by ISPs; it intercepts connections from clients to innocent-looking desti- nations and redirects them to the true destination requested by the client. The communication is encoded in a way that is indistinguishable from normal communications to anyone without the master secret key, while public-key cryptogra- phy is used to eliminate the need for any secret information that must be shared with Cirripede users. Cirripede is designed to work scalably with routers that handle large volumes of traffic while imposing minimal over- head on ISPs and not disrupting existing traffic. This allows Cirripede proxies to be strategically deployed at central lo- cations, making access to Cirripede very difficult to block. We built a proof-of-concept implementation of Cirripede and performed a testbed evaluation of its performance proper- ties
[TapDance: End-to-Middle Anticensorship without Flow Blocking](https://jhalderm.com/pub/papers/tapdance-sec14.pdf)
* In response to increasingly sophisticated state-sponsored Internet censorship, recent work has proposed a new ap- proach to censorship resistance: end-to-middle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain end-to-middle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these require- ments. TapDance employs a novel TCP-level technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking com- ponent. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance proto- type that demonstrates how the system could function with minimal impact on an ISP’s network operations.
[Chipping Away at Censorship Firewalls with User-Generated Content](https://www.usenix.org/legacy/event/sec10/tech/full_papers/Burnett.pdf)
* Oppressive regimes and even democratic governments restrict Internet access. Existing anti-censorship systems often require users to connect through proxies, but these systems are relatively easy for a censor to discover and block. This paper offers a possible next step in the cen- sorship arms race: rather than relying on a single system or set of proxies to circumvent censorship firewalls, we explore whether the vast deployment of sites that host user-generated content can breach these firewalls. To explore this possibility, we have developed Collage, which allows users to exchange messages through hidden chan- nels in sites that host user-generated content. Collage has two components: a message vector layer for embedding content in cover traffic; and a rendezvous mechanism to allow parties to publish and retrieve messages in the cover traffic. Collage uses user-generated content (e.g. , photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks. Collage makes it difficult for a censor to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a mes- sage can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g. , Web articles, email). We show how Collage can be used to build two applications: a direct messaging application, and a Web content delivery sys- tem
[Unblocking the Internet: Social networks foil censors](http://kscope.news.cs.nyu.edu/pub/TR-2008-918.pdf)
* Many countries and administrative domains exploit control over their communication infrastructure to censor online content. This paper presents the design, im plementation and evaluation of Kaleidoscope , a peer-to-peer system of relays that enables users within a censored domain to access blocked content. The main challenge facing Kaleidoscope is to resist the cens or’s efforts to block the circumvention system itself. Kaleidoscope achieves blocking-resilienc e using restricted service discovery that allows each user to discover a small set of unblocked relays while only exposing a small fraction of relays to the censor. To restrict service discovery, Kaleidoscope leverages a trust network where links reflects real-world social relationships among users and uses a limited advertisement protocol based on random routes to disseminate relay addresses along the trust netwo rk; the number of nodes reached by a relay advertisement should ideally be inversely proportional to the maximum fraction of infiltration and is independent of the network size. To increase service availa bility in large networks with few exit relay nodes, Kaleidoscope forwards the actual data traffic across multiple relay hops without risking exposure of exit relays. Using detailed analysis and simulations, we show that Kalei doscope provides > 90% service availability even under substantial infiltration (close to 0.5% of edges) and when only 30% of the relay nodes are online. We have implemented and deployed our system on a small scale serving over 100,000 requests to 40 censored users (relatively small user base to realize Kaleidoscope’s anti-blocking guarantees) spread across different countries and administrative domains over a 6-month period
[A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* [Protocol Misidentification Made Easy with Format-Transforming Encryption](https://eprint.iacr.org/2012/494.pdf)
* Deep packet inspection DPI technologies provide much- needed visibility and control of network traffic using port- independent protocol identification, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption FTE, which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China.
* ['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
* [Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring** - Defcon22](https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1)
* Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny. Format-Transforming Encryption FTE can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
* [Slides](https://www.portalmasq.com/portal-defcon.pdf)
* [The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
* [You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
* [Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
* [HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
* [Decoy Routing: Toward Unblockable Internet Communication](https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf)
* We present decoy routing, a mechanism capable of cir- cumventing common network filtering strategies. Unlike other circumvention techniques, decoy routing does not require a client to connect to a specific IP address (which is easily blocked) in order to provide circumvention. We show that if it is possible for a client to connect to any unblocked host/service, then decoy routing could be used to connect them to a blocked destination without coop- eration from the host. This is accomplished by placing the circumvention service in the network itself – where a single device could proxy traffic between a significant fraction of hosts – instead of at the edge.
* [obfs4 (The obfourscator)](https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Unlike obfs3, obfs4 attempts to provide authentication and data integrity, though it is still designed primarily around providing a layer of obfuscation for an existing authenticated protocol like SSH or TLS.
* [obfs3 (The Threebfuscator)](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Like obfs2, it does not provide authentication or data integrity. It does not hide data lengths. It is more suitable for providing a layer of obfuscation for an existing authenticated protocol, like SSH or TLS.
* [StegoTorus: A Camouflage Proxy for the Tor Anonymity System](https://research.owlfolio.org/pubs/2012-stegotorus.pdf)
* Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet contents, Tor’s traffic is steganographed to resemble an innocuous cover protocol, such as HTTP. To foil analysis at the transport level, the Tor circuit is distributed over many shorter-lived connections with per-packet characteristics that mimic cover-protocol traffic. Our evaluation demonstrates that StegoTorus improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
* [SkypeMorph: Protocol Obfuscation for Tor Bridges](https://www.cypherpunks.ca/~iang/pubs/skypemorph-ccs.pdf)
* The Tor network is designed to provide users with low- latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the communications between them and nodes in their network. We propose a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Inter- net. We investigate using Skype video calls as our target protocol and our goal is to make it difficult for the censor- ing adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical compar- isons. We have implemented our model as a proof-of-concept pluggable transport for Tor, which is available under an open-source licence. Using this implementation we observed the obfuscated bridge communications and compared it with those of Skype calls and presented the results.
* [Protocol Misidentification Made Easy with Format-Transforming Encryption](https://kpdyer.com/publications/ccs2013-fte.pdf)
* Deep packet inspection (DPI) technologies provide much needed visibility and control of network traffic using port- independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic prim- itive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demon- strate that it evades real-world censorship by the Great Fire- wall of China
* [Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability](http://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf)
* Many users face surveillance of their Internet communications and a significant fraction suffer from outright blocking of certain destinations. Anonymous communication systems allow users to conceal the destinations they communicate with, but do not hide the fact that the users are using them. The mere use of such systems may invite suspicion, or access to them may be blocked. We therefore propose Cirripede, a system that can be used for unobservable communication with Internet destinations. Cirripede is designed to be deployed by ISPs; it intercepts connections from clients to innocent-looking desti- nations and redirects them to the true destination requested by the client. The communication is encoded in a way that is indistinguishable from normal communications to anyone without the master secret key, while public-key cryptogra- phy is used to eliminate the need for any secret information that must be shared with Cirripede users. Cirripede is designed to work scalably with routers that handle large volumes of traffic while imposing minimal over- head on ISPs and not disrupting existing traffic. This allows Cirripede proxies to be strategically deployed at central lo- cations, making access to Cirripede very difficult to block. We built a proof-of-concept implementation of Cirripede and performed a testbed evaluation of its performance proper- ties
* [TapDance: End-to-Middle Anticensorship without Flow Blocking](https://jhalderm.com/pub/papers/tapdance-sec14.pdf)
* In response to increasingly sophisticated state-sponsored Internet censorship, recent work has proposed a new ap- proach to censorship resistance: end-to-middle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain end-to-middle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these require- ments. TapDance employs a novel TCP-level technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking com- ponent. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance proto- type that demonstrates how the system could function with minimal impact on an ISP’s network operations.
* [Chipping Away at Censorship Firewalls with User-Generated Content](https://www.usenix.org/legacy/event/sec10/tech/full_papers/Burnett.pdf)
* Oppressive regimes and even democratic governments restrict Internet access. Existing anti-censorship systems often require users to connect through proxies, but these systems are relatively easy for a censor to discover and block. This paper offers a possible next step in the cen- sorship arms race: rather than relying on a single system or set of proxies to circumvent censorship firewalls, we explore whether the vast deployment of sites that host user-generated content can breach these firewalls. To explore this possibility, we have developed Collage, which allows users to exchange messages through hidden chan- nels in sites that host user-generated content. Collage has two components: a message vector layer for embedding content in cover traffic; and a rendezvous mechanism to allow parties to publish and retrieve messages in the cover traffic. Collage uses user-generated content (e.g. , photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks. Collage makes it difficult for a censor to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a mes- sage can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g. , Web articles, email). We show how Collage can be used to build two applications: a direct messaging application, and a Web content delivery sys- tem
* [Unblocking the Internet: Social networks foil censors](http://kscope.news.cs.nyu.edu/pub/TR-2008-918.pdf)
* Many countries and administrative domains exploit control over their communication infrastructure to censor online content. This paper presents the design, im plementation and evaluation of Kaleidoscope , a peer-to-peer system of relays that enables users within a censored domain to access blocked content. The main challenge facing Kaleidoscope is to resist the cens or’s efforts to block the circumvention system itself. Kaleidoscope achieves blocking-resilienc e using restricted service discovery that allows each user to discover a small set of unblocked relays while only exposing a small fraction of relays to the censor. To restrict service discovery, Kaleidoscope leverages a trust network where links reflects real-world social relationships among users and uses a limited advertisement protocol based on random routes to disseminate relay addresses along the trust netwo rk; the number of nodes reached by a relay advertisement should ideally be inversely proportional to the maximum fraction of infiltration and is independent of the network size. To increase service availa bility in large networks with few exit relay nodes, Kaleidoscope forwards the actual data traffic across multiple relay hops without risking exposure of exit relays. Using detailed analysis and simulations, we show that Kalei doscope provides > 90% service availability even under substantial infiltration (close to 0.5% of edges) and when only 30% of the relay nodes are online. We have implemented and deployed our system on a small scale serving over 100,000 requests to 40 censored users (relatively small user base to realize Kaleidoscope’s anti-blocking guarantees) spread across different countries and administrative domains over a 6-month period
* [A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* * [Discovering Browser Extensions via Web Accessible Resources - Chalmers security lab](http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf)
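Review bot: the last added line of this hunk, `* * [Discovering Browser Extensions via Web Accessible Resources - Chalmers security lab](...)`, has a doubled bullet marker, so the rendered list item will begin with a literal `*`; drop one so it reads `* [Discovering Browser Extensions via Web Accessible Resources - Chalmers security lab](...)`. In the same block, the link titles `Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring** - Defcon22` and `The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014` carry an unpaired `**` that should be removed so the titles render cleanly. The browser-extension fingerprinting paper is also an odd fit at the tail of a list of circumvention and traffic-obfuscation papers; it would sit better beside the other fingerprinting references in the Talks section.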
@ -191,55 +148,33 @@
--------------
### <a name="Talks">Talks & Videos(& Presentations)</a>
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
[Because Jail is for WUFTPD - Legendary talk, a must watch.](https://www.youtube.com/watch?v=9XaYdCdwiWU)
[The Gruqgs blog](http://grugq.tumblr.com/)
[COMSEC: Beyond encryption](https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf)
[DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
[Detecting and Defending Against a Surveillance State - DEFCON 22 - Robert Rowley](https://www.youtube.com/watch?v=d5jqV06Yijw)
[Detecting and Defending Against a Surveillance State - Robert Rowley - DEF CON 22](https://www.youtube.com/watch?v=d5jqV06Yijw)
[The NSA: Capabilities and Countermeasures - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
[Blinding The Surveillance State - Christopher Soghoian - DEF CON 22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
[Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
[Can you track me now? - Defcon20](https://wEww.youtube.com/watch?v=DxIF66Tcino)
[Phones and Privacy for Consumers - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer)](http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html)
[Retail Surveillance / Retail Countersurveillance 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
[OPSEC Concerns in Using Crypto](https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto)
[De-Anonymizing Alt.Anonymous. Messages - Defcon21 - Tom Ritter](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
[PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](https://www.youtube.com/watch?v=keA3WcKwZwA)
[What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
[Wifi Tracking: Collecting the (probe) Breadcrumbs - David Switzer](https://www.youtube.com/watch?v=HzQHWUM8cNo)
* Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus, to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment where they may notice — when getting them at their favorite burger joint is much easier. In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live, their daily habits, and discuss uses (some nice, some not so nice) for this information. We’ll also dicuss how to make yourself a little less easy to track using these methods. Stingrays are price prohibitive, but for just tracking people’s movements.. this is cheap and easy.
[How Tor Users Got Caught - Defcon 22](https://www.youtube.com/watch?v=7G1LjQSYM5Q)
* [Part 2](https://www.youtube.com/watch?v=TQ2bk9kMneI)
* [Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* [Because Jail is for WUFTPD - Legendary talk, a must watch.](https://www.youtube.com/watch?v=9XaYdCdwiWU)
* [The Gruqgs blog](http://grugq.tumblr.com/)
* [COMSEC: Beyond encryption](https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf)
* [DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
* [Detecting and Defending Against a Surveillance State - DEFCON 22 - Robert Rowley](https://www.youtube.com/watch?v=d5jqV06Yijw)
* [Detecting and Defending Against a Surveillance State - Robert Rowley - DEF CON 22](https://www.youtube.com/watch?v=d5jqV06Yijw)
* [The NSA: Capabilities and Countermeasures - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* [Blinding The Surveillance State - Christopher Soghoian - DEF CON 22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
* [Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
* [Can you track me now? - Defcon20](https://wEww.youtube.com/watch?v=DxIF66Tcino)
* [Phones and Privacy for Consumers - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer)](http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html)
* [Retail Surveillance / Retail Countersurveillance 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
* [OPSEC Concerns in Using Crypto](https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto)
* [De-Anonymizing Alt.Anonymous. Messages - Defcon21 - Tom Ritter](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
* [PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](https://www.youtube.com/watch?v=keA3WcKwZwA)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* [Wifi Tracking: Collecting the (probe) Breadcrumbs - David Switzer](https://www.youtube.com/watch?v=HzQHWUM8cNo)
* Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus, to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment where they may notice — when getting them at their favorite burger joint is much easier. In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live, their daily habits, and discuss uses (some nice, some not so nice) for this information. We’ll also dicuss how to make yourself a little less easy to track using these methods. Stingrays are price prohibitive, but for just tracking people’s movements.. this is cheap and easy.
* [How Tor Users Got Caught - Defcon 22](https://www.youtube.com/watch?v=7G1LjQSYM5Q)
* [Part 2](https://www.youtube.com/watch?v=TQ2bk9kMneI)
* [Article - How Tor Users Got Caught by Government Agencies](http://se.azinstall.net/2015/11/how-tor-users-got-caught.html)
[You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements - ACLU](https://www.aclu.org/other/you-are-being-tracked-how-license-plate-readers-are-being-used-record-americans-movements?redirect=technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record)
[David Goulet - Deep Dive Into Tor Onion Services](https://www.youtube.com/watch?v=AkoyCLAXVsc)
[Winning and Quitting the Privacy Game What it REALLY takes to have True Privacy in the 21st Century - Derbycon 7](https://www.youtube.com/watch?v=bxQSu06yuZc)
* [You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements - ACLU](https://www.aclu.org/other/you-are-being-tracked-how-license-plate-readers-are-being-used-record-americans-movements?redirect=technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record)
* [Deep Dive Into Tor Onion Services - David Goulet](https://www.youtube.com/watch?v=AkoyCLAXVsc)
* [Winning and Quitting the Privacy Game What it REALLY takes to have True Privacy in the 21st Century - Derbycon 7](https://www.youtube.com/watch?v=bxQSu06yuZc)
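Review bot: the bulleted Talks list added in this hunk carries over defects from the lines it replaces instead of fixing them. The `Can you track me now? - Defcon20` entry points at the host `wEww.youtube.com`, which will not resolve; the `Phones and Privacy for Consumers` entry has two URLs run together (`...-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html`), and the ritter.vg link appears to belong with the `De-Anonymizing Alt.Anonymous. Messages - Defcon21 - Tom Ritter` entry a few lines below; `Detecting and Defending Against a Surveillance State` is listed twice with the same URL, and `The NSA: Capabilities and Countermeasures - ShmooCon 2014` duplicates the entry (with abstract) in the preceding section. Suggest fixing the host, splitting the URLs, dropping the duplicates, and correcting `dicuss` in the Wifi Tracking abstract while the lines are being rewritten.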
@ -255,45 +190,34 @@
--------------
### <a name="Tools">Tools</a>
[FakeNameGenerator](http://www.fakenamegenerator.com/)
[MAT: Metadata Anonymisation Toolkit](https://mat.boum.org/)
* MAT is a toolbox composed of a GUI application, a CLI application and a library.
[fteproxy](https://fteproxy.org/about)
* fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems
[Streisand](https://github.com/jlund/streisand)
* Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
[exitmap](https://github.com/NullHypothesis/exitmap)
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
[OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
[howmanypeoplearearound](https://github.com/schollz/howmanypeoplearearound)
* Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡
[Decentraleyes](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/)
* Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
[Decentraleyes - Github](https://github.com/Synzvato/decentraleyes)
* A web browser extension that emulates Content Delivery Networks to improve your online privacy. It intercepts traffic, finds supported resources locally, and injects them into the environment. All of this happens automatically, so no prior configuration is required.
[Destroy-Windows-10-Spying](https://github.com/Nummer/Destroy-Windows-10-Spying)
* Destroy Windows Spying tool
[meek](https://github.com/Yawning/meek)
* meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order to avoid talking directly to a Tor bridge. HTTPS encryption hides fingerprintable byte patterns in Tor traffic.sek
* [FakeNameGenerator](http://www.fakenamegenerator.com/)
* [MAT: Metadata Anonymisation Toolkit](https://mat.boum.org/)
* MAT is a toolbox composed of a GUI application, a CLI application and a library.
* [fteproxy](https://fteproxy.org/about)
* fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems
* [Streisand](https://github.com/jlund/streisand)
* Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
* [exitmap](https://github.com/NullHypothesis/exitmap)
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
* [OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
* [howmanypeoplearearound](https://github.com/schollz/howmanypeoplearearound)
* Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡
* [Decentraleyes](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/)
* Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
* [Decentraleyes - Github](https://github.com/Synzvato/decentraleyes)
* A web browser extension that emulates Content Delivery Networks to improve your online privacy. It intercepts traffic, finds supported resources locally, and injects them into the environment. All of this happens automatically, so no prior configuration is required.
* [Destroy-Windows-10-Spying](https://github.com/Nummer/Destroy-Windows-10-Spying)
* Destroy Windows Spying tool
* [meek](https://github.com/Yawning/meek)
* meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order to avoid talking directly to a Tor bridge. HTTPS encryption hides fingerprintable byte patterns in Tor traffic.sek
* [HTTPLeaks](https://github.com/cure53/HTTPLeaks)
* HTTPLeaks - All possible ways, a website can leak HTTP requests
--------------
### <a name="misc"></a>Misc
[.NET Github: .NET core should not SPY on users by default #3093](https://github.com/dotnet/cli/issues/3093)
[.NET Github: Revisit Telemetry configuration #6086 ](https://github.com/dotnet/cli/issues/6086)
* [.NET Github: .NET core should not SPY on users by default #3093](https://github.com/dotnet/cli/issues/3093)
* [.NET Github: Revisit Telemetry configuration #6086 ](https://github.com/dotnet/cli/issues/6086)
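Review bot: the `meek` description in the added Tools list still ends with the stray characters `Tor traffic.sek`, copied from the line it replaces; trim it to `Tor traffic.` The two adjacent `Decentraleyes` entries (add-on page and GitHub) describe the same extension and could be merged into one entry with both links, and the `fteproxy` description is missing its final period.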

+ 100
- 160
Draft/BIOS UEFI Attacks Defenses.md View File

@ -20,110 +20,82 @@ TOC
#### Sort
http://www.stoned-vienna.com/
#### End Sort
----------------
### What is This Stuff?
[Official UEFI Site - Specs](http://www.uefi.org/specsandtesttools)
[UEFI - OSDev Wiki](http://wiki.osdev.org/UEFI)
[Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
#### End Sort
[Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
[Introduction to UEFI](http://x86asm.net/articles/introduction-to-uefi/)
[What is Intel Mangement Engine?](http://me.bios.io/ME:About)
----------------
### What is This Stuff?
* [Official UEFI Site - Specs](http://www.uefi.org/specsandtesttools)
* [UEFI - OSDev Wiki](http://wiki.osdev.org/UEFI)
* [Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
* [Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
* [Introduction to UEFI](http://x86asm.net/articles/introduction-to-uefi/)
* [What is Intel Mangement Engine?](http://me.bios.io/ME:About)
-----------------
### <a name="general">General</a>
[Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
[Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
[Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[LEGBACORE Research/Publicatoins](http://www.legbacore.com/Research.html)
[Dr Sergei Skorobogatov - Researcher in hardware based attacks, good stuff](https://www.cl.cam.ac.uk/~sps32/)
[Disabling Intel ME 11 via undocumented mode - ptsecurity](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)
* [Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
* [Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* [Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
* [Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
* [LEGBACORE Research/Publicatoins](http://www.legbacore.com/Research.html)
* [Dr Sergei Skorobogatov - Researcher in hardware based attacks, good stuff](https://www.cl.cam.ac.uk/~sps32/)
* [Disabling Intel ME 11 via undocumented mode - ptsecurity](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)
* [Advanced Threat Research - Intel](http://www.intelsecurity.com/advanced-threat-research/index.html)
-----------------
## <a name="exploit"></a>Exploitation
[CHIPSEC module that exploits UEFI boot script table vulnerability](https://github.com/Cr4sh/UEFI_boot_script_expl)
* [CHIPSEC module that exploits UEFI boot script table vulnerability](https://github.com/Cr4sh/UEFI_boot_script_expl)
[System Management Mode Hack Using SMM for "Other Purposes](http://phrack.org/issues/65/7.html))
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
[A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
[Exploiting UEFI boot script table vulnerability](http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html)
[Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska](https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
[Attacking UEFI Boot Script](https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf)
* Abstract—UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[20 Ways Past Secure Boot - Job de Haas - Troopers14](https://www.youtube.com/watch?v=74SzIe9qiM8)
[Building reliable SMM backdoor for UEFI based platforms](http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html)
[ThinkPwn](https://github.com/Cr4sh/ThinkPwn)
* Lenovo ThinkPad System Management Mode arbitrary code execution exploit
[From SMM to userland in a few bytes](https://scumjr.github.io/2016/01/10/from-smm-to-userland-in-a-few-bytes/)
[Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1](https://blog.coresecurity.com/2016/05/10/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-1/)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
* [A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
* [Exploiting UEFI boot script table vulnerability](http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html)
* [Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska](https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
* [Attacking UEFI Boot Script](https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf)
* Abstract—UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.
* [Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
* [20 Ways Past Secure Boot - Job de Haas - Troopers14](https://www.youtube.com/watch?v=74SzIe9qiM8)
* [Building reliable SMM backdoor for UEFI based platforms](http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html)
* [ThinkPwn](https://github.com/Cr4sh/ThinkPwn)
* Lenovo ThinkPad System Management Mode arbitrary code execution exploit
* [From SMM to userland in a few bytes](https://scumjr.github.io/2016/01/10/from-smm-to-userland-in-a-few-bytes/)
* [Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1](https://blog.coresecurity.com/2016/05/10/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-1/)
------------------------
### <a name="firmware"></a>Firmware Analysis
[An Introduction to Firmware Analysis[30c3]** - This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation. | https://www.youtube.com/watch?v=kvfP7StmFxY
[Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
[Binwalk](https://github.com/devttys0/binwalk)
* Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
[SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics](http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html)
[hw0lat_detector](http://ftp.dei.uc.pt/pub/linux/kernel/people/jcm/hwlat_detector/hwlat-detector-1.0.0.patch)
* A system hardware latency detector -Linux Kernel Module** - This patch introduces a new hardware latency detector module that can be used to detect high hardware-induced latencies within the system. It was originally written for use in the RT kernel, but has wider applications.
* [An Introduction to Firmware Analysis[30c3](https://www.youtube.com/watch?v=kvfP7StmFxY)
* This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.
* [Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
* [Binwalk](https://github.com/devttys0/binwalk)
* Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
* [SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics](http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html)
* [hw0lat_detector](http://ftp.dei.uc.pt/pub/linux/kernel/people/jcm/hwlat_detector/hwlat-detector-1.0.0.patch)
* A system hardware latency detector Linux Kernel Module. This patch introduces a new hardware latency detector module that can be used to detect high hardware-induced latencies within the system. It was originally written for use in the RT kernel, but has wider applications.
Reverse Engineering Router Firmware walk through
* [Part 1](http://www.secforce.com/blog/2014/04/reverse-engineer-router-firmware-part-1/)
* [Part 2](http://www.secforce.com/blog/2014/07/reverse-engineer-router-firmware-part-2/)
[Debug Methodology Under UEFI](http://www.uefi.org/sites/default/files/resources/UEFI_Plugfest_2011Q4_P8_PHX.pdf)
[Reverse Engineering UEFI Firmware](https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/)
[Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
[Debug SPI BIOS after Power Up Sequence](https://software.intel.com/en-us/articles/debug-spi-bios-after-power-up-sequence)
[me-tools](https://github.com/skochinsky/me-tools)
* Tools for working with Intel ME
* Reverse Engineering Router Firmware Writeup - secforce
* [Part 1](http://www.secforce.com/blog/2014/04/reverse-engineer-router-firmware-part-1/)
* [Part 2](http://www.secforce.com/blog/2014/07/reverse-engineer-router-firmware-part-2/)
* [Debug Methodology Under UEFI](http://www.uefi.org/sites/default/files/resources/UEFI_Plugfest_2011Q4_P8_PHX.pdf)
* [Reverse Engineering UEFI Firmware](https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/)
* [Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
* [Debug SPI BIOS after Power Up Sequence](https://software.intel.com/en-us/articles/debug-spi-bios-after-power-up-sequence)
* [me-tools](https://github.com/skochinsky/me-tools)
* Tools for working with Intel ME
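Review bot: the rewritten Exploitation list leaves an orphaned description: the sub-bullet `* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers...` that now sits directly after `* [CHIPSEC module that exploits UEFI boot script table vulnerability]` has no parent link, because the Phrack 65/7 `[System Management Mode Hack Using SMM for "Other Purposes]` entry it hung under was dropped in this change, and that text was in any case a duplicate of the Phrack 66/11 Wecherowski abstract two lines below it. Either drop the orphan or restore the Phrack 65/7 link with a description of its own. Smaller points in the same hunk: `* [An Introduction to Firmware Analysis[30c3](https://www.youtube.com/watch?v=kvfP7StmFxY)` has an unclosed inner `[` and will not render as a link (something like `[An Introduction to Firmware Analysis - 30c3](...)` would); `[Technical Overview of Windows UEFI Startup Process]` and `[Windows UEFI startup – A technical overview]` point at the same saferbytes URL, so one of them can go; `Publicatoins` is a typo, and `hw0lat_detector` should be `hwlat_detector` to match the patch name in its URL; the `Part 1` / `Part 2` bullets under `Reverse Engineering Router Firmware Writeup - secforce` should be indented as sub-items so the walkthrough reads as one entry.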
@ -135,9 +107,7 @@ Reverse Engineering Router Firmware walk through
----------------------
### <a name="programming"></a>Programming
[UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
* [UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
@ -147,100 +117,70 @@ Reverse Engineering Router Firmware walk through
-----------------
### <a name="talks"></a>Talks & Presentations
[BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013](https://www.youtube.com/watch?v=NbYZ4UCN9GY)
[Hacking Measured Boot and UEFI - Defcon20](https://www.youtube.com/watch?v=oiqcog1sk2E)
* There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.
[Hardware Backdooring is Practical -Jonathan Brossard](https://www.youtube.com/watch?v=umBruM-wFUw)
[Attacking “secure” chips](https://www.youtube.com/watch?v=w7PT0nrK2BE)
[Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
[Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg](https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)
[The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
* Writeup on compromise of UEFI on apple hardware.
[Bootkit Threats: In Depth Reverse Engineering & Defense- Eugene Rodionov&Aleksandr Matrosov](https://www.eset.com/fileadmin/Images/US/Docs/Business/presentations/conference_papers/REcon2012.pdf)
[Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer](https://media.ccc.de/browse/congress/2014/31c3_-_6129_-_en_-_saal_2_-_201412282030_-_attacks_on_uefi_security_inspired_by_darth_venamis_s_misery_and_speed_racer_-_rafal_wojtczuk_-_corey_kallenberg.html#video)
* On modern Intel based computers there exists two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.
[Attacking and Defending BIOS in 2015](http://www.intelsecurity.com/advanced-threat-research/content/AttackingAndDefendingBIOS-RECon2015.pdf)
[CansecWest2016 Getting Physical: Extreme Abuse of Intel Based Paging Systems](https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems)
[Stoned Bootkit - BH USA09](https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf)
[Attacking Intel BIOS - BHUSA09](https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf)
[#root via SMS: 4G access level security assessment](https://conference.hitb.org/hitbsecconf2015ams/materials/D1T1%20-%20T.%20Yunusov%20K.%20Nesterov%20-%20Bootkit%20via%20SMS.pdf)
[Using Intel TXT to Attack BIOSes](https://vimeo.com/117156508)
* [BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013](https://www.youtube.com/watch?v=NbYZ4UCN9GY)
* [Hacking Measured Boot and UEFI - Defcon20](https://www.youtube.com/watch?v=oiqcog1sk2E)
* There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.
* [Hardware Backdooring is Practical -Jonathan Brossard](https://www.youtube.com/watch?v=umBruM-wFUw)
* [Attacking “secure” chips](https://www.youtube.com/watch?v=w7PT0nrK2BE)
* [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
* [Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
* [Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg](https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)
* [The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
* Writeup on compromise of UEFI on apple hardware.
* [Bootkit Threats: In Depth Reverse Engineering & Defense- Eugene Rodionov&Aleksandr Matrosov](https://www.eset.com/fileadmin/Images/US/Docs/Business/presentations/conference_papers/REcon2012.pdf)
* [Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer](https://media.ccc.de/browse/congress/2014/31c3_-_6129_-_en_-_saal_2_-_201412282030_-_attacks_on_uefi_security_inspired_by_darth_venamis_s_misery_and_speed_racer_-_rafal_wojtczuk_-_corey_kallenberg.html#video)
* On modern Intel based computers there exists two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.
* [Attacking and Defending BIOS in 2015](http://www.intelsecurity.com/advanced-threat-research/content/AttackingAndDefendingBIOS-RECon2015.pdf)
* [CansecWest2016 Getting Physical: Extreme Abuse of Intel Based Paging Systems](https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems)
* [Stoned Bootkit - BH USA09](https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf)
* [Attacking Intel BIOS - BHUSA09](https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf)
* [#root via SMS: 4G access level security assessment](https://conference.hitb.org/hitbsecconf2015ams/materials/D1T1%20-%20T.%20Yunusov%20K.%20Nesterov%20-%20Bootkit%20via%20SMS.pdf)
* [Using Intel TXT to Attack BIOSes](https://vimeo.com/117156508)
* [Detecting BadBIOS, Evil Maids, Bootkits and Other Firmware Malware - Paul English and Lee Fisher](https://archive.org/details/seagl-2017)
* For attackers, platform firmware is the new Software. Most systems include hundreds of firmwares - UEFI or BIOS, PCIe expansion ROMs, USB controller drivers, storage controller host and disk/SSD drivers. Firmware-level hosted malware, bare-metal or virtualized, is nearly invisible to normal security detection tools, has full control of your system, and can often continue running even when the system is "powered off". Security Firms (eg, "Hacking Team" sell UEFI 0days to the highest bidder), and government agencies include firmware-level malware (eg, Wikileak'ed Vault7 CIA EFI malware). Defenders need to catch-up, and learn to defend their systems against firmware-level malware. In this presentation, we'll cover the NIST SP (147,147b,155,193) secure firmware guidance, for citizens, rather than vendors/enterprises. We'll discuss the problem of firmware-level malware, and cover some open source tools (FlashROM, CHIPSEC, etc.) to help detect malware on your system. We'll be discussing a new open source tool we've just released to help make it easier for you to do this check. You'll also get a nice paper tri-fold copy of our CHIPSEC Quick Reference for Sysadmins [note: we're all sysadmins for our own personal systems(!)], and some scary looking BadBIOS stickers for your laptop.
--------------------
### <a name="tools"></a>Tools
[WindSLIC SLIC injectors](https://github.com/untermensch/WindSLIC)
* includes UEFI, NTFS, bootmgr SLIC injectors and installers.
[UEFI Firmware Parser](https://github.com/theopolis/uefi-firmware-parser)
* The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.
[Firmware Modifcation kit](https://code.google.com/p/firmware-mod-kit/)
* This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.
[Debug Agent Based UEFI Debugging](https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug)
* The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports
[ida-uefiutils](https://github.com/snare/ida-efiutils/)
* Some scripts for IDA Pro to assist with reverse engineering EFI binaries
[VisualUEFI](https://github.com/ionescu007/VisualUefi)
* A project for allowing EDK-II Development with Visual Studio
[UDKToolbox](https://github.com/smwikipedia/UDKToolbox)
* An toolbox to help adopt Visual Studio for UEFI development.
[Hyper-V backdoor for UEFI](https://gist.github.com/Cr4sh/55a54e7f3c113316efd2d66457df68dd)
[UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
* [WindSLIC SLIC injectors](https://github.com/untermensch/WindSLIC)
* includes UEFI, NTFS, bootmgr SLIC injectors and installers.
* [UEFI Firmware Parser](https://github.com/theopolis/uefi-firmware-parser)
* The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.
* [Firmware Modifcation kit](https://code.google.com/p/firmware-mod-kit/)
* This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.
* [Debug Agent Based UEFI Debugging](https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug)
* The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports
* [ida-uefiutils](https://github.com/snare/ida-efiutils/)
* Some scripts for IDA Pro to assist with reverse engineering EFI binaries
* [VisualUEFI](https://github.com/ionescu007/VisualUefi)
* A project for allowing EDK-II Development with Visual Studio
* [UDKToolbox](https://github.com/smwikipedia/UDKToolbox)
* An toolbox to help adopt Visual Studio for UEFI development.
* [Hyper-V backdoor for UEFI](https://gist.github.com/Cr4sh/55a54e7f3c113316efd2d66457df68dd)
* [UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
-----------------------
### <a name="papers"></a>Papers & Writeups
[Security Evaluation of Intel's Active Management Technology](http://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf)
[Easily create UEFI applications using Visual Studio 2013](http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html)
[SMM Rootkits:A New Breed of OS Independent Malware](http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf)
* The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.
[How to develop your own Boot Loader](https://www.codeproject.com/Articles/36907/How-to-develop-your-own-Boot-Loader)
[Disabling Intel ME 11 via undocumented mode - ptsecurity](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)
* [Security Evaluation of Intel's Active Management Technology](http://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf)
* [Easily create UEFI applications using Visual Studio 2013](http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html]
* [SMM Rootkits:A New Breed of OS Independent Malware](http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf)
* The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.
* [How to develop your own Boot Loader](https://www.codeproject.com/Articles/36907/How-to-develop-your-own-Boot-Loader)
* [Disabling Intel ME 11 via undocumented mode - ptsecurity](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)
-------------
### <a name="other"></a>Other
[Notes on Intel Microcode Updates](http://hireme.geek.nz/Intel_x86_NSA_Microcode_Updates.pdf)
[BIOS Mods - mydigitallife](https://forums.mydigitallife.net/forums/bios-mods.25/)
[MDL Projects and Applications](https://forums.mydigitallife.net/forums/mdl-projects-and-applications.34/)
[Advice for writing a Bootloader? - reddit](https://www.reddit.com/r/lowlevel/comments/30toah/advices_for_a_bootloader/)
* [Notes on Intel Microcode Updates](http://hireme.geek.nz/Intel_x86_NSA_Microcode_Updates.pdf)
* [BIOS Mods - mydigitallife](https://forums.mydigitallife.net/forums/bios-mods.25/)
* [MDL Projects and Applications](https://forums.mydigitallife.net/forums/mdl-projects-and-applications.34/)
* [Advice for writing a Bootloader? - reddit](https://www.reddit.com/r/lowlevel/comments/30toah/advices_for_a_bootloader/)
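Review bot: the Papers & Writeups hunk breaks a link that was fine before the change: `* [Easily create UEFI applications using Visual Studio 2013](http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html]` closes the URL with `]` instead of `)`, so it will render as literal text; the removed line had the correct `)`. In the same hunk, `* [Disabling Intel ME 11 via undocumented mode - ptsecurity]` is now listed both in the general reference list earlier in the file and under Papers & Writeups, so keep one copy. Typos and spacing worth fixing while the lists are being rewritten anyway: `Attackin the TPM part 2`, `Firmware Modifcation kit`, `the the debug methodology used bey the`, `An toolbox`, and the missing spaces in `Rafal Wojtczuk&Corey Kallenberg` and `Defense- Eugene Rodionov&Aleksandr Matrosov`; the `ida-uefiutils` entry should probably carry the repository's actual name, `ida-efiutils`, as in its URL. The new `[Detecting BadBIOS, Evil Maids, Bootkits and Other Firmware Malware]` SeaGL entry is the only substantive addition here and looks fine.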

+ 34
- 91
Draft/Building A Pentest Lab.md View File

@ -11,53 +11,43 @@
-----
### <a name="general"></a>General
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
[Pentest Environment Deployer](https://github.com/Sliim/pentest-env)
* This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
[DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire)
* [Slides](https://github.com/TryCatchHCF/DumpsterFire/raw/master/CactusCon_2017_Presentation/DumpsterFire_CactusCon_2017_Slides.pdf)
* The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
* [Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
* [Pentest Environment Deployer](https://github.com/Sliim/pentest-env)
* This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
* [DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire)
* [Slides](https://github.com/TryCatchHCF/DumpsterFire/raw/master/CactusCon_2017_Presentation/DumpsterFire_CactusCon_2017_Slides.pdf)
* The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
-----
### Resources for VMs
[Internet Explorer Windows XP and Vista Virtual Machines](https://github.com/mikescott/ie-virtual-machines/blob/master/README.md)
* [Internet Explorer Windows XP and Vista Virtual Machines](https://github.com/mikescott/ie-virtual-machines/blob/master/README.md)
-----
### <a name="vm"></a>VMs Designed to be Attacked
[Vulnhub](https://www.Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
[iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution
[List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
[The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/)
* I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
* [Vulnhub](https://www.Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
* [iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution
* [List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
* [The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/)
* I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
-----
### Installing Active Directory
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
* [Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
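Review bot: the re-bulleted AD DS line keeps the typo "Powerhsell" from the line it replaces; since the line is being rewritten anyway, make it `* [Install AD DS using PowerShell](...)`. The same applies to the re-bulleted Vulnhub description above, where "I believe there is around 100 or so different VMs" should read "there are around 100".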
@ -66,67 +56,20 @@
-----
### <a name="building"></a>Guides to setting up a Pen test lab:
[Home Lab with pfSense & VMware Workstation - sysadmin perspective](http://itpro.outsidesys.com/2015/02/19/home-lab-with-pfsense-workstation/)
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
[Setting Up a Pentest/Hacking Lab with Hyper-V](http://cyberthreathunt.com/2017/04/01/setting-up-a-pentest-lab-with-hyper-v/)
[Windows Server 2016: Build a Windows Domain Lab at Home for Free](https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download)
* Microsoft Technet tutorial
[Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html)
[Building A Lab on AWS - 0x1 SethSec](https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html)
[Building an Effective Active Directory Lab Environment for Testing](https://adsecurity.org/?p=2653)
[Hack Yourself: Building a Test Lab - David Boyd](https://www.youtube.com/watch?v=rgdX-hn0xXU)
[Hack-Yourself: Building a pentesting lab for fun & profit](https://www.slideshare.net/DavidBoydCISSP/hack-yourself-building-a-pentesting-lab-for-fun-and-profit)
[Setting up a Windows Lab Environment](http://thehackerplaybook.com/Windows_Domain.htm)
[Setting Up A Penetration Testing Lab - Rapid7](https://kb.help.rapid7.com/docs/setting-up-a-penetration-testing-lab)
[Building a Pentest Lab - stan.gr](http://www.stan.gr/2013/03/building-pentest-lab.html)
[SANS Webcast: Building Your Own Super Duper Home Lab](https://www.youtube.com/watch?v=uzqwoufhwyk&app=desktop)
### Personal rant on how to build one
So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at for local machine VM usage, for dedicated hardware, proxmox, esxi, and Xen can all be solutions.
That being said, skip virtualbox. Get VMware ESXi if you have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.
Acquiring a copy of Virtualbox/Workstation is also easy. Virtualbox is free and Workstation has 30 day trials.
So, assuming you now have a virtualization platform, whether through a dedicated machine or simply from your lap/desktop, you probably want some machines on it.
```
I recommend the following boxes:
Windows Server 2003
Windows XP
Windows Vista
Windows 7
Windows Server 2008r2
Windows Server 2012r2
Windows 8
Windows 10
Windows Server 2016
for
Centos 6.5
Debian 8
Ubuntu 14.04
Ubuntu 16.04
```
That gives you a fair amount of variation in environments as well as allowing you to create specific environments you might see. I list the three most common Distros and all windows going back to XP since, Windows is everywhere.
i
The Linux distros can be downloaded from their respective sites, and Trials exist for the windows images.
To download applications, simply visit oldapps.com to download the respective version you wish to attempt vulnerabilities on.
* [Home Lab with pfSense & VMware Workstation - sysadmin perspective](http://itpro.outsidesys.com/2015/02/19/home-lab-with-pfsense-workstation/)
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
* [Setting Up a Pentest/Hacking Lab with Hyper-V](http://cyberthreathunt.com/2017/04/01/setting-up-a-pentest-lab-with-hyper-v/)
* [Windows Server 2016: Build a Windows Domain Lab at Home for Free](https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download)
* Microsoft Technet tutorial
* [Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html)
* [Building A Lab on AWS - 0x1 SethSec](https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html)
* [Building an Effective Active Directory Lab Environment for Testing](https://adsecurity.org/?p=2653)
* [Hack Yourself: Building a Test Lab - David Boyd](https://www.youtube.com/watch?v=rgdX-hn0xXU)
* [Hack-Yourself: Building a pentesting lab for fun & profit](https://www.slideshare.net/DavidBoydCISSP/hack-yourself-building-a-pentesting-lab-for-fun-and-profit)
* [Setting up a Windows Lab Environment](http://thehackerplaybook.com/Windows_Domain.htm)
* [Setting Up A Penetration Testing Lab - Rapid7](https://kb.help.rapid7.com/docs/setting-up-a-penetration-testing-lab)
* [Building a Pentest Lab - stan.gr](http://www.stan.gr/2013/03/building-pentest-lab.html)
* [SANS Webcast: Building Your Own Super Duper Home Lab](https://www.youtube.com/watch?v=uzqwoufhwyk&app=desktop)
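Review bot: the hunk header (-66,67 +56,20) shrinks this region from 67 lines to 20, and the "Personal rant on how to build one" subsection (the fenced list of recommended Windows/Linux boxes, the stray "i" line and the oldapps.com note) has no bulleted counterpart below it, so it appears to be dropped rather than reformatted. If dropping it is intended, the commit message should say so, as it is the only original prose in this file; if it should stay, clean up the stray "i" line, the bare "for" line inside the fence (a separator with its label missing?), and "todays" / "its at" ("today's" / "it's at") while reflowing it.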

+ 59
- 84
Draft/CTFs_Wargames.md

@ -12,13 +12,11 @@
#### Cull
[CTF Scripts and PyInstaller (.py > .exe) ](http://www.primalsecurity.net/ctf-scripts-and-pyinstaller-py-exe/)
[Greenhorn](https://github.com/trailofbits/greenhorn)
* Greenhorn is a Windows Pwnable released during CSAW Quals 2014. It's meant to be an introduction to modern Windows binary exploitation.
hackthebox
sec-gen
pentestit
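Review bot: the three bare names in the Cull block ("hackthebox", "sec-gen", "pentestit") have no link or description, and two of them are already covered in this file's visible hunks: HacktheBox.eu is linked under Challenge Sites and SecGen under Making Your Own CTF. Drop those two from the cull list and either link pentestit or leave it as the only remaining cull item.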
@ -32,6 +30,7 @@ root-me
#### end cull
-----
### <a name="general">General</a>
[ctf-time](https://ctftime.org/)
@ -54,34 +53,29 @@ root-me
-----
### <a name="wargames">Wargames</a>
[Ringzer0 team CTF](http://ringzer0team.com/)
Description: RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills thru hacking challenge. Register and get a flag for every challenges.
[pwn0 Wargame](https://pwn0.com/)
* “pwn0 is a network where (almost) anything goes. Just sign up, connect to the VPN, and start hacking. pwn0 on freenode “
[Microcorruption](https://microcorruption.com/login)
* Awesome wargame.
[OverTheWire Wargames](http://overthewire.org/wargames/)
* OverTheWire provides several wargames publicly/freely available. All very good quality. Highly recommended.
[Smash the Stack Wargames](http://smashthestack.org/)
* Smash the stack hosts several public wargames of very good quality for free use. Highly recommended.
Making/Hosting your own CTF
[CTFd](https://github.com/isislab/CTFd)
* CTFd is a CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
[iCTF Framwork](https://github.com/ucsb-seclab/ictf-framework)
* This is the framework that the UC Santa Barbara Seclab uses to host the iCTF, and that can be used to create your own CTFs at http://ictf.cs.ucsb.edu/framework. The framework creates several VMs: one for the organizers and one for every team.
* [Ringzer0 team CTF](http://ringzer0team.com/)
* Description: RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills thru hacking challenge. Register and get a flag for every challenges.
* [pwn0 Wargame](https://pwn0.com/)
* “pwn0 is a network where (almost) anything goes. Just sign up, connect to the VPN, and start hacking. pwn0 on freenode “
* [Microcorruption](https://microcorruption.com/login)
* Awesome wargame.
* [OverTheWire Wargames](http://overthewire.org/wargames/)
* OverTheWire provides several wargames publicly/freely available. All very good quality. Highly recommended.
* [Smash the Stack Wargames](http://smashthestack.org/)
* Smash the stack hosts several public wargames of very good quality for free use. Highly recommended.
-----
### Making/Hosting your own CTF
* [CTFd](https://github.com/isislab/CTFd)
* CTFd is a CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
* [iCTF Framwork](https://github.com/ucsb-seclab/ictf-framework)
* This is the framework that the UC Santa Barbara Seclab uses to host the iCTF, and that can be used to create your own CTFs at http://ictf.cs.ucsb.edu/framework. The framework creates several VMs: one for the organizers and one for every team.
-----
### <a name="vulnvm">Vulnerable Virtual Machines</a>
[Vulnhub](https://www.Vulnhub.com)
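Review bot: the new "### Making/Hosting your own CTF" heading duplicates the existing "### Making Your Own CTF" section further down this file (AppJailLauncher, NightShade, Mellivora, SecGen); merge CTFd and the iCTF framework into that section instead of adding a second heading for the same topic. The re-bulleted line also keeps the typo "iCTF Framwork"; make it "iCTF Framework".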
@ -93,68 +87,49 @@ Making/Hosting your own CTF
[VulnInjector](https://github.com/g0tmi1k/VulnInjector)
* Generates a 'vulnerable' machine using the end users own setup files & product keys.
-----
### <a name="challenge">Challenge Sites</a>
Wechall
* An amazing site. Tracks, lists, scores, various challenge sites. If you’re looking for a challenge or two, and not a wargame, this is the site you want to hit up first.
[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* A wiki that contains various xss challenges.
[Halls of Valhalla](http://halls-of-valhalla.org/beta/challenges)
[EnigmaGroup](http://www.enigmagroup.org/)
[cmdchallenge](https://github.com/jarv/cmdchallenge)
* This repo holds the challenges for cmdchallenge.com
* command-line challenges - can add your own/modify existing challenges
[Canyouhackit](http://canyouhack.it/)
* Can You Hack It is a Hacking Challenge site designed to not only allow you to test and improve your skills in a wide variety of categories but to socialise both on the forums and on our IRC channel with other security enthusiasts.
[Tasteless](http://chall.tasteless.se/)
[Hack This](https://www.hackthis.co.uk/)
[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* [List without spoilers:](https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups)
* [HacktheBox.eu](https://www.hackthebox.eu/)
* [Wechall](http://wechall.net/)
* An amazing site. Tracks, lists, scores, various challenge sites. If you’re looking for a challenge or two, and not a wargame, this is the site you want to hit up first.
* [XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* A wiki that contains various xss challenges.
* [Halls of Valhalla](http://halls-of-valhalla.org/beta/challenges)
* [EnigmaGroup](http://www.enigmagroup.org/)
* [cmdchallenge](https://github.com/jarv/cmdchallenge)
* This repo holds the challenges for cmdchallenge.co - command-line challenges - can add your own/modify existing challenges
* [Canyouhackit](http://canyouhack.it/)
* Can You Hack It is a Hacking Challenge site designed to not only allow you to test and improve your skills in a wide variety of categories but to socialise both on the forums and on our IRC channel with other security enthusiasts.
* [Tasteless](http://chall.tasteless.se/)
* [Hack This](https://www.hackthis.co.uk/)
* [XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* [List without spoilers:](https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups)
-----
### <a name="puzzle">One-off Challenges and Puzzles</a>
[Forensics Contest](http://forensicscontest.com/)
[List of themed Hacker challenges](http://counterhack.net/Counter_Hack/Challenges.html)
[Sans Community Forensics Challenges](https://www.digital-forensics.sans.org/community/challenges)
* [Forensics Contest](http://forensicscontest.com/)
* [List of themed Hacker challenges](http://counterhack.net/Counter_Hack/Challenges.html)
* [Sans Community Forensics Challenges](https://www.digital-forensics.sans.org/community/challenges)
-----
### Tools handy for CTFs
[pngcheck](http://www.libpng.org/pub/png/apps/pngcheck.html)
* pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.
* [pngcheck](http://www.libpng.org/pub/png/apps/pngcheck.html)
* pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.
-----
### <a name="make"></a>Making Your Own CTF
[AppJailLauncher](https://github.com/trailofbits/AppJailLauncher)
* CTF Challenge Framework for Windows 8 and above
[NightShade](https://github.com/UnrealAkama/NightShade)
* NightShade is a simple security capture the flag framework that is designed to make running your own contest as easy as possible.
[Mellivora](https://github.com/Nakiami/mellivora)
* Mellivora is a CTF engine written in PHP
[SecGen](https://github.com/SecGen/SecGen)
* SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques.
* [AppJailLauncher](https://github.com/trailofbits/AppJailLauncher)
* CTF Challenge Framework for Windows 8 and above
* [NightShade](https://github.com/UnrealAkama/NightShade)
* NightShade is a simple security capture the flag framework that is designed to make running your own contest as easy as possible.
* [Mellivora](https://github.com/Nakiami/mellivora)
* Mellivora is a CTF engine written in PHP
* [SecGen](https://github.com/SecGen/SecGen)
* SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques.
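Review bot: XSS Challenge Wiki appears twice in the re-bulleted Challenge Sites list (once with the "A wiki that contains various xss challenges" description, once with the "List without spoilers" sub-bullet), reproducing the duplicate from the old lines instead of collapsing it; keep a single entry carrying both the description and the spoiler-free sub-link. The merged cmdchallenge line also drops a letter from the domain: "cmdchallenge.co" where the old line had "cmdchallenge.com".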

+ 1
- 1
Draft/Cheat sheets reference pages Checklists -.md

@ -24,7 +24,7 @@
#### CULL
[SiLK Toolsuite Quick Reference Guide](https://tools.netsa.cert.org/silk/silk-quickref.pdf)
* [MS "reg" commandreference](http://www.computerhope.com/reg.htm)
http://www.amanhardikar.com/mindmaps.html
http://www.amanhardikar.com/mindmaps/Practice.html
#### end cull
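Review bot: "commandreference" in the MS "reg" entry is missing a space ("command reference"), and the two amanhardikar.com URLs are bare, with no markdown link text or description unlike every other entry in the file; give them link text or leave them in the cull block until they are categorised.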


+ 18
- 27
Draft/Conferences.md

@ -3,45 +3,36 @@
-----
### General
[You and Your Research - Haroon Meer](https://www.youtube.com/watch?v=JoVx_-bM8Tg)
* What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.
[A talk about (info-sec) talks - Haroon Meer ](https://www.youtube.com/watch?v=BlVjdUkrSFY)
* Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?
[List of Conferences](https://infosec-conferences.com/)
* [You and Your Research - Haroon Meer](https://www.youtube.com/watch?v=JoVx_-bM8Tg)
* What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.
* [A talk about (info-sec) talks - Haroon Meer ](https://www.youtube.com/watch?v=BlVjdUkrSFY)
* Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?
* [List of Conferences](https://infosec-conferences.com/)
-----
### Archives of Talks
* [IronGeek - Chances are he has it archived here](https://www.irongeek.com/)
* [31st Chaos Communication Congress Archive](http://cdn.media.ccc.de/congress/31C3/)
* [Shmoocon 2015 Videos](https://archive.org/details/shmoocon-2015-videos-playlist)
* [Defcon Media Archive](https://media.defcon.org/)
* [Archive of security conference videos](http://wipkip.nikhef.nl/events/)
* [Trooper Conference - 2015](https://www.youtube.com/channel/UCPY5aUREHmbDO4PtR6AYLfQ)
* [Derbycon 2017 Videos](https://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)
[IronGeek - Chances are he has it archived here](https://www.irongeek.com/)
[31st Chaos Communication Congress Archive](http://cdn.media.ccc.de/congress/31C3/)
[Shmoocon 2015 Videos](https://archive.org/details/shmoocon-2015-videos-playlist)
[Defcon Media Archive](https://media.defcon.org/)
[Archive of security conference videos](http://wipkip.nikhef.nl/events/)
[Trooper Conference - 2015](https://www.youtube.com/channel/UCPY5aUREHmbDO4PtR6AYLfQ)
[Derbycon 2017 Videos](https://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)
-----
### Conferences/Events
-----
### Slides/PDFs
[CanSecWest Vancouver 2015 Slides](https://cansecwest.com/csw15archive.html)
[SyScan2015 Slides](https://www.syscan.org/index.php/download)
* [CanSecWest Vancouver 2015 Slides](https://cansecwest.com/csw15archive.html)
* [SyScan2015 Slides](https://www.syscan.org/index.php/download)
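Review bot: the "### Conferences/Events" heading has nothing between it and the next separator, so the reformat leaves an empty section; either populate it or remove the heading. The link text for "A talk about (info-sec) talks - Haroon Meer " also carries its trailing space inside the brackets into the new bullet.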


+ 19
- 28
Draft/Counter_Surveillance.md

@ -14,45 +14,36 @@ I am not a professional and may be a twelve year old child. Be wary.
### Cull
-----
### <a name="guides">Guides/Write-ups</a>
* Detecting Surveillance - Spiderlabs blog
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
* [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
* [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
* [A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)
Detecting Surveillance - Spiderlabs blog
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
* [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
* [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
[A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)
-----
### <a name="videos">Videos</a>
[F*ck These Guys: Practical Countersurveillance Lisa Lorenzin - BsidesSF15](http://www.irongeek.com/i.php?page=videos/bsidessf2015/201-fck-these-guys-practical-countersurveillance-lisa-lorenzin)
* We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
[Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
[DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
[CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
* [Slides](http://phenoelit.org/stuff/CSLI.pdf)
* [F*ck These Guys: Practical Countersurveillance Lisa Lorenzin - BsidesSF15](http://www.irongeek.com/i.php?page=videos/bsidessf2015/201-fck-these-guys-practical-countersurveillance-lisa-lorenzin)
* We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
* [Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
* [DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
* [CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
* [Slides](http://phenoelit.org/stuff/CSLI.pdf)
-----
### <a name="papers">Papers</a>
[Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
* [Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
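Review bot: the "### Cull" heading at the top of this hunk is an empty section with nothing between it and the separator; remove it or move the uncategorised links there. Also, "from asecurity perspective" in the re-bulleted paper abstract should be "from a security perspective".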


+ 75
- 115
Draft/Courses_Training.md

@ -29,50 +29,36 @@ BVWA
#### End Cull
-----
## Heads Up
These classes are all focused on computer/information security. If you're looking for online courses to learn material other than the mentioned, check out "coursera.com", Standford's online classes or MIT's online courses.
[Coursera](https://www.coursera.org/)
[MIT OpenCourseware](https://ocw.mit.edu/courses/)
[Standford](http://online.stanford.edu/courses)
[Udemy](https://www.udemy.com/courses/)
* [Coursera](https://www.coursera.org/)
* [MIT OpenCourseware](https://ocw.mit.edu/courses/)
* [Standford](http://online.stanford.edu/courses)
* [Udemy](https://www.udemy.com/courses/)
-----
### <a name="repo"></a>General Sources/Repository of Classes
[Hackr.io](http://hackr.io/)
* Share and discover the best programming tutorials and courses online.
[Open Security Training](https://www.opensecuritytraining.info)
[Class Central](https://www.class-central.com/)
* Search engine for MooCs
* [Hackr.io](http://hackr.io/)
* Share and discover the best programming tutorials and courses online.
* [Open Security Training](https://www.opensecuritytraining.info
* [Class Central](https://www.class-central.com/)
* Search engine for MooCs
### <a name="general"></a>General Classes
[Learning How to Learn](https://www.coursera.org/learn/learning-how-to-learn)
* Free Coursera Course
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks”) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
[SEEDLabs](http://www.cis.syr.edu/~wedu/seed/all_labs.html)
* People learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a "seemly-benign" mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing.
[Teach Yourself Computer Science](https://teachyourselfcs.com/)
[Technical Development Guide - Google](https://www.google.com/about/careers/students/guide-to-technical-development.html)
[OSS University - Computer Science](https://github.com/open-source-society/computer-science)
* Path to a free self-taught education in Computer Science!
* [Learning How to Learn](https://www.coursera.org/learn/learning-how-to-learn)
* Free Coursera Course
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks”) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
* [ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
* [SEEDLabs](http://www.cis.syr.edu/~wedu/seed/all_labs.html)
* People learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a "seemly-benign" mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing.
* [Teach Yourself Computer Science](https://teachyourselfcs.com/)
* [Technical Development Guide - Google](https://www.google.com/about/careers/students/guide-to-technical-development.html)
* [OSS University - Computer Science](https://github.com/open-source-society/computer-science)
* Path to a free self-taught education in Computer Science!
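Review bot: the new bullet `* [Open Security Training](https://www.opensecuritytraining.info` is missing its closing parenthesis, so the link will not render, whereas the old line had it. While in this hunk, "Standford" (in the Heads Up sentence and both the old and new bullet) should be "Stanford", and the Heads Up text says "coursera.com" while the link points at coursera.org.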
@ -89,12 +75,10 @@ These classes are all focused on computer/information security. If you're lookin
-----
### <a name="ir"></a>Incident Response/Forensics/NSM Training
[Android Forensics & Security Testing - OpenSecurityTraining.info](http://opensecuritytraining.info/AndroidForensics.html)
[CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
* [Android Forensics & Security Testing - OpenSecurityTraining.info](http://opensecuritytraining.info/AndroidForensics.html)
* [CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
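Review bot: CS 259D Data Mining for Cyber Security is listed here under Incident Response/Forensics/NSM Training and again under the Data Science section added later in this same file; keep a single entry (Data Science fits the course title better) or cross-reference it, otherwise readers hit the same link twice. Converting both entries from bare links to `* ` bullets is fine and consistent with the other sections.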
@ -103,120 +87,96 @@ These classes are all focused on computer/information security. If you're lookin
-----
### <a name="pt"></a>Penetration Testing
[Pentester Lab](https://www.pentesterlab.com/)
* PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities.
[FSU Offensive Security 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)
* Florida State University Offensive Security 2014 Class materials
[FSU Offensive Security 2013](http://www.cs.fsu.edu/~redwood/OffensiveSecurity/)
* Florida State University Offensive Security 2013 Class materials
[HackSplaining](https://www.hacksplaining.com/faq)
* Security training aimed towards developers. Free.
* [Pentester Lab](https://www.pentesterlab.com/)
* PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities.
* [FSU Offensive Security 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)
* Florida State University Offensive Security 2014 Class materials
* [FSU Offensive Security 2013](http://www.cs.fsu.edu/~redwood/OffensiveSecurity/)
* Florida State University Offensive Security 2013 Class materials
* [HackSplaining](https://www.hacksplaining.com/faq)
* Security training aimed towards developers. Free.
-----
### <a name="prog"></a>Programming Classes/Courses
[asm - 0xAX](https://github.com/0xAX/asm)
* Learning assembly for linux-x64
[Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration](http://opensecuritytraining.info/IntroX86.html)
* This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.
[Win32 ASM tutorials - Iczelion](http://win32assembly.programminghorizon.com/tutorials.html)
* [asm - 0xAX](https://github.com/0xAX/asm)
* Learning assembly for linux-x64
* [Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration](http://opensecuritytraining.info/IntroX86.html)
* This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.
* [Win32 ASM tutorials - Iczelion](http://win32assembly.programminghorizon.com/tutorials.html)
-----
### <a name="re"></a>Reverse Engineering
[Binary Auditing Training - Thorsten Schneider](http://www.binary-auditing.com/)
* The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[mammon_'s tales to his grandson - Reverse Engineering](https://mammon.github.io/tales/)
[Software Modeling and Verification - Static Analysis](http://www-i2.informatik.rwth-aachen.de/i2/spa12/)
[The Life of Binaries](http://opensecuritytraining.info/LifeOfBinaries.html)
* [Binary Auditing Training - Thorsten Schneider](http://www.binary-auditing.com/)
* The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!
* [exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
* [mammon_'s tales to his grandson - Reverse Engineering](https://mammon.github.io/tales/)
* [Software Modeling and Verification - Static Analysis](http://www-i2.informatik.rwth-aachen.de/i2/spa12/)
* [The Life of Binaries](http://opensecuritytraining.info/LifeOfBinaries.html)
```
* Topics include but are not limited to:
* Scanning and tokenizing source code.
* Parsing a grammar.
* Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
* Linking object files together to create a well-formed binary.
* Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
* How an OS loads a binary into memory and links it on the fly before executing it.
*Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
[Introduction to Reverse Engineering Software - Dartmouth](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
* How an OS loads a binary into memory and links it on the fly before executing it.
* Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
```
* [Introduction to Reverse Engineering Software - Dartmouth](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
* [CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
-----
## <a name="exploit"></a>Exploit Development Training
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[BFH Exploiting & Defense Course - Dobin Rutishauser](https://blog.compass-security.com/2017/05/bfh-exploiting-defense-course/)
[Modern Binary Exploitation - CSCI 4968 - Spring '15](http://security.cs.rpi.edu/courses/binexp-spring2015/)
* The course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux based userland binary exploitation. It will then transitionin to protections found on modern systems(Canaries, DEP, ASLR, RELRO, FortifySource, etc) and the techniques used to defeat them.Time permitting, the course will also cover other subjects in exploitation including kernel land and Windows based exploitation.
[armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
* [exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
* [BFH Exploiting & Defense Course - Dobin Rutishauser](https://blog.compass-security.com/2017/05/bfh-exploiting-defense-course/)
* [Modern Binary Exploitation - CSCI 4968 - Spring '15](http://security.cs.rpi.edu/courses/binexp-spring2015/)
* The course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux based userland binary exploitation. It will then transitionin to protections found on modern systems(Canaries, DEP, ASLR, RELRO, FortifySource, etc) and the techniques used to defeat them.Time permitting, the course will also cover other subjects in exploitation including kernel land and Windows based exploitation.
* [armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
* [BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
-----
### <a name="uefi"></a>UEFI/BIOS Training
[firmware-security-training](https://github.com/advanced-threat-research/firmware-security-training)
* [firmware-security-training](https://github.com/advanced-threat-research/firmware-security-training)
### <a name="web"></a>Web Security Focused Training
[Google Gruyere - Web Application Exploits and Defenses ](http://google-gruyere.appspot.com/)
* [Google Gruyere - Web Application Exploits and Defenses ](http://google-gruyere.appspot.com/)
### <a name="data"></a>Data Science
[CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
* [CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
-----
## <a name="resource"></a>Resources for Instructors and Trainers
[How To Give A Digital Security Training](https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40)
[LevelUP](https://www.level-up.cc/)
* Resources for the global digital safety training community.
[Be a Better Trainer](https://www.level-up.cc/you-the-trainer/be-a-better-trainer/)
[Teaching Evil - Chris Niemira](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t200-teaching-evil-chris-niemira)
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
* [How To Give A Digital Security Training](https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40)
* [LevelUP](https://www.level-up.cc/)
* Resources for the global digital safety training community.
* [Be a Better Trainer](https://www.level-up.cc/you-the-trainer/be-a-better-trainer/)
* [Teaching Evil - Chris Niemira](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t200-teaching-evil-chris-niemira)
* [The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
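Review bot: in the Reverse Engineering section the description of The Life of Binaries is still wrapped in a ``` fence, so its `* Topics include...` lines render as literal text instead of the nested bullet list used for every other entry in this file; replace the fence with indented `* ` bullets. Further points in the same hunk: the Modern Binary Exploitation blurb keeps "transitionin to protections found on modern systems(Canaries" and "defeat them.Time permitting", which should read "transition into protections found on modern systems (Canaries" and "defeat them. Time permitting"; exrs is listed under both Reverse Engineering and Exploit Development Training, so one of the two should become a cross-reference; the UEFI/BIOS, Web Security and Data Science sections are missing the `-----` separators placed between the other sections; and the heading levels are mixed (`## Exploit Development Training` and `## Resources for Instructors and Trainers` against `###` everywhere else), which breaks the in-page ToC anchors' visual hierarchy.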


+ 13
- 17
Draft/CryptoCurrencies.md

@ -9,29 +9,25 @@ ToC
* [Talks & Presentations](#talks)
-----
### <a name="general"></a> General
* [cryptocurrency](https://github.com/kilimchoi/cryptocurrency)
* Overview of top cryptocurrencies
* [Blockchain Security research](https://gist.github.com/insp3ctre/403b8cb99eae2f52565874d8547fbc94)
* Open-source blockchain security research (contributions welcome!)
[cryptocurrency](https://github.com/kilimchoi/cryptocurrency)
* Overview of top cryptocurrencies
-----
### <a name="bitcoin"></a> Bitcoin
[Bitcointalk](https://bitcointalk.org/)
[/r/bitcoin](https://reddit.com/r/bitcoin)
* [Bitcointalk](https://bitcointalk.org/)
* [/r/bitcoin](https://reddit.com/r/bitcoin)
-----
### <a name="eth"></a>Ethereum
[The Ether Thief](https://www.bloomberg.com/features/2017-the-ether-thief/)
* [The Ether Thief](https://www.bloomberg.com/features/2017-the-ether-thief/)
-----
### <a name="talks"></a>Talks/Presentations
[Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
* [Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
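Review bot: the Deanonymisation of Clients in Bitcoin P2P Network abstract was pasted from the PDF with its "fi"/"ff" ligatures dropped, and the new bulleted line carries the damage over: "effcient", "rewalls", "cut-o" and "verifed" should read "efficient", "firewalls", "cut-off" and "verified". Also, this entry is an academic paper rather than a talk, so it would sit better under General or a Papers heading than under Talks/Presentations.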

+ 121
- 182
Draft/Cryptography & Encryption.md

@ -23,132 +23,93 @@ https://conversations.im/xeps/multi-end.html
### End Cull
-----
### <a name="general">General Information</a>
[Quick'n easy gpg cheatsheet](http://irtfweb.ifa.hawaii.edu/%7Elockhart/gpg/)
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
[Homomorphic encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)
[Differential Cryptanalysis for Dummies - Jon King](https://www.youtube.com/watch?v=xav-GUO_o4s&feature=youtu.be)
[Lifetimes of cryptographic hash functions](http://valerieaurora.org/hash.html)
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/amp/)
[SSL/TLS and PKI History ](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
* [Quick'n easy gpg cheatsheet](http://irtfweb.ifa.hawaii.edu/%7Elockhart/gpg/)
* [Website detailing various crypto laws around world](http://www.cryptolaw.org/)
* [Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
* [XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
* [Homomorphic encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)
* [Differential Cryptanalysis for Dummies - Jon King](https://www.youtube.com/watch?v=xav-GUO_o4s&feature=youtu.be)
* [Lifetimes of cryptographic hash functions](http://valerieaurora.org/hash.html)
* [Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/amp/)
* [SSL/TLS and PKI History ](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
* [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening)
* Best Current Practices regarding secure online communication and configuration of services using cryptography. https://bettercrypto.org
-----
### <a name="learn">Courses</a>:
Coursera Cryptography
[Matsano Crypto Challenges](https://www.Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
[A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
* Version 0.3 - posted Dec. 9, 2016
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[Hyper-encryption - Wikipedia](https://en.wikipedia.org/wiki/Hyper-encryption)
* [Coursera Cryptography]()
* [Matsano Crypto Challenges](https://www.Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
* [A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
* Version 0.3 - posted Dec. 9, 2016
* [Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
* [Hyper-encryption - Wikipedia](https://en.wikipedia.org/wiki/Hyper-encryption)
-----
### <a name="write">Writeups</a>
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[Widespread Weak Keys in Network Devices](https://factorable.net/)
[Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
[How to Implement Crypto Poorly - Sean Cassidy](https://github.com/cxxr/talks/blob/master/2016/grrcon/How%20to%20Implement%20Crypto%20Poorly.pdf)
[CBC Byte Flipping Attack—101 Approach](http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/)
[Demystifying the Signal Protocol for End-to-End Encryption (E2EE)](https://medium.com/@justinomora/demystifying-the-signal-protocol-for-end-to-end-encryption-e2ee-ad6a567e6cb4)
[A Formal Security Analysis of the Signal Messaging Protocol - Oct2016](https://eprint.iacr.org/2016/1013.pdf)
[Automated Padding Oracle Attacks with PadBuster](https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html)
[PadBuster v0.3 and the .NET Padding Oracle Attack](https://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html)
* [Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
* [An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
* [Widespread Weak Keys in Network Devices](https://factorable.net/)
* [Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
* [How to Implement Crypto Poorly - Sean Cassidy](https://github.com/cxxr/talks/blob/master/2016/grrcon/How%20to%20Implement%20Crypto%20Poorly.pdf)
* [CBC Byte Flipping Attack—101 Approach](http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/)
* [Demystifying the Signal Protocol for End-to-End Encryption (E2EE)](https://medium.com/@justinomora/demystifying-the-signal-protocol-for-end-to-end-encryption-e2ee-ad6a567e6cb4)
* [A Formal Security Analysis of the Signal Messaging Protocol - Oct2016](https://eprint.iacr.org/2016/1013.pdf)
* [Automated Padding Oracle Attacks with PadBuster](https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html)
* [PadBuster v0.3 and the .NET Padding Oracle Attack](https://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html)
-----
### <a name="blogs">Blogposts/Misc(doesnt explicitly fit in other sections)</a>
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/)
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
[Recovering BitLocker Keys on Windows 8.1 and 10](https://tribalchicken.io/recovering-bitlocker-keys-on-windows-8-1-and-10/)
[Crypto.is Blog](https://crypto.is/blog/)
* This blog series is intended to be a course on how remailers work, the theory behind them, and many of the choices that must be considered. Some of the topics we intended to dive deeply into in the future is how to have a directory of remailer nodes, how to handle messages that overflow the packet size, more details on Mixminion, as-yet-unimplemented Academic Papers (like Pynchon Gate and Sphinx), and more! Check out posts One, Two, Three, Four, and Five. The comments section should work, so please do leave comments if you have questions, insights, or corrections!
* [Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
* [Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
* [Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/)
* [cr.yp.to blog](http://blog.cr.yp.to/index.html)
* [Recovering BitLocker Keys on Windows 8.1 and 10](https://tribalchicken.io/recovering-bitlocker-keys-on-windows-8-1-and-10/)
* [Crypto.is Blog](https://crypto.is/blog/)
* This blog series is intended to be a course on how remailers work, the theory behind them, and many of the choices that must be considered. Some of the topics we intended to dive deeply into in the future is how to have a directory of remailer nodes, how to handle messages that overflow the packet size, more details on Mixminion, as-yet-unimplemented Academic Papers (like Pynchon Gate and Sphinx), and more! Check out posts One, Two, Three, Four, and Five. The comments section should work, so please do leave comments if you have questions, insights, or corrections!
-----
### <a name="presentation">Presentations/Talks</a>
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
[SHA2017 Conference Videos](https://www.youtube.com/channel/UCHmPMdU0O9P_W6I1hNyvBIQ/videos)
[Hunting For Vulnerabilities In Signal - Markus Vervier - HITB 2017 AMS](https://www.youtube.com/watch?v=2n9HmllVftA