From f57a5435430d952d1dc607bda26e3ceb28af65bc Mon Sep 17 00:00:00 2001 From: rmusser01 Date: Fri, 9 Aug 2019 18:29:14 -0700 Subject: [PATCH] Stuff _ --- Draft/ADA.md | 2 +- Draft/AnonOpSecPrivacy.md | 29 + Draft/Basic.md | 122 ++- Draft/Building_A_Lab.md | 24 +- Draft/CTFs_Wargames.md | 4 +- Draft/Career.md | 191 ++++- Draft/Cars.md | 4 +- Draft/Cheats.md | 6 +- Draft/Containers.md | 253 ++++++ Draft/Courses_Training.md | 2 + Draft/Crypto_Encrypt.md | 34 + Draft/DFIR.md | 32 +- Draft/DataVis.md | 6 + Draft/Defense.md | 153 +++- Draft/Docs_and_Reports.md | 46 +- Draft/Embedded.md | 24 + Draft/Exfiltration.md | 8 +- Draft/Exploit_Dev.md | 51 ++ Draft/Fuzzing.md | 23 + Draft/Games.md | 7 + Draft/Interesting_Things.md | 113 +-- Draft/L-SM-TH.md | 71 ++ Draft/Malware.md | 37 +- Draft/Network_Attacks.md | 238 +++++- Draft/Osint.md | 42 +- Draft/P_C.md | 82 -- Draft/Passwords.md | 25 + Draft/Phishing.md | 158 ++++ Draft/Physical_Security.md | 2 + Draft/Policy_Compliance.md | 89 ++ Draft/PrivescPostEx.md | 1042 +++++++++++++++++++++--- Draft/Programming_Language_Security.md | 72 ++ Draft/RE.md | 31 +- Draft/RT.md | 100 ++- Draft/Rootkits.md | 19 + Draft/SCA.md | 3 + Draft/SCADA.md | 4 +- Draft/SE.md | 3 +- Draft/UX.md | 16 + Draft/Web.md | 289 ++++++- Draft/Wireless.md | 47 +- Draft/bios_uefi.md | 20 + Draft/containers.md | 9 - Draft/honeypot.md | 7 +- Draft/sysinternals.md | 182 +++++ Draft/threatmodel.md | 24 + 46 files changed, 3367 insertions(+), 379 deletions(-) create mode 100644 Draft/Containers.md delete mode 100755 Draft/P_C.md delete mode 100644 Draft/containers.md diff --git a/Draft/ADA.md b/Draft/ADA.md index 24267ab..598f352 100755 --- a/Draft/ADA.md +++ b/Draft/ADA.md @@ -29,7 +29,7 @@ #### Sort * Redo formatting - +https://github.com/sensepost/kwetza diff --git a/Draft/AnonOpSecPrivacy.md b/Draft/AnonOpSecPrivacy.md index 22dcc67..8b4e010 100755 --- a/Draft/AnonOpSecPrivacy.md +++ b/Draft/AnonOpSecPrivacy.md 
@@ -32,9 +32,37 @@ + +https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/ +https://citizenlab.ca/2018/08/cant-picture-this-an-analysis-of-image-filtering-on-wechat-moments/ + +Remove hidden data and personal information by inspecting documents, presentations, or workbooks +https://support.office.com/en-us/article/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f + +https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/911-services/general/location-accuracy-indoor-benchmarks +https://www.wsj.com/articles/SB105546175751598400 +https://opaque.link/post/dropgang/ +https://github.com/ctrlaltdev/LMGTFY-queries + +* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman(BuzzFeed News)](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr) + +* [Opting Out Like A Boss - The OSINT Way (Part 1) - learnallthethings.net](https://www.learnallthethings.net/blog/2018/1/23/opting-out-like-a-boss-the-osint-way) +https://electricalstrategies.com/about/in-the-news/spies-in-the-xerox-machine/ +https://discover.cobbtechnologies.com/blog/the-soviet-union-and-the-photocopier + +https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/privacy/manage-windows-1809-endpoints.md + +* [Creating Your Own Citizen Database - Aiganysh Aidarbekova](https://www.bellingcat.com/resources/how-tos/2019/02/14/creating-your-own-citizen-database/) + + * [Manage connections from Windows operating system components to Microsoft services - docs.ms](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) * [Cookies – what does ‘good’ look like? 
- UK Information Comissioner's Office - Ali Shah](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/) https://www.freehaven.net/anonbib/ +http://computer-outlines.over-blog.com/article-windows-ipv6-privacy-addresses-118018020.html + +https://blog.superuser.com/2011/02/11/did-you-know-that-ipv6-may-include-your-mac-address-heres-how-to-stop-it/ + +https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales * [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers](https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf) @@ -42,6 +70,7 @@ https://www.freehaven.net/anonbib/ * [Project Feels: How USA Today, ESPN and The New York Times are targeting ads to mood - digiday](https://digiday.com/media/project-feels-usa-today-espn-new-york-times-targeting-ads-mood/) * [The New York Times Advertising & Marketing Solutions Group Introduces ‘nytDEMO’: A Cross-Functional Team Focused on Bringing Insights and Data Solutions to Brands(2018)](https://investors.nytco.com/press/press-releases/press-release-details/2018/The-New-York-Times-Advertising--Marketing-Solutions-Group-Introduces-nytDEMO-A-Cross-Functional-Team-Focused-on-Bringing-Insights-and-Data-Solutions-to-Brands/default.aspx) +* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr) * [Toward an Information Operations Kill Chain - Bruce Schneier](https://www.lawfareblog.com/toward-information-operations-kill-chain) diff --git a/Draft/Basic.md b/Draft/Basic.md index a77bea7..243e718 100755 --- a/Draft/Basic.md +++ b/Draft/Basic.md 
@@ -5,11 +5,72 @@ * [How to Suck at Information Security – A Cheat Sheet](https://zeltser.com/suck-at-security-cheat-sheet/) * [How not to Infosec - Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ) * +https://blog.usejournal.com/regular-expressions-a-complete-beginners-tutorial-c7327b9fd8eb?gi=8702ae6f23be + + +Cognitive Fallacies +Intro to statistics +intro to networking +Intro to X + + + +* [Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf) + +* [Designing Security for Billions - Facebook](https://newsroom.fb.com/news/2019/01/designing-security-for-billions/) +* [Passwords in a file - erratasec](https://blog.erratasec.com/2019/01/passwords-in-file.html) + +* [Keyboard shortcuts in Windows - support.ms](https://support.microsoft.com/en-us/help/12445/windows-keyboard-shortcuts) + +claude shannon + +* [MarkOfTheWeb: How a Forgetful Russian Agent Left a Trail of Breadcrumbs - Yonathan Klijnsma](https://www.riskiq.com/blog/labs/markoftheweb/) + +* [Normalization of deviance - Dan Luu](https://danluu.com/wat/) +* [One week of bugs - Dan Luu](http://danluu.com/everything-is-broken/) + +* [Apache and Let's Encrypt Best Practices for Security - aaronhorler.com](https://aaronhorler.com/articles/apache.html) + +* [Operation Luigi: How I hacked my friend without her noticing](https://www.youtube.com/watch?v=ZlNkIFipKZ4&feature=youtu.be) + * My friend gave me permission to "hack all her stuff" and this is my story. It's about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM. 
+ * [Blogpost](https://mango.pdf.zone/operation-luigi-how-i-hacked-my-friend-without-her-noticing) + +* [Welcome to Infosec (Choose your own Adventure) - primarytyler](https://docs.google.com/presentation/d/1_PjLGP28AH3HXbkwRkzGFeVPBmbBhp05mg7T6YofzRA/mobilepresent#slide=id.p) +* [Choose Your Own Red Team Adventure - Tim Malcomvetter](https://medium.com/@malcomvetter/choose-your-own-red-team-adventure-f87d6a3b0b76) + +http://super-memory.com/articles/20rules.htm +* [When to Test and How to Test It - Bruce Potter - Derbycon7](https://www.youtube.com/watch?v=Ej97WyEMRkI) + * “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity. 
+ + +https://www.fastcompany.com/3060820/every-ted-talk-ever-in-one-brutal-parody + +https://en.wikipedia.org/wiki/The_Power_of_the_Powerless +https://en.wikipedia.org/wiki/Eight-circuit_model_of_consciousness +* [No Silver Bullet - fmiljang.co.uk](http://www.fmjlang.co.uk/blog/NoSilverBullet.html) +* [The Asshole Filter - Siderea](https://siderea.livejournal.com/1230660.html) + + +https://www.businessballs.com/self-awareness/personality-theories-and-types-156/ +https://danluu.com/wat/ +https://danluu.com/everything-is-broken + +https://danluu.com/sounds-easy/ +http://www.catb.org/jargon/html/Z/Zero-One-Infinity-Rule.html + +* [Structured Text Tools](https://github.com/dbohdan/structured-text-tools) + * The following is a list of text-based file formats and command line tools for manipulating each. +https://github.com/nsacyber/WALKOFF +https://github.com/alcor/itty-bitty/ -### General Information +* [Bedford and the Normalization of Deviance - Ron Rapp](https://www.rapp.org/archives/2015/12/normalization-of-deviance/) +https://github.com/swisskyrepo/PayloadsAllTheThings + +### General Information * **101** + * [Ten Simple Rules for Doing Your Best Research, According to Hamming](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2041981/) * [Learning the Ropes 101: Introduction - zsec.uk](https://blog.zsec.uk/101-intro/) * [InfoSec Newbie List by Mubix](https://gist.github.com/mubix/5737a066c8845d25721ec4bf3139fd31) * [infosec_getting_started](https://github.com/gradiuscypher/infosec_getting_started) 
@@ -17,16 +78,6 @@ * [Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online](https://www.csoonline.com/article/3286604/security/salted-hash-ep-34-red-team-vs-vulnerability-assessments.html#tk.twt_cso) * Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments * [Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Messler](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/) - * [Ask Good Questions: Deep Dive - Yousef Kazerooni](https://medium.com/@YousefKazerooni/ask-good-questions-deep-dive-dacd8dddc247) -* **Security 101** - * [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/) - * [Access control best practices](https://srlabs.de/acs/) -* **General Good Stuff** - * [Words Have Meanings - Dan Tentler - CircleCityCon 2017] - * [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](https://medium.com/swlh/deliberate-practice-makes-perfect-how-to-become-an-expert-in-anything-ec30e0c1314e) -* **Learning the Command Line** - * [explainshell.com](https://github.com/idank/explainshell) - * explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page. * **Careers in Information Security** * **Educational/Informational** * [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4) 
@@ -55,24 +106,51 @@ * [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY) * So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun. 
* [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk) -* **Interview Prep** - * [offensiveinterview - WebBreacher](https://github.com/WebBreacher/offensiveinterview) - * Interview questions to screen offensive (red team/pentest) candidates +* **Cognitive Bias** + * [List of cognitive biases - Wikipedia](https://en.wikipedia.org/wiki/List_of_cognitive_biases) + * [58 cognitive biases that screw up everything we do - Business Insider](https://www.businessinsider.com/cognitive-biases-2015-10) +* **Critical Thinking** + * [How to Apply Critical Thinking Using Paul-Elder Framework - designorate](https://www.designorate.com/critical-thinking-paul-elder-framework/) + * [Paul-Elder Critical Thinking Framework - University of Louisville](https://louisville.edu/ideastoaction/about/criticalthinking/framework) * **General** * [Mozilla Enterprise Information Security](https://infosec.mozilla.org/) * [Rating Infosec Relevant Masters Programs - netsecfocus](https://netsecfocus.com/training/development/certifications/2017/03/08/rating_infosec_masters.html) -* **Non-Technical Skills** - * [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions) +* **General Good Stuff** + * [Words Have Meanings - Dan Tentler - CircleCityCon 2017] + * [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](https://medium.com/swlh/deliberate-practice-makes-perfect-how-to-become-an-expert-in-anything-ec30e0c1314e) +* **How to Ask Better Questions** * [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html) + * [Socratic questioning - Wikipedia](https://en.wikipedia.org/wiki/Socratic_questioning) + * [The Six Types Of Socratic Questions - umich.edu](http://www.umich.edu/~elements/probsolv/strategy/cthinking.htm) + * [Ask Good Questions: Deep Dive - Yousef 
Kazerooni](https://medium.com/@YousefKazerooni/ask-good-questions-deep-dive-dacd8dddc247) + * [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions) + * [How To Ask Questions The Smart Way - wiki.c2.com](http://wiki.c2.com/?HowToAskQuestionsTheSmartWay) +* **Learning:** + * **Excel** + * [You Suck at Excel with Joel Spolsky(2015)](https://www.youtube.com/watch?v=0nbkaYsR94c&feature=youtu.be) + * The way you are using Excel causes errors, creates incomprehensible spaghetti spreadsheets, and makes me want to stab out my own eyes. Enough of the =VLOOKUPs with the C3:$F$38. You don't even know what that means. + * [Notes](https://trello.com/b/HGITnpih/you-suck-at-excel) + * **The Command Line** + * [explainshell.com](https://github.com/idank/explainshell) + * explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page. + * [A little collection of cool unix terminal/console/curses tools](https://kkovacs.eu/cool-but-obscure-unix-tools) + * **New Skills** + * [The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed - AzeriaLabs](https://azeria-labs.com/paradox-of-choice/) +* **Problem Solving** + * [Software Problem Solving Cheat Sheet - Florian Roth](https://www.nextron-systems.com/wp-content/uploads/2018/06/Software-Problem-Solving-Cheat-Sheet.pdf) + * [The XY Problem](http://xyproblem.info/) + * The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help. + * [The AZ Problem](http://azproblem.info/) + * This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, than the AZ Problem is a metaproblem. 
And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems. +* **Security 101** + * [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/) + * [Access control best practices](https://srlabs.de/acs/) * **Skill-Testing/Question Prep** * [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills) * A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition). - - - -### Tools +* **The Web** + * [Web Architecture 101 - Jonathan Fulton](https://engineering.videoblocks.com/web-architecture-101-a3224e126947?gi=d79a0aa34949) * **Tools you should probably know exist** * [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/) * [Shodan](http://www.shodanhq.com/help) -* **Learning New Tools** - * [A little collection of cool unix terminal/console/curses tools](https://kkovacs.eu/cool-but-obscure-unix-tools) \ No newline at end of file + diff --git a/Draft/Building_A_Lab.md b/Draft/Building_A_Lab.md index f06281b..d0bb5b0 100755 --- a/Draft/Building_A_Lab.md +++ b/Draft/Building_A_Lab.md 
@@ -11,19 +11,36 @@ +https://github.com/foxlet/macOS-Simple-KVM +Building a defensive Lab +https://blog.secureideas.com/2019/05/automating-red-team-homelabs-part-2-build-pentest-destroy-and-repeat.html +https://systemoverlord.com/2017/10/24/building-a-home-lab-for-offensive-security-basics.html +https://github.com/digininja/leakyrepo +https://github.com/chryzsh/DarthSidious +* https://github.com/brimstone/windows-ova/blob/master/README.md +https://github.com/DrDonk/unlocker + * https://github.com/DefectDojo/django-DefectDojo +* [Hashicorp at Home part 2](https://www.mockingbirdconsulting.co.uk/blog/2019-01-08-hashicorp-at-home-part-2/) +* [Hashicorp at Home - Code](https://github.com/mockingbirdconsulting/HashicorpAtHome) -------------------------- -### General -* This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine. +https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/ + +https://github.com/RhinoSecurityLabs/cloudgoat +------------------------- +### General +* This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine. + + + ------------------------- ### Virtual Machines * **101** 
@@ -49,7 +66,6 @@ * [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/) * [CyRIS: Cyber Range Instantiation System](https://github.com/crond-jaist/cyris) * CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST). - * **VMs Designed to be Attacked** * [List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html) * [The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/) diff --git a/Draft/CTFs_Wargames.md b/Draft/CTFs_Wargames.md index 50865ae..a1475a4 100755 --- a/Draft/CTFs_Wargames.md +++ b/Draft/CTFs_Wargames.md @@ -19,7 +19,9 @@ - +https://www.counterhackchallenges.com/ +https://labs.nettitude.com/blog/derbycon-2018-ctf-write-up/ +http://ctfhacker.com/reverse/2018/09/16/flareon-2018-wasabi.html ----- ### General * **General** diff --git a/Draft/Career.md b/Draft/Career.md index c3b5153..883eee4 100644 --- a/Draft/Career.md +++ b/Draft/Career.md 
@@ -1,31 +1,69 @@ # Career/Job Related Stuff +----------------------------------- ## Table of Contents -- [Career Information](#career-info) - - [Careers in Information Security](#infosec-careers) - - [Choosing a Job/Looking for Work](#looking) - - [Compensation & Equity](#comp) - - [Independent Work](#Independent) - - [Interview Preparation](#interview) -- [General Information](#general) +- [101](#101) +- [Business](#business) +- [Career Growth/Progression](#growth) +- [Careers in InfoSec](#infosec-careers) +- [Choosing a Job/Looking for Work](#looking) +- [Company Culture](#culture) +- [Compensation](#comp) +- [Contracting & Consulting](#contract) +- [Difficult Conversations](#difficult) +- [Employee Attrition](#attrition) +- [General(Miscellaneous)](#general) +- [Hiring](#hiring) +- [Imposter Syndrome](#imposter) +- [Independent Business](#independent) +- [Informal Laws & Principles](#laws) +- [Interview Prep](#interview) +- [Interviewing](#interviewing) - [Management](#mgmt) +- [Meetings](#meetings) - [Mental Health](#mentalh) +- [Mentoring](#mentor) +- [Metrics](#metrics) +- [Networking(social)](#networking) +- [Non-Competes](#noncomp) - [Non-Technical Skills](#non-tech) -- [Performance Review](#perf-review) +- [Organizational Theory](#orgtheory) +- [Performance Reviews](#perf) +- [Post-Mortems](#postmort) +- [Project Management](#projm) - [Resume](#resume) -- [Taking Tests](#testing) +- [Testing](#testing) +- [Other](#other) +- [Industry](#industry) + + ------------------------------------------------------ ### Career Information -* [‘Thought Leader’ gives talk that will inspire your thoughts | CBC Radio (Comedy/Satire Skit)](https://www.youtube.com/watch?v=_ZBKX-6Gz6A) - * Self proclaimed “thought leader,” Pat Kelly gives his talk on “thought leadership” at the annual This Is That Talks in Whistler, B.C. In the seminar, Kelly covers: How to talk with your hands, how to get a standing ovation, and how to inspire people by saying nothing at all. 
-* [Why are large companies so difficult to rescue (regarding bad internal technology) - Lawrence Krubner](http://www.smashcompany.com/business/why-are-large-companies-so-difficult-to-rescue-regarding-bad-internal-technology) -* **Business** - * [Servant leadership - Wikipedia](https://en.wikipedia.org/wiki/Servant_leadership) +* **101** + * [Ten Simple Rules for Doing Your Best Research, According to Hamming](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2041981/) + * [‘Thought Leader’ gives talk that will inspire your thoughts | CBC Radio (Comedy/Satire Skit)](https://www.youtube.com/watch?v=_ZBKX-6Gz6A) + * Self proclaimed “thought leader,” Pat Kelly gives his talk on “thought leadership” at the annual This Is That Talks in Whistler, B.C. In the seminar, Kelly covers: How to talk with your hands, how to get a standing ovation, and how to inspire people by saying nothing at all. + * [Lack of progress exposed by the Canary MacGuffin - rachelbythebay](https://rachelbythebay.com/w/2018/10/23/idle/) + * [Strategy Letter I: Ben and Jerry’s vs. Amazon - Joel on Software](https://www.joelonsoftware.com/2000/05/12/strategy-letter-i-ben-and-jerrys-vs-amazon/) + * [Defining The Corporate Hierarchy - Erik Dietrich](https://daedtech.com/defining-the-corporate-hierarchy/) + * [The Beggar CEO and Sucker Culture - Erik Dietrich](https://daedtech.com/the-beggar-ceo-and-sucker-culture/) +* **Business** * [When Everything That Counts Can’t Be Counted - Joshua M. Brown](https://thereformedbroker.com/2019/06/13/when-everything-that-counts-cant-be-counted/) * [The Trillion-Dollar Vision of Dee Hock - Mitchell Waldrop(FastCompany)](https://www.fastcompany.com/27333/trillion-dollar-vision-dee-hock) + * [The Longest Yard: Reorganizing IT for Success - Bruce F. Webster](http://brucefwebster.com/2008/04/14/the-longest-yard-reorganizing-it-for-success/) + * [How Complex Systems Fail - Richard I. 
Cook](http://web.mit.edu/2.75/resources/random/How%20Complex%20Systems%20Fail.pdf) + * [Big companies v. startups - Dan Luu](https://danluu.com/startup-tradeoffs/) + * [The Innovation Equation - Safi Bahcall](https://hbr.org/2019/03/the-innovation-equation) +* **Career Growth/Progression** + * [How Developers Stop Learning: Rise of the Expert Beginner - Erik Dietrich](https://daedtech.com/how-developers-stop-learning-rise-of-the-expert-beginner/) + * [Your Job Title of Tomorrow: Efficiencer - Erik Dietrich](https://daedtech.com/your-job-title-of-tomorrow-efficiencer/) + * [Things I Learnt The Hard Way (in 30 Years of Software Development) - juliobiason.net](https://blog.juliobiason.net/thoughts/things-i-learnt-the-hard-way/) + * [Recommended Reading for Developers(2015) - blog.codinghorror.com] * **Careers in Information Security** * [NICE Cybersecurity Workforce Framework - NICCS.us-cert.gov](https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework) + * [Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models](https://www.usenix.org/conference/usenixsecurity18/presentation/mickens) + * Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization. In my keynote, I will explain why the proliferation of ubiquitous technology is good in the same sense that ubiquitous Venus weather would be good, i.e., not good at all. 
Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits. At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks. * **Educational/Informational** * [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4) * Making career choices can be intimidating and stressful. Perhaps this presentation can help. The tidal forces affecting technology impact our careers as well. If we're not actively managing them, we're leaving decisions to chance (or to others), and may not like the outcomes. This presentation describes a framework I've used over the past few years to evaluate both ongoing job satisfaction as well as new opportunities as they appear. I'm happy with the outcomes I've obtained with it, and have used this same framework when providing advice to others, and it has been well received. Hopefully it can help others as well. 
@@ -33,11 +71,14 @@ * In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective. * [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics) * [How to Get Any Job You Want (even if you’re unqualified) - Raghav Haran](https://medium.com/the-mission/how-to-get-any-job-you-want-even-if-you-re-unqualified-6f49a65f5491) + * [Getting Hired: A Few Tips - Mubix](https://malicious.link/post/2018/getting-hired-a-few-tips/) * **Interview Preparation** * [How to prepare for an infosec interview - Timothy DeBlock](http://www.timothydeblock.com/eis/135) * **Relevant Standards** * [NICE Cybersecurity Workforce Framework](https://www.nist.gov/itl/applied-cybersecurity/national-initiative-cybersecurity-education-nice/nice-cybersecurity) * The NICE Framework, NIST Special Publication 800-181, establishes taxonomy and common lexicon that is to be used to describe all cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors. (USA Focused) + * **Autonomous Vehicles** + * [Want to become an autonomous vehicle engineer? 
- Kyle Martin](https://becomeautonomous.com/) * **Data Scientist** * [What Data Scientists Really Do, According to 35 Data Scientists - HBR](https://hbr.org/2018/08/what-data-scientists-really-do-according-to-35-data-scientists?mc_cid=f8f788d39e&mc_eid=f956a0c5ca) * [How to Become a Data Scientist - On your own - Zeeshan Usmani](https://www.datasciencecentral.com/profiles/blogs/how-to-become-a-data-scientist-for-free) 
@@ -72,25 +113,71 @@ * [Pushing Left, Like a Boss: Part 1 - SheHacksPurple](https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95) * [The Secret Rules For Getting Hired - Terence Eden](https://shkspr.mobi/blog/2019/04/the-secret-rules-for-getting-hired/) * [How To Land A Job In Infosec](https://www.secjuice.com/getting-a-job-in-infosec/) + * [How to Get a Programming Job without a Degree - Erik Dietrich](https://daedtech.com/programming-job-without-degree/) * **Startups** * [20 Questions To Ask Before Joining A Startup - Harrison Harnisch](https://hharnisc.github.io/2018/11/25/twenty-questions-to-ask-before-joining-a-startup.html) * [How to Choose a Startup to Work For by Thinking Like An Investor - Harj Taggar(TripleByte)](https://triplebyte.com/blog/how-to-choose-a-startup-to-work-for) +* **Company Culture** + * [American Cultural Assumption - wiki.c2.com](http://wiki.c2.com/?AmericanCulturalAssumption) + * [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224) * **Compensation/Equity** * [The Holloway Guide to Equity Compensation](https://www.holloway.com/g/equity-compensation) * Stock options, RSUs, job offers, and taxes—a detailed reference, including hundreds of resources, explained from the ground up and made to be improved over time. 
* [Salary strategies everyone in tech already knows — but you don't - Candor](https://teamcandor.com/salary/guide/) * [H1B Salary Database - h1bdata.info](https://h1bdata.info/index.php) +* **Contracting & Consulting** + * [Why A Billable Hours Model Does not Work in Consulting - firmsconsulting.com](https://www.firmsconsulting.com/quarterly/billable-hours-strategy-consulting/) + * [How To Build Your Own Infosec Company - Mario Heiderich (BSides Lisbon 2018: Keynote)](https://www.youtube.com/watch?reload=9&v=UE5xS7-kFjE) + * [Not A Full Timer: Slight difference from Pro to cattle - Mohamed Hayibor](https://mohamedhayibor.github.io/blog/post/Not-A-Full-Timer/) +* **Difficult Conversations** + * [Our 6 Must Reads for Cutting Through Conflict and Tough Conversations - firstround.com](https://firstround.com/review/our-6-must-reads-for-cutting-through-conflict-and-tough-conversations/) + * [7 Tips for Difficult Conversations - Daisy Wademan Dowling(HBR)](https://hbr.org/2009/03/7-tips-for-difficult-conversat) + * [How to Have Difficult Conversations When You Don’t Like Conflict - Joel Garfinkle(HBR)](https://hbr.org/2017/05/how-to-have-difficult-conversations-when-you-dont-like-conflict) + * **Books** + * [Difficult Conversations How to Discuss What Matters Most By Douglas Stone, Bruce Patton and Sheila Heen](https://www.penguinrandomhouse.com/books/331191/difficult-conversations-by-douglas-stone-bruce-patton-and-sheila-heen/9780143118442/) +* **Employee Attrition** + * [How To Keep Your Best Programmers - Erik Dietrich](https://daedtech.com/how-to-keep-your-best-programmers/) + * [The Wetware Crisis: the Dead Sea effect - Bruce Webster](http://brucefwebster.com/2008/04/11/the-wetware-crisis-the-dead-sea-effect/) + * [The Elves Leave Middle Earth – Sodas Are No Longer Free - Steve Blank](https://steveblank.com/2009/12/21/the-elves-leave-middle-earth-%E2%80%93-soda%E2%80%99s-are-no-longer-free/) * **General** * [Mozilla Enterprise Information 
Security](https://infosec.mozilla.org/) * [Rating Infosec Relevant Masters Programs - netsecfocus](https://netsecfocus.com/training/development/certifications/2017/03/08/rating_infosec_masters.html) * [Career advice I wish I’d been given when I was young - 8000 Hours](https://80000hours.org/2019/04/career-advice-i-wish-id-been-given-when-i-was-young/) * [In Nobel Prize lecture, lessons for managing employee incentives - Kara Baskin(MIT Sloan)](https://mitsloan.mit.edu/ideas-made-to-matter/nobel-prize-lecture-lessons-managing-employee-incentives) -* **Hiring** +* **Hiring** + * [What I Learned Doing 250 Interviews at Google - Moishe Lettvin](https://www.youtube.com/watch?v=r8RxkpUvxK0) * [F*** You, I Quit — Hiring Is Broken - Sahat Yalkabov](https://medium.com/@evnowandforever/f-you-i-quit-hiring-is-broken-bb8f3a48d324) * [Hiring is Broken And Yours Is Too - RajivPrab.com](https://software.rajivprab.com/2019/07/27/hiring-is-broken-and-yours-is-too/amp/) + * [In Head-Hunting, Big Data May Not Be Such a Big Deal - Adam Bryant](https://www.nytimes.com/2013/06/20/business/in-head-hunting-big-data-may-not-be-such-a-big-deal.html) + * "This interview with Laszlo Bock, senior vice president of people operations at Google, was conducted and condensed by Adam Bryant." + * [Here's Google's Secret To Hiring The Best People - Lazlo Bock(Wired - 2015)](https://www.wired.com/2015/04/hire-like-google/) + * [Hiring is Broken… And It Isn’t Worth Fixing - Erik Dietrich](https://daedtech.com/hiring-is-broken/) + * [A Players Don’t Hire A Players — They Partner with A Players - Erik Dietrich](https://daedtech.com/a-players-dont-hire-a-players-they-partner-with-a-players/) + * [The Hiring Post - sockpuppet.org](https://sockpuppet.org/blog/2015/03/06/the-hiring-post/) + * [On Secretly Terrible Engineers - Danny Crichton](https://techcrunch.com/2015/03/08/on-secretly-terrible-engineers/) +* **Impostor Syndrome** + * [Would the real imposter please stand up? - Dr. 
Jessica Barker(SteelCon2016)](https://www.youtube.com/watch?v=tGyBFOWsFbk&feature=share) + * [Dark Matter Developers: The Unseen 99%(2012) - Scott Hanselman](https://www.hanselman.com/blog/DarkMatterDevelopersTheUnseen99.aspx) * **Independent Business** * [Why You Should Charge Clients More Than You Think You’re Worth - Dorie Clark(HBR)](https://hbr.org/2017/10/why-you-should-charge-clients-more-than-you-think-youre-worth) * [How to Write a Statement of Work - Mary K Pratt](https://www.computerworld.com/article/2555324/how-to-write-a-statement-of-work.html) +* **Informal Laws & Principles** + * [The Gervais Principle - RibbonFarm](https://www.ribbonfarm.com/the-gervais-principle/) + * [Peter Principle - Wikipedia](https://en.wikipedia.org/wiki/Peter_principle) + * The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull. + * It was originally written as a satire. + * [Dilbert Principle - Wikipedia](https://en.wikipedia.org/wiki/Dilbert_principle) + * The Dilbert principle refers to a 1990s theory by Dilbert cartoonist Scott Adams stating that companies tend to systematically promote their least competent employees to management (generally middle management), to limit the amount of damage they are capable of doing. + * [The Iron Law of Bureaucracy](https://www.jerrypournelle.com/reports/jerryp/iron.html) + * Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people": + * `First, there will be those who are devoted to the goals of the organization. 
Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.` + * `Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.` + * The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization. + * [Robustness Principle - Wikipedia](https://en.m.wikipedia.org/wiki/Robustness_principle) + * [Golden Hammer - wiki.c2.com](http://wiki.c2.com/?GoldenHammer) + * [The Shirky Principle - Technium](https://kk.org/thetechnium/the-shirky-prin/) + * “Institutions will try to preserve the problem to which they are the solution.” — Clay Shirky + * [Law #8: The Law of Duality - ericsink.com](https://ericsink.com/laws/Law_08.html) * **Interview Prep** * [offensiveinterview - WebBreacher](https://github.com/WebBreacher/offensiveinterview) * Interview questions to screen offensive (red team/pentest) candidates 
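Review bot: Several added lines in this hunk carry typos or duplicates. The Wired entry is titled "Lazlo Bock" while the quoted description two lines above spells it "Laszlo Bock"; the Iron Law line has a stray quotation mark in `two kinds of people":`; the Robustness Principle link uses the mobile `en.m.wikipedia.org` host where the neighbouring Wikipedia links use `en.wikipedia.org`. "The Wetware Crisis: the Dead Sea effect" (added here under **Employee Attrition**) and "What I Learned Doing 250 Interviews at Google" (added under **Hiring**) are both added a second time in the next hunk under **Management** and **Interviewing**; pick one home for each. Finally, the `-* **Hiring**` / `+* **Hiring**` pair shows no visible difference, so it is a whitespace-only change (trailing spaces or line endings); confirm that is intended rather than editor noise.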
@@ -98,8 +185,27 @@ * [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills) * A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition). * [Linux System Administrator/DevOps Interview Questions - chassing](https://github.com/chassing/linux-sysadmin-interview-questions/blob/master/README.md) + * [Tech Interview Handbook - yangshun.github.io](https://yangshun.github.io/tech-interview-handbook/) + * [Ten Rules for Negotiating a Job Offer - Haseeb Qureshi](https://haseebq.com/my-ten-rules-for-negotiating-a-job-offer/) + * [How Not to Bomb Your Offer Negotiation - Haseeb Qureshi](https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/) + * [Deploying Guerrilla Tactics to Combat Stupid Tech Interviews - Erik Dietrch](https://daedtech.com/deploying-guerrilla-tactics-combat-stupid-tech-interviews/) +* **Interviewing** + * [What I Learned Doing 250 Interviews at Google - Moishe Lettvin](https://www.youtube.com/watch?v=r8RxkpUvxK0) + * [Raising the Bar - The Unconventional Interview Method That Really Works - socialtalent](https://www.socialtalent.com/blog/recruitment/raising-the-bar-unconventional-interview-method-really-works) + * [The Trouble With "Culture Fit" - Rich Moy](https://www.stackoverflowbusiness.com/blog/the-trouble-with-culture-fit) + * [Salary Negotiations: Win by Losing - Erik Dietrich](https://daedtech.com/salary-negotiations-win-by-losing/) +* **Management** + * [Up Or Out: Solving The IT Turnover Crisis - Alex Papadimoulis](http://thedailywtf.com/articles/Up-or-Out-Solving-the-IT-Turnover-Crisis) + * [The Wetware Crisis: the Dead Sea effect - Bruce F. 
Webster](http://brucefwebster.com/2008/04/11/the-wetware-crisis-the-dead-sea-effect/) + * [The Tyranny of Structurelessness - Jo freeman](https://www.jofreeman.com/joreen/tyranny.htm) + * [Vitality Curve](https://en.m.wikipedia.org/wiki/Vitality_curve) + * [Servant leadership - Wikipedia](https://en.wikipedia.org/wiki/Servant_leadership) * **Management Skills** * [Managers - rework.withgoogle.com](https://rework.withgoogle.com/subjects/managers/) + * [Manager Tools](https://www.manager-tools.com/) +* **Meetings** + * [Reaching Peak Meeting Efficiency: Meetings are a critical tool for building a diverse, high-performance team with shared values - Steven Sinofsky](https://medium.learningbyshipping.com/reaching-peak-meeting-efficiency-f8e47c93317a) + * [Maker's Schedule, Manager's Schedule - Paul Graham(2009)](http://www.paulgraham.com/makersschedule.html) * **Mental Health** * **Burnout** * [13 Surprising Signs of Burnout You May Be Missing - thriveglobal](https://thriveglobal.com/stories/13-surprising-signs-of-burnout-you-may-be-missing/) 
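Review bot: This hunk introduces a third interview-related heading, **Interviewing**, alongside the existing **Interview Preparation** and **Interview Prep** sections visible in the earlier hunks; the three should be merged, or at least renamed to signal which is for candidates and which for interviewers. Within the added lines, "Erik Dietrch" should be "Erik Dietrich" (spelled correctly elsewhere in the patch) and "Jo freeman" should be "Jo Freeman". "How Not to Bomb Your Offer Negotiation" links to `https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/`, the same URL the later hunk adds under **Job Hunting Experiences** as "Farewell, App Academy. Hello, Airbnb. (Part I)"; one of the two titles is wrong, or one entry is redundant.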
@@ -115,25 +221,64 @@ * **Stress** * [Stress management - Mayo Clinic](https://www.mayoclinic.org/healthy-lifestyle/stress-management/in-depth/stress/art-20046037) * [Understanding chronic stress - American Psychological Association](https://www.apa.org/helpcenter/understanding-chronic-stress) - * [Chronic Stress and a Life: How Stress Almost Killed Me - Sergio Caltagirone](http://www.activeresponse.org/chronic-stress-and-a-life-how-stress-almost-killed-me/) + * [Chronic Stress and a Life: How Stress Almost Killed Me - Sergio Caltagirone](http://www.activeresponse.org/chronic-stress-and-a-life-how-stress-almost-killed-me/) * **Abusive Behaviour** * [Sick systems: How to keep someone with you forever - Issendai](https://issendai.livejournal.com/572510.html) +* **Mentoring** + * [How to get coaching, mentoring, and attention - Jake Seliger](https://jakeseliger.com/2010/10/02/how-to-get-your-professors%E2%80%99-attention-or-how-to-get-the-coaching-and-mentorship-you-need/) +* **Metrics** + * [Be Careful What You Measure - Mark Graham Brown](https://corporater.com/en/the-chicken-kpi-be-careful-of-what-you-measure/) +* **Networking** + * [That’s still not my RJ 45 Jack - IRL Networking for Humans Pt 2 - Johnny Xmas](https://www.irongeek.com/i.php?page=videos/converge2015/%22track112-how-to-dress-like-a-human-being-irl-networking-for-humans-pt-2-johnny-xmas%22) + * We're smart. We're incredibly tech savvy. We can rock some mad OSINT with our Google-Fu. We're 85% +-10% sure which part of the body a hat goes on. We think you can never have enough beard. WE THINK THAT'S ACCEPTABLE. The second in his multi-part series on building social prowess, this talk will focus on the inconvenient truth of your book always, always, always being judged by its cover, and how to deal with that with minimal effort so you can get back to sewing more pockets on your utilikilt. This talk covers both male and female situations, though it is primarily unisex. 
We'll get you set up with a core wardrobe and hygenic skillset so you'll be able to roll out of bed, spend minimal time "getting ready," rock the dreaded client-facing meeting or industry meetup, and get you back home where you can safely take your pants off. +* **Non-Competes** + * [Why I Turned Down an AWS Job Offer - Corey Quinn](https://www.lastweekinaws.com/blog/why-i-turned-down-an-aws-job-offer/) * **Non-Technical Skills** * [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions) * [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html) +* **Organizational Theory** + * [Organizational Theory - Wikipedia](https://en.wikipedia.org/wiki/Organizational_theory) + * [The normalization of deviance in healthcare delivery - John Banja](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2821100/) + * [Resilience Engineering: Part I - Kitchen Soap](https://www.kitchensoap.com/2011/04/07/resilience-engineering-part-i/) + * [Bureaucratic drift - Wikipedia](https://en.wikipedia.org/wiki/Bureaucratic_drift) + * [Why are large companies so difficult to rescue (regarding bad internal technology) - Lawrence Krubner](http://www.smashcompany.com/business/why-are-large-companies-so-difficult-to-rescue-regarding-bad-internal-technology) + * [The normalization of deviance in healthcare delivery - John Banja](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2821100/) + * [Bedford and the Normalization of Deviance - Ron Rapp](https://www.rapp.org/archives/2015/12/normalization-of-deviance/) + * [Resilience In Complex Adaptive Systems - Richard Cook(Velocity NY 2013)](https://www.youtube.com/watch?v=PGLYEDpNu60) * **Performance Reviews** * [A Beginner’s Guide to Giving Performance Reviews - Advice for new managers on the most effective way to deliver feedback(Rebecca Fishbein)](https://medium.com/s/story/a-beginners-guide-to-giving-performance-reviews-963aba23bd) +* **Post-Mortems** + * [A 
List of Post-mortems! - Dan Luu](https://github.com/danluu/post-mortems) +* **Project Management** + * [Anatomy of a runaway IT project - Bruce F. Webster](http://brucefwebster.com/2008/06/16/anatomy-of-a-runaway-it-project/) + * [Why “Agile” and especially Scrum are terrible - Michael O. Church](https://michaelochurch.wordpress.com/2015/06/) + * [Article Comments](https://michaelochurch.wordpress.com/2015/06/06/why-agile-and-especially-scrum-are-terrible/#comments) + * [Minimal Project Management - Hilton Lipschitz](https://hiltmon.com/blog/2016/03/05/minimal-project-management/) * **Resume** * [17 things that make this the perfect résumé - Áine Cain and Shayanne Gal(BusinessInsider)](https://www.businessinsider.com/why-this-is-an-excellent-resume-2013-11) + * [résumés - PracticalTypography](https://practicaltypography.com/resumes.html) + * [Become a Software Specialist with the Help of Your Resume - Erik Dietrich](https://daedtech.com/become-software-specialist-help-resume/) + * [How to Prepare Your Resume (Your Resume Stinks!) (Hall Of Fame Guidance) - ManagerTools](https://www.manager-tools.com/2005/10/your-resume-stinks) + * [Resume Update 2019 - Part 1 - ManagerTools](https://www.manager-tools.com/2019/06/resume-update-2019-part-1) + * [Impossible is Nothing - Resume](https://en.m.wikipedia.org/wiki/Impossible_Is_Nothing_(video_r%C3%A9sum%C3%A9)) * **Testing(Certifications/Exams)** * [Better GIAC Testing with Pancakes - H4cks4panckakes](https://tisiphone.net/2015/08/18/giac-testing/) -* **Other** +* **Other** * [What senior engineers do: fix knowledge holes - Dan Moore](http://www.mooreds.com/wordpress/archives/3232) * Worthwhile for the first comment in response to the article: "I don’t see anything “senior” about it, or even “engineer”. Seeing problems and solving them is what everyone does. Documenting the solution is one part of solving a problem. An apprentice carpenter does these things, too, and so does a farmer, and a waiter. 
Unfortunately, it’s not what most software companies reward, or how they operate. Whenever I did this, my manager, at every software company I’ve worked for, would say: “That’s cool, but you’re supposed to add the FooBar feature, and it needs to be done this Friday. Don’t waste time with reverse-engineering, or documentation. Just add one new field to the protocol somewhere. We can clean it up Later(TM).” This is Conway’s Law at work. What sort of company encourages the creation of two critical components which are completely undocumented? The sort of company which doesn’t reward documentation of critical components. That’s not likely to change because the engineer that created them happened to leave. (It took more time to reverse-engineer the protocol than it would have to document it when the knowledge was fresh.) The PM and QA who allowed this to happen are still there, right? What “Senior Engineer” really means is someone who’s spent enough time in the trenches to have earned a job title that allows them the latitude to make these sorts of improvements, and not have a PM question why they aren’t, instead, doing exactly what they were assigned. Look back at the story. Did the “senior engineer” go through proper channels to schedule a “reverse-engineer and document network protocol” task? No, he clearly didn’t trust that it would happen. Or maybe it was already there, but lowest priority (way below “fix CSS on IE”, of course). What was his actual responsibility that week? The story doesn’t say, but I don’t see any remarks about a PM breathing down his neck asking about the CSS fix he asked for (because that PM is the only user of the system, anywhere, of course, who uses IE and sees that particular bug). Documentation is not on this week’s “Sprint”! The process is fundamentally broken. We hear fables like this about how life would be better if we all did something one way (you’ll get promoted to Senior Engineer!), while in practice we’re punished for doing so." 
- * [The Shirky Principle - Technium](https://kk.org/thetechnium/the-shirky-prin/) - * “Institutions will try to preserve the problem to which they are the solution.” — Clay Shirky - * [Law #8: The Law of Duality - ericsink.com](https://ericsink.com/laws/Law_08.html) - * [Apple’s Software “Problem” and “Fixing” It (via twitter)](https://medium.learningbyshipping.com/apples-software-problem-and-fixing-it-via-twitter-c941a905ba20) * [Revisiting L0pht testimony – 20yrs later -Space Rogue](https://www.spacerogue.net/wordpress/?p=709) -* **Industry History** - * [15 Months of Fresh Hell Inside Facebook - Nicholas Thompson and Fred Vogelstein](https://www.wired.com/story/facebook-mark-zuckerberg-15-months-of-fresh-hell/) \ No newline at end of file + * [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html) + * [Apple’s Software “Problem” and “Fixing” It (via twitter)](https://medium.learningbyshipping.com/apples-software-problem-and-fixing-it-via-twitter-c941a905ba20) + * **Job Hunting Experiences** + * [Farewell, App Academy. Hello, Airbnb. (Part I) - Haseeb Qureshi](https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/) +* **Industry** + * **Shady things** + * [How Google Protected Andy Rubin, the ‘Father of Android’ - Daisuke Wakabayashi and Katie Benner(NYT)](https://www.nytimes.com/2018/10/25/technology/google-sexual-harassment-andy-rubin.html) + * **Wages** + * [Techtopus - Pando](https://pando.com/tag/techtopus/) + * [Newly unsealed documents show Steve Jobs' brutal response after getting a Google employee fired - Mark Ames](https://pando.com/2014/03/25/newly-unsealed-documents-show-steve-jobs-brutally-callous-response-after-getting-a-google-employee-fired/) + + + + + diff --git a/Draft/Cars.md b/Draft/Cars.md index 7899e9b..952b2c6 100755 --- a/Draft/Cars.md +++ b/Draft/Cars.md 
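Review bot: The `* **Industry History**` heading and its "15 Months of Fresh Hell Inside Facebook" link are deleted here and not re-added anywhere in the visible patch, unlike the Shirky Principle and Law #8 entries, which are moved cleanly into **Informal Laws & Principles** in the earlier hunk; if the Facebook link is meant to survive, the new **Industry** section looks like the intended destination. Also in this hunk: "The normalization of deviance in healthcare delivery - John Banja" is added twice under **Organizational Theory**; the Chronic Stress and `* **Other**` `-`/`+` pairs are whitespace-only changes; and the five blank `+` lines appended at end of file replace the missing trailing newline with trailing empty lines, which most editors will flag. Trim to a single final newline.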
@@ -9,7 +9,9 @@ #### Sort #### End Sort - +https://www.pentestpartners.com/security-blog/vehicle-telematics-security-getting-it-right/ +https://console-cowboys.blogspot.com/2019/04/hacking-all-cars-part-2.html +https://becomeautonomous.com/ ------------------ ### General * **Seriously check this first --->** [Awesome Vehicle Security List(github awesome lists)](https://github.com/jaredthecoder/awesome-vehicle-security) diff --git a/Draft/Cheats.md b/Draft/Cheats.md index 02f5dfb..db38cb2 100755 --- a/Draft/Cheats.md +++ b/Draft/Cheats.md @@ -1,7 +1,9 @@ # Cheat Sheets & Reference Pages - +https://github.com/SadProcessor/Cheats +https://github.com/chrisallenlane/cheat +* [PowerShell Remoting Cheatsheet - Scott Sutherland](https://blog.netspi.com/powershell-remoting-cheatsheet/) ### Cheat Sheets * **General Cheat Sheets** @@ -94,6 +96,8 @@ * [Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php) * [Windows CMD Reference - ms](https://www.microsoft.com/en-us/download/details.aspx?id=56846) * [Windows Command Line cheatsheet (part 2): WMIC - andreafortuna](https://www.andreafortuna.org/dfir/windows-command-line-cheatsheet-part-2-wmic/) + * [Windows CLI gems. Tweets of @wincmdfu](https://github.com/madhuakula/wincmdfu#list-missing-updates) + * Windows one line commands that make life easier, shortcuts and command line fu. * **Wireless Cheat Sheets** * [Management Frames Reference Sheet](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf) * **DB Cheat Sheets** diff --git a/Draft/Containers.md b/Draft/Containers.md new file mode 100644 index 0000000..aa8a7e7 --- /dev/null +++ b/Draft/Containers.md 
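Review bot: In the Cheats.md `@@ -1,7 +1,9 @@` hunk the three new entries (`https://github.com/SadProcessor/Cheats`, `https://github.com/chrisallenlane/cheat`, and the PowerShell Remoting Cheatsheet) sit above the `### Cheat Sheets` heading rather than under a category, and two of them are bare URLs without the `* [Title - Author](url)` form the rest of the file uses; the Cars.md hunk on this same line shows the repository's own convention for unsorted links, a `#### Sort` / `#### End Sort` block, so either use that or file them under **General Cheat Sheets**. The third Cars.md URL, `https://becomeautonomous.com/`, duplicates the **Autonomous Vehicles** entry added to Career.md earlier in this patch.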
@@ -0,0 +1,253 @@ +# Containers + + +--------------------- +## Table of contents +- []() +- []() +- []() +- []() + +-------------------- + + +* [Static Analysis of Docker image vulnerabilities with Clair - Petr Kohut](https://www.nearform.com/blog/static-analysis-of-docker-image-vulnerabilities-with-clair/) + +* [Docker Security Best Practices: Part 3 – Securing Container Images - Jeremy Valance](https://anchore.com/docker-security-best-practices-part-3-securing-container-images/) + +* [How to implement Docker image scanning with open source tools - Mateo Burillo](https://sysdig.com/blog/docker-image-scanning/) + +https://www.digitalocean.com/community/tutorials/an-introduction-to-kubernetes +https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/AtredisPartners_Attacking_Kubernetes-v1.0.pdf + +http://blog.sevagas.com/IMG/pdf/exploiting_capabilities_the_dark_side.pdf + +https://blog.hansenpartnership.com/containers-and-cloud-security/ + +https://github.com/gravitational/gravity +https://github.com/rexray/rexray +https://wiki.unraid.net/UnRAID_6/Overview#Containers + +* [How to Lose a Container in 10 Minutes - Sarah Young(BSidesSF 2019)](https://www.youtube.com/watch?v=fSj6_WgDATE&list=PLbZzXF2qC3RvGRbNQwKcf2KVaTCjzOB8o&index=4) + * Moving to the cloud and deploying containers? In this talk I will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We'll also look at what happens to a container that's been left open to the Internet for the duration of the talk. 
+ + +Understanding and HardeningLinux Containers - NCCGroup + +https://storageos.com/why-containers-miss-a-major-mark-solving-persistent-data-in-docker/ + +https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb?gi=da5afbcc2d73 + +https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf +https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ +https://www.reddit.com/r/docker/comments/439a8h/exploiting_your_system_using_docker/ +https://github.com/ProfessionallyEvil/harpoon +https://github.com/P3GLEG/Whaler +https://samaritan.ai/blog/reversing-docker-images-into-dockerfiles/ +http://ifeanyi.co/posts/linux-namespaces-part-1/ +http://ifeanyi.co/posts/linux-namespaces-part-2/ +* [Docker Your Command & Control (C2) - obscuritylabs](https://blog.obscuritylabs.com/docker-command-controll-c2/) +* [Vulnerable Docker VM - notsosecure](https://www.notsosecure.com/vulnerable-docker-vm/) +http://www.friedhoff.org/posixfilecaps.html + +https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space-matters + +Mesos + https://stackoverflow.com/questions/47769570/what-does-apache-mesos-do-that-kubernetes-cant-do-and-vice-versa?rq=1 + https://stackoverflow.com/questions/26705201/whats-the-difference-between-apaches-mesos-and-googles-kubernetes?noredirect=1 + https://stackoverflow.com/questions/28094147/what-does-apache-mesos-actually-do + http://mesos.apache.org/documentation/latest/architecture/ + http://mesos.apache.org/documentation/latest/ + https://en.wikipedia.org/wiki/Apache_Mesos + +https://www.notsosecure.com/vulnerable-docker-vm/ + +https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-1-making-ubuntu-hacking-container-0175328/ 
+https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-2-customizing-our-hacking-container-0175353/ + + +https://blog.docker.com/2017/09/day-life-docker-admin/ +Peter Benjamins blogposts +https://www.youtube.com/playlist?list=PLKDRii1YwXnLmd8ngltnf9Kzvbja3DJWx +http://carnal0wnage.attackresearch.com/2019/01/kubernetes-master-post.html?m=1 +https://www.youtube.com/watch?v=fVqCAUJiIn0&feature=youtu.be +https://www.youtube.com/watch?v=UwBshgfnAGA + +https://www.youtube.com/watch?v=ru7GicI5iyI +https://docs.google.com/presentation/d/1u6S1ycs8DURORf6S9XYKjP56oszJpouOca6xlkH9ILs/edit#slide=id.p +https://sysdig.com/blog/docker-image-scanning/ + +https://cloud.google.com/solutions/best-practices-for-operating-containers +https://sysdig.com/blog/oss-container-security-runtime/ +https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/august/tools-and-methods-for-auditing-kubernetes-rbac-policies/ +http://sven.stormbind.net/blog/posts/docker_from_30_to_230/ + + +https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space-matters +[Docker] +https://zeltser.com/security-risks-and-benefits-of-docker-application/ +https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ +http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security +https://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environments-wp.pdf +https://www.sumologic.com/blog-security/securing-docker-containers/ +https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf/ + + + + + + +https://github.com/genuinetools/img + + +* [Scanning Docker images with CoreOS Clair - wdijkerman](https://werner-dijkerman.nl/2019/01/28/scanning-docker-images-with-coreos-clair/amp/) +https://medium.com/cruise/building-a-container-platform-at-cruise-part-1-507f3d561e6f +* [One of 
the original developers of cgroups on why it was created](https://news.ycombinator.com/item?id=20599672) + +### Containers +* **cgroups** + * **101** + * **Articles/Blogposts/Writeups** + * **Securing** + * **Tools** +* **Docker** + * **101** + * **Articles/Blogposts/Writeups** + * **Securing** + * **Tools** +* **Jails** +* **Kubernetes** + * **101** + * **Articles/Blogposts/Writeups** + * **Securing** + * **Tools** +* **RunC** + * **101** + * **Articles/Blogposts/Writeups** + * **Securing** + * **Tools** +* **Mesos** + * **101** + * **Articles/Blogposts/Writeups** + * **Securing** + * **Tools** + + + +https://github.com/coreos/clair +https://github.com/freach/kubernetes-security-best-practice +https://cloudplatform.googleblog.com/2018/03/exploring-container-security-an-overview.html?m=1 +https://itnext.io/kubernetes-hardening-d24bdf7adc25 +https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/ + + * https://github.com/argoproj/argo + +* [hardening-kubernetes from-scratch](https://github.com/hardening-kubernetes/from-scratch) + * A hands-on walkthrough for creating an extremely insecure Kubernetes cluster and then hardening it, step by step. +https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/ +https://www.stackrox.com/post/2017/08/hardening-docker-containers-and-hosts-against-vulnerabilities-a-security-toolkit/ +* [xkcd on containers](https://xkcd.com/1988/) + +* https://github.com/hawkeyesec/scanner-cli + +* [Install and run a SPIRE Server and Agent locally on a Kubernetes cluster](https://spiffe.io/spire/getting-started-k8s/) + * This tutorial walks you through getting a SPIRE Server and SPIRE Agent running in a Kubernetes cluster, and configuring a workload container to access SPIRE. 
+ +* [Optimising Docker Layers for Better Caching with Nix - Graham Christensen](https://grahamc.com/blog/nix-and-layered-docker-images) + +* [Hacking and Hardening Kubernetes Clusters by Example - Brad Geesaman(KubeCon 2017)](https://www.youtube.com/watch?v=vTgQLzeBfRU) + * "an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying practical applications of the latest built-in security features and policies to prevent those attacks, and providing actionable steps for future detection." + +* [An Attacker Looks at Docker: Approaching Multi-Container Applications - Wesley McGrew](https://i.blackhat.com/us-18/Thu-August-9/us-18-McGrew-An-Attacker-Looks-At-Docker-Approaching-Multi-Container-Applications-wp.pdf) + +* [PaaSTA](https://github.com/Yelp/paasta) + * PaaSTA is a highly-available, distributed system for building, deploying, and running services using containers and Apache Mesos! + +* [Getting Towards Real Sandbox Containers - Jesse Frazelle(May2016)](https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/) + + +* [An Attacker Looks at Docker: Approaching Multi-Container Applications - Wesley McGrew](https://i.blackhat.com/us-18/Thu-August-9/us-18-McGrew-An-Attacker-Looks-At-Docker-Approaching-Multi-Container-Applications-wp.pdf) + +* [Kamus](https://github.com/Soluto/kamus) + * An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides. 
+ +Docker +* https://github.com/wsargent/docker-cheat-sheet +* https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf +* https://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security +* http://www.projectatomic.io/blog/2014/08/is-it-safe-a-look-at-docker-and-security-from-linuxcon/ +* https://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/ +* https://blog.docker.com/2016/02/docker-engine-1-10-security/ +* https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4 +* https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.adoc +* https://github.com/docker/docker-bench-security +* https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/ +* http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/ +* https://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf +* https://github.com/genuinetools/bane +* https://raesene.github.io/blog/2016/02/04/Docker-User-Namespaces/ +* [On Docker security: 'docker' group considered harmful - Andreas Jung](https://www.zopyx.com/andreas-jung/contents/on-docker-security-docker-group-considered-harmful) +* [Securing The Docker Containers At CI/CD Pipeline Level - Alina Radu(BSidesBCN 2019)](https://www.youtube.com/watch?v=4whoQoNpu9Y&list=PLDuy2rk8e-D-foVf0ylfnHhSo2elmxRqy&index=10&t=0s) + + + + +### Docker +* [How to write excellent Dockerfiles - Jakub Skalecki](https://rock-it.pl/how-to-write-excellent-dockerfiles/) +* [Networking overview - docs.docker](https://docs.docker.com/network/) +* [Get Started, Part 1: Orientation and setup - docs.docker](https://docs.docker.com/get-started/) +* [Dockerfile reference - docs.docker.com](https://docs.docker.com/engine/reference/builder/) +* [Docker Image Specification v1.0.0](https://github.com/moby/moby/blob/master/image/spec/v1.md) +* [Docker 
security - docs.docker](https://docs.docker.com/engine/security/security/) +* [Reducing Deploy Risk With Docker’s Health Check Instruction - newrelic.com](https://blog.newrelic.com/engineering/docker-health-check-instruction/) +* [What is the purpose of VOLUME in Dockerfile - StackOverflow](https://stackoverflow.com/questions/34809646/what-is-the-purpose-of-volume-in-dockerfile) + + +[Dockerfiles - Jessie Frazelle](https://github.com/jessfraz/dockerfiles) + +---------------------- +### Containers +* **101** + * [LXC - Wikipedia](https://en.wikipedia.org/wiki/LXC) + * [Process Containers - lwn.net](https://lwn.net/Articles/236038/) + * [cgroups - wikipedia](https://en.wikipedia.org/wiki/Cgroups) + * [Everything you need to know about Jails - bsdnow.tv](http://www.bsdnow.tv/tutorials/jails) + * [Jails - FreeBSD handbook](https://www.freebsd.org/doc/handbook/jails.html) +* **Articles/Blogposts/Writeups** + * **Containers** + * [Controlling access to user namespaces - lwn.net](https://lwn.net/Articles/673597/) + * [Namespaces in operation, part 1: namespaces overview - lwn.net](https://lwn.net/Articles/531114/#series_index) + * [Linux LXC vs FreeBSD jail - Are there any notable differences between LXC (Linux containers) and FreeBSD's jails in terms of security, stability & performance? - unix.StackExchange](https://unix.stackexchange.com/questions/127001/linux-lxc-vs-freebsd-jail) + * **Docker** + * [Docker Security Best-Practices - Peter Benjamin](https://dev.to/petermbenjamin/docker-security-best-practices-45ih) + * [Is it possible to escalate privileges and escaping from a Docker container? 
- StackOverflow](https://security.stackexchange.com/questions/152978/is-it-possible-to-escalate-privileges-and-escaping-from-a-docker-container) + * [The Dangers of Docker.sock](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/) + * [Abusing Privileged and Unprivileged Linux Containers - nccgroup](https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/) + * [Understanding and Hardening Linux Containers - nccgroup](https://www.nccgroup.trust/uk/our-research/understanding-and-hardening-linux-containers/) + * Linux containers offer native OS virtualisation, segmented by kernel namespaces, limited through process cgroups and restricted through reduced root capabilities, Mandatory Access Control and user namespaces. This paper discusses these container features, as well as exploring various security mechanisms. Also included is an examination of attack surfaces, threats, and related hardening features in order to properly evaluate container security. Finally, this paper contrasts different container defaults and enumerates strong security recommendations to counter deployment weaknesses-- helping support and explain methods for building high-security Linux containers. Are Linux containers the future or merely a fad or fantasy? This paper attempts to answer that question. 
+ * **Jails** + * [ezjail – Jail administration framework](https://erdgeist.org/arts/software/ezjail/) + * **Kubernetes** +* **Privilege Escalation** + * [Privilege Escalation via lxd - Josiah Beverton](https://reboare.github.io/lxd/lxd-escape.html) +* **Talks & Presentations** + * [Docker: Security Myths, Security Legends - Rory McCune](https://www.youtube.com/watch?v=uQigvjSXMLw) +* **Tools** + * **Containers** + * [nsjail](https://github.com/google/nsjail) + * A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language) + * [ezjail – Jail administration framework](https://erdgeist.org/arts/software/ezjail/) + * **Docker** + * [docker-layer2-icc](https://github.com/brthor/docker-layer2-icc) + * Demonstrating that disabling ICC in docker does not block raw packets between containers. + * [docker-bench-security](https://github.com/docker/docker-bench-security) + * The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. + * [Vulnerable Docker VM](https://www.notsosecure.com/vulnerable-docker-vm/) + * For practicing pen testing docker instances + * **Kubernetes** + * [Kubernetes Security Best-Practices - Peter Benjamin](https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk) + + + + + diff --git a/Draft/Courses_Training.md b/Draft/Courses_Training.md index 35d378c..abcd4c4 100755 --- a/Draft/Courses_Training.md +++ b/Draft/Courses_Training.md @@ -18,6 +18,8 @@ +https://maxkersten.nl/binary-analysis-course/ + ----- ### Classes & Training diff --git a/Draft/Crypto_Encrypt.md b/Draft/Crypto_Encrypt.md index 0015f4b..31bda6f 100755 --- a/Draft/Crypto_Encrypt.md +++ b/Draft/Crypto_Encrypt.md 
@@ -42,6 +42,40 @@ https://tls.ulfheim.net/ https://bearssl.org/ https://thecryptobible.co/protocols/tls.html +https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed/ +https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Eng.pdf + +* [A Diagram for Sabotaging Cryptosystems - @Jackson_T](https://web.archive.org/web/20180129010248/http://jackson.thuraisamy.me/crypto-backdoors.html) + +* [A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) - Cloudflare](https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/) +* [Hash collisions and exploitations - Ange Albertini and Marc Stevens](https://github.com/corkami/collisions) + * The goal is to explore extensively existing attacks - and show on the way how weak MD5 is (instant collisions of any JPG, PNG, PDF, MP4, PE...) - and also explore in detail common file formats to determine how they can be exploited with present or with future attacks. Indeed, the same file format trick can be used on several hashes (the same JPG tricks were used for MD5, malicious SHA-1 and SHA1), as long as the collisions follow the same byte patterns. This document is not about new attacks (the most recent one was documented in 2012), but about new forms of exploitations of existing attacks. +https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html + +https://github.com/corkami/collisions +* [SSL/TLS and PKI History](https://www.feistyduck.com/ssl-tls-and-pki-history/) + * A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. 
+https://tls.ulfheim.net/ +https://asecuritysite.com/subjects/chapter58 +https://github.com/ashutosh1206/Crypton +https://thecryptobible.co/primitives/symmetric_encryption.html + +* [An Illustrated Guide to the BEAST Attack - Joshua Davies](http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027) +* [SHATTERED](https://shattered.io/) + + +http://securityintelligence.com/cve-2014-0195-adventures-in-openssls-dtls-fragmented-land/ + +https://www.wst.space/ssl-part1-ciphersuite-hashing-encryption/ +https://wiki.mozilla.org/images/0/0b/Thunderbird-enigmail-report.pdf + + + +https://malicioussha1.github.io/ + + + + ----- ### General Information diff --git a/Draft/DFIR.md b/Draft/DFIR.md index 3b0a2e1..907b9c1 100755 --- a/Draft/DFIR.md +++ b/Draft/DFIR.md @@ -19,6 +19,13 @@ #### Sort +* [Firefed](https://github.com/numirias/firefed) + * Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser. +* [Forensics: Monitor Active Directory Privileged Groups with PowerShell - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2014/12/17/forensics-monitor-active-directory-privileged-groups-with-powershell/) +https://zeltser.com/security-incident-questionnaire-cheat-sheet/ +https://zeltser.com/security-incident-survey-cheat-sheet/ +https://zeltser.com/security-incident-log-review-checklist/ +* [Touch Screen Lexicon Forensics (TextHarvester/WaitList.dat) - Barnaby Skeggs](https://b2dfir.blogspot.com/2016/10/touch-screen-lexicon-forensics.html?m=1) * Sort sections alphabetically * Update ToC * [National Incident Management System -USA](https://www.fema.gov/national-incident-management-system) 
@@ -31,6 +38,14 @@ * [Investigating CloudTrail Logs - ](https://medium.com/starting-up-security/investigating-cloudtrail-logs-c2ecdf578911) * [Who Fixes That Bug? - Part One: Them! - Ryan McGeehan](https://medium.com/starting-up-security/who-fixes-that-bug-d44f9a7939f2) https://medium.com/starting-up-security/who-fixes-that-bug-f17d48443e21 +https://www.sans.org/score/law-enforcement-faq/ +https://www.sans.org/score/incident-forms/ + +https://aboutdfir.com/ +https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ + + +https://github.com/giMini/PowerMemory * [Sysmon - DFIR](https://github.com/MHaggis/sysmon-dfir) * A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories. @@ -41,15 +56,28 @@ https://medium.com/starting-up-security/who-fixes-that-bug-f17d48443e21 * [Hacking Exposed Daily Blog #440: Windows 10 Notifications Database](http://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html) + +* [Data recovery on dead micro SD card - HDD Recovery Services](https://www.youtube.com/watch?v=jjB6wliyE_Y&feature=youtu.be) + + + + + + + + + * [SQLite-Parser](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser) * Script to recover deleted entries in an SQLite database * [Python Parser to Recover Deleted SQLite Database Data - az4n6]( https://az4n6.blogspot.com/2013/11/python-parser-to-recover-deleted-sqlite.html) - +https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180 https://github.com/demisto/COPS - +https://blog.1234n6.com/2018/10/available-artifacts-evidence-of.html https://www.incidentresponse.com/playbooks/ +https://windowsir.blogspot.com/2019/05/evtxecmd.html + https://cert.societegenerale.com/en/publications.html diff --git a/Draft/DataVis.md b/Draft/DataVis.md index 99dd8fa..72815e8 100755 --- a/Draft/DataVis.md +++ b/Draft/DataVis.md 
@@ -9,8 +9,14 @@ +* [Open Graph Viz Platform](https://gephi.org/) + * Gephi is the leading visualization and exploration software for all kinds of graphs and networks. Gephi is open-source and free. +* https://arxiv.org/abs/1901.01769 +https://www.blackhillsinfosec.com/pyfunnels-data-normalization-for-infosec-workflows/ +https://github.com/packetvitality/PyFunnels +https://www.sans.org/reading-room/whitepapers/OpenSource/pyfunnels-data-normalization-infosec-workflows-38785 ### To Do * Split into Data visualization/Working with data diff --git a/Draft/Defense.md b/Draft/Defense.md index 3b297d1..f3dd44a 100644 --- a/Draft/Defense.md +++ b/Draft/Defense.md @@ -6,6 +6,12 @@ +* [Vulnerability Management Program Best Practices – Irfahn Khimji](https://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-management-program-best-practices-part-1/) +* [Using security policies to restrict NTLM traffic - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865668(v=ws.10)) + +https://blog.stealthbits.com/how-to-detect-overpass-the-hash-attacks/ + + * **To-Do** * User Awareness training 
@@ -16,6 +22,117 @@ * AWS Stuff * GCP Stuff +https://infosec.mozilla.org/guidelines/openssh +https://wiki.mozilla.org/Security/Server_Side_TLS +https://www.dhs.gov/stopthinkconnect-toolkit + + +https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ +https://www.slideshare.net/HuyKha2/adsvs-v10-improving-the-security-of-active-directory + +https://avleonov.com/2016/08/02/nessus-v2-xml-report-format/ +https://avleonov.com/2017/01/25/parsing-nessus-v2-xml-reports-with-python/ +https://www.verifyit.nl/wp/?p=175591 +http://static.tenable.com/documentation/nessus_v2_file_format.pdf + +https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide +* https://medium.com/palantir/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e + +* [New feature in Office 2016 can block macros and help prevent infection](https://web.archive.org/web/20180527161910/https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/?source=mmpc) +* [Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017](https://www.youtube.com/watch?reload=9&v=O1lglnNTM18) +* [What is conditional access in Azure Active Directory? - docs.ms](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) +* [Windows 10 Security Checklist Starter Kit - itprotoday](https://www.itprotoday.com/industry-perspectives/windows-10-security-checklist-starter-kit) +* [What is Active Directory Red Forest Design? 
- social.technet.ms](https://social.technet.microsoft.com/wiki/contents/articles/37509.what-is-active-directory-red-forest-design.aspx) +* [Securing Privileged Access Reference Material - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material) +* [Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409) +* [Planting the Red Forest: Improving AD on the Road to ESAE - Jacques Louw and Katie Knowles](https://www.mwrinfosecurity.com/our-thinking/planting-the-red-forest-improving-ad-on-the-road-to-esae/) +* [MongoDB Security Checklist](https://docs.mongodb.com/manual/administration/security-checklist/) +* [kethash](https://github.com/cyberark/ketshash) + * A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs. +* [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening) + * This repository contains various hardening guides compiled by ERNW for various purposes. Most of those guides strive to provide a baseline level of hardening and may lack certain hardening options which could increase the security posture even more (but may have impact on operations or required operational effort). +* [Planning for Compromise - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise) +* [Application Whitelist Auditor - airlockdigital](https://www.airlockdigital.com/application-whitelisting-auditor/) +* [iconSimple Software-Restriction Policy - iwrconsultancy](https://iwrconsultancy.co.uk/softwarepolicy) +* [Recon by Fire](https://github.com/HewlettPackard/reconbf) + * Recon is a tool for reviewing the security configuration of a local system. 
It can detect existing issues, known-insecure settings, existing strange behaviour, and options for further hardening. Recon can be used in existing systems to find out which elements can be improved and can provide some information about why the change is recommended. It can also be used to scan prepared system images to verify that they contain the expected protection. +* [How to Allow Non-Admin Users to Start/Stop Windows Service - woshub.com](http://woshub.com/set-permissions-on-windows-service/) +* [Protect your enterprise data using Windows Information Protection (WIP) - docs.ms](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) +* [Security WatchLock Up Your Domain Controllers - Steve Riley - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160936(v=msdn.10)) +* [Creating a Secure Environment using PowerShell Desired State Configuration - blogs.ms](https://blogs.msdn.microsoft.com/powershell/2014/07/21/creating-a-secure-environment-using-powershell-desired-state-configuration/) +* [AuditScripts - CIS Critical Security Controls](https://www.auditscripts.com/free-resources/critical-security-controls/) + + + +https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/securing-privileged-access/securing-privileged-access-reference-material.md + + +* https://securitycheckli.st/?mc_cid=b3a4b630b7&mc_eid=f956a0c5ca +* https://cyber.gov.au/government/publications/securing-powershell-in-the-enterprise-pdf/ + +* [Inventory-BrowserExts - keyboardcrunch](https://github.com/keyboardcrunch/Inventory-BrowserExts) + * This script can inventory Firefox and/or Chrome extensions for each user from a list of machines. It returns all the information back in a csv file and prints to console a breakdown of that information. 
+https://github.com/Schillings/SwordPhish + + * [Detect Password Spraying With Windows Event Log Correlation](https://www.ziemba.ninja/?p=66) + * [Hunting for SILENTTRINITY - Wee-Jing Chung](https://countercept.com/blog/hunting-for-silenttrinity/) +* [BloodHound and the Adversary Resilience Model](https://docs.google.com/presentation/d/14tHNBCavg-HfM7aoeEbGnyhVQusfwOjOyQE1_wXVs9o/mobilepresent#slide=id.g35f391192_00) + +http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html?m=1 + +https://cqureacademy.com/blog/securing-infrastructure/role-separation-pki + + +* [Configuring Additional LSA Protection - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) +https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-two-279a1ed7863d?gi=8bb99beb092b + +https://github.com/google/santa + +* [CIS Amazon Web Services Foundations](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) +* [Blocking Remote Use of Local Accounts - blogs.technet](https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/) + +* [Weaponizing Active Directory - David Fletcher](https://www.youtube.com/watch?reload=9&v=vLWGJ3f3-gI&feature=youtu.be) + * This webcast covers basic techniques to catch attackers attempting lateral movement and privilege escalation within your environment with the goal of reducing that Mean Time to Detect (MTTD) metric. Using tactical deception, we will lay out strategies to increase the odds that an attacker will give away their presence early after initial compromise. 
+ +https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ +https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password + +* [Practical PowerShell Security: Enable Auditing and Logging with DSC - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/) + +* [Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators - Rob VandenBrink](https://isc.sans.edu/diary/Where+have+all+the+Domain+Admins+gone%3F++Rooting+out+Unwanted+Domain+Administrators/24874) +* [Account lockout duration - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration) +* [Detecting Offensive PowerShell Attack Tools - adsecurity.org](https://adsecurity.org/?p=2604) + +https://dirteam.com/sander/2012/09/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-11-kerberos-armoring-fast/ +https://social.technet.microsoft.com/wiki/contents/articles/38015.credential-guard-say-good-bye-to-ptht-pass-the-hashticket-attacks.aspx +https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/ + +https://www.youtube.com/watch?v=YXjIVuX6zQk +* [BloodHound From Red to Blue - Mathieu Saulnier(BSides Charm2019)](https://www.youtube.com/watch?v=UWY772iIq_Y) + +* [Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org](https://adsecurity.org/?p=3700) + * This post provides information on how Active Directory is typically administered and the associated roles & rights. +https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ + +* [Why Does the Penetration Testing Team Hate Me? 
- Ryan Oberfelder](https://medium.com/@ryoberfelder/why-does-the-penetration-testing-team-hate-me-67a981c5e10c) + +* [Weaponizing Active Directory - David Fletcher](https://www.youtube.com/watch?v=vLWGJ3f3-gI&feature=youtu.be) + * This webcast covers basic techniques to catch attackers attempting lateral movement and privilege escalation within your environment with the goal of reducing that Mean Time to Detect (MTTD) metric. Using tactical deception, we will lay out strategies to increase the odds that an attacker will give away their presence early after initial compromise. + +* [Introducing the Adversary Resilience Methodology — Part One - Andy Robbins](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-one-e38e06ffd604) +* [Introducing the Adversary Resilience Methodology — Part Two - Andy Robbins](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-two-279a1ed7863d) + + + + + + + + + + + + 
@@ -34,6 +151,11 @@ * Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source. * **Amazon AWS** * **AWS** + * [The Open Guide to Amazon Web Services](https://github.com/open-guides/og-aws) + * A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date. This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively. + * **Lambda** + * [AWS Lambda - IAM Access Key Disabler](https://github.com/te-papa/aws-key-disabler) + * The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys. * **S3** * [Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050) * **Blue team Tactics** 
@@ -70,7 +192,6 @@ * Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights. * **(General) Hardening** * **101** - * **Browsers** * **Guides** * [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening) * [OWASP Secure Configuration Guide](https://www.owasp.org/index.php/Secure_Configuration_Guide) 
@@ -157,14 +278,13 @@ * [Decryptonite](https://github.com/DecryptoniteTeam/Decryptonite) * Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware. * **User Awareness Training** -* **Web** - * [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877) - * [AWS Lambda - IAM Access Key Disabler](https://github.com/te-papa/aws-key-disabler) - * The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys. - * [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) - * [The Open Guide to Amazon Web Services](https://github.com/open-guides/og-aws) - * A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date. This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively. 
+* **Web Browsers** + * **User-Profiling** + * [Browser fingerprints for a more secure web - Julien Sobrier & Ping Yan(OWASP AppSecCali2019)](https://www.youtube.com/watch?v=P_nYYsaVi1w&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=30&t=0s) * **WAF** + * **General** + * [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877) + * [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) * **NAXSI** * [naxsi](https://github.com/nbs-system/naxsi) * NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX @@ -442,6 +562,8 @@ * [Awesome Windows Domain Hardening](https://github.com/PaulSec/awesome-windows-domain-hardening) * A curated list of awesome Security Hardening techniques for Windows. * **Documentation** + * [Introducing the security configuration framework: A prioritized guide to hardening Windows 10 - Chris Jackson(MS)](https://www.microsoft.com/security/blog/2019/04/11/introducing-the-security-configuration-framework-a-prioritized-guide-to-hardening-windows-10/) + * [Windows security baselines - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines) * **Guides** * [Enable Attack surface reduction(Win10)- docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction) * [Harden windows IP Stack](https://www.reddit.com/r/netsec/comments/2sg80a/how_to_harden_windowsiis_ssltls_configuration/) 
@@ -471,6 +593,21 @@ * In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege. * [Best Practice: Securing Windows Service Accounts and Privileged Access – Part 1 - SecurIT360](https://www.securit360.com/blog/best-practice-service-accounts/) * [Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2 - SecurIT360](https://www.securit360.com/blog/best-practice-service-accounts-p2/) +* **Vulnerability Management** + * **101** + * US-CERT VulnMGMT FAQ: https://www.us-cert.gov/cdm/capabilities/vuln + * The Five Stages of Vulnerability Management(tripwire) - https://www.tripwire.com/state-of-security/vulnerability-management/the-five-stages-of-vulnerability-management/ + * SANS - Implementing a Vulnerability Management Process: https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180 + * Building a Model for Endpoint Security Maturity: https://www.tripwire.com/state-of-security/vulnerability-management/building-a-model-for-endpoint-security-maturity/ + * **Measuring Maturity** + * Vulnerability Management Maturity Models – Trip Wire: https://traviswhitney.com/2016/05/02/vulnerability-management-maturity-models-trip-wire/ + * Capability Maturity Model(Wikipedia): https://en.wikipedia.org/wiki/Capability_Maturity_Model + * **CVSS-related** + * Towards Improving CVSS - CMU SEI: https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf + * When CVSS Fits and When it Doesn’t(NCC Group): https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/when-cvss-fits-and-when-it-doesnt/ + * Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/dont-substitute-cvss-for-risk-scoring-system-inflates-importance-of-cve-2017-3735/ + * Microsoft Exploitability Index: 
https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1 + diff --git a/Draft/Docs_and_Reports.md b/Draft/Docs_and_Reports.md index 3263870..dd08afa 100755 --- a/Draft/Docs_and_Reports.md +++ b/Draft/Docs_and_Reports.md @@ -11,7 +11,12 @@ - [Video Documentation](#video) - [Disclosure](#disclosure) - +https://github.com/pavanw3b/sh00t +https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/ +https://github.com/GhostManager/Ghostwriter +https://posts.specterops.io/introducing-ghostwriter-part-1-61e7bd014aff +* [The Ultimate Workflow for Writers Obsessed with Quality - Rob Hardy](https://betterhumans.coach.me/the-ultimate-workflow-for-writers-obsessed-with-quality-5b2810e1214b) +* [The Elements Of Style: UNIX As Literature - Thomas Scoville](http://theody.net/elements.html) ----------------- ### Start Here 
@@ -49,15 +54,22 @@ * Curated list of public penetration test reports released by several consulting firms and academic security groups * [Penetration tests done by cure53, good examples of how a report should be done.](https://cure53.de/#publications ) * [Offensive Security 2013 Demo report](http://www.offensive-security.com/offsec/penetration-test-report-2013/) - * **Writing a Report** - * [Writing a Penetration Testing Report by SANS](https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343) - * [I \<3 Reporting - ](https://github.com/leesoh/iheartreporting) - * Reporting Tips for Penetration Testers - * [Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting) - * [Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/) - * [HowTo: Write pentest reports the easy way](http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/) - * [ The Penetration Testing Report - websecuritywatch](https://web.archive.org/web/20180201103151/http://www.websecuritywatch.com/the-penetration-testing-report/) - * [Excellent blog post breaking down the various parts, a must read](http://wwwwebsecuritywatch.com/the-penetration-testing-report/) + * **Writing a Penetration Test Report** + * **Articles** + * [Writing a Penetration Testing Report by SANS](https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343) + * [Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting) + * [Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/) + * [HowTo: Write pentest reports the easy way](http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/) + * [ The Penetration Testing Report - 
websecuritywatch](https://web.archive.org/web/20180201103151/http://www.websecuritywatch.com/the-penetration-testing-report/) + * [Excellent blog post breaking down the various parts, a must read](http://wwwwebsecuritywatch.com/the-penetration-testing-report/) + * [Your Reporting Matters: How to Improve Pen Test Reporting - Brian B. King](https://www.blackhillsinfosec.com/your-reporting-matters-how-to-improve-pen-test-reporting/) + * [Video Presentation](https://www.youtube.com/watch?v=NUueNT1svb8) + * **Talks** + * [Hack for Show, Report for Dough - Brian B. King(WWHF 2018)](https://www.youtube.com/watch?v=c_LBWqNDY0M) + * The fun part of pentesting is the hacking. But the part that makes it a viable career is the report. You can develop the most amazing exploit for the most surprising vulnerability, but if you can't document it clearly for the people who need to fix it, then you're just having fun. Which is fine! But if you want to make a career out of it, your reports need to be as clear and useful as your hacks are awesome. This talk shows simple techniques you can use to make your reports clear, useful, and brief. You'll see some before-and-after examples of a bad report made good, with clear explanations of what makes the difference. Those things will be useful no matter what tools you use to create reports. Then, if we have time, we'll look at some Microsoft Word hacks that will save you time and improve consistency. + * **Tools that can help** + * [I \<3 Reporting - ](https://github.com/leesoh/iheartreporting) + * Reporting Tips for Penetration Testers * **Writing an Request for Proposal** * [security-assessment-rfp-cheat-sheet](http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html) * **Templates** 
@@ -66,11 +78,15 @@ * **Meta** * **LaTex** * **Markdown** - * [What is Markdown?](http://daringfireball.net/projects/markdown/syntax) - * [Using markdown](https://guides.github.com/features/mastering-markdown/) - * [Markdown Syntax](http://daringfireball.net/projects/markdown/syntax) - * [Markdown basics](https://help.github.com/articles/markdown-basics/) - * [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) + * **101** + * [What is Markdown?](http://daringfireball.net/projects/markdown/syntax) + * [Markdown Syntax](http://daringfireball.net/projects/markdown/syntax) + * [Markdown basics](https://help.github.com/articles/markdown-basics/) + * **Using** + * [Markdown For Penetration testers & Bug-bounty hunters - enciphers](https://enciphers.com/markdown-for-penetration-testers-bug-bounty-hunters/) + * [Using markdown](https://guides.github.com/features/mastering-markdown/) + * [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) + * **Tools** * **Tools** * [vim-wordy](https://github.com/reedes/vim-wordy/blob/master/README.markdown) * wordy is not a grammar checker. Nor is it a guide to proper word usage. Rather, wordy is a lightweight tool to assist you in identifying those words and phrases known for their history of misuse, abuse, and overuse, at least according to usage experts. diff --git a/Draft/Embedded.md b/Draft/Embedded.md index 7a1069a..d718539 100755 --- a/Draft/Embedded.md +++ b/Draft/Embedded.md 
@@ -31,8 +31,25 @@ +http://www.sp3ctr3.me/hardware-security-resources/ +https://www.irongeek.com/i.php?page=videos/derbycon7/t316-anatomy-of-a-medical-device-hack-doctors-vs-hackers-in-a-clinical-simulation-cage-match-joshua-corman-christian-dameff-md-ms-jeff-tully-md-beau-woods + + + * https://media.blackhat.com/us-13/US-13-Zaddach-Workshop-on-Embedded-Devices-Security-and-Firmware-Reverse-Engineering-WP.pdf + * https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance +https://inception-framework.github.io/inception/ + + +IoT Methodology +https://resources.infosecinstitute.com/beginners-guide-to-pentesting-iot-architecture-network-and-setting-up-iot-pentesting-lab-part-1/ +https://github.com/phodal/awesome-iot +http://iotpentest.com/iot-protocols-introduction/ +https://www.networkworld.com/article/3198495/internet-of-things/how-to-conduct-an-iot-pen-test.html +https://github.com/V33RU/IoTSecurity101 +https://blog.attify.com/how-to-iot-pentesting/ + * **To-Do** * Fingeprint readers * [Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid) @@ -44,7 +61,14 @@ * SD Cards * TPM * [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA) +https://firmwaresecurity.com/2019/05/01/deral-heiland-extracting-firmware-from-microcontrollers-onboard-flash-memory-parts-1-3/ +https://firmwaresecurity.com/2019/04/28/mimoja-amd-firmware-presentation-uploaded/ + +http://www.farleyforensics.com/2019/04/25/have-you-ever-wanted-to-get-started-with-jtag-isp-chip-off-extractions-but-never-knew-what-you-needed-to-get-started/ + +https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html +https://github.com/ChrisTheCoolHut/Firmware_Slap * [From 0 to Infinity - Guy](https://docs.google.com/presentation/d/19A1JWyOTueZvD8AksqCxtxriNJJgj0vPdq3cNTwndf4/mobilepresent#slide=id.g35506ef05e_0_0) diff --git a/Draft/Exfiltration.md b/Draft/Exfiltration.md index 5cc5b0e..b5124f8 100755 --- a/Draft/Exfiltration.md 
+++ b/Draft/Exfiltration.md @@ -17,10 +17,14 @@ Sort tools into categories of type, i.e. physical network, wireless(types thereo * [SneakyCreeper](https://strikersecurity.com/blog/sneaky-creeper-data-exfiltration-overview/) * A Framework for Data Exfiltration * [Github](https://github.com/DakotaNelson/sneaky-creeper) - +* [PacketWhisper](https://github.com/TryCatchHCF/PacketWhisper?mc_cid=065d80dbfd&mc_eid=f956a0c5ca) + * Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective. * [GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies - usenix conference](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf) - +https://github.com/moloch--/wire-transfer ##### End Sort +https://github.com/TarlogicSecurity/Arecibo +* [Secure WebDav Egress: AMZ EC2, Apache, and Let's Encrypt - Chris Patten](http://rift.stacktitan.com/alternate-unc-webdav-ssl-and-lets-encrypt/) + ----- diff --git a/Draft/Exploit_Dev.md b/Draft/Exploit_Dev.md index 28dbf49..0434d8c 100755 --- a/Draft/Exploit_Dev.md +++ b/Draft/Exploit_Dev.md 
@@ -67,6 +67,57 @@ +https://rastating.github.io/creating-a-custom-shellcode-encoder/ +https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/ +https://blog.flanker017.me/galaxy-leapfrogging-pwning-the-galaxy-s8/ +https://blog.flanker017.me/galaxy-leapfrogging-pwning-the-galaxy-s8/ + +https://github.com/swisskyrepo/PayloadsAllTheThings +https://github.com/Cn33liz/MS17-012 +https://github.com/qazbnm456/awesome-cve-poc#cve-2018-5318 +https://github.com/Cn33liz/Tater + + + * [High-Level Approaches for Finding Vulnerabilities - @Jackson_T](https://web.archive.org/web/20171119102445/https://jackson.thuraisamy.me/finding-vulnerabilities.html) + + +http://blog.sevagas.com/?Code-segment-encryption + + + +* https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf + + + +https://www.youtube.com/watch?v=gu_i6LYuePg + + +https://j00ru.vexillium.org/syscalls/nt/64/ +http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html +https://hovav.net/ucsd/dist/noret-ccs.pdf + + + + + + +* [Return-Oriented Programming without Returns - Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy](https://hovav.net/ucsd/papers/cddssw10.html) + * We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets. 
Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction. + + + + +https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html + + + + + + + + + + diff --git a/Draft/Fuzzing.md b/Draft/Fuzzing.md index 31391f4..d60413e 100755 --- a/Draft/Fuzzing.md +++ b/Draft/Fuzzing.md @@ -41,6 +41,29 @@ + +https://danluu.com/testing/ + +https://www.usenix.org/conference/woot12/workshop-program/presentation/vanegue +https://labs.mwrinfosecurity.com/publications/corrupting-memory-in-microsoft-office-protected-view-sandbox/?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email&iid=565088e5a455476c97c557e8bbcec069&fl=4&uid=150127534&nid=244+285282312 +https://github.com/nccgroup/fuzzowski +https://mattwarren.org/2018/08/28/Fuzzing-the-.NET-JIT-Compiler/ +https://github.com/jakobbotsch/Fuzzlyn + + + + + + + + + + + + + + + ------------ ### General * **101** diff --git a/Draft/Games.md b/Draft/Games.md index 85dd399..aefc6a0 100755 --- a/Draft/Games.md +++ b/Draft/Games.md @@ -9,6 +9,13 @@ * [Talks & Presentations](#talks) * [Tools](#tools) +https://www.youtube.com/user/L4DL4D2EUROPE/videos + + +* [Diablo1 Notes](https://github.com/sanctuary/notes) + * The aim of this project is to organize and cross-reference a collection of notes related to the inner workings of the Diablo 1 game engine. + + ------------ diff --git a/Draft/Interesting_Things.md b/Draft/Interesting_Things.md index e17350c..a5959a8 100755 --- a/Draft/Interesting_Things.md +++ b/Draft/Interesting_Things.md 
@@ -4,6 +4,45 @@ #### Sort + + + +https://getindico.io/ + +https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist +https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/ + +* [Cambridge Analytica explains how the Trump campaign worked](https://www.youtube.com/watch?v=bB2BJjMNXpA) + * Molly Schweickert, Vice President Global Media from Cambridge Analytica on "How digital advertising worked for the US 2016 presidential campaign". How they used Facebook user data and other sources to target specific users with individual messages for the 2016 Trump election campaign. She is Alexander Nix' digital marketing expert. + +http://www.tidepools.co/history.html + +http://habitatchronicles.com/2007/03/the-untold-history-of-toontowns-speedchat-or-blockchattm-from-disney-finally-arrives/ +https://v1.escapistmagazine.com/articles/view/video-games/issues/issue_101/559-Will-Bobba-for-Furni.3 + +https://pagedout.institute/?page=issues.php +https://www.cnet.com/forums/discussions/beyond-the-grave-virus-infecting-hedge-funds/ + +https://elpais.com/elpais/2019/03/13/inenglish/1552464196_279320.html +http://www.catb.org/~esr/jargon/html/koans.html + +* [Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else - Cooper Quintin(EFF)](https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else) + + +https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html +https://www.ribbonfarm.com/2012/03/08/halls-law-the-nineteenth-century-prequel-to-moores-law/ +https://epic.org/2019/01/border-agency-finalizes-social.html +https://epic.org/foia/epic-v-dhs-media-monitoring/ +https://www.govinfo.gov/content/pkg/FR-2018-12-27/pdf/2018-27944.pdf +https://www.rand.org/research/gun-policy/analysis/essays/mass-shootings.html + + + + + + + + * [A Verified Information-Flow 
Architecture](http://www.crash-safe.org/assets/verified-ifc-long-draft-2013-11-10.pdf) * SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end- to-end proof of noninterference for this model. * [SimpleVisor](https://github.com/ionescu007/SimpleVisor) @@ -13,7 +52,7 @@ http://spth.virii.lu/articles.htm https://bugs.php.net/bug.php?id=50696 - +https://dynamicland.org/ * [Pulling Back the Curtain on Airport Security: Can a Weapon Get Past TSA? - Billy Rios - BHUSA 2014](https://www.youtube.com/watch?reload=9&v=hbqVNlwfjxo) * Every day, millions of people go through airport security. While it is an inconvenience that could take a while, most are willing to follow the necessary procedures if it can guarantee their safety. Modern airport security checkpoints use sophisticated technology to help the security screeners identify potential threats and suspicious baggage. Have you ever wondered how these devices work? Have you ever wondered why an airport security checkpoint was set up in a particular configuration? Join us as we present the details on how a variety of airport security systems actually work, and reveal their weaknesses. We’ll present what we have learned about modern airport security procedures, dive deep into the devices used to detect threats, and we’ll present some the bugs we discovered along the way. 
@@ -67,15 +106,15 @@ https://bugs.php.net/bug.php?id=50696 * [Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html) * [The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/) * [Infosec Podcasts](http://www.getmon.com/) - * [THE BASIC LAWS OF HUMAN STUPIDITY - Carlo M. Cipolia](http://harmful.cat-v.org/people/basic-laws-of-human-stupidity/) + * [The Basic Laws Of Human Stupidity - Carlo M. Cipolia](http://harmful.cat-v.org/people/basic-laws-of-human-stupidity/) * **Airplanes** * [NTSB Aviation Accident Database & Synopses](https://www.ntsb.gov/_layouts/ntsb.aviation/index.aspx) * [The Aviation Herald](https://avherald.com/) * [radar - securitywizardy](http://www.securitywizardry.com/radar.htm) * [Real-life experiences in avionics security assessment (A. Barisani)](https://www.youtube.com/watch?v=xtSmPgXw34I&feature=youtu.be&app=desktop) * **Attacking** - * [It’s all about the timing. . . Blackhat talk](https://www.blackhat.com/presentations/bh-usa-07/Meer_and_Slaviero/Whitepaper/bh-usa-07-meer_and_slaviero-WP.pdf) - * Description: This paper is broken up into several distinct parts, all related loosely to timing and its role in information se- curity today. While timing has long been recognized as an important component in the crypt-analysts arse- nal, it has not featured very prominently in the domain of Application Security Testing. This paper aims at highlighting some of the areas in which timing can be used with great effect, where traditional avenues fail. In this paper, a brief overview of previous timing attacks is provided, the use of timing as a covert channel is examined and the effectiveness of careful timing during traditional web application and SQL injection attacks is demonstrated. 
The use of Cross Site Timing in bypass- ing the Same Origin policy is explored as we believe the technique has interesting possibilities for turning innocent browsers into bot-nets aimed at, for instance, brute-force attacks against third party web-sites + * [It’s all about the timing... - lackhat talk](https://www.blackhat.com/presentations/bh-usa-07/Meer_and_Slaviero/Whitepaper/bh-usa-07-meer_and_slaviero-WP.pdf) + * Description: This paper is broken up into several distinct parts, all related loosely to timing and its role in information se- curity today. While timing has long been recognized as an important component in the crypt-analysts arse- nal, it has not featured very prominently in the domain of Application Security Testing. This paper aims at highlighting some of the areas in which timing can be used with great effect, where traditional avenues fail. In this paper, a brief overview of previous timing attacks is provided, the use of timing as a covert channel is examined and the effectiveness of careful timing during traditional web application and SQL injection attacks is demonstrated. The use of Cross Site Timing in bypass- ing the Same Origin policy is explored as we believe the technique has interesting possibilities for turning innocent browsers into bot-nets aimed at, for instance, brute-force attacks against third party web-sites * [A Look In the Mirror: Attacks on Package Managers](https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf) * [VM as injection payload ](http://infiltratecon.com/downloads/python_deflowered.pdf) * [Thousands of MongoDB installations on the net unprotected](http://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf) 
@@ -400,7 +439,6 @@ https://bugs.php.net/bug.php?id=50696 * Local * [Foreign LINUX](https://github.com/wishstudio/flinux) * Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in constrast to Cygwin and other tools. - * **Network** * [Netdude](http://netdude.sourceforge.net/) * The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX. 
@@ -459,68 +497,3 @@ https://bugs.php.net/bug.php?id=50696 * **GPU Keylogger** * [Demon](https://github.com/x0r1/Demon) * GPU keylogger PoC by Team Jellyfish - - - - - -### Professional Development -* [You Suck at Excel with Joel Spolsky(2015)](https://www.youtube.com/watch?v=0nbkaYsR94c&feature=youtu.be) - * The way you are using Excel causes errors, creates incomprehensible spaghetti spreadsheets, and makes me want to stab out my own eyes. Enough of the =VLOOKUPs with the C3:$F$38. You don't even know what that means. - * [Notes](https://trello.com/b/HGITnpih/you-suck-at-excel) -* [Robustness Principle - Wikipedia](https://en.m.wikipedia.org/wiki/Robustness_principle) -https://blog.codinghorror.com/recommended-reading-for-developers/ - -* Add: - * Manager's Tools podcast - * RibbonFarm Gervais theory -* These are rantings of someone who dropped out of college and holds no business degree. Be forewarned. - -https://hbr.org/2017/05/how-to-have-difficult-conversations-when-you-dont-like-conflict -https://malicious.link/post/2018/getting-hired-a-few-tips/ - - - -* [Maker's Schedule, Manager's Schedule - Paul Graham(2009)](http://www.paulgraham.com/makersschedule.html) -* [Reaching Peak Meeting Efficiency: Meetings are a critical tool for building a diverse, high-performance team with shared values - Steven Sinofsky](https://medium.learningbyshipping.com/reaching-peak-meeting-efficiency-f8e47c93317a) -* [Salary Comparison Across Various companies](https://www.levels.fyi/) - -* [How to Apply Critical Thinking Using Paul-Elder Framework - designorate](https://www.designorate.com/critical-thinking-paul-elder-framework/) -* [When to Test and How to Test It - Bruce Potter - Derbycon7](https://www.youtube.com/watch?v=Ej97WyEMRkI) - * “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. 
It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity. -* [Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models](https://www.usenix.org/conference/usenixsecurity18/presentation/mickens) - * Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization. In my keynote, I will explain why the proliferation of ubiquitous technology is good in the same sense that ubiquitous Venus weather would be good, i.e., not good at all. 
Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits. At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks. - - - -* **101** - * [Bureaucratic drift - Wikipedia](https://en.wikipedia.org/wiki/Bureaucratic_drift) - * [Organizational Theory - Wikipedia](https://en.wikipedia.org/wiki/Organizational_theory) -* **Compensation/Salary Negotiation** -* **Culture** - * [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224) -* **Informal Laws & Principles** - * [The Gervais Principle - RibbonFarm](https://www.ribbonfarm.com/the-gervais-principle/) - * [Peter Principle - Wikipedia](https://en.wikipedia.org/wiki/Peter_principle) - * The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. 
The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull. - * It was originally written as a satire. - * [Dilbert Principle - Wikipedia](https://en.wikipedia.org/wiki/Dilbert_principle) - * The Dilbert principle refers to a 1990s theory by Dilbert cartoonist Scott Adams stating that companies tend to systematically promote their least competent employees to management (generally middle management), to limit the amount of damage they are capable of doing. - * [The Iron Law of Bureaucracy](https://www.jerrypournelle.com/reports/jerryp/iron.html) - * Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people": - * `First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.` - * `Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.` - * The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization. -* **Management** - * [The Tyranny of Structurelessness - Jo freeman](https://www.jofreeman.com/joreen/tyranny.htm) - * [Vitality Curve](https://en.m.wikipedia.org/wiki/Vitality_curve) -* **Networking** - * [That’s still not my RJ 45 Jack - IRL Networking for Humans Pt 2 - Johnny Xmas](https://www.irongeek.com/i.php?page=videos/converge2015/%22track112-how-to-dress-like-a-human-being-irl-networking-for-humans-pt-2-johnny-xmas%22) - * We're smart. We're incredibly tech savvy. We can rock some mad OSINT with our Google-Fu. 
We're 85% +-10% sure which part of the body a hat goes on. We think you can never have enough beard. WE THINK THAT'S ACCEPTABLE. The second in his multi-part series on building social prowess, this talk will focus on the inconvenient truth of your book always, always, always being judged by its cover, and how to deal with that with minimal effort so you can get back to sewing more pockets on your utilikilt. This talk covers both male and female situations, though it is primarily unisex. We'll get you set up with a core wardrobe and hygenic skillset so you'll be able to roll out of bed, spend minimal time "getting ready," rock the dreaded client-facing meeting or industry meetup, and get you back home where you can safely take your pants off. -* **Problem Solving** - * [The XY Problem](http://xyproblem.info/) - * The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help. - * [The AZ Problem](http://azproblem.info/) - * This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, than the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems. -* **Surrounding Environment** - * [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html) diff --git a/Draft/L-SM-TH.md b/Draft/L-SM-TH.md index d245a2d..54d8738 100755 --- a/Draft/L-SM-TH.md +++ b/Draft/L-SM-TH.md 
@@ -9,17 +9,88 @@ +* [Mental Models for Effective Searching - Chris Sanders](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1555082140.pdf) +https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks + +https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html?m=1 +* [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/en-gb/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809#windows-error-reporting-events) + +* [The Role of Evidence Intention - Chris Sanders](https://rhinosecuritylabs.com/application-security/simplifying-api-pentesting-swagger-files/) +* [$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase - Matthew Dunwoody, Daniel Bohannon(BruCON 0x0A)](https://www.youtube.com/watch?v=YGJaj6_3dGA) + * Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and methodical (read iterative) approach. As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks. 
+https://github.com/miriamxyra/EventList +* [Different Approaches to Linux Monitoring - Kelly Shortridge](https://capsule8.com/blog/different-approaches-to-linux-monitoring/) +* [Detecting the Elusive Active Directory Threat Hunting - Sean Metcalf(BSidesCharm2017)](https://www.youtube.com/watch?v=9Uo7V9OUaUw) + * Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected? This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks. One of the latest tools in the offensive toolkit is ""Kerberoast"" which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed. The attacker's playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks. + * [Slides](https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf) + +* [What’s in a name? 
TTPs in Info Sec - Robby Winchester](https://posts.specterops.io/whats-in-a-name-ttps-in-info-sec-14f24480ddcc) + +https://blog.kolide.com/monitoring-macos-hosts-with-osquery-ba5dcc83122d?gi=e42e60717e0 +https://blog.trailofbits.com/2017/11/09/how-are-teams-currently-using-osquery/ +https://blog.trailofbits.com/2017/12/21/osquery-pain-points/ +https://blog.trailofbits.com/2018/04/10/what-do-you-wish-osquery-could-do/ +https://github.com/davehull/Kansa +* [WebDAV Traffic To Malicious Sites - Didier Stevens](https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/) + +https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ +https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings +https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630 +https://www.microsoft.com/en-us/download/details.aspx?id=50034 + + +* [Mental Models for Effective Searching - Chris Sanders](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1555082140.pdf) + + + + + +https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-4-sql-join-via-apache-sparksql-6630928c931e * **Osquery** * [Using Osquery to Detect Reverse Shells on MacOS - Chris Long](https://www.clo.ng/blog/osquery_reverse_shell/) * **File Monitoring** * [Practical PowerShell for IT Security, Part I: File Event Monitoring - varonis.com](https://www.varonis.com/blog/practical-powershell-for-it-security-part-i-file-event-monitoring/) +* [Use Windows Event Forwarding to help with intrusion detection - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection) +* [Threat Hunting: Fine Tuning Sysmon & Logstash to find Malware Callbacks C&C - Pablo 
Delgado](https://www.syspanda.com/index.php/2018/07/30/threat-hunting-fine-tuning-sysmon-logstash-find-malware-callbacks-cc/) * [Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK - Part I (Event ID 7) - Roberto Rodriguez](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html?m=1) * [Threat Hunting With Python Part 1 - Dan Gunter](https://dragos.com/blog/industry-news/threat-hunting-with-python-part-1/) * [Windows-Hunting](https://github.com/beahunt3r/Windows-Hunting) * The Purpose of this repository is to aid windows threat hunters to look for some common artifacts during their day to day operations. +* [Danger-Zone](https://github.com/woj-ciech/Danger-zone) + * Correlate data between domains, IPs and email addresses, present it as a graph and store everything into Elasticsearch and JSON files. +https://medium.com/@maarten.goet/analyzing-your-microsoft-defender-atp-data-in-real-time-in-elk-using-the-new-streaming-api-c435d2943605 + +https://blog.redteam.pl/2019/04/dns-based-threat-hunting-and-doh.html +https://www.peerlyst.com/posts/security-monitoring-and-attack-detection-with-elasticsearch-logstash-and-kibana-martin-boller + +https://www.youtube.com/watch?v=SzbABydoz0k + +* https://github.com/Patrowl/PatrowlManager +https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950 + +https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation-wp.pdf + +https://github.com/kolide/fleet + +https://github.com/deviantony/docker-elk +https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Hunting-for-reconnaissance-activities-using-LDAP-search-filters/ba-p/824726 + +https://github.com/github/vulcanizer + +* [Hunting for Bad Apples – Part 1 - Richie Cyrus](https://securityneversleeps.net/2018/06/25/hunting-for-bad-apples-part-1/) + +http://penconsultants.com/blog/crown-jewels-monitoring-vs-mitigating/ + 
+https://github.com/Yelp/elastalert + + + + + --------------------------- diff --git a/Draft/Malware.md b/Draft/Malware.md index 6442d24..110dde3 100755 --- a/Draft/Malware.md +++ b/Draft/Malware.md @@ -29,6 +29,11 @@ Table of Contents - [Honeypots](#honey) +https://github.com/MISP/MISP +* [Golem Malware - The Malware Hiding in Your Windows Fonts Folder - Pierre-Alexandre Braeken](https://sysadminconcombre.blogspot.com/2018/11/golem-malware-malware-hiding-in-your.html) + + +https://research.checkpoint.com/macos-malware-pedia/ * Extend * maldocs section 
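Review bot: in the L-SM-TH.md hunk most of the new entries are bare URLs (`+https://blog.kolide.com/monitoring-macos-hosts-with-osquery-...`, `+https://github.com/davehull/Kansa`, `+https://github.com/kolide/fleet`) dropped outside the `* [Title - Author](url)` bullet form the surrounding entries use, so a reader cannot tell what Kansa or fleet are without clicking; give each a title and a one-line description. The two Microsoft download links are also inconsistent: `+https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630` is the post-click confirmation page, not the document's landing page, while the next line correctly uses `details.aspx?id=50034`; swap the first to the matching `details.aspx` URL. The runs of empty `+` lines between entries add nothing and make the Sort block harder to scan.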
@@ -46,12 +51,42 @@ Table of Contents * FSG * PESpin +* [Windows API resolution via hashing](https://github.com/LloydLabs/Windows-API-Hashing) + * Although this method of API obfuscation is relatively old, my friend who was wanting to increase his skills in the Windows sphere confronted me about a way a few malware families seem to resolve APIs. It's pretty simple, however he could not find any documentation with a solid programming example on the matter at the time, so I thought I'd quickly write something up regarding it. I was going to write my own loader for this example (loading the desired module via LdrLoadDll within kernel32.dll, walking the InMemoryOrderModuleList to find the desired loaded module, finding the exported function we're after within the EAT..) - however I thought this might of have been a bit overkill for such a simple concept, I want to cover writing your own PE loader in the future though as it's an interesting subject. + +* [Tip: how to find malware samples containing specific strings - Decalage](https://decalage.info/en/malware_string_search) + + +* [Betabot still alive with multi-stage packing. - Wojciech](https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39) + +* [Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis) - fumko](https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/) +* [Predator The Thief: In-depth analysis (v2.3.5) - fumko](https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/) + + +* [PDF Analysis - zbetheckin](https://github.com/zbetcheckin/PDF_analysis) + * Several PDF analysis reassembled with additional tips and tools + +* [Vba2Graph](https://github.com/MalwareCantFly/Vba2Graph) + * Generate call graphs from VBA code, for easier analysis of malicious documents. + + + + + + + + + + + + + +https://github.com/rj-chap/CFWorkshop -* [Betabot still alive with multi-stage packing. 
- Wojciech](https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39) diff --git a/Draft/Network_Attacks.md b/Draft/Network_Attacks.md index f21091e..18f1d35 100755 --- a/Draft/Network_Attacks.md +++ b/Draft/Network_Attacks.md @@ -1,4 +1,4 @@ -# Network Attacks & Defenses +https://hypothetical.me/short/dns-0x20/# Network Attacks & Defenses ## Table of Contents - [General](#general) 
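Review bot: the description under `+* [Windows API resolution via hashing](https://github.com/LloydLabs/Windows-API-Hashing)` in the Malware.md `@@ -46,12 +51,42 @@` hunk is the project README pasted verbatim in its author's first person ("my friend who was wanting to increase his skills...", "I thought I'd quickly write something up"), which reads as the list maintainer's own words; cut it to a one-line summary in the list's voice (resolving exports by comparing hashed names against the module's export table, as the README itself describes) or mark it as a quotation. Two smaller points: `+* [PDF Analysis - zbetheckin](https://github.com/zbetcheckin/PDF_analysis)` misspells the author relative to the URL (`zbetcheckin`), and the fourteen empty `+` lines before `+https://github.com/rj-chap/CFWorkshop` should be dropped, with that URL given a title like its neighbours. Moving the Betabot entry to the top (`+* [Betabot still alive ...]` / `-* [Betabot still alive ...]`) is fine as is.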
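Review bot: the `@@ -1,4 +1,4 @@` hunk in Network_Attacks.md breaks the file's title: `-# Network Attacks & Defenses` is replaced by `+https://hypothetical.me/short/dns-0x20/# Network Attacks & Defenses`, so the line no longer starts with `#` and renders as a paragraph containing the URL followed by the literal text `# Network Attacks & Defenses`. Restore `# Network Attacks & Defenses` as its own first line. Nothing is lost by removing the URL here: the same `+https://hypothetical.me/short/dns-0x20/` line is already added further down in the `@@ -67,6 +67,239 @@` hunk.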
@@ -67,6 +67,239 @@ * STUN * Hadoop * Fax + * Packet sniffers + + * [Packet sniffing with powershell](https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/) +https://github.com/x1mdev/ReconPi +https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ +https://cqureacademy.com/blog/penetration-testing/nse-scripts +https://github.com/dnkolegov/bigipsecurity/blob/master/README.md +WMI Stuff +https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf +https://github.com/mattifestation/WMI_Backdoor +https://blog.netspi.com/getting-started-wmi-weaponization-part-5/ +* [Windows Management Instrumentation(WMI) Offense, Defense, and Forensics - William Ballenthin, Matt Graeber, Claudiu Teodorescu](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf) +https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-wmi +https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page +https://en.wikipedia.org/wiki/Windows_Management_Instrumentation +* Understanding WMI Scripting: Exploiting Microsoft's Windows Management Instrumentation in Mission-Critical Computing Infrastructures - Alain Lissoir +* [An Illustrated Guide to the BEAST Attack - Joshua Davies](http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027) + + +* [Papercut](https://github.com/changemakerstudios/papercut) + * Simple Desktop SMTP Server + +* [RFC 3041: Privacy Extensions for Stateless Address Autoconfiguration in IPv6](https://tools.ietf.org/html/rfc3041) +* [RFC 7710: Captive-Portal Identification Using DHCP or Router Advertisements (RAs)](https://tools.ietf.org/html/rfc7710) + + +https://github.com/nccgroup/DatajackProxy +* [RFC 4861: Neighbor Discovery for IP version 6 
(IPv6)](https://tools.ietf.org/html/rfc4861) +https://github.com/praetorian-inc/trudy +https://github.com/brannondorsey/dns-rebind-toolkit +* [LLMNR/NBT-NS Poisoning Using Responder](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/) +https://blog.netspi.com/attacks-against-windows-pxe-boot-images/ +https://www.andreafortuna.org/2017/08/09/windows-command-line-cheatsheet-part-2-wmic/ +https://tools.ietf.org/html/rfc8461 +https://github.com/dnkolegov/bigipsecurity/blob/master/README.md +https://github.com/danielmiessler/egression +https://github.com/audibleblink/doxycannon +* [A Tale From Defcon and the Fun of BNAT](https://blog.rapid7.com/2011/08/26/a-tale-from-defcon-and-the-fun-of-bnat/) +* [BNAT Hijacking: Repairing Broken Communication Channels - Jonathan Claudius + - AIDE 2012](http://www.irongeek.com/i.php?page=videos/aide2012/bnat-hijacking-repairing-broken-communication-channels-jonathan-claudius) + https://tls.ulfheim.net/ +https://nmap.org/nsedoc/scripts/ipidseq.html + https://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/ +* AMQP + * [AMQP v1.0(2011) Protocol Document](http://www.amqp.org/sites/amqp.org/files/amqp.pdf) +https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +* [Capturing NetNTLM Hashes with Office [DOT] XML Documents - bohops](https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/) + +* [RFC1350: THE TFTP PROTOCOL (REVISION 2)](https://tools.ietf.org/html/rfc1350) +https://github.com/cldrn/nmap-nse-scripts +https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v2.pdf +* [Ntlm Relay Reloaded: Attack methods you do not know - Jianing Wang, Junyu Zhou - zeronights18](https://www.youtube.com/watch?v=BrSS_0a0vzQ) + +http://niiconsulting.com/checkmate/2013/05/memcache-exploit/ +* [Overpass-the-hash - GentilKiwi](http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash) + 
+http://trouble.org/?p=712 +https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi +http://fish2.com/ipmi/bp.pdf + +https://github.com/lorenzog/dns-rebinding +https://www.blackhat.com/docs/us-15/materials/us-15-Cassidy-Switches-Get-Stitches.pdf + +https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/ + +Redis +* [redis - Wikipedia](https://en.wikipedia.org/wiki/Redis) +* [Introduction to redis - redis.io](https://redis.io/topics/introduction) +* [redis security - redis.io](https://redis.io/topics/security) +* [A Few Things About redis Security - antirez](http://antirez.com/news/96) +* [Securing redis - redis.io](https://redis.io/topics/quickstart#securing-redis) +* [Pentesting Redis Servers - averagesecurityguy](https://averagesecurityguy.github.io/code/pentest/2015/09/17/pentesting-redis-servers/) +* [redis-dump](http://delanotes.com/redis-dump/) +* [Script attempted to create global variable - Stackoverflow](https://stackoverflow.com/questions/19997647/script-attempted-to-create-global-variable) + +* [NetworkBoot.org](https://networkboot.org/) + * A place where beginners can learn the fundamentals of network booting. +Hadoop +* [Hadoop Safari Hunting for Vulnerabilities - Thomas Debize, Mehdi Braik - PHDays](https://www.slideshare.net/phdays/hadoop-76515903) +* [Hadoop Attack Library](https://github.com/wavestone-cdt/hadoop-attack-library) + * A collection of pentest tools and resources targeting Hadoop environments +* [Talk - Big problems with big data - Hadoop interfaces security - AppSecEU16](https://www.youtube.com/watch?v=ClXKGI8AzTk) + * [Slides - Big problems with big data – Hadoop interfaces security - Jakub Kaluzny - ZeroNights, Moscow 2015](http://2015.zeronights.org/assets/files/03-Kaluzny.pdf) +* [Cloud Security in Map/Reduce - An Analysis - Jason Schlesinger(2009)](http://hackedexistence.com/downloads/Cloud_Security_in_Map_Reduce.pdf) +* [Hadoop Security Design? 
Just Add Kerberos? Really? - Andrew Becherer - BHUSA2010] +* [Securing Hadoop: Security Recommendations for Hadoop Environments - Securosis(2016)](https://securosis.com/assets/library/reports/Securing_Hadoop_Final_V2.pdf) +* [SANS Cloudera Hadoop Hardening Checklist Guide](https://www.sans.org/score/checklists/cloudera-security-hardening) +* [Ports Used by Components of CDH 5 - cloudera.com](https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_ig_ports_cdh5.html) +* [The Hadoop Ecosystem Table](https://hadoopecosystemtable.github.io/) + * This page is a summary to keep the track of Hadoop related projects, focused on FLOSS environment. +* WMI + * https://pentestarmoury.com/2016/07/13/151/ + * https://learn-powershell.net/2013/08/02/powershell-and-events-wmi-temporary-event-subscriptions/ + * http://www.fuzzysecurity.com/tutorials/19.html + * https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf + * https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 + * https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ + * https://www.redcanary.com/blog/lateral-movement-winrm-wmi/ + * https://blog.netspi.com/getting-started-wmi-weaponization-part-2/ + * https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/wmi-classes + * https://www.xorrior.com/wmic-the-enterprise/ + * https://www.andreafortuna.org/dfir/windows-command-line-cheatsheet-part-2-wmic/ + * https://www.andreafortuna.org/command-line/windows-command-line-cheatsheet-part-1-some-useful-tips/ + * https://docs.microsoft.com/en-us/windows/desktop/wmisdk/access-to-wmi-namespaces + * https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-tasks--files-and-folders + * https://www.cs.cmu.edu/~tgp/scsadmins/winadmin/WMIC_Queries.txt + * https://www.jaapbrasser.com/search-for-files-using-wmi/ + * 
https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-reference + * https://blogs.msdn.microsoft.com/powershell/2012/08/24/introduction-to-cim-cmdlets/ + * https://blogs.technet.microsoft.com/heyscriptingguy/2016/02/10/using-the-powershell-cim-cmdlets-for-fun-and-profit/ + * https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/26/use-powershell-and-wmi-to-get-processor-information/ + * https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-tasks--accounts-and-domains + * https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-tasks--services + * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee176854(v=technet.10) + * https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Management/Get-Process?view=powershell-5.1 + * https://support.microsoft.com/en-us/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li + * https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/wmic + * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742610(v=technet.10) + * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779482(v=ws.10) + * http://www.room362.com/blog/2014/04/19/executing-code-via-smb-without-psexec/ (import wmiexec) + * http://passing-the-hash.blogspot.co.nz/2013/07/WMIS-PowerSploit-Shells.html + * https://msdn.microsoft.com/en-us/library/bb742610.aspx + * https://www.youtube.com/watch?v=0SjMgnGwpq8&gl=http://h4k.in/dataurlUS&hl=en + * https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/ + + +https://github.com/theMiddleBlue/nmap-elasticsearch-nse +https://medium.com/@themiddleblue + +* [Revocation doesn't work - ImperialViolet(2011)](https://www.imperialviolet.org/2011/03/18/revocation.html) + +Message Queueing Telemetry Transport Protocol (MQTT) +* Default port `1833` +* MQTT stands for MQ Telemetry Transport. 
It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. + +It’s open source, royalty free and therefore easy to adopt and adapt +It follows a publish/subscribe model for one-to-many distribution +Small message headers +Multiple Quality of Service levels +Simple command messages +Data type agnostic +Retained messages +Clean sessions and durable connections +Last Will and Testament (LWT) + +| Publisher | + V +| MQTT Broker | <-> Bridge <-> | MQTT Broker | + V +| Subscriber | +https://sensepost.com/blog/2018/punching-messages-in-the-q/ +http://mqtt.org/faq +http://mqtt.org/documentation +https://github.com/mqtt/mqtt.github.io/wiki +http://blog.catchpoint.com/2017/07/06/dissecting-mqtt-using-wireshark/ +https://www.hivemq.com/mqtt-security-fundamentals/ +http://www.steves-internet-guide.com/mqtt-security-mechanisms/ +https://dzone.com/articles/mqtt-security +https://ieeexplore.ieee.org/document/8239179/ +https://dzone.com/articles/exploiting-mqtt-using-lua +http://www.steves-internet-guide.com/mqtt/ +https://hub.packtpub.com/lightweight-messaging-mqtt-311-and-mosquitto/ +https://www.youtube.com/watch?v=J_BAXVSVPVI&feature=youtu.be +https://github.com/zombiesam/joffrey +https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b +NSE Lib: https://nmap.org/nsedoc/lib/mqtt.html +https://dzone.com/articles/exploiting-mqtt-using-lua +http://blog.catchpoint.com/2017/05/30/protocol-for-internet-of-things/ +http://blog.catchpoint.com/2017/07/06/dissecting-mqtt-using-wireshark/ +http://www.steves-internet-guide.com/mqtt-protocol-messages-overview/ +http://www.steves-internet-guide.com/mqtt-security-mechanisms/ +MQTT Version 3.1: 
http://public.dhe.ibm.com/software/dw/webservices/ws-mqtt/MQTT_V3.1_Protocol_Specific.pdf +MQTT Version 5 HTML: http://docs.oasis-open.org/mqtt/mqtt/v5.0/cs01/mqtt-v5.0-cs01.html +MQTT Version 5 PDF: http://docs.oasis-open.org/mqtt/mqtt/v5.0/cs01/mqtt-v5.0-cs01.pdf +Big changes for V5: https://www.oasis-open.org/committees/download.php/57616/Big%20Ideas%20for%20MQTT%20v5.pdf + + + + + + + +* [Writing NMAP Scripts Like A Super-Hero - Peter Benjamin](https://medium.com/@petermbenjamin/writing-nmap-scripts-like-a-super-hero-e4b0dc4c782) +* [Nmap Script Writing Tutorial - nmap.org](https://nmap.org/book/nse-tutorial.html) + + + + +https://hypothetical.me/short/dns-0x20/ + + +* [SMTP Log Poisioning through LFI to Remote Code Excecution - Raj Chandel](https://www.hackingarticles.in/smtp-log-poisioning-through-lfi-to-remote-code-exceution/) + +* MQTT + * [What simple security tests can I perform on my MQTT network? - StackExchange IoT](https://iot.stackexchange.com/questions/452/what-simple-security-tests-can-i-perform-on-my-mqtt-network) + * [MQTT Security: A Novel Fuzzing Approach](https://www.hindawi.com/journals/wcmc/2018/8261746/) + * "we propose the creation of a framework that allows for performing a novel, template-based fuzzing technique on the MQTT protocol. The first experimental results showed that performance of the fuzzing technique presented here makes it a good candidate for use in network architectures with low processing power sensors, such as Smart Cities. In addition, the use of this fuzzer in widely used applications that implement MQTT has led to the discovery of several new security flaws not hitherto reported, demonstrating its usefulness as a tool for finding security vulnerabilities." 
+ * [Yankee Swapped: MQTT Primer, Exposure, Exploitation, and Exploration - Rapid7](https://blog.rapid7.com/2018/01/02/yankee-swapped-mqtt-primer-exposure-exploitation-and-exploration/) + * [MQTT Version 3.1.1 Oasis Standard](http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html) + +https://github.com/T-S-A/smbspider + +* [SSL/TLS and PKI History](https://www.feistyduck.com/ssl-tls-and-pki-history/) + * A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. + +https://github.com/tcstool/Fireaway + +NSE Scripts +* https://github.com/cldrn/nmap-nse-scripts/tree/master/scripts +* https://github.com/b4ldr/nse-scripts +* https://github.com/peter-hackertarget/nmap-nse-scripts +* https://github.com/s4n7h0/NSE +* https://github.com/aerissecure/nse + + + + + +* [PDFiD: GoToE and GoToR Detection (“NTLM Credential Theft”) - Didier Stevens](https://blog.didierstevens.com/2018/05/31/pdfid-gotoe-and-gotor-detection-ntlm-credential-theft/) + * The article [“NTLM Credentials Theft via PDF Files”](https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/) explains how PDF documents can refer to a resource via UNC paths. This is done using PDF names /GoToE or /GoToR. My tool pdfid.py can now be extended to report /GoToE and /GoToR usage in a PDF file, without having to change the source code + + + + + + + + + + + + + 
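Review bot: `+* Default port \`1833\`` under the MQTT heading is wrong; MQTT's registered port is 1883 (8883 for MQTT over TLS), and anyone scanning for the service from this line will miss it. The heading `+Message Queueing Telemetry Transport Protocol (MQTT)` also contradicts the next line, `+* MQTT stands for MQ Telemetry Transport.`; keep the mqtt.org form. The hunk carries several exact duplicates that should be collapsed: `+https://github.com/dnkolegov/bigipsecurity/blob/master/README.md` appears twice, as do `+https://dzone.com/articles/exploiting-mqtt-using-lua`, the catchpoint `dissecting-mqtt-using-wireshark` post, `steves-internet-guide.com/mqtt-security-mechanisms/`, and the Graeber WMI whitepaper (once under `WMI Stuff`, once in the `* WMI` sub-list); the two andreafortuna `wmic` cheatsheet URLs point at the same article. `+* [Hadoop Security Design? Just Add Kerberos? Really? - Andrew Becherer - BHUSA2010]` has no `(url)` and will render as literal brackets. The `| Publisher |` / `| MQTT Broker | <-> Bridge <-> | MQTT Broker |` / `| Subscriber |` diagram is not in a code fence, so markdown folds it into one line; wrap it in a fenced block or drop it. The MQTT feature list (`+It's open source, royalty free...` through `+Last Will and Testament (LWT)`) is mqtt.org FAQ text reproduced without the `* [..](url)` attribution the rest of the file uses. The `* WMI` sub-list of roughly thirty URLs lands in the Sort area while this same patch's `@@ -1161,8 +1394,10 @@` hunk edits the existing `### Windows Management Instrumentation(WMI)` section; file them there so WMI material is not split across two places. Finally, the YouTube link `+ * https://www.youtube.com/watch?v=0SjMgnGwpq8&gl=http://h4k.in/dataurlUS&hl=en` has a `gl=` value that is a foreign URL rather than a country code, which looks like paste damage; trim it to the `v=` parameter.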
@@ -1161,8 +1394,10 @@ ### Windows Management Instrumentation(WMI) * **101** * [Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI) - Carlos Perez](https://www.darkoperator.com/blog/2013/1/31/introduction-to-wmi-basics-with-powershell-part-1-what-it-is.html) + * [WMIC - Take Command-line Control over WMI - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742610(v=technet.10)) * **General/Articles/Writeups** * [Post Exploitation Using WMIC (System Command) - hackingarticles.in](https://www.hackingarticles.in/post-exploitation-using-wmic-system-command/) + * [WMIC Command Line Kung-Fu - tech-wreck.blogspot.com](https://tech-wreckblog.blogspot.com/2009/11/wmic-command-line-kung-fu.html) * **Reference** * [Connecting to WMI Remotely with C# - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/wmisdk/connecting-to-wmi-remotely-with-c-) * **Tools** @@ -1171,6 +1406,7 @@ + ------------ ### Other (Breaking Routers) * [ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd) diff --git a/Draft/Osint.md b/Draft/Osint.md index 789f10d..0a59184 100755 --- a/Draft/Osint.md +++ b/Draft/Osint.md @@ -18,7 +18,8 @@ - [Miscellaneous](#misc) - +* [WhatsMyName](https://github.com/webbreacher/whatsmyname) + * This repository has the unified data required to perform user and username enumeration on various websites. Content is in a JSON file and can easily be used in other projects #### Sort * Add list of Sources: 
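Review bot: in the `@@ -1161,8 +1394,10 @@` hunk the new entry `+  * [WMIC Command Line Kung-Fu - tech-wreck.blogspot.com](https://tech-wreckblog.blogspot.com/2009/11/wmic-command-line-kung-fu.html)` names the site `tech-wreck.blogspot.com` while the URL host is `tech-wreckblog.blogspot.com`; make the label match the host (or use the author's name, as the other entries do) so the attribution is not misleading.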
@@ -29,13 +30,52 @@ * Operating Licenses/Permits; * Trade Journals; +https://github.com/intrigueio/intrigue-core + + +https://github.com/vysecurity/DomLink +https://github.com/woj-ciech/kamerka +https://github.com/SourcingDenis/free-online-competitive-intelligence/blob/master/README.md +https://github.com/0days/Blue +https://github.com/digininja/leakyrepo +* [Username enumeration techniques and their value - Ben Williams](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/) +* [MailInt - Profiling China based Employees](https://web.archive.org/web/20180706004654/https://vincentyiu.co.uk/maiint-profiling-china-based-employees/) + +* [Giggity](https://github.com/needmorecowbell/giggity) + * Get information about an organization, user, or repo on github. Stores all data in a json file, organized in a tree of dictionaries for easy database transfer or data analysis. All done through the github api, with or without authentication (authentication highly recommended) +https://www.komodosec.com/post/github-the-red-teamer-s-cheat-sheet +https://github.com/IVMachiavelli/OSINT_Team_Links +https://www.bellingcat.com/resources/2019/07/12/how-to-tell-stories-a-beginners-guide-for-open-source-researchers/ * [asint collection - start.me](https://start.me/p/b5Aow7/asint_collection) * [cloud_enum](https://github.com/initstring/cloud_enum) * Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. * [SingleFile](https://github.com/gildas-lormeau/SingleFile) * SingleFile is a Web Extension compatible with Chrome, Firefox (Desktop and Mobile), Chromium-based Edge, Vivaldi, Brave, Waterfox, Yandex browser, and Opera. It helps you to save a complete web page into a single HTML file. 
+https://github.com/ZephrFish/GoogD0rker + + + +https://github.com/GeneralTesler/deluxe + + +* [ODIN](https://github.com/chrismaddalena/ODIN) + * ODIN aims to automate the basic recon tasks used by red teams to discover and collect data on network assets, including domains, IP addresses, and internet-facing systems. The key feature of ODIN is the data management and reporting. The data is organized in a database and then, optionally, that database can be converted into an HTML report or a Neo4j graph database for visualizing the data. + * [Open Source Intelligence Gathering: Techniques, Automation, and Visualization - Christopher Maddalena](https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05) + + +Remove hidden data and personal information by inspecting documents, presentations, or workbooks +https://support.office.com/en-us/article/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f + + + + + + + + + -------------------- ### General diff --git a/Draft/P_C.md b/Draft/P_C.md deleted file mode 100755 index 6b3956f..0000000 --- a/Draft/P_C.md +++ /dev/null 
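Review bot: most of the lines added in the Osint.md `@@ -29,13 +30,52 @@` hunk are bare URLs (`+https://github.com/intrigueio/intrigue-core`, `+https://github.com/vysecurity/DomLink`, `+https://github.com/0days/Blue`, `+https://github.com/GeneralTesler/deluxe`) with no title or description, unlike the `Giggity`, `cloud_enum` and `ODIN` entries in the same hunk; `0days/Blue` and `deluxe` in particular tell a reader nothing about what the tool does, so give each the `* [Name](url)` plus one-line description form. `+Remove hidden data and personal information by inspecting documents, presentations, or workbooks` followed by the URL on the next line should be a single link entry, and the nine empty `+` lines before the `--------------------` rule should be removed.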
@@ -1,82 +0,0 @@ -# Policy & Compliance - - - - -* [Documentation for OpenSCAP Base](https://www.open-scap.org/tools/openscap-base/#documentation) -* [Cloud Controls Matrix Working Group](https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview) -* [Penetration Testing Shouldn't be a Waste of Time - Jim Bird](https://dzone.com/articles/penetration-testing-shouldnt) - - - -SOX -* [California S.B. 1386 - Wikipedia](https://en.wikipedia.org/wiki/California_S.B._1386) -https://www.auditscripts.com/training/ - - - ------------- -### General -* **General** - * [CSIS Critical Security Controls v7.0](https://www.auditscripts.com/free-resources/critical-security-controls/) - * [The Red Book: A Roadmap for Systems Security Research](http://www.red-book.eu/m/documents/syssec_red_book.pdf) - * [IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki)) - * [The security laws, regulations and guidelines directory - csoonline](https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html) -* **Finance** - * [FATF blacklist - Wikipedia](https://en.wikipedia.org/wiki/FATF_blacklist) - * The FATF blacklist was the common shorthand description for the Financial Action Task Force list of "Non-Cooperative Countries or Territories" (NCCTs) issued since 2000, which it perceived to be non-cooperative in the global fight against money laundering and terrorist financing. 
- * [Security Assessment Guidelines for Financial Institutions](https://www.sans.org/reading-room/whitepapers/auditing/security-assessment-guidelines-financial-institutions-993) - * [SWIFT Customer Security Programme](https://www2.swift.com/uhbonline/books/a2z/customer_security_programme.htm) - * [SWIFT Customer Security Controls Framework](https://www.swift.com/myswift/customer-security-programme-csp/security-controls?tl=en#topic-tabs-menu) - * [Sheltered Harbor FAQ](https://shelteredharbor.org/sh-faqs) -* **HIPAA** - * [HIPAA vs Security: Building security into medical purchasing decisions - infosystir](https://infosystir.blogspot.com/2018/01/hipaa-vs-security-building-security.html?m=1) -* **Insider Threat** - * [A Survey of Insider Attack Detection Research - 2008](http://web.stanford.edu/class/cs259d/readings/Insider_survey.pdf) - * [The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf) - * [An Overview of Threat and Risk Assessment](https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76) - * [The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24) -* **ISO** - * [ISO/IEC 27001 - Wikipedia](https://en.wikipedia.org/wiki/ISO/IEC_27001) - * [ISO/IEC 27000 family - Information security management systems](https://www.iso.org/isoiec-27001-information-security.html) - * The ISO/IEC 27000 family of standards helps organizations keep information assets secure. -* **NIST** - * [NIST Special Publication 800-series - General Information](https://www.nist.gov/itl/nist-special-publication-800-series-general-information) - * Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. 
The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. -* **Notable Malicious Occurances** - * [Moldovan bank fraud scandal - Wikipedia](https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal) -* **PCI** - * [PCI DSS V3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) - * [PCI SSC Cloud Computing Guidelines - 4/2018](https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf) - * [PCI DSS Quick Reference Guide - v3.2](https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf) - * [Guidance for PCI DSS Scoping and Network Segmentation - 2016](https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf) -* **PII** - * [EU General Data Protection Regulation(GDPR)](https://gdpr-info.eu/) - * [GDPR - Wikipedia](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) -* **Misellaneous** - * [Goodhart's Law - Wikipedia](https://en.m.wikipedia.org/wiki/Goodhart%27s_law) - * Goodhart's law is an adage named after economist Charles Goodhart, which has been phrased by Marilyn Strathern as: "When a measure becomes a target, it ceases to be a good measure."[1] One way in which this can occur is individuals trying to anticipate the effect of a policy and then taking actions which alter its outcome. 
-* **Vendor Security** - * [Web Application Security Requirements for Google Providers](https://partner-security.withgoogle.com/docs/webapp_requirements) - - - ------------- -### Guides -* [NICE Cybersecurity Workforce Framework - NICCS.us-cert.gov](https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework) -* [Security and Privacy Controls forFederal Information Systemsand Organizations - NIST-800-53](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) -* [NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations](https://nccoe.nist.gov/projects/use-cases/medical-devices) - * [SP 1800-8a: Executive Summary](https://nccoe.nist.gov/publication/draft/1800-8/VolA/) - * [SP 1800-8b: Approach, Architecture, and Security Characteristics ](https://nccoe.nist.gov/publication/draft/1800-8/VolB/) - * [SP 1800-8c: How-To Guides](https://nccoe.nist.gov/publication/draft/1800-8/VolC/) -* [SP 800-115: Technical Guide to Information Security Testing and Assessment](https://csrc.nist.gov/publications/detail/sp/800-115/final) - * [Technical Guide to Information Security Testing and Assessment - NIST-800-115 - PDF](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf) - * The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. 
The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use. -* [Information Security Risk Assessment Guidelines - mass.gov](http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html) -* [NIST Special Publication 800 -46 Revision 2 - Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf) - - - - - - diff --git a/Draft/Passwords.md b/Draft/Passwords.md index ba5bceb..a2f2a2a 100755 --- a/Draft/Passwords.md +++ b/Draft/Passwords.md 
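Review bot: this hunk deletes Draft/P_C.md outright (`@@ -1,82 +0,0 @@`) rather than renaming it, so the NIST SP 800-53 / SP 800-115, PCI DSS v3.2.1, ISO/IEC 27001 and GDPR entries vanish from the diff with no indication of where they go; if the content is being moved to a differently named file, do it as a rename (git mv, so rename detection shows a move and the diff shows only the real edits), and confirm every entry is carried across. If the text is re-homed, do not carry over two small defects in the removed copy: `-* **Misellaneous**` is misspelled, and the IT Law Wiki entry has a stray closing parenthesis: `-   * [IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki))`.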
@@ -14,6 +14,31 @@ - [Talks & Presentations](#) - [Papers](#papers) + + +https://github.com/Raikia/CredNinja +* [HVAZARD Dictionary Modifier](https://github.com/MichaelDim02/Hvazard) + * Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists! + +https://allanfeid.com/content/cracking-zip-files-fcrackzip +https://github.com/hyc/fcrackzip +http://pdfcrack.sourceforge.net/ + +https://www.betterbuys.com/estimating-password-cracking-times/ + +https://github.com/clr2of8/DPAT +* [Comprehensive Guide on Cewl Tool - rajhackingarticles.blogspot.com](https://rajhackingarticles.blogspot.com/2018/11/hello-friends-in-this-article-we-are.html) + +* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Targets Network: Part 1 - BHIS](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/) +* [Password Spraying Outlook Web Access How to Gain Access to Domain Credentials Without Being on a Targets Network: Part 2 - BHIS](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/) +* [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com](https://www.securenetworkinc.com/news/2017/7/16/brute-forcing-with-burp-pentesters-tips-tricks-week-1) +* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Targets Network: Part 1 - Beau Bullock](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/) +* [Password Spraying Outlook Web Access How to Gain Access to Domain Credentials Without Being on a Targets Network: Part 2 - Beau 
Bullock](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/) + + +Default Oracle Creds: +http://www.petefinnigan.com/default/default_password_list.htm + --------------------------- ### General * **101** diff --git a/Draft/Phishing.md b/Draft/Phishing.md index e7e6e91..0723d35 100755 --- a/Draft/Phishing.md +++ b/Draft/Phishing.md 
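Review bot: in the Draft/Passwords.md hunk the two Black Hills posts (password reuse, part 1, and password spraying OWA, part 2) are added twice with identical URLs, once credited to "BHIS" and once to "Beau Bullock"; keep one pair. The bare URLs added next to them (CredNinja, fcrackzip, pdfcrack, the betterbuys cracking-time estimate, DPAT, the Oracle default-password list) break the file's `* [Title - source](url)` convention and give the reader no indication of what each link is; wrap each in the list form with a one-line description, and the loose "Default Oracle Creds:" label can then become that entry's title.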
@@ -12,6 +12,164 @@ * [Setting up a Server](#settingup) * [Talks/Presentations](#talks) +* [VBA Macros Pest Control - Philippe Lagadec](https://www.decalage.info/files/THC17_Lagadec_Macro_Pest_Control2.pdf) +* [Traversing The Kill-Chain: The New Shiny In 2018 - Vincent Yiu - HITBGSEC 2018](https://www.youtube.com/watch?v=w1fNGOKkeSg&feature=youtu.be) + +https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ +* [Papercut](https://github.com/changemakerstudios/papercut) + * Simple Desktop SMTP Server +* [How to Bypass Safe Link/Attachment Processing of ATP - support.knowbe4.com](https://support.knowbe4.com/hc/en-us/articles/115004326408-How-to-Bypass-Safe-Link-Attachment-Processing-of-ATP) + +https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html +https://github.com/mdsecactivebreach/SharpShooter +https://github.com/0x09AL/WordSteal +* [JS2PDFInjector](https://github.com/cornerpirate/JS2PDFInjector) + * Use this tool to Inject a JavaScript file into a PDF file. 
+https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +* [Introducing the Office 365 Attack Toolkit - MDSec](https://www.mdsec.co.uk/2019/07/introducing-the-office-365-attack-toolkit/) +* [o365-attack-toolkit](https://github.com/mdsecactivebreach/o365-attack-toolkit) +https://www.mdsec.co.uk/2019/07/introducing-the-office-365-attack-toolkit/ +https://github.com/mdsecactivebreach/o365-attack-toolkit +https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Hegt-MS-Office-in-Wonderland.pdf +https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/ +https://www.youtube.com/watch?v=xY2DIRfqNvA +https://github.com/InfoPhish/InfoPhish +https://blog.netspi.com/10-places-to-stick-your-unc-path/ +* [PowerPoint and Custom Actions - Sean Wilson](https://cofense.com/powerpoint-and-custom-actions/) +* [Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BHA17](https://www.youtube.com/watch?v=_gk4i33lriY&list=PLH15HpR5qRsWx4qw9ZlgmisHOcKG4ZcRS&index=11) + * Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money. +* [VB2018 paper: Office bugs on the rise - Gabor Szappanos](https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-office-bugs-rise/) +* [Detecting and Protecting Against Word Field Code Abuse - Mark E. 
Soderlund(2003)](https://www.giac.org/paper/gsec/2624/detecting-protecting-word-field-code-abuse/104497) +* [Abusing Misconfigured Cloud Email Providers for Enhanced Phishing Campaigns - und3rf10w.blogspot](https://und3rf10w.blogspot.com/2017/07/abusing-misconfigured-cloud-email.html) + +* [Malicious Outlook Rules - Nick Landers](https://silentbreaksecurity.com/malicious-outlook-rules/) +* [Macro-less Code Exec in MSWord - Etienne Stalmans, Saif El-Sherei](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/) +* [Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - PwnDizzle](https://pwndizzle.blogspot.com/2017/03/office-document-macros-ole-actions-dde.html) +https://duo.com/blog/new-open-source-phishing-tools-isthislegit-and-phinn + +https://labs.mwrinfosecurity.com/publications/corrupting-memory-in-microsoft-office-protected-view-sandbox/?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email&iid=565088e5a455476c97c557e8bbcec069&fl=4&uid=150127534&nid=244+285282312 +https://www.forcepoint.com/blog/x-labs/sway-and-pray +https://www.greyhathacker.net/?p=948 +https://pwndizzle.blogspot.com/2017/03/office-document-macros-ole-actions-dde.html + +* [When Scriptlets Attack: Excels Alternative to DDE Code Execution - David Wells](https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/) +* [Insert an object in your Excel spreadsheet - support.office](https://support.office.com/en-us/article/Insert-an-object-in-your-Excel-spreadsheet-e73867b2-2988-4116-8d85-f5769ea435ba) +* [Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray.com](https://blog.hyperiongray.com/excel-dde-exploitation-and-ml-av-bypass/) +* [Microsoft Powerpoint as Malware Dropper - Marco Ramilli](https://marcoramilli.blogspot.com/2018/11/microsoft-powerpoint-as-malware-dropper.html) +* [Running Macros via ActiveX Controls - Parvez](http://www.greyhathacker.net/?p=948) +* [Abusing Microsoft Office DDE - Mike 
Czumak](https://www.securitysift.com/abusing-microsoft-office-dde/) +* [Detecting and Protecting Against Word Field Code Abuse - Mark E. Soderlund(2003)](https://www.giac.org/paper/gsec/2624/detecting-protecting-word-field-code-abuse/104497) +* [Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016](https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b) +* [The Current State of DDE - 0xdeadbeefjerky](1/2018)](https://0xdeadbeefjerky.github.io/2018/01/29/state-of-dde.html) + +* [Word to Your Mac - analyzing a malicious word document targeting macOS users - Patrick Wardle](https://objective-see.com/blog/blog_0x3A.html) +* [Escaping the Microsoft Office Sandbox +a faulty regex, allows malicious code to escape and persist](https://objective-see.com/blog/blog_0x35.html) + +* [Hacking around HTA Files](http://blog.sevagas.com/?Hacking-around-HTA-files) +https://silentbreaksecurity.com/malicious-outlook-rules/ + + +* [EmbedInHTML](https://github.com/Arno0x/EmbedInHTML) + * What this tool does is taking a file (any type of file), encrypt it, and embed it into an HTML file as ressource, along with an automatic download routine simulating a user clicking on the embedded resource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site. Depending on the user's browser and the file type presented, the file can be automatically opened by the browser. 
+ + + + + + + + + + + + +https://blog.cymulate.com/abusing-microsoft-office-online-video + + + +Hacking Outlook/OWA: +https://silentbreaksecurity.com/malicious-outlook-rules/ +https://www.youtube.com/watch?v=cVhc9VOK5MY +https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0?gi=18b1f4a3ca13 + + +* [Introducing the Office (2007) Open XML File Formats + - docs.ms](https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/aa338205(v=office.12)#office2007aboutnewfileformat_structureoftheofficexmlformats) + + + + + +* [macro_pack](https://github.com/sevagas/macro_pack) + * macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from vba generation to final Office document generation. +* [mraptor](https://github.com/decalage2/oletools/wiki/mraptor) + * mraptor is a tool designed to detect most malicious VBA Macros using generic heuristics. Unlike antivirus engines, it does not rely on signatures. + * [blogpost](http://decalage.info/mraptor) +* [olevba](https://github.com/decalage2/oletools/wiki/olevba) + * olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. 
+* [loffice - Lazy Office Analyzer](https://github.com/tehsyntx/loffice) + * Loffice is making use of WinAppDbg to extract URLs' from Office documents but also VB-script and Javascript. By setting strategical breakpoints it's possible to neutralize obfuscation and get the URL and file destination. Anti-analysis via WMI, for example detecting running processes or installed software is handled by patching the query string before the query is run. +* [VBA Dynamic Hook](https://github.com/eset/vba-dynamic-hook) + * Dynamically analyzes VBA macros inside Office documents by hooking function calls +* [[MS-OVBA]: Office VBA File Format Structure - msdn.ms](https://msdn.microsoft.com/en-us/library/cc313094(v=office.12).aspx) + * Specifies the Office VBA File Format Structure, which describes the Microsoft Visual Basic for Applications (VBA) File Format for Microsoft Office 97, Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office system. This specification also describes a storage that contains a VBA project, which contains embedded macros and custom forms for use in Office documents. +* [[MS-VBAL]: VBA Language Specification](https://msdn.microsoft.com/en-us/library/dd361851.aspx) + * Specifies the VBA Language, which defines the implementation-independent and operating system-independent programming language that is required to be supported by all conforming VBA implementations. This specification also defines all features and behaviors of the language that are required to exist and behave identically in all conforming implementations. 
+* [How to grill Malicious Macros - SSTIC15 - Decalage](https://decalage.info/en/sstic15) +* [Applied Machine Learning: Defeating Modern Malicious Documents](https://www.youtube.com/embed/ZAuCEgA3itI?enablejsapi=1&modestbranding=1&disablekb=1&rel=0) +* [MaliciousMacroBot](https://github.com/egaus/MaliciousMacroBot) +* [Direct shellcode execution in MS Office macros - scriptjunkie.us](https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/) +* [Powershell Empire Stagers 1: Phishing with an Office Macro and Evading AVs - fzuckerman](https://fzuckerman.wordpress.com/2016/10/06/powershell-empire-stagers-1-phishing-with-an-office-macro-and-evading-avs/) +* [MacroMilter](https://github.com/sbidy/MacroMilter) + * This python based milter (mail-filter) checks an incoming mail for suspicious VBA macro code in MS 20xx Office attachments (doc, xls, ppt ...). +* [MSWord - Obfuscation with Field Codes - staaldraad](http://staaldraad.github.io/2017/10/23/msword-field-codes/) +* [Macroless DOC malware that avoids detection with Yara rule - furoner](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/) + +DDE +* [The Current State of DDE - Office DDE Attacks from an Offensive and Defensive Perspective - @0xdeadbeefJERKY](https://medium.com/@0xdeadbeefJERKY/the-current-state-of-dde-a62fd3277e9) + +* [When Scriptlets Attack: Excels Alternative to DDE Code Execution - David Wells](https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/) + +* [Insert an object in your Excel spreadsheet - support.office](https://support.office.com/en-us/article/Insert-an-object-in-your-Excel-spreadsheet-e73867b2-2988-4116-8d85-f5769ea435ba) +* [Running Macros via ActiveX Controls - greyhathacker.net](http://www.greyhathacker.net/?p=948) +* [Variable Object (Word) - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Word-VBA/articles/variable-object-word) +* [Using ScriptControl Methods - 
docs.ms](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-6.0/aa227637(v=vs.60)) + * The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state. +* [VBA ScriptControl to run Java Script Function](https://www.experts-exchange.com/questions/28190006/VBA-ScriptControl-to-run-Java-Script-Function.html) +* [CallByName Function - msdn.ms](https://msdn.microsoft.com/en-us/VBA/Language-Reference-VBA/articles/callbyname-function) + * Executes a method of an object, or sets or returns a property of an object. SyntaxCallByName( object, procname, calltype,[args()]) +* [Abusing native Windows functions for shellcode execution - ropgadget](http://ropgadget.com/posts/abusing_win_functions.html) +* [trigen](https://github.com/karttoon/trigen) + * Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. +* [PowerShell, C-Sharp and DDE The Power Within - sensepost](https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/) +* [Macro-less Code Exec in MSWord - sensepost] +* [Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - pwndizzle](http://pwndizzle.blogspot.com.es/2017/03/office-document-macros-ole-actions-dde.html) + + + + + + +* [Factur-X](http://fnfe-mpe.org/factur-x/factur-x_en/) + * Factur-X is a Franco-German standard for hybrid e-invoice (PDF for users and XML data for process automation), the first implementation of the European Semantic Standard EN 16931 published by the European Commission on October 16th 2017. Factur-X is the same standard than ZUGFeRD 2.0. 
+ * Factur-X is at the same time a full readable invoice in a PDF A/3 format, containing all information useful for its treatment, especially in case of discrepancy or absence of automatic matching with orders and / or receptions, and a set of invoice data presented in an XML structured file conformant to EN16931 (syntax CII D16B), complete or not, allowing invoice process automation. +* [Factur-X Python library - github](https://github.com/invoice-x/factur-x-ng) + * Factur-X is a EU standard for embedding XML representations of invoices in PDF files. This library provides an interface for reading, editing and saving the this metadata. + + + + + + + + + + + + + + ------------------ diff --git a/Draft/Physical_Security.md b/Draft/Physical_Security.md index e9ad16e..6c2fb49 100644 --- a/Draft/Physical_Security.md +++ b/Draft/Physical_Security.md @@ -24,6 +24,8 @@ #### End Sort +* [Under Cover of Darkness: Practical considerations for (legally) breaking and entering. - Tom](https://medium.com/tsscyber/under-cover-of-darkness-7c2b4b5203f8) + ----------------------- ### General diff --git a/Draft/Policy_Compliance.md b/Draft/Policy_Compliance.md index 80218f3..ee2ede3 100755 --- a/Draft/Policy_Compliance.md +++ b/Draft/Policy_Compliance.md 
@@ -8,6 +8,95 @@ +# Policy & Compliance + + + + +* [Documentation for OpenSCAP Base](https://www.open-scap.org/tools/openscap-base/#documentation) +* [Cloud Controls Matrix Working Group](https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview) +* [Penetration Testing Shouldn't be a Waste of Time - Jim Bird](https://dzone.com/articles/penetration-testing-shouldnt) +* [Please don’t kill your CISO if he doesn’t know how a virus works - M S Sripati](https://medium.com/trinetra/please-dont-kill-your-ciso-if-he-doesn-t-know-how-a-virus-works-facecd6cdf5d) + +* [The normalization of deviance in healthcare delivery - John Banja](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2821100/) + +https://github.com/strongdm/comply +https://www.natlawreview.com/article/preparing-new-york-s-new-data-security-requirements +SOX +* [California S.B. 1386 - Wikipedia](https://en.wikipedia.org/wiki/California_S.B._1386) +https://www.auditscripts.com/training/ + +https://www.zdnet.com/article/at-t-employees-took-bribes-to-plant-malware-on-the-companys-network/ + + +------------ +### General +* **General** + * [CSIS Critical Security Controls v7.0](https://www.auditscripts.com/free-resources/critical-security-controls/) + * [The Red Book: A Roadmap for Systems Security Research](http://www.red-book.eu/m/documents/syssec_red_book.pdf) + * [IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki)) + * [The security laws, regulations and guidelines directory - csoonline](https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html) +* **Finance** + * [FATF blacklist - Wikipedia](https://en.wikipedia.org/wiki/FATF_blacklist) + * The FATF blacklist was the common shorthand description for the Financial Action Task Force list of "Non-Cooperative Countries or Territories" (NCCTs) issued since 2000, which it perceived to be non-cooperative in the global fight against money laundering and terrorist financing. 
+ * [Security Assessment Guidelines for Financial Institutions](https://www.sans.org/reading-room/whitepapers/auditing/security-assessment-guidelines-financial-institutions-993) + * [SWIFT Customer Security Programme](https://www2.swift.com/uhbonline/books/a2z/customer_security_programme.htm) + * [SWIFT Customer Security Controls Framework](https://www.swift.com/myswift/customer-security-programme-csp/security-controls?tl=en#topic-tabs-menu) + * [Sheltered Harbor FAQ](https://shelteredharbor.org/sh-faqs) +* **HIPAA** + * [HIPAA vs Security: Building security into medical purchasing decisions - infosystir](https://infosystir.blogspot.com/2018/01/hipaa-vs-security-building-security.html?m=1) +* **Insider Threat** + * [A Survey of Insider Attack Detection Research - 2008](http://web.stanford.edu/class/cs259d/readings/Insider_survey.pdf) + * [The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf) + * [An Overview of Threat and Risk Assessment](https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76) + * [The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24) +* **ISO** + * [ISO/IEC 27001 - Wikipedia](https://en.wikipedia.org/wiki/ISO/IEC_27001) + * [ISO/IEC 27000 family - Information security management systems](https://www.iso.org/isoiec-27001-information-security.html) + * The ISO/IEC 27000 family of standards helps organizations keep information assets secure. +* **NIST** + * [NIST Special Publication 800-series - General Information](https://www.nist.gov/itl/nist-special-publication-800-series-general-information) + * Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. 
The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. +* **Notable Malicious Occurances** + * [Moldovan bank fraud scandal - Wikipedia](https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal) +* **PCI** + * [PCI DSS V3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) + * [PCI SSC Cloud Computing Guidelines - 4/2018](https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf) + * [PCI DSS Quick Reference Guide - v3.2](https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf) + * [Guidance for PCI DSS Scoping and Network Segmentation - 2016](https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf) +* **PII** + * [EU General Data Protection Regulation(GDPR)](https://gdpr-info.eu/) + * [GDPR - Wikipedia](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) +* **Misellaneous** + * [Goodhart's Law - Wikipedia](https://en.m.wikipedia.org/wiki/Goodhart%27s_law) + * Goodhart's law is an adage named after economist Charles Goodhart, which has been phrased by Marilyn Strathern as: "When a measure becomes a target, it ceases to be a good measure."[1] One way in which this can occur is individuals trying to anticipate the effect of a policy and then taking actions which alter its outcome. 
+* **Vendor Security** + * [Web Application Security Requirements for Google Providers](https://partner-security.withgoogle.com/docs/webapp_requirements) + + + +------------ +### Guides +* [NICE Cybersecurity Workforce Framework - NICCS.us-cert.gov](https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework) +* [Security and Privacy Controls forFederal Information Systemsand Organizations - NIST-800-53](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) +* [NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations](https://nccoe.nist.gov/projects/use-cases/medical-devices) + * [SP 1800-8a: Executive Summary](https://nccoe.nist.gov/publication/draft/1800-8/VolA/) + * [SP 1800-8b: Approach, Architecture, and Security Characteristics ](https://nccoe.nist.gov/publication/draft/1800-8/VolB/) + * [SP 1800-8c: How-To Guides](https://nccoe.nist.gov/publication/draft/1800-8/VolC/) +* [SP 800-115: Technical Guide to Information Security Testing and Assessment](https://csrc.nist.gov/publications/detail/sp/800-115/final) + * [Technical Guide to Information Security Testing and Assessment - NIST-800-115 - PDF](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf) + * The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. 
The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use. +* [Information Security Risk Assessment Guidelines - mass.gov](http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html) +* [NIST Special Publication 800 -46 Revision 2 - Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf) + + + + + + + + + To Sort: diff --git a/Draft/PrivescPostEx.md b/Draft/PrivescPostEx.md index f7275f0..6a73c21 100755 --- a/Draft/PrivescPostEx.md +++ b/Draft/PrivescPostEx.md 
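Review bot: two link-syntax and spelling problems in the Draft/Policy_Compliance.md hunk: `[IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki))` has an extra closing parenthesis, and the bold subheadings "Notable Malicious Occurances" and "Misellaneous" should read "Occurrences" and "Miscellaneous". Also worth fixing before merge: "Security and Privacy Controls forFederal Information Systemsand Organizations" is missing two spaces, the Goodhart's Law quote still carries Wikipedia's `[1]` footnote marker, the bare "SOX" line and the ZDNet AT&T bribery link have no title or description and sit outside any category, and the new top-level `# Policy & Compliance` heading is being inserted at line 8 of a file that already has its own `### General` structure, so check that it does not produce a second title.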
@@ -23,12 +23,737 @@ - [Avoiding/Bypassing Anti-Virus/Whitelisting/Sandboxes/etc](#av) - [Payloads](#payloads) +https://x-c3ll.github.io/posts/PAM-backdoor-DNS/ +https://github.com/securing/DumpsterDiver +https://github.com/securemode/Invoke-Apex +https://github.com/bitsadmin/wesng +https://github.com/DimopoulosElias/SEPM-EoP +https://github.com/foospidy/payloads +https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +https://3xpl01tc0d3r.blogspot.com/2019/07/dumping-process-memory-with-custom-c-sharp.html +https://github.com/checkymander/MemScan +https://github.com/GhostPack/Rubeus#asktgt +* [Lateral Movement and Persistence: tactics vs techniques - hexacorn](http://www.hexacorn.com/blog/2018/10/05/lateral-movement-and-persistence-tactics-vs-techniques/) +* [Capturing NetNTLM Hashes with Office [DOT] XML Documents - bohops](https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/) +https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ +https://blog.christophetd.fr/stealthier-persistence-using-new-services-purposely-vulnerable-to-path-interception/ +https://stackoverflow.com/questions/29865977/bypassing-windows-aslr-by-determining-the-library-address-using-shared-pages +https://github.com/outflanknl/Dumpert +https://gist.github.com/knavesec/0bf192d600ee15f214560ad6280df556 +https://github.com/tinkersec/scratchpad/blob/master/BashScripts/grabDump.sh +* [[MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol - msdn.ms](https://msdn.microsoft.com/en-us/library/cc226801.aspx) +* [DCOM Overview - active-undelete.com](http://active-undelete.com/dcom-overview.htm) +* [Three New DDE Obfuscation Methods - reversinglabs.com](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation) +* [Shadow Admins – 
The Stealthy Accounts That You Should Fear The Most - Asaf Hect](https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/) +* [Escaping the Microsoft Office Sandbox: a faulty regex, allows malicious code to escape and persist - Adam Chester](https://objective-see.com/blog/blog_0x35.html) +https://www.fortynorthsecurity.com/how-to-bypass-wdac-with-dbgsrv-exe/ +https://github.com/panagioto/SharpExchangePriv + +* [MessageBox](https://github.com/enigma0x3/MessageBox) + * PoC dlls for Task Scheduler COM Hijacking +* [Get $pwnd: Attacking Battle Hardened Windows Server - Lee Holmes - Defcon25](https://www.youtube.com/watch?v=ahxMOAAani8) + +* https://blog.netspi.com/databases-and-clouds-sql-server-as-a-c2/ +* https://blog.netspi.com/exploiting-adidns/ +* https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens/ +* https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf +* https://github.com/vysec/RedTips +https://github.com/M4ximuss/Powerless/blob/master/README.md +https://www.blackhat.com/docs/asia-18/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf + +https://github.com/sailay1996/Fileless_UAC_bypass_WSReset + +https://modexp.wordpress.com/2019/08/27/process-injection-apc/ +https://www.activecyber.us/activelabs/windows-uac-bypass + +https://github.com/mkorman90/sysmon-config-bypass-finder +https://www.n00py.io/2017/03/from-osint-to-internal-gaining-access-from-the-outside-the-perimeter/ +https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ +http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/ + +https://adsecurity.org/?p=1929 + +LAPS +https://blog.netspi.com/running-laps-around-cleartext-passwords/ +https://www.harmj0y.net/blog/powershell/running-laps-with-powerview/ 
+https://rastamouse.me/2018/03/laps---part-1/ +https://technet.microsoft.com/en-us/mt227395.aspx +https://rastamouse.me/2018/03/laps---part-2/ +https://adsecurity.org/?p=3164http://www.harmj0y.net/blog/powershell/running-laps-with-powerview/ + +Skeleton Key +https://adsecurity.org/?p=1275 +https://www.secureworks.com/research/skeleton-key-malware-analysis + +* [tgscrack](https://github.com/leechristensen/tgscrack) + * Kerberos TGS_REP cracker written in Golang + +https://rastamouse.me/2019/08/tikiservice/ + + + * [Kerberoast - pentestlab.blog](https://pentestlab.blog/2018/06/12/kerberoast/) + * [The power of backup operators - ](https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/) + * [Targeted Workstation Compromise with SCCM - enigma0x3](https://enigma0x3.net/2015/10/27/targeted-workstation-compromise-with-sccm/) + * [ Fun with LDAP, Kerberos (and MSRPC) in AD Environments - ropnop](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=6) + * [Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS](https://github.com/eladshamir/Internal-Monologue/) + * In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade. + * [LM Hash and NT Hash - AD Shot Gyan](http://www.adshotgyan.com/2012/02/lm-hash-and-nt-hash.html) + * [What is Active Directory Red Forest Design? 
- social.technet.ms](https://social.technet.microsoft.com/wiki/contents/articles/37509.what-is-active-directory-red-forest-design.aspx) + * [Securing Privileged Access Reference Material - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material) + * [Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409) + * [Planting the Red Forest: Improving AD on the Road to ESAE - Jacques Louw and Katie Knowles](https://www.mwrinfosecurity.com/our-thinking/planting-the-red-forest-improving-ad-on-the-road-to-esae/) + * [ Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowssecurity.com](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409) + * [How Microsoft Red Forest improves Active Directory Security - Bryan Patton](https://www.quest.com/community/quest/microsoft-platform-management/b/microsoft-platform-management-blog/posts/how-microsoft-red-forest-improves-active-directory-security) + * [WSUSpendu](https://github.com/AlsidOfficial/WSUSpendu) + * Implement WSUSpendu attack + * [Compromising the Windows Enterprise via Windows Update - Paul Stone, Alex Chapman - BHUS15](https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update.pdf) + * [Active Directory forest trusts part 1 - How does SID filtering work? 
- Dirk-jan Mollema](https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/) + * [Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1 - blogs.technet](https://blogs.technet.microsoft.com/askds/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1/) + * [ Return From The Underworld - The Future Of Red Team Kerberos - Jim Shaver & Mitchell Hennigan](https://www.irongeek.com/i.php?page=videos/derbycon7/t107-return-from-the-underworld-the-future-of-red-team-kerberos-jim-shaver-mitchell-hennigan) + * [Abusing Exchange: One API call away from Domain Admin - dirkjanm.io](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/) + * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - RedXORBlue](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) + * [PowerPriv](https://github.com/G0ldenGunSec/PowerPriv) + * A powershell implementation of PrivExchange by `@_dirkjan` (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py) Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target exchange server system account to attempt to authenticate to a system of your choice. + * * [Designing a Multilayered, In-Depth Defense Approach to AD Security - Quest.com](https://www.quest.com/docs/designing-a-multilayered-in-depth-defense-approach-to-ad-security-white-paper-22453.pdf) + +* [Exchange-AD-Privesc](https://github.com/gdedrouas/Exchange-AD-Privesc) + * This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security. This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules. 
+* [AD-Control-Paths](https://github.com/ANSSI-FR/AD-control-paths) + * Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPO, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges ?" or "What resources can a user control ?" and even "Who can read the CEO's emails ?". + +* [Attack Methods for Gaining Domain Admin Rights in Active Directory - adsecurity](https://adsecurity.org/?p=2362) + +https://github.com/DanMcInerney/icebreaker + + +https://adsecurity.org/?p=1515 + + +Kerberos +https://adsecurity.org/?p=227 +https://www.youtube.com/watch?v=E_BNhuGmJwM&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3 +http://www.roguelynn.com/words/explain-like-im-5-kerberos/ +https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ +https://www.attackdebris.com/?p=311 + +domain trusts +http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/ +http://www.harmj0y.net/blog/redteaming/domain-trusts-were-not-done-yet/ +http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/ + + +* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/) + + +* [Using sshuttle in daily work - Huiming Teo](http://teohm.com/blog/using-sshuttle-in-daily-work/) + +https://github.com/fridgehead/Powershell-SSHTools +https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf + +https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-Baz-When-Everyones-Dog-Is-Named-Fluffy.pdf + +https://labs.portcullis.co.uk/presentations/where-2-worlds-collide-bringing-mimikatz-et-al-to-unix/ + +* [Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells - Michal 
Knapkiewicz](https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9) +https://www.beyondtrust.com/resources/webinar/cybercriminal-checklist-review-password-theft-tactics-pth-attacks/ + + +* [XIGNCODE3 xhunter1.sys LPE - x86.re](https://x86.re/blog/xigncode3-xhunter1.sys-lpe/) + +* [adXtract](https://github.com/LordNem/adXtract) + +* [Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)](https://www.youtube.com/watch?v=0SjMgnGwpq8) + * Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring. 
+ + + + + + + + + +Service Principal Names +https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961723(v=technet.10) +https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017 +https://adsecurity.org/?p=230 +https://pentestlab.blog/2018/06/04/spn-discovery/ + + +https://github.com/cyberark/zBang +https://www.cyberark.com/threat-research-blog/the-big-zbang-theory-a-new-open-source-tool/ +https://github.com/securifera/serviceFu + +WinEvent Log + * https://github.com/0xrawsec/gene + * https://github.com/hlldz/Invoke-Phant0m + +https://cssi.us/office-365-brute-force-powershell/ + +https://github.com/securemode/Invoke-Apex + +Malware writeup (use for COM) +* [IcoScript: using webmail to control malware - Grooten](https://www.virusbulletin.com/virusbulletin/2014/08/icoscript-using-webmail-control-malware) +* [Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode - James Wyke](https://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/) +* [BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger - Bryan Lee, Josh Grunzweig](https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) + +https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/ +https://blogs.technet.microsoft.com/srd/2019/03/14/local-privilege-escalation-via-the-windows-i-o-manager-a-variant-finding-collaboration/ + +https://www.blackhat.com/eu-18/briefings/schedule/index.html#when-everyone39s-dog-is-named-fluffy-abusing-the-brand-new-security-questions-in-windows-10-to-gain-domain-wide-persistence-12863 + + +Extracting NTDS.dit + https://blog.stealthbits.com/extracting-password-hashes-from-the-ntds-dit-file/ + https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ + 
https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + https://adsecurity.org/?p=451 + https://blog.ropnop.com/extracting-hashes-and-domain-info-from-ntds-dit/ + https://blog.didierstevens.com/2016/07/13/practice-ntds-dit-file-part-2-extracting-hashes/ + https://blog.stealthbits.com/extracting-password-hashes-from-the-ntds-dit-file/ + + + + + +https://labs.mwrinfosecurity.com/advisories/windows-dhcp-client/ + + + + + +https://github.com/p3nt4/Powershdll + +* https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/ + +https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python + https://github.com/L3cr0f/DccwBypassUAC +* [Active Directory: What can make your million dollar SIEM go blind? - Vincent Le Toux, Benjamin Delpy](https://www.dropbox.com/s/baypdb6glmvp0j9/Buehat%20IL%20v2.3.pdf) +https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html +* [Get-GPTrashFire - Mike Loss(BSides Canberra 2018)](https://www.youtube.com/watch?v=JfyiWspXpQo) + * Identifying and Abusing Vulnerable Configurations in MS AD Group Policy +https://www.talkingdotnet.com/create-trimmed-self-contained-executable-in-net-core-3-0/ +https://github.com/FuzzySecurity/BH-Arsenal-2019/blob/master/Ruben%20Boonen%20-%20BHArsenal_SilkETW_v0.2.pdf +* [How to break out of restricted shells with tcpdump - Oiver Matula](https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/) +http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/ +http://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-execution-tricks/ +https://ninja.style/post/privesc/ +http://www.hexacorn.com/blog/2019/04/18/installers-interactive-lolbins/ +https://web.archive.org/web/20160424110035/http://subt0x10.blogspot.com:80/2016/04/bypass-application-whitelisting-script.html +https://blog.ensilo.com/elastic-boundaries-elevating-privileges-by-environment-variables-expansion 
+https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi +https://github.com/ropnop/kerbrute +https://github.com/TarlogicSecurity/kerbrute +https://blog.ropnop.com/practical-usage-of-ntlm-hashes/ +https://github.com/ropnop/windapsearch +* [Fun with LDAP and Kerberos: Attacking AD from non-Windows machines - Ronnie Flathers(TR19)](https://www.youtube.com/watch?v=2Xfd962QfPs) + * [Slides](https://speakerdeck.com/ropnop/fun-with-ldap-and-kerberos-troopers-19?slide=101) + +https://github.com/Jsitech/relayer + +https://github.com/lolp1/Process.NET +* [kerberos, kerberoast and golden tickets - leonzja](https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/) +https://github.com/GhostPack + + +https://davidstorie.ca/lessons-learned-with-manual-powershell-obfuscation/ + +* https://github.com/no0be/DNSlivery + +https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/ + +* [Malicious use of Microsoft LAPS - akijos](https://akijosberryblog.wordpress.com/2019/01/01/malicious-use-of-microsoft-laps/) + +* [Hiding Registry keys with PSReflect - Brian Reitz](https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353) +https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf +* [A Pentester’s Guide to Group Scoping - Will Harmjoy](https://posts.specterops.io/a-pentesters-guide-to-group-scoping-c7bbbd9c7560) + +* [Gone to the Dogs - Elad Shamir](https://shenaniganslabs.io/2019/08/08/Lock-Screen-LPE.html) + * Win10 PrivEsc Domain Joined + +* [Staged vs Stageless Handlers - OJ Reeves](https://buffered.io/posts/staged-vs-stageless-handlers/) + +* [Gaining Domain Admin from Outside Active Directory - markitzeroday.com](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) +* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James 
Forshaw](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html) +* [Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland](https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/) +* [Beyond Domain Admins – Domain Controller & AD Administration - ADSecurity.org](https://adsecurity.org/?p=3700) + * This post provides information on how Active Directory is typically administered and the associated roles & rights. + +https://github.com/malcomvetter/DnsCache + +* [Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss! - serenity-networks.com](https://serenity-networks.com/hacking-in-windows-using-nishang-with-windows-powershell/) + +* [Defeating Device Guard: A look into CVE-2017–0007 - Matt Nelson](https://posts.specterops.io/defeating-device-guard-a-look-into-cve-2017-0007-25c77c155767) + + +* [PowerQuinsta - harmj0y](http://www.harmj0y.net/blog/powershell/powerquinsta/) + +https://blog.ensilo.com/metamorfo-avast-abuser +* [Powershell Download Cradles - Matthew Green](https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html) + +https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ + +https://www.fortynorthsecurity.com/how-to-bypass-wdac-with-dbgsrv-exe/ + +* [DotNet Core: A Vector For AWL Bypass & Defense Evasion - bohops](https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/) + +https://github.com/mwrlabs/SharpGPOAbuse + + +* [Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf) + * Adapting Software Fault Isolation to Contemporary CPU ArchitecturesSoftware Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. 
We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf) +* [NaCl SFI model on x86-64 systems](https://developer.chrome.com/native-client/reference/sandbox_internals/x86-64-sandbox#x86-64-sandbox) + * This document addresses the details of the Software Fault Isolation (SFI) model for executable code that can be run in Native Client on an x86-64 system + + + +https://dexters-lab.net/2019/02/16/analyzing-the-windows-lnk-file-attack-method/ + + + + + + + + + + + + +https://github.com/hvqzao/foolavc + +https://github.com/everdox/InfinityHook + + + + + + + + + + +https://github.com/ZenLulz/MemorySharp +https://github.com/itm4n/VBA-RunPE +https://medium.com/@riccardo.ancarani94/bloodhound-tips-and-tricks-e1853c4b81ad +https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ +https://github.com/silentbreaksec/Throwback/blob/master/README.md +https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ + +* [Gaining Domain Admin from Outside Active Directory - markitzeroday.com](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) + +* [Lateral Movement via Desired State Configuration(DSC) - Matt Graeber](https://twitter.com/mattifestation/status/970440419485007872?s=19) + +* [Kerberos Golden Tickets are Now More Golden - 
ADSecurity.org](https://adsecurity.org/?p=1640) + +https://pentest.blog/art-of-anti-detection-4-self-defense/ + +* [Attack Methods for Gaining Domain Admin Rights in Active Directory - ADSecurity.org](https://adsecurity.org/?p=2362) + +* [The Industrial Revolution of Lateral Movement - Tal Be'ery, Tal Maor](https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf) + +* [Offensive P/Invoke: Leveraging the Win32 API from Managed Code - Matt Hand](https://posts.specterops.io/offensive-p-invoke-leveraging-the-win32-api-from-managed-code-7eef4fdef16d) + +https://github.com/mvelazc0/defcon27_csharp_workshop +https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf +https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/ +https://blog.preempt.com/security-advisory-critical-vulnerabilities-in-ntlm +https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/ +https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/ +https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html +https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html +https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67 +* [ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution - bohops](https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/) + +https://www.blackhillsinfosec.com/a-toast-to-kerberoast/ +* [Backdooring Plugins - Averagejoe](https://www.gironsec.com/blog/2018/03/backdooring-plugins/ +https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens/ +https://github.com/anshumanbh/git-all-secrets +https://www.greyhathacker.net/?p=894 +https://github.com/sagishahar/lpeworkshop 
+https://github.com/Viralmaniar/Remote-Desktop-Caching- +https://github.com/sveinbjornt/Platypus +https://labs.portcullis.co.uk/blog/uid0-is-deprecated-a-trick-unix-privesc-check-doesnt-yet-know/ +https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html +https://www.fracturelabs.com/posts/2017/exploiting-ms17-010-on-windows-embedded-7-devices/ +https://www.trustedsec.com/april-2015/kioskpos-breakout-keys-in-windows/ +https://fedoraproject.org/wiki/QA:Testcase_adcli_info +https://fedoraproject.org/wiki/QA:Testcase_adcli_info_forest +http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html +http://carnal0wnage.attackresearch.com/2007/08/more-of-using-rpcclient-to-find.html + +https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes +https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/ +* [Windows Management Instrumentation (WMI)Offense, Defense, and Forensics](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf) +https://github.com/sevagas/swap_digger + * [CVE-2018-0952-SystemCollector](https://github.com/atredispartners/CVE-2018-0952-SystemCollector) + * PoC for Privilege Escalation in Windows 10 Diagnostics Hub Standard Collector Service +* [Hack Microsoft Using Microsoft Signed Binaries - Pierre-Alexandre Braeken](https://www.blackhat.com/docs/asia-17/materials/asia-17-Braeken-Hack-Microsoft-Using-Microsoft-Signed-Binaries-wp.pdf) +* [How-To Assess System Images: Overview (Part 1) - @Jackson_T](https://web.archive.org/web/20190101093253/https://jackson.thuraisamy.me/system-image-assessments.html) + + +https://github.com/maus-/slack-auditor + +* [Pentester’s Windows NTFS Tricks Collection - Rene Freingruber](https://sec-consult.com/en/blog/2018/06/pentesters-windows-ntfs-tricks-collection/) +https://www.researchgate.net/publication/319454675_Testing_UAC_on_Windows_10 + + +* 
[Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently) - pentestmonkey](http://pentestmonkey.net/uncategorized/from-local-admin-to-domain-admin) +* [5 Ways to Find Systems Running Domain Admin Processes(2012) - Scott Sutherland](https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/) + +C# PostEx +https://www.forcepoint.com/blog/x-labs/using-c-post-powershell-attacks +* [.NET Process Injection - Tim MalcomVetter](https://medium.com/@malcomvetter/net-process-injection-1a1af00359bc) +* [How to Port Microsoft.Workflow.Compiler.exe Loader to Veil - FortyNorth Security](https://www.fortynorthsecurity.com/port-microsoft-workflow-compiler-exe-loader-to-veil/) + + +Looting +* [Compliance search – a pentesters dream - Oddvar Moe](https://msitpros.com/?p=3678) +* [GitHub for Bug Bounty Hunters - Ed Overflow](https://edoverflow.com/2017/github-for-bugbountyhunters/) + + +https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + + +* [Playing Cat and Mouse: Three Techniques Abused to Avoid Detection - ZLAB-YOROI](https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/) + +https://evademalwareml.io/ + +Bypassing Windows 10 Device Guard - using WinDbg +http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + +* [menu2eng.txt - How To Break Out of Restricted Shells and Menus, v2.3(1999)](https://packetstormsecurity.com/files/14914/menu2eng.txt.html) + * An excellent whitepaper detailing methods for breaking out of virtually any kind of restricted shell or menu you might come across. 
+https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/ + +* [Automatically Stealing Password Hashes with Microsoft Outlook and OLE - Will Dormann](https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html) +* [SMB hash hijacking & user tracking in MS Outlook - ](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/) +* [PowerShell Remoting from Linux to Windows - William Martin](https://blog.quickbreach.io/ps-remote-from-linux-to-windows/) + +Persistence Via SQL +https://msdn.microsoft.com/en-us/library/ms141752.aspx +* [Lateral movement using URL Protocol - Matt harr0ey](https://medium.com/@mattharr0ey/lateral-movement-using-url-protocol-e6f7d2d6cf2e + +* [The Dangers of Per-User COM Objects - Jon Larimer](https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer-VB2011.pdf) + +https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40 + + + +* [Firework: Leveraging Microsoft Workspaces in a Penetration Test - trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/firework-leveraging-microsoft-workspaces-in-a-penetration-test/) + +Dumping Creds +* [Safely Dumping Domain Hashes, with Meterpreter - Rapid7](https://blog.rapid7.com/2015/07/01/safely-dumping-domain-hashes-with-meterpreter/) +* [Using Shadow Copies to Steal the SAM - dcortesi.com](http://www.dcortesi.com/blog/2005/03/22/using-shadow-copies-to-steal-the-sam/) +* [Dumping user passwords in plaintext on Windows 8.1 and Server 2012 - labofapenetrationtester](http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html) +* [Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1 - TrustedSec](https://www.trustedsec.com/2015/04/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/) +* [Intercepting Password 
Changes With Function Hooking - clymb3r](https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/) + + +* [Pentests in restricted VDI environments - tarlogic](https://www.tarlogic.com/en/blog/pentests-in-restricted-vdi-environments/) +* [COM Hijacking – Windows Overlooked Security Vulnerability - Yaniv Assor](https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/) + +https://blog.conscioushacker.io/index.php/2017/09/27/borrowing-microsoft-code-signing-certificates/ +http://www.darknessgate.com/security-tutorials/date-hiding/ntfs-alternate-data-streams/ +https://web.archive.org/web/20170517232357/http://subt0x10.blogspot.com:80/2017/04/consider-application-whitelisting-with.html +https://web.archive.org/web/20170714075746/http://subt0x10.blogspot.com:80/2017/04/bypassing-application-whitelisting.html + +https://github.com/zodiacon/ManagedWindows + +https://github.com/giMini/PowerMemory +http://hardsec.net/post-exploitation-with-incognito/?lang=en +https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/ + + +* [Here Be Dragons The Unexplored Land of Active Directory ACLs - Andy Robbins, Will Schroeder, Rohan(Derbycon7)](https://www.youtube.com/watch?v=bHuetBOeOOQ) + + + +* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Nikhil Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) + +https://shenaniganslabs.io/2019/08/08/Lock-Screen-LPE.html +https://www.exploit-db.com/exploits/46716 +https://initblog.com/2019/switcheroo/ +https://clement.notin.org/blog/2019/07/03/credential-theft-without-admin-or-touching-lsass-with-kekeo-by-abusing-credssp-tspkg-rdp-sso/ +https://github.com/bytecode77/performance-monitor-privilege-escalation +https://github.com/bytecode77/enter-product-key-privilege-escalation +https://github.com/bytecode77/sysprep-privilege-escalation 
+https://github.com/bytecode77/remote-assistance-privilege-escalation +https://github.com/bytecode77/display-languages-privilege-escalation +https://github.com/bytecode77/component-services-privilege-escalation + +https://cqureacademy.com/blog/windows-internals/black-hat-europe-2017 +https://vztekoverflow.com/2018/07/31/tbal-dpapi-backdoor/ + +https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2821100/ + +https://pulsesecurity.co.nz/articles/TPM-sniffing + + + + +ADS +https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +https://github.com/p0shkatz/Get-ADS +https://github.com/forgottentq/powershell/blob/master/find-steams.ps1 +https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ +https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + +https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10) + +https://cr0n1c.wordpress.com/2016/01/27/using-sccm-to-violate-best-practices/ + +* [bytecode-api](https://github.com/bytecode77/bytecode-api) + * C# library with common classes, extensions and additional features in addition to the .NET Framework. BytecodeApi implements lots of extensions and classes for general purpose use. In addition, specific classes implement more complex logic for both general app development as well as for WPF apps. Especially, boilerplate code that is known to be part of any Core DLL in a C# project is likely to be already here. In fact, I use this library in many of my own projects. For this reason, each class and method has been reviewed numerous times. BytecodeApi is highly consistent, particularly in terms of structure, naming conventions, patterns, etc. 
The entire code style resembles the patterns used in the .NET Framework itself. You will find it intuitive to understand. +* [Here to stay: Gaining persistency by Abusing Advanced Authentication Mechanisms - Marina Simakov, Igal Gofman](https://www.youtube.com/watch?v=JvormRcth9w) + * [Slides](https://paper.seebug.org/papers/Security%20Conf/Defcon/2017/DEFCON-25-Marina-Simakov-and-Igal-Gofman-Here-to-stay-Gaining-persistence-by-abusing-auth-mechanisms.pdf) + + +https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ + + +https://web.archive.org/web/20170815050734/http://subt0x10.blogspot.com/2017/05/using-application-compatibility-shims.html +https://web.archive.org/web/20170517232357/http://subt0x10.blogspot.com:80/2017/04/consider-application-whitelisting-with.html +https://web.archive.org/web/20170714075746/http://subt0x10.blogspot.com:80/2017/04/bypassing-application-whitelisting.html +https://web.archive.org/web/20160908140124/https://subt0x10.blogspot.in/2016/04/setting-up-homestead-in-enterprise-with.html + +https://posts.specterops.io/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript-a88a81df27eb +http://www.exploit-monday.com/2017/08/application-of-authenticode-signatures.html +https://www.youtube.com/watch?v=c8LgqtATAnE&index=21&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3 +https://github.com/Cn33liz/VBSMeter +https://msitpros.com/?p=3831 +http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html + +Code Signing Windows +* https://drive.google.com/file/d/1LZkLx9dscAAbnUOJBaSnRyqdsRMCmi81/view +* https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf +* https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec + +COM +https://web.archive.org/web/20160826221656/http://thrysoee.dk:80/InsideCOM+/ch05e.htm + +https://www.youtube.com/watch?v=j-r6UonEkUw&feature=youtu.be 
+https://web.archive.org/web/20190303110249/http://threatexpress.com/2017/10/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/ +https://gist.github.com/lithackr/c71c8a1a756e7142cf19a6b9d081b2f4 + +OS X +https://conference.hitb.org/hitbsecconf2019ams/materials/D2T2%20-%20ModJack%20-%20Hijacking%20the%20MacOS%20Kernel%20-%20Zhi%20Zhou.pdf + + +Persistence +https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ +https://labs.mwrinfosecurity.com/publications/one-template-to-rule-em-all/ + +https://github.com/huntresslabs/evading-autoruns + +[Imagecreatefromgif-Bypass](https://github.com/JohnHoder/Imagecreatefromgif-Bypass) + + +* [Scenario-based pen-testing: From zero to domain admin with no missing patches required - Georgia Weidman](https://www.computerworld.com/article/2843632/scenario-based-pen-testing-from-zero-to-domain-admin-with-no-missing-patches-required.html) +* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) + + + + +Execute DLL through excel +https://github.com/3gstudent/ExcelDllLoader +https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 +https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2F3gstudent.github.io%2F3gstudent.github.io%2FUse-Excel.Application-object%27s-RegisterXLL%28%29-method-to-load-dll%2F + +XLL +https://github.com/MoooKitty/xllpoc +https://github.com/edparcell/HelloWorldXll +https://docs.microsoft.com/en-us/office/client-developer/excel/welcome-to-the-excel-software-development-kit + + + + +https://web.archive.org/web/20170614215931/http://mattwarren.org:80/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/ +https://github.com/allyshka/Rogue-MySql-Server 
+https://www.tripwire.com/state-of-security/mitre-framework/evade-detection-hiding-registry/ +https://www.youtube.com/watch?v=Yp19i40plOA +https://skylightcyber.com/2019/07/18/cylance-i-kill-you/ +* [DotNetToJScript](https://github.com/tyranid/DotNetToJScript) + * This file is part of DotNetToJScript - A tool to generate a JScript which bootstraps an arbitrary .NET Assembly and class. + + +Powershell-less +https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/ +https://decoder.cloud/2017/11/08/we-dont-need-powershell-exe-part-2/ +https://decoder.cloud/2017/11/17/we-dont-need-powershell-exe-part-3/ + + + + +http://www.hexacorn.com/blog/2019/06/15/toying-with-inheritance/ + + +NTLM +https://blog.preempt.com/how-to-easily-bypass-epa +https://blog.preempt.com/drop-the-mic +https://blog.preempt.com/your-session-key-is-my-session-key +https://blog.preempt.com/security-advisory-critical-vulnerabilities-in-ntlm + + +AdminSDHolder +https://specopssoft.com/support-docs/specops-password-reset/reference-material/understanding-privileged-accounts-and-the-adminsdholder/ +https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/ + +* [A Black Path Toward The Sun](https://github.com/nccgroup/ABPTTS) + * ABPTTS uses a Python client script and a web application server page/package[1] to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server. + + +* [Go-deliver](https://github.com/0x09AL/go-deliver/) + * Go-deliver is a payload delivery tool coded in Go. This is the first version and other features will be added in the future. 
+ + +* Get-GPTrashFire - Mike Loss(BSides Canberra2018)]() + * Identifying and Abusing Vulnerable Configurations in MS AD Group Policy + * [Slides](https://github.com/l0ss/Get-GPTrashfire) + +* [Hijacking .NET to Defend PowerShell - Amanda Rosseau](https://arxiv.org/pdf/1709.07508.pdf) + * Abstract—With the rise of attacks using PowerShell in the recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5, however this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques implemented for PowerShell attacks for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, which is explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis + +* [Reflection in the .NET Framework - docs.ms](https://docs.microsoft.com/en-us/dotnet/framework/reflection-and-codedom/reflection) + +* [Out-Minidump.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1) + * Generates a full-memory minidump of a process. + + + +* [CHAOS](https://github.com/tiagorlampert/CHAOS) + * CHAOS is a PoC that allow generate payloads and control remote operating systems. 
+ +* [Installers – Interactive Lolbins - Hexacorn](http://www.hexacorn.com/blog/2019/04/18/installers-interactive-lolbins/) +* [Installers – Interactive Lolbins, Part 2 - Hexacorn](http://www.hexacorn.com/blog/2019/04/19/installers-interactive-lolbins-part-2/) +* [Bring your own lolbas? - Hexacorn](http://www.hexacorn.com/blog/2019/07/05/bring-your-own-lolbas/) +* [Reusigned Binaries - Hexacorn](http://www.hexacorn.com/blog/category/living-off-the-land/reusigned-binaries/) +* [Reusigned Binaries – Living off the signed land - Hexacorn](http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/) + +* [Invoke-DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation) + * Cmd.exe Command Obfuscation Generator & Detection Test Harness +* [DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques - Daniel Bohannon](https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html) + + +* [Domi-Owned](https://github.com/coldfusion39/domi-owned) + * Domi-Owned is a tool used for compromising IBM/Lotus Domino servers. + +Create NTLM sectoin + +* [Invoke-WCMDump](https://github.com/peewpw/Invoke-WCMDump) + * PowerShell Script to Dump Windows Credentials from the Credential Manager + +* [PowEnum](https://github.com/whitehat-zero/PowEnum) + * Executes common PowerSploit Powerview functions then combines output into a spreadsheet for easy analysis. + + +AD Trusts +https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation/ + + + +https://github.com/mdsecactivebreach/PowerDNS +https://github.com/taviso/dbusmap + + + +* [Invoke-Phant0m](https://github.com/hlldz/Invoke-Phant0m) + * This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. 
So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running. + + +* [Remote NTLM relaying through meterpreter on Windows port 445 - Diablohorn](https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/) + + +* [Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe - Matt Graeber](https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb) +* [How to Port Microsoft.Workflow.Compiler.exe Loader to Veil - FortyNorthSecurity](https://www.fortynorthsecurity.com/port-microsoft-workflow-compiler-exe-loader-to-veil/) + + + +* [CVE-2018-8440 - PowerShell PoC](https://github.com/OneLogicalMyth/zeroday-powershell) + + + + +* [Using C# for post-PowerShell attacks - John Bergbom](https://www.forcepoint.com/blog/x-labs/using-c-post-powershell-attacks) + +DSC Attack +https://www.blackhat.com/docs/asia-16/materials/asia-16-Kazanciyan-DSCompromised-A-Windows-DSC-Attack-Framework.pdf +https://github.com/matthastings/DSCompromised + + +DC Sync +http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ +https://adsecurity.org/?p=1729 +https://adsecurity.org/?page_id=1821 + + +DC Shadow Attack +https://blog.alsid.eu/dcshadow-explained-4510f52fc19d +http://www.labofapenetrationtester.com/2018/04/dcshadow.html + +Domain Trusts(DOMAINS ARE NOT TRUST BOUNDARIES, FORESTS ARE.) 
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf +https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 +http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ +https://www.youtube.com/watch?v=tEfwmReo1Hk + + + + + + + + + + +UAC +https://tyranidslair.blogspot.com/2018/10/farewell-to-token-stealing-uac-bypass.html + +https://github.com/skelsec/pypykatz/tree/master/pypykatz + +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory](https://adsecurity.org/?p=3592) + +[How Attackers Dump Active Directory Database Credentials](https://adsecurity.org/?p=2398) +http://www.exploit-monday.com/2017/08/application-of-authenticode-signatures.html +https://github.com/HarmJ0y/DAMP +https://github.com/trustedsec/unicorn + +https://diaryofadeveloper.wordpress.com/2012/04/26/using-paramters-with-installutil/ +https://www.mdsec.co.uk/2017/06/rdpinception/ +https://github.com/foospidy/DbDat + +https://warroom.securestate.com/pillaging-pst-files/ +https://warroom.securestate.com/pillage-exchange/ +* [Windows oneliners to download remote payload and execute arbitrary code - arno0x0x](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +https://github.com/rofl0r/proxychains-ng + +https://github.com/Cn33liz/p0shKiller + +* [howto ~ scheduled tasks credentials - Benjamin Delpy](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials) + * There are somes ways to get scheduled tasks passwords + +* [SimpleShellcodeInjector (SSI)](https://github.com/DimopoulosElias/SimpleShellcodeInjector) + * SimpleShellcodeInjector or SSI receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application and it stays under the radar for tools like Get-InjectedThread. 
+ +* [ClickOnce Applications in Enterprise Environments - Remko Weijnen](https://www.remkoweijnen.nl/blog/2013/08/05/clickonce-applications-in-enterprise-environments/) + * ClickOnce is a Microsoft technology that enables an end user to install an application from the web without administrative permissions. + https://docs.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2015 + +* [NTDSDumpEx](https://github.com/zcgonvh/NTDSDumpEx) + * NTDS.dit offline dumper with non-elevated +* [NTDS-Extraction-Tools](https://github.com/robemmerson/NTDS-Extractions-Tools) + * Automated scripts that use an older version of libesedb (2014-04-06) to extract large NTDS.dit files + + --------------- ## Privilege Escalation 
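Review bot: the Get-GPTrashFire entry in this hunk is broken markdown (`* Get-GPTrashFire - Mike Loss(BSides Canberra2018)]()` has no opening bracket and an empty link target), and the bare line `Create NTLM sectoin` is a to-do note left in the document body; fix the link (the indented Slides line already carries the repo URL) and either create the NTLM section now, folding in the four preempt.com NTLM links and the Diablohorn relaying post added here, or drop the note. The same hunk adds entries that already exist elsewhere in the file: PowEnum (present under AD PowerShell Recon Scripts), the mimikatz scheduled-tasks-credentials wiki page (re-added under Mimikatz/Official in the last hunk), and decoder.cloud's "We don't need powershell.exe" (added again under Powershell without Powershell), and it opens two separate trust headings, `AD Trusts` and `Domain Trusts`, for the same topic. Finally, most of the new material is raw URLs with no title or description, against the file's `* [Title - Author](url)` plus indented-summary convention; the ClickOnce entry even has a stray space-indented bare docs.microsoft.com URL beneath its summary line.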
@@ -210,15 +935,9 @@ * [Windows Logical EoP Workbook](https://docs.google.com/document/d/1qujIzDmFrcFCBeIgMjWDZTLNMCAHChAnKDkHdWYEomM/edit) * [Abusing Token Privileges For EoP](https://github.com/hatRiot/token-priv) * This repository contains all code and a Phrack-style paper on research into abusing token privileges for escalation of privilege. Please feel free to ping us with questions, ideas, insults, or bugs. - * **PentestLab Windows PrivEsc Writeup List** - * [Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/) - * [Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) - * [Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/) - * [Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/) - * [Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) - * [Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) - * [Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) - * [Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/) + * **Privileged File Operation Abuse** + * [An introduction to privileged file operation abuse on Windows - @Claviollotte](https://offsec.provadys.com/intro-to-file-operation-abuse-on-Windows.html) + * TL;DR This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs. * **NTLM-related** * [Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1) * [Windows: Local WebDAV NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1) 
@@ -255,6 +974,15 @@ * [No more rotten/juicy potato? - decoder.cloud](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/) * Rotten potato inadvertently patched on Win10 1809 * [Juicy Potato (abusing the golden privileges)](https://github.com/ohpe/juicy-potato) + * **PentestLab Windows PrivEsc Writeup List** + * [Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/) + * [Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) + * [Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/) + * [Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/) + * [Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) + * [Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) + * [Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) + * [Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/) * **Obtaining System Privileges** * [The “SYSTEM” challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) * Writeup of achieving system from limited user privs. 
@@ -417,7 +1145,10 @@ * Query Active Directory for Workstations and then Pull their Wireless Network Passwords. This tool is designed to pull a list of machines from AD and then use psexec to pull their wireless network passwords. This should be run with either a DOMAIN or WORKSTATION Admin account. * [Grouper](https://github.com/l0ss/Grouper) * Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil. -* **Bypass Powershell Restrictions** +* **Bypass X** + * **General** + * [nps_payload](https://github.com/trustedsec/nps_payload) + * This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. * **AMSI** * **101** * [AMSI Bypass - Paul Laine](https://www.contextis.com/en/blog/amsi-bypass) 
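Review bot: the renamed heading `* **Bypass X**` is less informative than the `Bypass Powershell Restrictions` it replaces; every subsection under it in this patch (AMSI, Constrained-Language Mode, Execution Policy, Logging) is PowerShell-specific, so keep PowerShell in the name. The new `**General**` subsection also holds a single tool, nps_payload, whose own description is about intrusion-detection avoidance in payload generation rather than bypassing a PowerShell restriction; it fits better in the `Powershell without Powershell` tools list next to nps, the list it was removed from in a later hunk.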
@@ -437,7 +1168,7 @@ * [Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion - iwantmore.pizza](https://iwantmore.pizza/posts/amsi.html) * [How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code - modexp](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) * [PowerShell ScriptBlock Logging Bypass - cobbr.io](https://cobbr.io/ScriptBlock-Logging-Bypass.html) - * [Bypassing Amsi using PowerShell 5 DLL Hijacking - cn33liz](http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html) + * [Bypassing Amsi using PowerShell 5 DLL Hijacking - cn33liz](https://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html) * [Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io](https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html) * [Alternative AMSI bypass - Benoit Sevens](https://medium.com/@benoit.sevens/alternative-amsi-bypass-554dc61d70b1) * [AMSI Bypass With a Null Character - satoshi's note](http://standa-note.blogspot.com/2018/02/amsi-bypass-with-null-character.html) 
@@ -488,59 +1219,29 @@ * **Talks & Presentations** * [Bypassing AMSI for VBA - Pieter Ceelen](https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/) * This blog is a writeup of the various AMSI weaknesses presented at [the Troopers talk ‘MS Office File Format Sorcery‘](https://github.com/outflanknl/Presentations/raw/master/Troopers19_MS_Office_file_format_sorcery.pdf) and [the Blackhat Asia presentation ‘Office in Wonderland’](https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Hegt-MS-Office-in-Wonderland.pdf). - * **Non-AMSI** - * [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) - * Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. - * [Presentation](https://www.youtube.com/watch?v=P1lkflnWb0I) - * [Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em'](http://www.irongeek.com/i.php?page=videos/derbycon6/121-invoke-obfuscation-powershell-obfusk8tion-techniques-how-to-try-to-detect-them-daniel-bohannon) - * **Articles/Videos** - * [15 Ways to Bypass the PowerShell Execution Policy15 Ways to bypass](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) - * [PowerShell ScriptBlock Logging Bypass](https://cobbr.io/ScriptBlock-Logging-Bypass.html) - * [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/) - * [Empire without PowerShell.exe](https://bneg.io/2017/07/26/empire-without-powershell-exe/) + * **Constrained-Language Mode** + * **Articles/Blogposts/Writeups** + * [PowerShell Constrained Language Mode - devblogs.ms](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) + * [PowerShell Constrained Language Mode - devblogs.ms](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) * [Exploiting PowerShell Code Injection Vulnerabilities to Bypass 
Constrained Language Mode](http://www.exploit-monday.com/2017/08/exploiting-powershell-code-injection.html?m=1) - * [Pulling Back the Curtains on EncodedCommand PowerShell Attacks](https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/) - * [Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon](https://www.youtube.com/watch?feature=youtu.be&v=Nn9yJjFGXU0&app=desktop) - * [Invoke-CradleCrafter v1.1](https://github.com/danielbohannon/Invoke-CradleCrafter) - * [PowerShell: In-Memory Injection Using CertUtil.exe](https://www.coalfire.com/The-Coalfire-Blog/May-2018/PowerShell-In-Memory-Injection-Using-CertUtil-exe) * [AppLocker CLM Bypass via COM - MDSec](https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/) - * [We don’t need powershell.exe - decoder.cloud](https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/) * **Tools** * [DotNetToJScript Constrained/Restricted LanguageMode Breakout](https://github.com/FuzzySecurity/DotNetToJScript-LanguageModeBreakout/blob/master/README.md) * This repository is based on a post by [@xpn](https://twitter.com/_xpn_), [more details available here.](https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/) Xpn's post outlines a bug of sorts where ConstrainedLanguage, when enforced through AppLocker does not prevent COM invocation. Because of this it is possible to define a custom COM object in the registry and force PowerShell to load a Dll. On load it is possible to change the LanguageMode to FullLanguage and break out of the restricted shell. This repo is a variation on this technique where a DotNetToJScript scriptlet is used to directly stage a .Net assembly into the PowerShell process. - * [PSShell](https://github.com/fdiskyou/PSShell) - * PSShell is an application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). 
It doesn't need to be "installed" so it's very portable. - * [DigitalSignature-Hijack.ps1](https://gist.github.com/netbiosX/fe5b13b4cc59f9a944fe40944920d07c) - * [Hijack Digital Signatures – PowerShell Script - pentestlab](https://pentestlab.blog/2017/11/08/hijack-digital-signatures-powershell-script/) - * [PoCSubjectInterfacePackage](https://github.com/mattifestation/PoCSubjectInterfacePackage) - * A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks. - * [nps - Not PowerShell](https://github.com/Ben0xA/nps) - * Execute powershell without powershell.exe - * [nps_payload](https://github.com/trustedsec/nps_payload) - * This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. - * [PowerShdll](https://github.com/p3nt4/PowerShdll) - * Run PowerShell with rundll32. Bypass software restrictions. - * [p0wnedShell](https://github.com/Cn33liz/p0wnedShell) - * p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). - * [UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell/tree/master) - * [PowerOPS: PowerShell for Offensive Operations](https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/) - * [PowerOPS Github page](https://github.com/fdiskyou/PowerOPS) - * PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a powershell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of Post Exploitation easier. 
- * [PowerLine](https://github.com/fullmetalcache/powerline) - * [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc) - * [Bat Armor](https://github.com/klsecservices/bat-armor) - * Bypass PowerShell execution policy by encoding ps script into bat file. - * [PyFuscation](https://github.com/CBHue/PyFuscation) - * Obfuscate powershell scripts by replacing Function names, Variables and Parameters. - * [NoPowerShell](https://github.com/bitsadmin/nopowershell) - * NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: `rundll32 NoPowerShell.dll,main`. * [PoSH_Bypass](https://github.com/davehardy20/PoSHBypass) * PoSHBypass is a payload and console proof of concept that allows an attatcker or for that matter a legitimate user to bypass PowerShell's 'Constrianed Language Mode, AMSI and ScriptBlock and Module logging'. The bulk of this concept is the combination of 3 separate pieces of research, I've stuck these 3 elements together as my first attempt at non 'Hello World!' C# project. - * [OffensivePowerShellTasking](https://github.com/leechristensen/OffensivePowerShellTasking) - * Run multiple PowerShell scripts concurrently in different app domains. Solves the offensive security problem of running multiple PowerShell scripts concurrently without spawning powershell.exe and without the scripts causing problems with each other (usually due to PInvoke'd functions). 
+ * [PSByPassCLM](https://github.com/padovah4ck/PSByPassCLM) + * Bypass for PowerShell Constrained Language Mode * [powershellveryless](https://github.com/decoder-it/powershellveryless) * Constrained Language Mode + AMSI bypass all in one(Currently Blocked without modification) - * **Bypass Logging** + * **Execution Policy** + * [15 Ways to Bypass the PowerShell Execution Policy - NetSPI](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) + * [Bat Armor](https://github.com/klsecservices/bat-armor) + * Bypass PowerShell execution policy by encoding ps script into bat file. + * **Logging** + * [About Eventlogs(PowerShell) - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs?view=powershell-5.1) + * [Script Tracing and Logging - docs.ms](https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging) + * [PowerShell ScriptBlock Logging Bypass](https://cobbr.io/ScriptBlock-Logging-Bypass.html) * [A Critique of Logging Capabilities in PowerShell v6](http://www.labofapenetrationtester.com/2018/01/powershell6.html) * Introduces 'PowerShell Upgrade Attack' * [Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io](https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html) 
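Review bot: the Constrained-Language Mode block in this hunk adds the same devblogs.microsoft.com "PowerShell Constrained Language Mode" link twice in a row; drop one. The new `**Logging**` subsection also re-lists cobbr.io's ScriptBlock Logging Bypass and sits next to the ScriptBlock Warning Logging bypass, both of which are still listed under `**AMSI**` two hunks up; now that a Logging section exists, the AMSI list should lose those two entries. Minor: the unchanged PoSH_Bypass description still reads "attatcker" and "Constrianed", worth fixing while this section is being reorganized.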
@@ -584,6 +1285,43 @@ * **Malicious X (Document/Macro/whatever) Generation** * [​psWar.py](https://gist.github.com/HarmJ0y/aecabdc30f4c4ef1fad3) * Code that quickly generates a deployable .war for a PowerShell one-liner +* **Obfuscation** + * [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) + * Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. + * [Presentation](https://www.youtube.com/watch?v=P1lkflnWb0I) + * [Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em'](http://www.irongeek.com/i.php?page=videos/derbycon6/121-invoke-obfuscation-powershell-obfusk8tion-techniques-how-to-try-to-detect-them-daniel-bohannon) + * [PyFuscation](https://github.com/CBHue/PyFuscation) + * Obfuscate powershell scripts by replacing Function names, Variables and Parameters. + * [Pulling Back the Curtains on EncodedCommand PowerShell Attacks](https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/) + * [Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon](https://www.youtube.com/watch?feature=youtu.be&v=Nn9yJjFGXU0&app=desktop) + * [Invoke-CradleCrafter v1.1](https://github.com/danielbohannon/Invoke-CradleCrafter) +* **Powershell without Powershell** + * **Articles/Blogposts/Writeups** + * [Empire without PowerShell.exe](https://bneg.io/2017/07/26/empire-without-powershell-exe/) + * [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/) + * [We don’t need powershell.exe - decoder.cloud](https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/) + * [PowerShell: In-Memory Injection Using CertUtil.exe](https://www.coalfire.com/The-Coalfire-Blog/May-2018/PowerShell-In-Memory-Injection-Using-CertUtil-exe) + * **Talks & Presentations** + * **Tools** + * 
[PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell) + * PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach. + * [NoPowerShell](https://github.com/bitsadmin/nopowershell) + * NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: `rundll32 NoPowerShell.dll,main`. + * [p0wnedShell](https://github.com/Cn33liz/p0wnedShell) + * p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). + * [UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell/tree/master) + * [nps - Not PowerShell](https://github.com/Ben0xA/nps) + * Execute powershell without powershell.exe + * [PSShell](https://github.com/fdiskyou/PSShell) + * PSShell is an application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It doesn't need to be "installed" so it's very portable. + * [PowerShdll](https://github.com/p3nt4/PowerShdll) + * Run PowerShell with rundll32. Bypass software restrictions. + * [PowerOPS: PowerShell for Offensive Operations](https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/) + * [PowerOPS Github page](https://github.com/fdiskyou/PowerOPS) + * PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a powershell runspace environment (.NET). 
It intends to include multiple offensive PowerShell modules to make the process of Post Exploitation easier. + * [PowerLine](https://github.com/fullmetalcache/powerline) + * [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc) + * Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be! * **Priv Esc / Post Ex Scripts** * [PowerUp](https://github.com/HarmJ0y/PowerUp) * PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. 
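Review bot: the `**Talks & Presentations**` heading under `Powershell without Powershell` is empty; either move the PowerLine presentation link there or drop the heading. The PowerLine description is lifted verbatim from a talk abstract ("Look no further!", "all pun intended") and reads as promotional copy; a one-line summary in the style of the neighbouring entries (a PowerOps-like framework usable over Meterpreter, Empire or other C2 channels) would do. The new Obfuscation section also mixes tools (Invoke-Obfuscation, PyFuscation, Invoke-CradleCrafter) with the Unit42 EncodedCommand writeup, while the rest of this block separates Articles/Blogposts/Writeups from Tools; apply the same split.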
@@ -602,9 +1340,11 @@ * AD PowerShell Recon Scripts * [PowEnum](https://github.com/whitehat-zero/PowEnum) * PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s). PowEnum also leverages PowerSploit Get-GPPPassword and Harmj0y's ASREPRoast. -* **Running Powershell without PowerShell** - * [PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell) - * PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach. +* **Signatures** + * [DigitalSignature-Hijack.ps1](https://gist.github.com/netbiosX/fe5b13b4cc59f9a944fe40944920d07c) + * [Hijack Digital Signatures – PowerShell Script - pentestlab](https://pentestlab.blog/2017/11/08/hijack-digital-signatures-powershell-script/) + * [PoCSubjectInterfacePackage](https://github.com/mattifestation/PoCSubjectInterfacePackage) + * A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks. * **Miscellaneous Useful Things** * [Invoke-DCOM.ps1](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1) * [PowerShell and Token Impersonation](https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/) 
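Review bot: `**Signatures**` is a bare heading for three digital-signature-subversion entries (the DigitalSignature-Hijack script, its pentestlab writeup and the PoC subject interface package); placed between the recon scripts and "Miscellaneous Useful Things" it reads as a catalogue of detection signatures, so name it for what it holds, e.g. "Digital Signature Hijacking".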
@@ -626,7 +1366,8 @@ * A PowerShell script to induce a Blue Screen of Death (BSOD) without admin privileges. Also enumerates Windows crash dump settings. This is a standalone script, it does not depend on any other files. * [Invoke-SocksProxy](https://github.com/p3nt4/Invoke-SocksProxy) * Creates a Socks proxy using powershell. - + * [OffensivePowerShellTasking](https://github.com/leechristensen/OffensivePowerShellTasking) + * Run multiple PowerShell scripts concurrently in different app domains. Solves the offensive security problem of running multiple PowerShell scripts concurrently without spawning powershell.exe and without the scripts causing problems with each other (usually due to PInvoke'd functions). ------------------- @@ -641,8 +1382,6 @@ * [RTLO-attack](https://github.com/ctrlaltdev/RTLO-attack) * This is a really simple example on how to create a file with a unicode right to left ove rride character used to disguise the real extention of the file. In this example I disguise my .sh file as a .jpg file. * [Blog](https://ctrlalt.dev/RTLO) -* **Linux** - * [How to determine Linux guest VM virtualization technology](https://www.cyberciti.biz/faq/linux-determine-virtualization-technology-command/) * **Egress Testing** * [Egress Testing using PowerShell](http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html) * [Egress Buster Reverse Shell](https://www.trustedsec.com/files/egress_buster_revshell.zip) 
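Review bot: OffensivePowerShellTasking is filed under "Miscellaneous Useful Things" in the first hunk here, but its own description says it runs PowerShell scripts "without spawning powershell.exe", which is exactly the criterion for the `Powershell without Powershell` tools list created earlier in this patch; move it there. The second hunk only relocates the Linux VM-detection link, which reappears under the new Virtual Machine Detection section, so no issue with that part.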
@@ -650,11 +1389,22 @@ * [Egress-Assess](https://github.com/FortyNorthSecurity/Egress-Assess) * Egress-Assess is a tool used to test egress data detection capabilities * **Network Awareness** - * [Packet sniffing with powershell](https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/12/packet-sniffing-with-powershell-getting-started/) + * **Packet Sniffing** + * See Network_Attacks.md + * **Finding your external IP:** + * Curl any of the following addresses: `ident.me, ifconfig.me or whatsmyip.akamai.com` + * [Determine Public IP from CLI](http://askubuntu.com/questions/95910/command-for-determining-my-public-ip) * **Miscellaneous** - * Finding your external IP: - * Simply curl any of the following addresses: `ident.me, ifconfig.me or whatsmyip.akamai.com` - * [Determine Public IP from CLI](http://askubuntu.com/questions/95910/command-for-determining-my-public-ip) +* **Redis** + * [Redis post-exploitation - Pavel Toporkov(ZeroNights18)](https://www.youtube.com/watch?v=Jmv-0PnoJ6c&feature=share) + * We will overview the techniques of redis post-exploitation and present new ones. In the course of the talk, you will also find out what to do if a pentester or adversary has obtained access to redis. +* **Virtual Machine Detection** + * [How to determine Linux guest VM virtualization technology](https://www.cyberciti.biz/faq/linux-determine-virtualization-technology-command/) + * **Virtualbox** + * [VirtualBox Detection Via WQL Queries](http://waleedassar.blogspot.com/) + * [Bypassing VirtualBox Process Hardening on Windows](https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html) + * [VBoxHardenedLoader](https://github.com/hfiref0x/VBoxHardenedLoader) + * VirtualBox VM detection mitigation loader * **Tools** * **Web Browsers** * [HeraKeylogger](https://github.com/UndeadSec/HeraKeylogger) 
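Review bot: in the new `**Virtualbox**` subsection, "VirtualBox Detection Via WQL Queries" links to the blog root (http://waleedassar.blogspot.com/) rather than the post, and the other two entries are not detection material: the Project Zero post is about bypassing VirtualBox's process hardening, and VBoxHardenedLoader describes itself as a "VM detection mitigation loader", i.e. the opposite direction (hiding the VM from what runs inside it). Link the specific post, and either widen the section title to cover anti-detection or move the two hardening items out. Also, `See Network_Attacks.md` under Packet Sniffing replaces a working link with a cross-reference to another draft file; keep the Hey Scripting Guy link here or point at the exact section in that file.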
@@ -722,7 +1472,7 @@ * [Fire & Ice; Making and Breaking macOS firewalls - Patrick Wardle(Rootcon12)](https://www.youtube.com/watch?v=zmIt9ags3Cg&app=desktop) * **Grabbing Goodies** * [Mac OS X Keychain Forensic Tool](https://github.com/n0fate/chainbreaker) - * The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. Master Key candidates can be extracted from volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra + * The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. Master Key candidates can be extracted from volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra. This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra, see README-keydump.txt for more details. * **Recon** * [Orchard](https://github.com/its-a-feature/Orchard) * Live off the land for macOS. This program allows users to do Active Directory enumeration via macOS' JXA (JavaScript for Automation) code. This is the newest version of AppleScript, and thus has very poor documentation on the web. 
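Review bot: the sentence appended to the chainbreaker entry, "This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra, see README-keydump.txt", is README text that refers to "this branch", but the link still points at the n0fate/chainbreaker repository root, so the reader has no branch to look at; either link the branch or fork that carries the patch or drop the sentence.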
@@ -798,7 +1548,6 @@ * [Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753609(v=ws.10)) * This guide shows how you can use an improved version of Ntdsutil and a new Active Directory® database mounting tool in Windows Server® 2008 to create and view snapshots of data that is stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting the domain controller or AD LDS server. A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files. * [Extracting SSH Private Keys from Windows 10 ssh-agent - ropnop](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) - * [Dumping a Domains worth of passwords using mimikatz](http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html) * [Dump Windows password hashes efficiently - Part 1](http://www.bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html) * [Compromising Plain Text Passwords In Active Directory](https://blog.stealthbits.com/compromising-plain-text-passwords-in-active-directory) * **Dumping NTDS.dit** 
@@ -816,16 +1565,39 @@ * **Internal Monologue** * [Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS](https://github.com/eladshamir/Internal-Monologue) * **Mimikatz/Similar** - * [mimikatz](https://github.com/gentilkiwi/mimikatz) - * [Unofficial Guide to Mimikatz](https://adsecurity.org/?page_id=1821) - * [Mimikatz Overview, Defenses and Detection](https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780) - * [Mimikatz Logs and Netcat](http://blackpentesters.blogspot.com/2013/12/mimikatz-logs-and-netcat.html?m=1) - * [Mimikatz Scheduled tasks Creds](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials) + * **Official** + * ["Mimikatz" - Benjamin Delpy(NoSuchCon#2)](https://www.youtube.com/watch?v=j2m7x1deVRk) + * [Slides](http://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf) + * [mimikatz](https://github.com/gentilkiwi/mimikatz) + * [Mimikatz Scheduled tasks Creds](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials) + * [module ~ dpapi - mimikatz](https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi) + * **Using** + * [Unofficial Guide to Mimikatz](https://adsecurity.org/?page_id=1821) + * [Mimikatz Overview, Defenses and Detection](https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780) + * [Mimikatz Logs and Netcat](http://blackpentesters.blogspot.com/2013/12/mimikatz-logs-and-netcat.html?m=1) + * [Dumping a Domains worth of passwords using mimikatz](http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html) + * [Mass mimikatz - hacklikeapornstar](https://www.hacklikeapornstar.com/mass-mimikatz/) + * [Reading DPAPI Encrypted Secrets with Mimikatz and C++ -ired.team](https://ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++) + * **Other** + * [Attackers Can Now Use Mimikatz 
to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest](https://adsecurity.org/?p=1275) + * [mimikatz - golden ticket](http://rycon.hu/papers/goldenticket.html) + * [Windows Credential Guard & Mimikatz - nviso](https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/) + * [Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf](https://adsecurity.org/?p=1729) + * [Mimikatz and DCSync and ExtraSids, Oh My - harmj0y](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/) + * [DCShadow](https://www.dcshadow.com/) + * DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz). + * [Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland](https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/) + * [Mimikatz 2.0 - Brute-Forcing Service Account Passwords ](https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Brute-Forcing_Service_Account_Passwords.html) + * If everything about that ticket-generation operation is valid except for the NTLM hash, then accessing the web application will result in a failure. However, this will not cause a failed logon to appear in the Windows® event log. It will also not increment the count of failed logon attempts for the service account. Therefore, the result is an ability to perform brute-force (or, more realistically, dictionary-based) password checks for such a service account, without locking it out or generating suspicious event log entries. 
+ * [Active Directory Domain Controller Skeleton Key Malware & Mimikatz - ADSecurity](https://adsecurity.org/?p=1255) * **Volume Shadow Copy Service** * [Shadow Copy - Wikipedia](https://en.wikipedia.org/wiki/Shadow_Copy) * [Manage Volume Shadow Copy Service from the Vssadmin Command-Line - technet.ms](https://technet.microsoft.com/en-us/library/dd348398.aspx) * [vssadmin - ss64](https://ss64.com/nt/vssadmin.html) * [vssown.vbs](https://github.com/lanmaster53/ptscripts/blob/master/windows/vssown.vbs) + * **RDP** + * [Vol de session RDP - Gentil Kiwi](http://blog.gentilkiwi.com/securite/vol-de-session-rdp) + * [Passwordless RDP Session Hijacking Feature All Windows versions - Alexander Korznikov](http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html) * **Tools** * [credgrap_ie_edge](https://github.com/HanseSecure/credgrap_ie_edge) * Extract stored credentials from Internet Explorer and Edge @@ -865,7 +1637,6 @@ * A collection of tools to enumerate and analyse Windows DACLs * [DAMP](https://github.com/HarmJ0y/DAMP) * The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification. This project contains several files that implement host-based security descriptor "backdoors" that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals. tl;dr - this grants users/groups (local, domain, or 'well-known' like 'Everyone') of an attacker's choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group. - * **DPAPI** * **101** * [CNG DPAPI - docs.ms](https://docs.microsoft.com/en-us/windows/win32/seccng/cng-dpapi) 
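Review bot: several links added under the new **Other** sub-section of the Mimikatz block (hunk @@ -816,16 +1565,39 @@) duplicate entries elsewhere in the file: "Attackers Can Now Use Mimikatz to Implant Skeleton Key ..." and "Active Directory Domain Controller Skeleton Key Malware & Mimikatz" are also listed under **Skeleton Key** (visible in the context of hunk @@ -1275), and "Windows Credential Guard & Mimikatz - nviso" is already present in the Pass-the-Hash section (visible in hunk @@ -1180). Keep each link in one place or make the second a short cross-reference. Also the link text "Mimikatz 2.0 - Brute-Forcing Service Account Passwords " carries a trailing space before the closing bracket.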
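Review bot: hunk @@ -865,7 +1637,6 @@ deletes the `* **DPAPI**` heading but leaves the `* **101**` sub-heading and the "CNG DPAPI - docs.ms" entry that follow it, so they now hang off the preceding DACL tools (DAMP) section. Unless the DPAPI heading is re-created elsewhere in this patch, that line should stay.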
@@ -946,6 +1717,8 @@ ### Active Directory * **101** * [What is Active Directory Domain Services and how does it work?](https://serverfault.com/questions/402580/what-is-active-directory-domain-services-and-how-does-it-work#) + * [Beyond the Mcse: Active Directory for the Security Professional - Sean Metcalf(BHUSA 2016)](https://www.youtube.com/watch?v=2w1cesS7pGY) + * Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, it's security, how it's attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantages of AD communication. * **General** * [Offensive Active Directory with Powershell](https://www.youtube.com/watch?v=cXWtu-qalSs) * [Abusing Active Directory in Post-Exploitation](https://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez) 
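Review bot: in the abstract added in hunk @@ -946,6 +1717,8 @@, "it's security" should be "its security", and "Mcse" in the link title should be "MCSE" to match the "Beyond the MCSE" entry in the next hunk.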
@@ -954,7 +1727,8 @@ * [Pen Testing Active Directory Series](https://blog.varonis.com/binge-read-pen-testing-active-directory-series/) * [Beyond the MCSE: Red Teaming Active Directory](https://www.youtube.com/watch?v=tEfwmReo1Hk) * [Red vs Blue: Modern Active Directory Attacks & Defense - Defcon23](https://www.youtube.com/watch?v=rknpKIxT7NM) - * [Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection - BHUSA15](https://www.youtube.com/watch?v=b6GUXerE9Ac) + * [Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection - Sean Metcalf(BHUSA15)](https://www.youtube.com/watch?v=b6GUXerE9Ac) + * Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right? The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole. This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage! 
* [Abusing Active Directory in Post Exploitation - Carlos Perez - Derbycon 4](https://www.youtube.com/watch?v=sTU-70dD-Ok) * [Setting up Samba as a Domain Member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) * [ATA Suspicious Activity Playbook - technet.ms](https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38) @@ -1002,7 +1776,7 @@ * **Articles/Blogposts/Writeups** * [Abusing DNSAdmins privilege for escalation in Active Directory](http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) * [From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration](https://adsecurity.org/?p=4064) - * [AD Zone Transfers as a user - Carnal0wnage](http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html) + * [AD Zone Transfers as a user - mubix](http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html) * [Feature, not bug: DNSAdmin to DC compromise in one line - Shay Ber](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83) * [Abusing DNSAdmins privilege for escalation in Active Directory](http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) * [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/) 
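Review bot: the attribution change to "mubix" in hunk @@ -1002,7 +1776,7 @@ is fine, but the surrounding context lists "Abusing DNSAdmins privilege for escalation in Active Directory" twice with the same URL (first and fifth entries of the visible block); worth dropping one copy while this block is being edited.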
@@ -1011,6 +1785,9 @@ * **Tools** * [DnsCache](https://github.com/malcomvetter/DnsCache) * This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only. + * [adidnsdump](https://github.com/dirkjanm/adidnsdump) + * By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. + * [Blogpost](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/) * **Domain Trusts** * [Domain Trusts: Why You Should Care](http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/) * [Trusts You Might Have Missed](http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/) @@ -1055,6 +1832,7 @@ * [A Red Teamer’s Guide to GPOs and OUs](https://wald0.com/?p=179) * [File templates for GPO Abuse](https://github.com/rasta-mouse/GPO-Abuse) * [GPO Abuse - Part 1](https://rastamouse.me/2019/01/gpo-abuse-part-1/) + * [Local Group Enumeration - harmj0y](http://www.harmj0y.net/blog/redteaming/local-group-enumeration/) * **Talks & Presentations** **Tools** * [Grouper2](https://github.com/l0ss/Grouper2) 
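Review bot: "Local Group Enumeration - harmj0y", added in hunk @@ -1055,6 +1832,7 @@, is about enumerating local group membership rather than GPO or OU abuse, so it fits better under the Reconnaissance section than under the GPO articles. The context line `* **Talks & Presentations** **Tools**` also has two headings run together on one line; consider splitting it while here.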
@@ -1065,6 +1843,8 @@ * Identifiying and Abusing Vulnerable Configuraitons in MS AD Group Policy * [SharpGPOAbuse](https://github.com/mwrlabs/SharpGPOAbuse) * SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO. [Blogpost](https://labs.mwrinfosecurity.com/tools/sharpgpoabuse) +* **Group Scoping** + * [A Pentester’s Guide to Group Scoping - harmj0y](http://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/) * **Kerberos** * **101** * [Kerberos (I): How does Kerberos work? – Theory - Eloy Perez](https://www.tarlogic.com/en/blog/how-kerberos-works/) @@ -1092,6 +1872,7 @@ * [Unconstrained Delegation Permissions](https://blog.stealthbits.com/unconstrained-delegation-permissions/) * [Trust? Years to earn, seconds to break](https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/) * [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) + * [Getting Domain Admin with Kerberos Unconstrained Delegation - Nikhil Mittal](http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html) * **Talks & Presentations** * **Tools** * **Kerberoast(ing)** 
@@ -1109,6 +1890,8 @@ * [Targeted Kerberoasting - harmj0y](http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/) * [Kerberoast PW list for cracking passwords with complexity requirements](https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5) * **Talks & Presentations** + * [Attacking Kerberos: Kicking the Guard Dog of Hades - Tim Medin](https://www.youtube.com/watch?v=HHJWfG9b0-E) + * Kerberos, besides having three heads and guarding the gates of hell, protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication.In this talk Tim will discuss his research on new attacks against Kerberos- including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems.He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments. * [Demo of kerberoasting on EvilCorp Derbycon6](https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Demo-4-kerberoast.mp4) * [Attacking EvilCorp Anatomy of a Corporate Hack - Sean Metcalf, Will Schroeder](https://www.youtube.com/watch?v=nJSMJyRNvlM&feature=youtu.be&t=16) * [Slides](https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Presented.pdf) 
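Review bot: the pasted abstract for "Attacking Kerberos: Kicking the Guard Dog of Hades" in hunk @@ -1109,6 +1890,8 @@ is missing the space after two sentence ends ("authentication.In this talk", "systems.He will"), and "Kerberos- including" uses a bare hyphen where the original had a dash or comma.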
@@ -1180,7 +1963,9 @@ * [Windows Credential Guard & Mimikatz - nviso](https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/) * [Wendel's Small Hacking Tricks - The Annoying NT_STATUS_INVALID_WORKSTATION](https://www.trustwave.com/Resources/SpiderLabs-Blog/Wendel-s-Small-Hacking-Tricks---The-Annoying-NT_STATUS_INVALID_WORKSTATION-/) * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) - * TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client mstsc.exe. (You’ll need mimikatz or something else to inject the hash into the process) + * TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client mstsc.exe. (You’ll need mimikatz or something else to inject the hash into the process) + * **Over-Pass-the-Hash** + * [Overpass-the-hash - Benjamin Delpy](http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash) * **Ticket** * [How To Pass the Ticket Through SSH Tunnels](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) * [Pass-the-ticket - ldapwiki](http://ldapwiki.com/wiki/Pass-the-ticket) 
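Review bot: in hunk @@ -1180,7 +1963,9 @@ the removed and re-added "TL;DR: If the remote server allows Restricted Admin login ..." lines are textually identical, so this is a whitespace-only change (trailing space or indentation); if it is unintended, drop it to keep the diff focused on the new **Over-Pass-the-Hash** sub-section.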
@@ -1201,16 +1986,15 @@ * [Multi-Factor Mixup: Who Were You Again? - Okta](https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability/) * A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization. * [Playing with Relayed Credentials - SecureAuth](https://www.secureauth.com/blog/playing-relayed-credentials) + * [Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks(Hack.lu 2016)](https://www.youtube.com/watch?v=tXx6RB0raEY) + * In countless intrusions from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first obtained access and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single-system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain composed of obtaining credentials on system A that grant access to system B and credentials later used on system B that grant further access, etc. We’ll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify maximal access and privileges gained, useful for either offensive or defensive purposes. 
* **Reconaissance** * **Articles/Blogposts/Presentations/Talks/Writeups** * [Active Directory Firewall Ports – Let’s Try To Make This Simple - Ace Fekay(2011)](https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/) * [Automating the Empire with the Death Star: getting Domain Admin with a push of a button](https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html) * [Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names](https://adsecurity.org/?p=230) * [Active Directory Recon Without Admin Rights - adsecurity](https://adsecurity.org/?p=2535) - * [Discovering Service Accounts Without Using Privileges - Jeff Warren](https://blog.stealthbits.com/discovering-service-accounts-without-using-privileges/) * [Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html) - * [Extending BloodHound: Track and Visualize Your Compromise](https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/) - * Customizing BloodHound's UI and taking advantage of Custom Queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains. * **Tools** * **Admin/User Hunting** * [Invoke-HostRecon](https://github.com/dafthack/HostRecon) 
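Review bot: the two entries removed in hunk @@ -1201,16 +1986,15 @@ ("Discovering Service Accounts Without Using Privileges" and "Extending BloodHound") reappear under SPN Scanning and under BloodHound "Extending Functionality" later in this patch, so the moves are consistent. While editing this block, the heading "**Reconaissance**" (and "Domain Reconaissance" in the -1225 hunk) is misspelled; it should be "Reconnaissance".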
@@ -1225,18 +2009,38 @@ * [DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer) * Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output. * **BloodHound** + * [Introducing BloodHound](https://wald0.com/?p=68) * [BloodHound](https://github.com/BloodHoundAD/BloodHound) * BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment. - * [BloodHound 1.3 – The ACL Attack Path Update - wald0](https://wald0.com/?p=112) - * [My First Go with BloodHound](https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/) - * [Lay of the Land with BloodHound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/) - * [Visualizing BloodHound Data with PowerBI — Part 1 - Andy Robbins](https://posts.specterops.io/visualizing-bloodhound-data-with-powerbi-part-1-ba8ea4908422) - * [SharpHound: Evolution of the BloodHound Ingestor - CptJesus](https://blog.cptjesus.com/posts/newbloodhoundingestor) - * [Bloodhound walkthrough. 
A Tool for Many Tradecrafts - Andy Gill](https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/) - * A walkthrough on how to set up and use BloodHound - * [The Dog Whisperer's Handbook: A Hacker's Guide to the BloodHound Galaxy - @SadProcessor](https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf) + * **Historical Posts** + * [Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. - JohnLaTwC](https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md) + * [Automated Derivative Administrator Search - wald0](https://wald0.com/?p=14) + * [BloodHound 1.3 – The ACL Attack Path Update - wald0](https://wald0.com/?p=112) + * [BloodHound 1.4: The Object Properties Update - CptJesus](https://blog.cptjesus.com/posts/bloodhoundobjectproperties) + * [SharpHound: Target Selection and API Usage](https://blog.cptjesus.com/posts/sharphoundtargeting) + * [BloodHound 1.5: The Container Update](https://blog.cptjesus.com/posts/bloodhound15) + * [A Red Teamer’s Guide to GPOs and OUs - wald0](https://wald0.com/?p=179) + * [BloodHound 2.0 - CptJesus](https://blog.cptjesus.com/posts/bloodhound20) + * [BloodHound 2.1: The Fix Broken Stuff Update - Rohan Vazarkar](https://posts.specterops.io/bloodhound-2-1-the-fix-broken-stuff-update-4d28ff732b1) + * **Using** + * [The Dog Whisperer's Handbook: A Hacker's Guide to the BloodHound Galaxy - @SadProcessor](https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf) * [Blogpost](https://insinuator.net/2018/11/the-dog-whisperers-handbook/) - * [CypherDog](https://github.com/SadProcessor/CypherDog) + * [My First Go with BloodHound](https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/) + * [Lay of the Land with BloodHound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/) + * 
[Bloodhound walkthrough. A Tool for Many Tradecrafts - Andy Gill](https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/) + * A walkthrough on how to set up and use BloodHound + * [BloodHound From Red to Blue - Mathieu Saulnier(BSides Charm2019)](https://www.youtube.com/watch?v=UWY772iIq_Y) + * **Neo4j** + * [Neo4j Cypher Refcard 3.5](https://neo4j.com/docs/cypher-refcard/current/) + * **Extending Functionality** + * [Visualizing BloodHound Data with PowerBI — Part 1 - Andy Robbins](https://posts.specterops.io/visualizing-bloodhound-data-with-powerbi-part-1-ba8ea4908422) + * [Extending BloodHound: Track and Visualize Your Compromise](https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/) + * Customizing BloodHound's UI and taking advantage of Custom Queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains. + * **Ingestors** + * [BloodHound.py](https://github.com/fox-it/BloodHound.py) + * A Python based ingestor for BloodHound + * **API** + * [CypherDog](https://github.com/SadProcessor/CypherDog) * **Domain Reconaissance** * [goddi](https://github.com/NetSPI/goddi) * goddi (go dump domain info) dumps Active Directory domain information 
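Review bot: in hunk @@ -1225,18 +2009,38 @@, "Neo4j Cypher Refcard 3.5" links to .../cypher-refcard/current/, which will stop matching 3.5 as Neo4j publishes newer versions; either link a versioned refcard URL or drop the version from the title. Also "A Red Teamer's Guide to GPOs and OUs - wald0" now appears both here under **Historical Posts** and in the GPO section (hunk @@ -1055); one of them could become a cross-reference.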
@@ -1260,11 +2064,13 @@ * **Passwords** * [NtdsAudit](https://github.com/Dionach/NtdsAudit) * NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking. - * **SPN Scanning** + * **Service Principal Name(SPN) Scanning** * [Service Principal Names - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/AD/service-principal-names) * [SPNs - adsecurity.org](https://adsecurity.org/?page_id=183) * This page is a comprehensive reference (as comprehensive as possible) for Active Directory Service Principal Names (SPNs). As I discover more SPNs, they will be added. * [Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe - social.technet.ms.com)](https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx) + * [SPN Discovery - pentestlab.blog](https://pentestlab.blog/2018/06/04/spn-discovery/) + * [Discovering Service Accounts Without Using Privileges - Jeff Warren](https://blog.stealthbits.com/discovering-service-accounts-without-using-privileges/) * **Red Forest** * [Attack and defend Microsoft Enhanced Security Administrative](https://download.ernw-insight.de/troopers/tr18/slides/TR18_AD_Attack-and-Defend-Microsoft-Enhanced-Security.pdf) * **Skeleton Key** 
@@ -1275,9 +2081,19 @@ * [Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest](https://adsecurity.org/?p=1275) * **Specific Vulnerabilities**"active * **MS14-068** - * [MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege](https://adsecurity.org/?p=525) - * [Digging into MS14-068, Exploitation and Defence](https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/) - * [From MS14-068 to Full Compromise – Step by Step](https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/) + * **About** + * [MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege](https://adsecurity.org/?p=525) + * [MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege - adsecurity.org](https://adsecurity.org/?p=525) + * [Kerberos Vulnerability in MS14-068 (KB3011780) Explained - adsecurity.org](https://adsecurity.org/?p=541) + * [Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works - adsecurity.org](https://adsecurity.org/?p=763) + * [Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) - adsecurity.org](https://adsecurity.org/?p=676) + * [Digging into MS14-068, Exploitation and Defence - Ben Campbell, Jon Cave](https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/) + * **Exploiting** + * [Digging into MS14-068, Exploitation and Defence](https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/) + * [From MS14-068 to Full Compromise - Stepy by Step - David Kennedy](https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/) + * [Microsoft Security Bulletin MS14-068 - Critical - docs.ms](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068) + * [Exploiting MS14-068 with PyKEK and Kali - Zach 
Grace](https://zachgrace.com/posts/exploiting-ms14-068/) + * [Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) - adsecurity.org](https://adsecurity.org/?p=676) * **MS15-011** * [Practically Exploiting MS15-014 and MS15-011 - MWR](https://labs.mwrinfosecurity.com/blog/practically-exploiting-ms15-014-and-ms15-011/) * [MS15-011 - Microsoft Windows Group Policy real exploitation via a SMB MiTM attack - coresecurity](https://www.coresecurity.com/blog/ms15-011-microsoft-windows-group-policy-real-exploitation-via-a-smb-mitm-attack) 
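Review bot: the reorganised MS14-068 block in hunk @@ -1275,9 +2081,19 @@ lists three links twice: "MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege" (adsecurity.org/?p=525) appears back to back under **About**, and both "Digging into MS14-068, Exploitation and Defence" and "Exploiting MS14-068 Vulnerable Domain Controllers Successfully with ... (PyKEK)" appear under **About** and again under **Exploiting**. Keep each in the one sub-section it fits. Also "Stepy by Step" should be "Step by Step", and the context line `* **Specific Vulnerabilities**"active` carries a stray `"active` fragment that should be removed.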
@@ -1495,21 +2311,25 @@ * [Invoke-ExShellcode.ps1 - Philts](https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a) * Lateral movement and shellcode injection via Excel 4.0 macros * **Pass-The-Hash** - * [PsExec and the Nasty Things It Can Do](http://www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html) - * An overview of what PsExec is and what its capabilities are from an administrative standpoint. - * [smbexec](https://github.com/pentestgeek/smbexec) - * A rapid psexec style attack with samba tools - * [Blogpost that inspired it](http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html) - * [pth-toolkit I.e Portable pass the hash toolkit](https://github.com/byt3bl33d3r/pth-toolkit) - * A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems - * [Pass-the-Hash is Dead: Long Live Pass-the-Hash](http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/) - * [Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00) - * [Still Passing the Hash 15 Years Later](http://passing-the-hash.blogspot.com/) - * [The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1](http://www.alex-ionescu.com/?p=97) - * [Et tu Kerberos - Christopher Campbell](https://www.youtube.com/watch?v=RIRQQCM4wz8) - * For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known- but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. 
We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC- Pass-the-Hash- Golden Ticket- Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately- we don’t really know what is next – only that what we have now is broken. - * [Battle Of SKM And IUM How Windows 10 Rewrites OS Architecture - Alex Ionescu - BHUSA2015](https://www.youtube.com/watch?v=LqaWIn4y26E&index=15&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7) - * [Slides](http://www.alex-ionescu.com/blackhat2015.pdf) + * **Articles/Blogposts/Writeups** + * [*Puff* *Puff* PSExec - Jonathan Renard](https://www.toshellandback.com/2017/02/11/psexec/) + * [PsExec and the Nasty Things It Can Do](http://www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html) + * An overview of what PsExec is and what its capabilities are from an administrative standpoint. + * [Pass-the-Hash is Dead: Long Live Pass-the-Hash - harmj0y](http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/) + * [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) + * [Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00) + * [Still Passing the Hash 15 Years Later](http://passing-the-hash.blogspot.com/) + * [The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1](http://www.alex-ionescu.com/?p=97) + * [Et tu Kerberos - Christopher Campbell](https://www.youtube.com/watch?v=RIRQQCM4wz8) + * For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known- but the problems with Kerberos have only recently surfaced. 
In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC- Pass-the-Hash- Golden Ticket- Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately- we don’t really know what is next – only that what we have now is broken. + * [Battle Of SKM And IUM How Windows 10 Rewrites OS Architecture - Alex Ionescu - BHUSA2015](https://www.youtube.com/watch?v=LqaWIn4y26E&index=15&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7) + * [Slides](http://www.alex-ionescu.com/blackhat2015.pdf) + * **Tools** + * [smbexec](https://github.com/pentestgeek/smbexec) + * A rapid psexec style attack with samba tools + * [Blogpost that inspired it](http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html) + * [pth-toolkit I.e Portable pass the hash toolkit](https://github.com/byt3bl33d3r/pth-toolkit) + * A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems * **SCM** * [Lateral Movement — SCM and DLL Hijacking Primer - Dwight Hohnstein](https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992) * **WinRM** 
@@ -1625,6 +2445,7 @@ * [Noob 101: Practical Techniques for AV Bypass - Jared Hoffman - ANYCON 2017](http://www.irongeek.com/i.php?page=videos/anycon2017/103-noob-101-practical-techniques-for-av-bypass-jared-hoffman) * The shortcomings of anti-virus (AV) solutions have been well known for some time. Nevertheless, both public and private organizations continue to rely on AV software as a critical component of their information security programs, acting as a key protection mechanism over endpoints and other information systems within their networks. As a result, the security posture of these organizations is significantly jeopardized by relying only on this weakened control. * **Educational** + * [Bypass Antivirus Dynamic Analysis: Limitations of the AV model and how to exploit them - Emeric Nasi(2014)](https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf) * [Learn how to hide your trojans, backdoors, etc from anti virus.](https://www.hellboundhackers.org/articles/read-article.php?article_id=842) * [Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14](https://www.youtube.com/watch?v=Sl1Sru3OwJ4) * [Muts Bypassing AV in Vista/Pissing all over your AV](https://web.archive.org/web/20130514172102/http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4) 
@@ -1648,6 +2469,7 @@ * [Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus - n00py](https://www.n00py.io/2018/06/executing-meterpreter-in-memory-on-windows-10-and-bypassing-antivirus/) * [Simple AV Evasion Symantec and P4wnP1 USB - Frans Hendrik Botes](https://medium.com/@fbotes2/advance-av-evasion-symantec-and-p4wnp1-usb-c7899bcbc6af) * [How to Bypass Anti-Virus to Run Mimikatz - Carrie Roberts(2017)](https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/) + * [DeepSec 2013 Talk: Easy Ways To Bypass Anti-Virus Systems - Attila Marosi](https://blog.deepsec.net/deepsec-2013-talk-easy-ways-to-bypass-anti-virus-systems/) * **Talks & Presentations** * [Adventures in Asymmetric Warfare by Will Schroeder](https://www.youtube.com/watch?v=53qQfCkVM_o) * As a co-founder and principal developer of the Veil-Framework, the speaker has spent a considerable amount of time over the past year and a half researching AV-evasion techniques. This talk will briefly cover the problem space of antivirus detection, as well as the reaction to the initial release of Veil-Evasion, a tool for generating AV-evading executables that implements much of the speaker’s research. We will trace through the evolution of the obfuscation techniques utilized by Veil-Evasion’s generation methods, culminating in the release of an entirely new payload language class, as well as the release of a new ..NET encryptor. The talk will conclude with some basic static analysis of several Veil-Evasion payload families, showing once and for all that antivirus static signature detection is dead. 
@@ -1864,11 +2686,7 @@ * [Red Teaming in the EDR age - Will Burgess](https://www.youtube.com/watch?v=l8nkXCOYQC4) * **Tools** * [Sharp-Suite - Process Argument Spoofing](https://github.com/FuzzySecurity/Sharp-Suite) -* **Virtualbox** - * [VirtualBox Detection Via WQL Queries](http://waleedassar.blogspot.com/) - * [Bypassing VirtualBox Process Hardening on Windows](https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html) - * [VBoxHardenedLoader](https://github.com/hfiref0x/VBoxHardenedLoader) - * VirtualBox VM detection mitigation loader + diff --git a/Draft/Programming_Language_Security.md b/Draft/Programming_Language_Security.md index 778a489..0937963 100755 --- a/Draft/Programming_Language_Security.md +++ b/Draft/Programming_Language_Security.md 
@@ -19,6 +19,78 @@ * [Papers](#papers) + + + + + +https://github.com/Instagram/LibCST +https://pyre-check.org/ + + +https://github.com/facebookincubator/SPARTA +https://engineering.fb.com/security/zoncolan/ +* [Static Analysis at Scale: An Instagram Story - Benjamin Woodruff](https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c) + +https://github.com/IOActive/RepoSsessed +* [PHP The Right Way](http://www.phptherightway.com/) +* [Exploiting PHP7 unserialize - Yannay Livneh (33c3)](https://media.ccc.de/v/33c3-7858-exploiting_php7_unserialize) + * PHP-7 is a new version of the most prevalent server-side language in use today. Like previous version, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from exploiters and vulnerability researchers point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and present re-usable primitives for remote exploitation of these vulnerabilities. +* [Damn Small Vulnerable Web in Docker](https://blog.appsecco.com/damn-small-vulnerable-web-in-docker-fd850ee129d5) +https://github.com/OWASP/Benchmark +* [I Forgot Your Password: Randomness Attacks Against PHP Applications - George Argyros, Aggelos Kiayis](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.360.4033&rep=rep1&type=pdf) +* [10 common security gotchas in Python and how to avoid them - Anthony Shaw](https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03?gi=ac211b3349e8) +https://viewsourcecode.org/snaptoken/kilo/index.html + +* [Roslyn](https://github.com/dotnet/roslyn) + * Roslyn provides open-source C# and Visual Basic compilers with rich code analysis APIs. It enables building code analysis tools with the same APIs that are used by Visual Studio. 
+ * [Overview](https://github.com/dotnet/roslyn/wiki/Roslyn%20Overview) +http://pentest.cryptocity.net/code-audits/ +* [Typeful Programming - Luca Cardelli](http://lucacardelli.name/Papers/TypefulProg.pdf) + +https://danger.systems/js/ +https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons +https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html + + +https://github.com/mre/awesome-static-analysis +https://github.com/troessner/reek +https://github.com/seattlerb/flay +https://github.com/seattlerb/flog +https://github.com/whitesmith/rubycritic +http://www.rubyguides.com/2015/08/static-analysis-in-ruby/ +https://github.com/rubocop-hq/rubocop +https://realpython.com/python-csv/ + +https://gist.github.com/carnal0wnage/ed9e4c10e065bd00e21e2af67301e9d9 + +https://blog.ripstech.com/2018/woocommerce-php-object-injection/ + + +* [Static Analysis at Scale: An Instagram Story - Benjamin Woodruff](https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c) + + + +https://www.blackhillsinfosec.com/pyfunnels-data-normalization-for-infosec-workflows/ +https://github.com/packetvitality/PyFunnels +https://www.sans.org/reading-room/whitepapers/OpenSource/pyfunnels-data-normalization-infosec-workflows-38785 + +https://github.com/slackhq/go-audit + + +* [RSA Encore: The Emergent Cloud Security Toolchain for CI/CD - SignalSciences](https://info.signalsciences.com/cloud-security-toolchain-ci-cd-rsa-2018-encore-web-ty?) +* [The Evil within the Comparison Functions - Andrey Karpov](https://www.viva64.com/en/b/0509/) + + + + + + + + + + + ----------- ### General * The content here is just stuff I've come across or think would be useful to someone in infosec. It is not to be taken as anything beyond a suggestion about stuff. diff --git a/Draft/RE.md b/Draft/RE.md index 85b942d..ee3fbc5 100755 --- a/Draft/RE.md +++ b/Draft/RE.md 
@@ -18,18 +18,45 @@ * [Papers](#papers) * [Wikis & Useful Sites](#wikis) +http://ropgadget.com/posts/pebwalk.html +https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff + + + + +* https://github.com/JusticeRage/Manalyze +* https://bordplate.no/blog/en/post/debugging-a-windows-service/ + + +* [How to break PDF Signatures](https://www.pdf-insecurity.org/) + * [Technical Writeup](https://www.pdf-insecurity.org/signature/signature.html) * **ToDo** * A proper ToC * Sort bottom section +https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/ +* [Advanced Portable Executable File Analyzer](https://github.com/blacknbunny/peanalyzer) + * Advanced Portable Executable File Analyzer And Disassembler 32 & 64 Bit +* [Debugging with Symbols - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/DxTechArts/debugging-with-symbols) +https://secrary.com/Random/unexported/ - - +PDF +http://joxeankoret.com/blog/2010/02/21/analyzing-pdf-exploits-with-pyew/ +https://blog.didierstevens.com/2008/10/30/pdf-parserpy/ +http://blog.9bplus.com/ +http://blog.9bplus.com/scoring-pdfs-based-on-malicious-filter/ +http://honeynet.org/node/1304 +https://itsjack.cc/blog/2017/08/analysingdetecting-malicious-pdfs-primer/ +https://securityoversimplicity.wordpress.com/2017/09/28/not-all-she-wrote-part-1-rigged-pdfs/ +https://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/ +https://blog.didierstevens.com/programs/pdf-tools/ +https://blog.didierstevens.com/2009/03/31/pdfid/ +https://www.cs.unm.edu/~eschulte/data/bed.pdf -------------- ### General diff --git a/Draft/RT.md b/Draft/RT.md index 51c2f8a..cc2ec5e 100644 --- a/Draft/RT.md +++ b/Draft/RT.md 
@@ -24,9 +24,107 @@ * **To Do** + +https://github.com/mthbernardes/GTRS/blob/master/README.md +https://github.com/tearsecurity/firstorder +https://github.com/CylanceSPEAR/MarkovObfuscate + + +https://www.sprocketsecurity.com/blog/penetration-testing-dropbox-setup-part2 + +https://mthbernardes.github.io/persistence/2019/03/07/using-firefox-webextensions-as-c2-client.html +https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/ + + + +https://github.com/gen0cide/gscript + + + +https://github.com/panagioto/Covenant + + +https://www.irongeek.com/i.php?page=videos/derbycon7/t315-game-on-using-red-team-to-rapidly-evolve-your-defenses-joff-thyer-pete-petersen + +https://www.irongeek.com/i.php?page=videos/derbycon7/t211-common-assessment-mistakes-pen-testers-and-clients-should-avoid-brent-white-tim-roberts + +* [Modern Defenses and YOU!](https://blog.cobaltstrike.com/2017/10/25/modern-defenses-and-you/) +* [OPSEC Considerations for Beacon Commands](https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/) +* [Red Team Tradecraft and TTP Guidance](https://sec564.com/#!docs/tradecraft.md) +* [Fighting the Toolset](https://www.youtube.com/watch?v=RoqVunX_sqA) + +https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43 +https://github.com/psychsecurity/Red-Team-Infrastructure +* [Red Teaming in the EDR age - Will Burgess - WWF HackFest 2018](https://www.youtube.com/watch?v=l8nkXCOYQC4) + * Will Burgess is a security consultant with experience across both defensive and offensive cyber security. Will previously worked as a Threat Hunter within MWR's Countercept Division and specialised in detecting advanced malware across enterprises. As part of his role, Will researched attack techniques used by a wide range of malware families (including popular commercial tools such as Cobalt Strike), developed new ways of catching attackers, and presented this research at different conferences. 
Most recently, Will has been involved in red team engagements, putting his extensive knowledge of detection to bypass and hide from existing Endpoint Detection & Response (EDR) tools and AV solutions. Will's research interests include advanced attack detection, Windows internals, and finding new techniques for post exploitation in Windows environments. +* [RedTeaming from Zero to One – Part 1](https://payatu.com/RedTeaming-from-zero-to-one-part-1/) +* [RedTeaming from Zero to One – Part 2 - Rashid Feroze](https://payatu.com/redteaming-zero-one-part-2/) * Sort articles better * Add pivoting stuff from postex/privesc * add usb/hw related stuff +* [Cons and Conjurers Lessons for Infiltration - Paul Blonsky - BSides Cleveland](https://www.youtube.com/watch?v=jRgOVCBg_Q4) +* [There is a shell in your lunch-box - Rotimi Akinyele](https://hakin9.org/shell-lunch-box-rotimi-akinyele/) +* [Cons and Conjurers Lessons for Infiltration - Paul Blonsky - BSides Cleveland](https://www.youtube.com/watch?v=jRgOVCBg_Q4) +* [No More Secrets - Sneakers](https://github.com/bartobri/no-more-secrets) + * This project provides a command line tool called nms that recreates the famous data decryption effect seen on screen in the 1992 hacker movie Sneakers. +* [Windows API resolution via hashing](https://github.com/LloydLabs/Windows-API-Hashing) + * Although this method of API obfuscation is relatively old, my friend who was wanting to increase his skills in the Windows sphere confronted me about a way a few malware families seem to resolve APIs. It's pretty simple, however he could not find any documentation with a solid programming example on the matter at the time, so I thought I'd quickly write something up regarding it. I was going to write my own loader for this example (loading the desired module via LdrLoadDll within kernel32.dll, walking the InMemoryOrderModuleList to find the desired loaded module, finding the exported function we're after within the EAT..) 
- however I thought this might of have been a bit overkill for such a simple concept, I want to cover writing your own PE loader in the future though as it's an interesting subject. +https://posts.specterops.io/being-a-good-domain-shepherd-part-2-5e8597c3fe63 +* [Evading Anomaly-Based NIDS with Empire - utkusen.com](https://utkusen.com/blog/bypassing-anomaly-based-nids-with-empire.html) + +https://github.com/nccgroup/phantap +https://github.com/SecurityRiskAdvisors/VECTR +* [Empire & Tool Diversity: Integration is Key - sixdub](https://www.sixdub.net/?p=627) + +https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2/ +https://www.youtube.com/watch?v=OjtftdPts4g + +* [Evading Anomaly-Based NIDS with Empire - utkusen.com](https://utkusen.com/blog/bypassing-anomaly-based-nids-with-empire.html) +https://attactics.org/2019/07/18/cslogwatch-cobalt-strike-tracking-parsing-storage/ +* [e2modrewrite](https://github.com/infosecn1nja/e2modrewrite) + * Convert Empire profiles to Apache mod_rewrite scripts + + + +https://blog.stratumsecurity.com/2018/10/17/route-53-as-a-pentest-infrastructure/ + +https://github.com/operatorequals/covertutils + + +* [cmd.exe running any file no matter what extension - Hexacorn](http://www.hexacorn.com/blog/2019/04/21/cmd-exe-running-any-file-no-matter-what-extension/) +https://github.com/Mr-Un1k0d3r/ClickOnceGenerator +* [intrigue-core](https://github.com/intrigueio/intrigue-core) + * Intrigue-core is a framework for external attack surface discovery and automated OSINT. 
+See payloads section in Postex_Privesc} +https://github.com/byt3bl33d3r/SILENTTRINITY +https://github.com/jymcheong/AutoTTP +https://github.com/vysecurity/RedTips +https://github.com/taherio/redi/ +* [Let's Create A Redteam Mission - Alex Kouzmine - BlackAlps 2018](https://www.youtube.com/watch?v=-kK8K-UVhWY) +https://vanmieghem.io/reigning-the-empire-evading-detection/ + +* [How to Make Communication Profiles for Empire - Jeff Dimmock](https://posts.specterops.io/how-to-make-communication-profiles-for-empire-46da8554338a) +* [Being a Good Domain Shepherd - Christopher Maddalena](https://posts.specterops.io/being-a-good-domain-shepherd-57754edd955f?gi=2cadd2578045) + + * We wrote a tool called firstorder, which analyses the network traffic and identifies normal traffic profile. With this information, it configures Empire’s listener. So with this listener, we have a good chance to evade listener-agent communication from an -application layer- anomaly based NIDS, since we are matching with normal traffic profile. +* [firstorder](https://github.com/tearsecurity/firstorder) + * firstorder is designed to evade Empire's C2-Agent communication from anomaly-based intrusion detection systems. It takes a traffic capture file (pcap) of the network and tries to identify normal traffic profile. According to results, it creates an Empire HTTP listener with appropriate options. +https://www.tarlogic.com/en/blog/red-team-tales-0x01/ +https://www.mdsec.co.uk/2018/06/freestyling-with-sharpshooter-v1-0/ + +https://github.com/sveinbjornt/Platypus +* [PentestHardware](https://github.com/unprovable/PentestHardware) + * Kinda useful notes collated together publicly + +https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html + +https://github.com/SecurityRiskAdvisors/RedTeamSIEM + + + + +https://zachgrace.com/2018/05/20/Red_Team_Telemetry_Part_1.html +https://github.com/ztgrace/pwnboard -------------- 
@@ -63,8 +161,6 @@ * **Building a Red Team** * [Building A Successful Internal Adversarial Simulation Team - C. Gates & C. Nickerson - BruCON 0x08](https://www.youtube.com/watch?v=Q5Fu6AvXi_A&list=PLtb1FJdVWjUfCe1Vcj67PG5Px8u1VY3YD&index=1) * [Zero to Hero – Building a Red Team - Robert Neel & David Thompson](http://penconsultants.com/blog/presentation-zero-to-hero-building-a-red-team/) - * [Zero to Hero – A Red Team’s Journey - Robert Neel & David Thompson](http://penconsultants.com/blog/presentation-zero-to-hero-a-red-teams-journey/) - * [Building A Successful Internal Adversarial Simulation Team - C. Gates & C. Nickerson - BruCON 0x08](https://www.youtube.com/watch?v=Q5Fu6AvXi_A&list=PLtb1FJdVWjUfCe1Vcj67PG5Px8u1VY3YD&index=1) * **Generally Relevant/Useful Information** * [The ‘Laws’ of Red Teaming - RedTeam Journal](https://redteamjournal.com/red-teaming-laws/) * Red teaming is governed by informal and wholly unscientific “laws” based largely on human nature. These laws are driven by paradox and, in many cases, a healthy dose of humor. We state some from a general perspective, some from the perspective of the customer or sponsor, and some from the perspective of the red team. Enjoy. We add to these as the mood strikes. (For an alternative list of rules, try the one at redteams.net.) diff --git a/Draft/Rootkits.md b/Draft/Rootkits.md index 6c06749..0f5c5ec 100755 --- a/Draft/Rootkits.md +++ b/Draft/Rootkits.md @@ -10,6 +10,25 @@ * [Tools](#tools) + + + + + + + + + + + + + + + +* https://github.com/katlogic/WindowsD +https://www.youtube.com/watch?v=Ul8uPvlOsug&index=43&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3 +https://github.com/bytecode77/r77-rootkit + ----------------- ## Rootkits * **101** diff --git a/Draft/SCA.md b/Draft/SCA.md index a6c088b..9601ddd 100644 --- a/Draft/SCA.md +++ b/Draft/SCA.md 
@@ -7,6 +7,9 @@ * [ChipWhisperer](http://www.newae.com/chipwhisperer) * ChipWhisperer is the first ever open-source solution that provides a complete toolchain for research and analysis of embedded hardware security. Side Channel Power Analysis, Clock Glitching, VCC Glitching, and more are all possible with this unique tool. +https://blog.xpnsec.com/total-meltdown-cve-2018-1038/ + +https://misc0110.net/web/files/netspectre.pdf --------------------- ### Side-Channel Attacks diff --git a/Draft/SCADA.md b/Draft/SCADA.md index 13ca5fd..355d3f3 100644 --- a/Draft/SCADA.md +++ b/Draft/SCADA.md @@ -14,9 +14,9 @@ +https://labs.mwrinfosecurity.com/blog/offensive-ics-exploitation-a-technical-description/ - - +https://scadahacker.com/training.html ---------------------- ### General * **101/Educational** diff --git a/Draft/SE.md b/Draft/SE.md index 90bca17..b7ff6e0 100755 --- a/Draft/SE.md +++ b/Draft/SE.md @@ -10,7 +10,8 @@ - [Tools](#tools) - +* [Make Vishing Suck Less - Jonathan Stines(Layer8 2018)](https://www.youtube.com/watch?v=4DphohJvnx8&index=5&list=UUynWOUeHAOflEQtJnrZpkNA) + * The purpose of this talk is to describe methodologies which one could follow when performing telephone pretexting. Social dynamics have changed over the years causing the entry barrier to being successful with Vishing more difficult and talking on the telephone less comfortable. The aim of this speech will be to crack the code for a newb getting started so he or she can hit the ground running, jump on the horn, and start pwning some folks like it's 1989. ------------------------ ### Articles diff --git a/Draft/UX.md b/Draft/UX.md index 694befe..d4e8db8 100755 --- a/Draft/UX.md +++ b/Draft/UX.md 
@@ -9,6 +9,22 @@ * [Websites/Organizations](#web) +UX Strategy: How to Devise Innovative Digital Products that People Want +Mapping Experiences: A Complete Guide to Creating Value through Journeys, Blueprints, and Diagrams +How to Make Sense of Any Mess: Information Architecture for Everybody +The Elements of User Experience: User-Centered Design for the Web and Beyond (2nd Edition) (Voices That Matter) +Articulating Design Decisions: Communicate with Stakeholders, Keep Your Sanity, and Deliver the Best User Experience +UX Research: Practical Techniques for Designing Better Products +Lean UX: Applying Lean Principles to Improve User Experience +Information Architecture: For the Web and Beyond +http://www.catb.org/~esr/html-hell.html + + + + + + + --------------------------- ### General User Interface/User Experience Design diff --git a/Draft/Web.md b/Draft/Web.md index 7365038..7d1b73f 100755 --- a/Draft/Web.md +++ b/Draft/Web.md 
@@ -79,6 +79,266 @@ - [Google Compute Cloud/AppEngine](#gcc) - [BugBounty Writeups](#bugbounty) +https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi +https://x-c3ll.github.io/posts/parasite-web-server-process/ +* [Robust Defenses for Cross-Site Request Forgery](http://theory.stanford.edu/people/jcm/papers/ccs2008-barth.pdf) +* [Exploiting XXE Vulnerabilities In File Parsing Functionality - Willis Vandevanter - BHUSA 2015](https://www.youtube.com/watch?v=LZUlw8hHp44) + * In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed. 
+* [Exploiting CVE-2016-4264 With OXML_XXE](https://www.silentrobots.com/blog/2016/10/02/exploiting-cve-2016-4264-with-oxml-xxe/) + * https://seclab.stanford.edu/websec/framebusting/framebust.pdf + * https://tools.ietf.org/html/rfc7034 + * https://www.nccgroup.trust/us/fabout-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/ +https://nets.ec/File_Inclusion +https://github.com/P0cL4bs/Kadimus +https://github.com/m101/lfipwn + +https://github.com/s0md3v/Arjun +https://github.com/phra/rustbuster +https://github.com/yamakira/domains-from-csp +https://securityheaders.com/ +* [Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center - Daniel Somerfield(OWASP AppSec SF 15)](https://www.youtube.com/watch?v=OUSvv2maMYI) +* [SSH "accept : too many open files" on OS X when using Burp - dewhurstsecurity.com](https://blog.dewhurstsecurity.com/2013/04/08/ssh-too-many-open-files-burp.html) +https://github.com/usdAG/cstc +https://github.com/sensepost/gowitness +https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + +* [Cerberus FTP Blind Cross-Site Scripting to remote code execution as SYSTEM. 
(Version 9 and 10) - Kevin(secu.dk)] +https://github.com/we45/Serverless-Workshop +https://www.balda.ch/posts/2013/Jun/23/python-web-frameworks-pickle/ + +https://hackernoon.com/azure-brute-farce-17e27dc05f85?gi=b3fa876cd4b5 + +https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn + +https://github.com/DenizParlak/Hayat + +https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ +* [AWS IAM Privilege Escalation – Methods and Mitigation - Spencer Gietzen](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +https://github.com/OAI/OpenAPI-Specification +https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html + +* [Reverse engineering AWS Lambda - denialof.service](https://www.denialof.services/lambda/) +* [Firefox uXSS and CSS XSS - leucosite.com](https://leucosite.com/Firefox-uXSS-and-CSS-XSS/) +https://github.com/bishopfox/eyeballer +https://github.com/HoLyVieR/prototype-pollution-nsec18 + +https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/ +https://github.com/aws-samples/aws-serverless-security-workshop + +https://github.com/superhedgy/AttackSurfaceMapper +https://github.com/PortSwigger/postman-integration +https://pen-testing.sans.org/blog/2015/12/20/pen-testing-node-js-staying-n-sync-can-make-the-server-go-bye-bye-bye +https://medium.com/@89berner/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec + +https://danielsomerfield.github.io/turtles/ + + +* [RCE in Hubspot with EL injection in HubL - betterhacker.com](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) + * "This is the story of how I was able to get remote code execution on Hubspot's servers by exploiting a vulnerability in HubL expression language, which is used for creating templates and custom modules within the Hubspot CRM." 
+ + +Jetty + https://www.appsecconsulting.com/blog/making-jetty-bleed + https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html + +Useful List of file paths to check: +http://www.r00tsec.com/2014/04/useful-list-file-for-local-file.html +https://github.com/maaaaz/webscreenshot +https://github.com/theori-io/zer0con2018_bpak/blob/master/Chrome_Analysis_Zer0Con_2018_Final.pdf +https://fetch.spec.whatwg.org/#goals +http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html +https://www.w3.org/TR/webauthn/ +http://blog.portswigger.net/2016/07/executing-non-alphanumeric-javascript.html +http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html +https://mechatechsec.blogspot.com/2018/01/dom-xss-intro.html +https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html +https://github.com/yuvadm/viewstate +https://www.forcepoint.com/blog/security-labs/manual-reverse-engineering-webassembly-static-code-analysis +https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries-initial-feel-and-behavioral-analysis +https://github.com/Shiva108/WAES + + +https://www.allysonomalley.com/2018/12/03/ios-bug-hunting-web-view-xss/ +https://medium.com/tsscyber/penetration-testing-window-opener-xss-vectors-part-1-c6be37701cab +https://www.netsparker.com/blog/web-security/bypass-disabled-system-functions/ +https://www.netsparker.com/blog/web-security/tabnabbing-protection-bypass/ +https://speakerdeck.com/andresriancho/automated-security-analysis-aws-clouds + +https://xorl.wordpress.com/2017/12/11/microsoft-excel-csv-code-execution-injection-method/ +https://www.contextis.com/blog/comma-separated-vulnerabilities +https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries +https://www.forcepoint.com/blog/security-labs/webassembly-potentials-and-pitfalls +https://github.com/nccgroup/CrossSiteContentHijacking 
+https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/python/xxe-server.py +https://blog.netspi.com/playing-content-type-xxe-json-endpoints/ +www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf +https://github.com/maaaaz/webscreenshot +https://github.com/mdhama/lazyshot +https://es.slideshare.net/HackIT-ukraine/15-technique-to-exploit-file-upload-pages-ebrahim-hegazy +https://github.com/fgeek/pyfiscan + +https://rhinosecuritylabs.com/research/xml-external-entity-injection-xxe-cve-2018-5758/ +https://leucosite.com/Microsoft-Edge-RCE/ + +https://rhinosecuritylabs.com/application-security/xxe-zeroday-vulnerability-in-hp-project/ + + +http://www.visualsitemapper.com/ +https://www.theregister.co.uk/2019/08/10/memory_corruption_sqlite/ + + + +https://swagger.io/docs/specification/about/ +https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md + +https://github.com/mvetsch/JWT4B + +JS recon +https://github.com/GerbenJavado/LinkFinder +https://github.com/nahamsec/JSParser +https://medium.com/bugbountywriteup/bug-bounty-tips-tricks-js-javascript-files-bdde412ea49d +* [Instrumenting Electron Apps for Security Testing - Paolo Stagno](https://blog.doyensec.com/2018/07/19/instrumenting-electron-app.html) + +* [Gone in 60 Milliseconds (33c3)2016](https://www.youtube.com/watch?v=YZ058hmLuv0)
* This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud. +https://www.youtube.com/watch?v=nsjCQlEsgW8 +https://depthsecurity.com/blog/exploiting-custom-template-engines + +https://github.com/psi-probe/psi-probe +https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017 +https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins +https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/ + +VHostScan +https://github.com/codingo/VHostScan +https://github.com/eldraco/domain_analyzer +https://github.com/jpf/domain-profiler + +http://httpsecure.org/?works=how-to-exploit-http-methods-put-and-delete +MIME Sniffing +https://mimesniff.spec.whatwg.org/#matching-a-mime-type-pattern +Media Type Sniffing - https://tools.ietf.org/html/draft-abarth-mime-sniff-06 +https://jankopecky.net/index.php/2017/04/18/0day-textplain-considered-harmful/ +https://www.w3.org/Protocols/rfc822/#z26 + + + +Browser Extensions + * https://www.usenix.org/system/files/conference/cset17/cset17-paper-dekoven.pdf + * https://www.usenix.org/node/205856 + * https://kjaer.io/extension-malware/ + * https://www.labnol.org/internet/sold-chrome-extension/28377/ + * https://developer.chrome.com/extensions/xhr#security-considerations + * https://developer.chrome.com/extensions/contentSecurityPolicy#interactions + * https://medium.freecodecamp.org/cool-chrome-devtools-tips-and-tricks-you-wish-you-knew-already-f54f65df88d2 + + +* [BookFresh Tricky File Upload Bypass to RCE - secgeek.net](https://secgeek.net/bookfresh-vulnerability/) +OAuth +* [OAuth 2.0 Security Best Current 
Practice draft-ietf-oauth-security-topics-05 - Expires Sept19,2018](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-05) + * This document describes best current security practices for OAuth 2.0.. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and cover new threats relevant due to the broader application of OAuth 2.0. +* [OAuth 2.0 Dynamic Client Registration Protocol - rfc7591](https://tools.ietf.org/html/rfc7591) + * This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration. +* [The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request - ietf.org](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15) + * The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. 
This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference. +* [OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens - ietf](https://tools.ietf.org/html/draft-ietf-oauth-mtls-07) + * This document describes Transport Layer Security (TLS) mutual authentication using X.509 certificates as a mechanism for OAuth client authentication to the authorization sever as well as for certificate bound sender constrained access tokens as a method for a protected resource to ensure that an access token presented to it by a given client was issued to that client by the authorization server. + + + + + + + + +* [Fuzzing JSON Web Services: Simple guide how to fuzz JSON web services properly - secapps](https://secapps.com/blog/2018/03/fuzzing-json-web-services) + + +https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/ + +SQL +* ["How I hacked PacketStorm" - rain forest puppy](http://www.ouah.org/rfp.txt) +https://github.com/GerbenJavado/LinkFinder +https://www.lanmaster53.com/2015/04/24/burp-suite-visual-aids/ +https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn +https://github.com/lanjelot/albatar +https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html +* [No Place Like Chrome - xorrior](https://www.xorrior.com/No-Place-Like-Chrome/) + +https://github.com/hehnope/slurp +* [Reverse shell on a Node.js application - wiremask.eu](https://wiremask.eu/writeups/reverse-shell-on-a-nodejs-application/) +https://medium.com/@imashishmathur/0auth-a142656859c6 
+https://gist.github.com/akhil-reni/e2116cc243af096ca3416168f49b3298 +https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 +https://medium.com/secjuice/waf-evasion-techniques-718026d693d8 +https://github.com/streaak/keyhacks?mc_cid=2c7d4caad8&mc_eid=e91018dc5d#Google-Maps-API-key +https://medium.com/netflix-techblog/netflix-cloud-security-detecting-credential-compromise-in-aws-9493d6fd373a +https://medium.com/netflix-techblog/netflix-information-security-preventing-credential-compromise-in-aws-41b112c15179 +* [Azure ATP Security Alerts - docs.ms](https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide) +* [novahot](https://github.com/chrisallenlane/novahot) + * novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locallly using your preferred applications. + +* [Inventory-BrowserExts - keyboardcrunch](https://github.com/keyboardcrunch/Inventory-BrowserExts) + * This script can inventory Firefox and/or Chrome extensions for each user from a list of machines. It returns all the information back in a csv file and prints to console a breakdown of that information. + +* [Firefed](https://github.com/numirias/firefed) + * Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser. 
+ +https://gravitational.com/blog/how-saml-authentication-works/ +* [HTML Punctuation Symbols, Punctuation Entities and ASCII Character Code Reference - toptotal.com](https://www.toptal.com/designers/htmlarrows/punctuation/) + +https://onecloudplease.com/blog/s3-bucket-namesquatting +* [intrigue-core](https://github.com/intrigueio/intrigue-core) + * Intrigue-core is a framework for external attack surface discovery and automated OSINT. + +* [Sunny Wear's Brakeing Down Security Web App Sec Training](https://www.youtube.com/playlist?list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo&app=desktop) +* [Web Server Screenshots with a Single Command - Carrie Roberts](https://www.blackhillsinfosec.com/web-server-screenshots-single-command/) + +* [Everything about the CSV Excel Macro Injection - Ishaq Mohammed](http://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/) +* [From CSV to CMD to qwerty - exploresecurity](http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/) +* [Everything about the CSV Excel Macro Injection - Ishaq Mohammed](http://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/) +* [Tricks to improve web app excel export attacks(Slides) - Jerome Smith - CamSec2016]() + * [Video](https://www.youtube.com/watch?v=3wNvxRCJLQQ) + * This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides. This talk also had more demos. +* [CSV Injection Revisited - Making Things More Dangerous(and fun) - Andy Gill](https://blog.zsec.uk/csv-dangers-mitigations/) +* [From CSV to Meterpreter - XPNSec](https://xpnsec.tumblr.com/post/133298850231/from-csv-to-meterpreter) +* [CSV Injection- There's devil in the detail - Sunil Joshi](https://www.we45.com/blog/2017/02/14/csv-injection-theres-devil-in-the-detail) +* [CSV injection: Basic to Exploit!!!! 
- Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) +https://github.com/IAIK/jstemplate +* [RFC5785: Defining Well-Known Uniform Resource Identifiers (URIs)](https://tools.ietf.org/html/rfc5785) +https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972976(v=msdn.10) +Subdomain recon +https://github.com/nccgroup/CrossSiteContentHijacking/ +https://github.com/flipkart-incubator/Astra/ + +https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 +* [Fingerprinter](https://github.com/erwanlr/Fingerprinter) + * This script goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach. + + +https://medium.com/@nahoragg/chaining-cache-poisoning-to-stored-xss-b910076bda4f + +* [NT Web Technology Vulnerabilities - rain.forest.puppy](http://phrack.org/issues/54/8.html) + +https://github.com/disruptops/cred_scanner +* [The HTML Handbook - Flavio Copes](https://www.freecodecamp.org/news/the-html-handbook/) + + + * **User-Profiling** + * [Browser fingerprints for a more secure web - Julien Sobrier & Ping Yan(OWASP AppSecCali2019)](https://www.youtube.com/watch?v=P_nYYsaVi1w&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=30&t=0s) + + +* [CloudFlair: Bypassing Cloudflare using Internet-wide scan data - blog.christophetd](https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/) +* [CloudFlair](https://github.com/christophetd/CloudFlair) + * CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name. 
+* [Exposing Server IPs Behind CloudFlare - chokepoint](http://www.chokepoint.net/2017/10/exposing-server-ips-behind-cloudflare.html) + + +WebUSB +https://labs.mwrinfosecurity.com/blog/webusb/ + + + 
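Review bot: several of the added lines in this Web.md hunk are duplicates or broken links and should be deduplicated before merge. `https://github.com/GerbenJavado/LinkFinder` is added under "JS recon" and again in the "SQL" block further down; "Everything about the CSV Excel Macro Injection - Ishaq Mohammed" appears twice in the CSV injection list two lines apart; and the detectify S3 access-controls post added here as a bare URL is added again, with a title, in the S3 hunk of this same file. The entry `* [Tricks to improve web app excel export attacks(Slides) - Jerome Smith - CamSec2016]()` has an empty link target and renders as dead text; either supply the slides URL or drop the link syntax and keep only the `[Video]` sub-item. Minor: "locallly" in the novahot description, and most of the new lines are bare URLs with no title or description while the rest of the file uses `* [Title - Author](url)`, so consider converting them to keep the entries searchable.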
@@ -1649,17 +1909,21 @@ fuse.ca/race-conditions-in-web-applications.htm) * [An Introduction to Penetration Testing AWS: Same Same, but Different - GracefulSecurity](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/) * [Using DNS to Break Out of Isolated Networks in a AWS Cloud Environment](https://dejandayoff.com/using-dns-to-break-out-of-isolated-networks-in-a-aws-cloud-environment/) * Customers can utilize AWS' DNS infrastructure in VPCs (enabled by default). Traffic destined to the AmazonProvidedDNS is traffic bound for AWS management infrastructure and does not egress via the same network links as standard customer traffic and is not evaluated by Security Groups. Using DNS exfiltration, it is possible to exfiltrate data out of an isolated network. -* **S3 Buckets** - * [bucket-stream](https://github.com/eth0izzle/bucket-stream/blob/master/README.md) - * This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name. - * [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) - * Security Tool to Look For Interesting Files in S3 Buckets - * [buckethead.py](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools) - * buckethead.py searches across every AWS region for a variety of bucket names based on a domain name, subdomains, affixes given and more. Currently the tool will only present to you whether or not the bucket exists or if they're listable. If the bucket is listable, then further interrogation of the resource can be done. It does not attempt download or upload permissions currently but could be added as a module in the future. You will need the awscli to run this tool as this is a python wrapper around this tool. 
- * [slurp](https://github.com/bbb31/slurp) - * Enumerate S3 buckets via certstream, domain, or keywords - * [Bucketlist](https://github.com/michenriksen/bucketlist) - * Bucketlist is a quick project I threw together to find and crawl Amazon S3 buckets and put all the data into a PostgreSQL database for querying. +* **Mapping** +* **S3** + * **Articles/Blogposts/Writeups** + * [A deep dive into AWS S3 access controls – taking full control over your assets - labs.detectify](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/) + * **Tools** + * [bucket-stream](https://github.com/eth0izzle/bucket-stream/blob/master/README.md) + * This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name. + * [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) + * Security Tool to Look For Interesting Files in S3 Buckets + * [buckethead.py](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools) + * buckethead.py searches across every AWS region for a variety of bucket names based on a domain name, subdomains, affixes given and more. Currently the tool will only present to you whether or not the bucket exists or if they're listable. If the bucket is listable, then further interrogation of the resource can be done. It does not attempt download or upload permissions currently but could be added as a module in the future. You will need the awscli to run this tool as this is a python wrapper around this tool. + * [slurp](https://github.com/bbb31/slurp) + * Enumerate S3 buckets via certstream, domain, or keywords + * [Bucketlist](https://github.com/michenriksen/bucketlist) + * Bucketlist is a quick project I threw together to find and crawl Amazon S3 buckets and put all the data into a PostgreSQL database for querying. 
* **Securing** * [AWS Security Primer](https://cloudonaut.io/aws-security-primer/#fn:2) * [CloudMapper](https://github.com/duo-labs/cloudmapper) @@ -1815,7 +2079,7 @@ Sort * domains * [How I hacked hundreds of companies through their helpdesk - Inti De Ceukelaire](https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c) -* [A deep dive into AWS S3 access controls – taking full control over your assets - labs.detectify](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/) + * [The Good, The Bad and The Ugly of Safari in Client-Side Attacks - bo0om, Wallarm Research](https://lab.wallarm.com/the-good-the-bad-and-the-ugly-of-safari-in-client-side-attacks-56d0cb61275a) * [Rare ASP.NET request validation bypass using request encoding - nccgroup](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/) @@ -1830,7 +2094,6 @@ Sort * [JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away.](https://github.com/dxa4481/CORS) https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 -https://github.com/segment-srl/htcap https://github.com/byt3bl33d3r/SprayingToolkit/blob/master/README.md https://latacora.micro.blog/2018/06/12/a-childs-garden.html https://en.wikipedia.org/wiki/Content_Security_Policy diff --git a/Draft/Wireless.md b/Draft/Wireless.md index dde9596..705f2e6 100755 --- a/Draft/Wireless.md +++ b/Draft/Wireless.md 
@@ -28,12 +28,55 @@ * Fix ToC * Add 101 stuff * Add SMS Standards/related - -* add krack + +* [RFC 7710: Captive-Portal Identification Using DHCP or Router Advertisements (RAs)](https://tools.ietf.org/html/rfc7710) + +https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/ + +* [New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols - Ravishankar Borgaonkar, Lucca Hirschi∗, Shinjo Park, and Altaf Shaik](https://eprint.iacr.org/2018/1175.pdf) + * In this paper, we reveal a new privacy attack against allvariants of the AKA protocol, including 5G AKA, thatbreaches subscriber privacy more severely than knownlocation privacy attacks do. Our attack exploits a newlogical vulnerability we uncovered that would requirededicated fixes. We demonstrate the practical feasibilityof our attack using low cost and widely available setups.Finally we conduct a security analysis of the vulnerabil-ity and discuss countermeasures to remedy our attack + +* [Security and Protocol Exploit Analysis of the 5GSpecifications - Roger Jover, Vuk Marojevic](https://arxiv.org/pdf/1809.06925.pdf) + * ? Abstract—The Third Generation Partnership Project (3GPP)released its first 5G security specifications in March 2018.This paper reviews the proposed security architecture, its mainrequirements and procedures, and evaluates them in the contextof known and new protocol exploits. Although security hasbeen improved from previous generations, our analysis identifiesunrealistic 5G system assumptions and protocol edge cases thatcan render 5G communication systems vulnerable to adversarialattacks. For example, null encryption and null authentication arestill supported and can be used in valid system configurations.With no clear proposal to tackle pre-authentication messages,mobile devices continue to implicitly trust any serving network,which may or may not enforce a number of optional securityfeatures, or which may not be legitimate. 
Moreover, severalcritical security and key management functions are left outsideof the scope of the specifications. The comparison with known 4GLong-Term Evolution (LTE) protocol exploits reveals that the 5Gsecurity specifications, as of Release 15, Version 1.0.0, do not fullyaddress the user privacy and network availability challenges.Keywords–Security, 5G, 3GPP Release 15, LTE +* [A Formal Analysis of 5G Authentication](https://arxiv.org/pdf/1806.10360.pdf) +* [Component-Based Formal Analysis of 5G-AKA:Channel Assumptions and Session Confusion - Cas Cremers, Martin Dehnel-Wild](https://people.cispa.io/cas.cremers/downloads/papers/CrDe2018-5G.pdf) + * We perform fine-grained formal analysis of 5G’s main au-thentication and key agreement protocol (AKA), and providethe first models to explicitly consider all parties defined by theprotocol specification. Our analysis reveals that the security of5G-AKA critically relies on unstated assumptions on the innerworkings of the underlying channels. In practice this means thatfollowing the 5G-AKA specification, a provider can easily and ‘correctly’ implement the standard insecurely, leaving the protocolvulnerable to a security-critical race condition. We provide thefirst models and analysis considering component and channelcompromise in 5G, whose results further demonstrate the fragilityand subtle trust assumptions of the 5G-AKA protocol.We propose formally verified fixes to the encountered issues,and have worked with 3GPP to ensure these fixes are adopted. + +* add krack +* [Captive-Portal Identification Using DHCP or Router Advertisements (RAs) - RFC 7718](https://tools.ietf.org/html/rfc7710) + * This document describes a DHCP option (and a Router Advertisement(RA) extension) to inform clients that they are behind some sort ofcaptive-portal device and that they will need to authenticate to getInternet access. 
It is not a full solution to address all of theissues that clients may have with captive portals; it is designed tobe used in larger solutions. The method of authenticating to andinteracting with the captive portal is out of scope for thisdocument +https://wpa3.mathyvanhoef.com/#new +https://news.ycombinator.com/item?id=6942389 * [RPL Attacks Framework](https://github.com/dhondta/rpl-attacks) * This project is aimed to provide a simple and convenient way to generate simulations and deploy malicious motes for a Wireless Sensor Network (WSN) that uses Routing Protocol for Low-power and lossy devices (RPL) as its network layer. With this framework, it is possible to easily define campaign of simulations either redefining RPL configuration constants, modifying single lines from the ContikiRPL library or using an own external RPL library. Moreover, experiments in a campaign can be generated either based on a same or a randomized topology for each simulation. * [Funtenna - Transmitter: XYZ Embedded device + RF Funtenna Payload](https://www.blackhat.com/docs/us-15/materials/us-15-Cui-Emanate-Like-A-Boss-Generalized-Covert-Data-Exfiltration-With-Funtenna.pdf) +https://github.com/steve-m/fl2k-examples +https://osmocom.org/projects/osmo-fl2k/wiki + + +https://wpa3.mathyvanhoef.com/#new + +https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html?m=1 +https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html +https://blade.tencent.com/en/advisories/qualpwn/ + + + + +https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network + + + + + + + + + + + + diff --git a/Draft/bios_uefi.md b/Draft/bios_uefi.md index fef37e9..9b88da9 100755 --- a/Draft/bios_uefi.md +++ b/Draft/bios_uefi.md 
@@ -20,11 +20,31 @@ * **To-Do** * Add rowhammer related materials +https://i.blackhat.com/USA-19/Wednesday/us-19-Hasarfaty-Behind-The-Scenes-Of-Intel-Security-And-Manageability-Engine.pdf + +BMC Related +* [The Unbearable Lightness of BMCs | Matias Soler & Nico Waisman (BHUSA2018)](https://www.youtube.com/watch?v=mosERjbrgdo&t=0s&list=PLH15HpR5qRsVAXGmSVfjWrGtGLJjIJuGe&index=101) +* [Remotely Attacking System Firmware - Alex Bazhaniuk, Jesse Michael, Mickey Shkatov(BHUSA2018)](https://i.blackhat.com/us-18/Wed-August-8/us-18-Michael-Shkatov-Remotely-Attacking-System-Firmware.pdf) +* [Turning your BMC into a revolving door - Alexandre Gazet, Fabien Perigaud 0xf4b, Joffrey Czarny - ZeroNights2018](https://www.youtube.com/watch?v=z5uBYTXSex0) + * [Slides](https://www.synacktiv.com/ressources/zeronights_2018_turning_your_bmc_into_a_revolving_door.pdf) +* [Subverting your server through its BMC: the HPE iLO4 case - Fabien Periguad, Alexandre Gazet, Joffrey Czarny](https://airbus-seclab.github.io/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf) +* [ilo4_toolbox - Subverting your server through its BMC: the HPE iLO4 case](https://github.com/airbus-seclab/ilo4_toolbox) +* [CVE-2017-12542 - skelsec](https://github.com/skelsec/CVE-2017-12542) + * Test and exploit for CVE-2017-12542 +* [Turning your BMC into a revolving door - Alexandre Gazet, Fabien Perigaud 0xf4b, Joffrey Czarny - ZeroNights 2018](https://www.youtube.com/watch?v=z5uBYTXSex0) + * Unmonitored and unpatched BMC (remote administration hardware feature for servers) are an almost certain source of chaos. They have the potential to completely undermined the security of complex network infrastructures and data centers. Our on-going effort to analyze HPE iLO systems (4 and 5) resulted in the discovery of many vulnerabilities, the last one having the capacity to fully compromise the iLO chip from the host system itself. 
This talk will show how a combination of these vulnerabilities can turn an iLO BMC into a revolving door between an administration network and the production network. + * [Slides]( https://www.synacktiv.com/ressources/zeronights_2018_turning_your_bmc_into_a_revolving_door.pdf) + +https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fblog.ptsecurity.ru%2F2018%2F01%2Fintel-me.html&edit-text= +https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ +https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf * [How Does an Intel Processor Boot? - BinaryDebt](https://binarydebt.wordpress.com/2018/10/06/how-does-an-x86-processor-boot/) * [Understanding L1 Terminal Fault aka Foreshadow: What you need to know - Jon Masters](https://www.redhat.com/en/blog/understanding-l1-terminal-fault-aka-foreshadow-what-you-need-know) * [GuardION - Android GuardION patches to mitigate DMA-based Rowhammer attacks on ARM](https://github.com/vusec/guardion) * This software is the open-source component of our paper "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM", published in the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2018. It allows you to patch an Android kernel so that DMA allocations are guarded with empty rows, resulting in the isolation of bitflips and thus mitigation of Drammer-like attacks. +https://firmwaresecurity.com/2019/04/22/modern-secure-boot-attacks-slides-available/ + * **Rowhammer** * [Exploiting the DRAM rowhammer bug to gain kernel privileges](https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) * [Row hammer - Wikipedia](https://en.wikipedia.org/wiki/Row_hammer) diff --git a/Draft/containers.md b/Draft/containers.md deleted file mode 100644 index 8260dfd..0000000 --- a/Draft/containers.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# Containers - - ---------------------- -## Table of contents -- []() -- []() -- []() -- []() \ No newline at end of file diff --git a/Draft/honeypot.md b/Draft/honeypot.md index d37adf8..ab1b57f 100644 --- a/Draft/honeypot.md +++ b/Draft/honeypot.md @@ -1,5 +1,10 @@ --------------------------- ### Honeypots +-------------------------- + +https://github.com/4sp1r3/honeytrap + * [sshesame](https://github.com/jaksi/sshesame) + * A fake SSH server that lets everyone in and logs their activity + * **General** * **101** * [Honeypot Computing - Wikipedia](https://en.wikipedia.org/wiki/Honeypot_%28computing%29) diff --git a/Draft/sysinternals.md b/Draft/sysinternals.md index aa3e4dd..e122f57 100755 --- a/Draft/sysinternals.md +++ b/Draft/sysinternals.md @@ -1,3 +1,4 @@ + # System Internals of Windows; OS X; Linux; ARM ## Table of Contents 
@@ -13,11 +14,192 @@ + + ##### To Do: * Fix ToC so its accurate * Split sections into reference material and writeup material(quick vs long reference) * Further categorize sections (network vs memory vs exploit mitigations vs feature) +* [SetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy) + * Sets a mitigation policy for the calling process. Mitigation policies enable a process to harden itself against various types of attacks. +[GetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy) + * Retrieves mitigation policy settings for the calling process. +* [Introduction to Paging - Philipp Oppermann](https://os.phil-opp.com/paging-introduction/) +* [Windows Defender Advanced Threat Protection - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) +* [Windows Defender ATP data storage and privacy - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection) + * This document explains the data storage and privacy details related to Windows Defender ATP +* [Thread-local storage - Wikipedia](https://en.wikipedia.org/wiki/Thread-local_storage) +* [SSP Packages Provided by Microsoft - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/ssp-packages-provided-by-microsoft) +* [Microsoft Digest SSP - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/microsoft-digest-ssp) + * Microsoft Digest is a security support provider (SSP) that implements the Digest Access protocol, a lightweight authentication protocol for parties involved in Hypertext Transfer Protocol (HTTP) or Simple Authentication Security Layer (SASL) based communications. 
Microsoft Digest provides a simple challenge response mechanism for authenticating clients. This SSP is intended for use by client/server applications using HTTP or SASL based communications. + + +https://xinu.cs.purdue.edu/ +https://github.com/mit-pdos/xv6-public +http://pages.cs.wisc.edu/~remzi/OSTEP/ +http://man7.org/tlpi/ +https://wiki.osdev.org/Expanded_Main_Page +https://www.haiku-os.org/ + + +https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/ + +https://j00ru.vexillium.org/syscalls/nt/64/ + + + +* [User Account Control: Inside Windows 7 User Account Control - Mark Russinovich](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/dd822916(v=msdn.10)) + +http://arno.org/arnotify/2006/10/on-the-origins-of-ds_store/ +https://0day.work/parsing-the-ds_store-file-format/ +https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/ +* [Introducing the Office (2007) Open XML File Formats + - docs.ms](https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/aa338205(v=office.12)#office2007aboutnewfileformat_structureoftheofficexmlformats) + +* [SSP Packages Provided by Microsoft - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/ssp-packages-provided-by-microsoft) + + +File Locking + * https://lwn.net/Articles/317814/ +OOM + * https://linux-mm.org/OOM_Killer + * https://unix.stackexchange.com/questions/153585/how-does-the-oom-killer-decide-which-process-to-kill-first + * https://www.memset.com/docs/additional-information/oom-killer/ + * https://www.kernel.org/doc/gorman/html/understand/understand016.html + * https://stackoverflow.com/questions/9199731/understanding-the-linux-oom-killers-logs + * https://static.lwn.net/kerneldoc/admin-guide/mm/concepts.html + * https://serverfault.com/questions/134669/how-to-diagnose-causes-of-oom-killer-killing-processes + * http://eloquence.marxmeier.com/sdb/html/linux_limits.html + * 
http://bl0rg.krunch.be/oom-frag.html + * https://stackoverflow.com/questions/17935873/malloc-fails-when-there-is-still-plenty-of-swap-left + * https://serverfault.com/questions/724469/rsync-triggered-linux-oom-killer-on-a-single-50-gb-file/724518#724518 + * https://www.oracle.com/technetwork/articles/servers-storage-dev/oom-killer-1911807.html + + +https://www.vergiliusproject.com/ + +https://www.tarlogic.com/en/blog/how-kerberos-works/ + + + + + + + + + + + +* [chcp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp) + * Changes the active console code page. If used without parameters, chcp displays the number of the active console code page. +https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849 + +* [Secure Channel - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/secure-channel) + * Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications. 
+ +* [Know your Windows Processes or Die Trying(2014) - sysforensics.org](https://web.archive.org/web/20140209004217/https://sysforensics.org/2014/01/know-your-windows-processes.html) +* [Fibers - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/fibers) +* [Using Fibers](https://docs.microsoft.com/en-us/windows/win32/procthread/using-fibers) + +* [NUMA Support - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/numa-support) +* [Standard ECMA-335 Common Language Infrastructure (CLI) 6th ed- ECMA](https://www.ecma-international.org/publications/standards/Ecma-335.htm) +* [The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge.net](http://davenport.sourceforge.net/ntlm.html) +* [What are the undocumented features and limitations of the Windows FINDSTR command? - StackOverflow](https://stackoverflow.com/questions/8844868/what-are-the-undocumented-features-and-limitations-of-the-windows-findstr-comman) +* [Remote Procedure Call (RPC) - cio-wiki.org](https://cio-wiki.org/wiki/Remote_Procedure_Call_(RPC)) +* [Remote Procedure Call - Wikipedia](https://en.wikipedia.org/wiki/Remote_procedure_call) + + * **Constrained-Language Mode** + * [PowerShell Constrained Language Mode - devblogs.ms](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) + * **Logging** + * [About Eventlogs(PowerShell) - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs?view=powershell-5.1) + * [Script Tracing and Logging - docs.ms](https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging) +* [Remote Procedure Calls - Paul Krzyzanowski](https://www.cs.rutgers.edu/~pxk/417/notes/08-rpc.html) +* [What is RPC and why is it so important?(windows) - StackOverflow](https://superuser.com/questions/616098/what-is-rpc-and-why-is-it-so-important) +* [How RPC Works - 
docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738291(v=ws.10)) +* [RPC Components - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/Rpc/microsoft-rpc-components) + + +* [Kerberos.NET](https://github.com/SteveSyfuhs/Kerberos.NET) +https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/ + +* [The COM Library - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/the-com-library) +* [Security in COM - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/security-in-com) + + +* [Remote Procedure Call - IBM Knowledgebase](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.progcomc/ch8_rpc.htm) + +* [Remote Procedure Calls (RPC) - users.cs.cf.ac.uk](https://users.cs.cf.ac.uk/Dave.Marshall/C/node33.html) + +* [CLSID Key - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/clsid-key-hklm) + * A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects. + * The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state. + +* [COM Fundamentals - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/com-fundamentals) + +* [Executing Macros From a DOCX With Remote Template Injection - redxorblue.com](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html) +* [LM, NTLM, Net-NTLMv2, oh my! 
- Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4) +* [ Microsoft Office – NTLM Hashes via Frameset - netbiosX](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/) +* [SMB/HTTP Auth Capture via SCF File - mubix](https://room362.com/post/2016/smb-http-auth-capture-via-scf/) +* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) +* [Microsoft Word – UNC Path Injection with Image Linking - Thomas Elling](https://blog.netspi.com/microsoft-word-unc-path-injection-image-linking/) + +* [Creating a service using sc.exe](https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe) + + +Windows Authentication +* [Windows Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview) +* [Windows Authentication Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture) +* [Windows Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-technical-overview) +* [Security Support Provider Interface Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture) +* [Group Policy Settings Used in Windows Authentication - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication) + + +* [Windows Logon and Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication) +* [Windows Logon and Authentication Technical Overview - 
docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169017(v=ws.10)) + + + +Accounts + * [AD Accounts - docs.ms](https://technet.microsoft.com/itpro/windows/keep-secure/active-directory-accounts) + * [AD Security Groups](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups) + * [Microsoft Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/microsoft-accounts) + * [Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) + * [Special Identities - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities) + * [Group Managed Service Accounts Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) + * [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10)) + * [Getting Started with Group Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) + * [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10)) + * [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff641731(v=ws.10)) + * [Service Accounts Step-by-Step Guide - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)) + +Logon +* [Windows Logon Scenarios - 
docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios) + + +AD +* [How Domain and Forest Trusts Work - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)) +* + +Kerberos +* [Kerberos Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview) + +https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html +https://web.archive.org/web/20060904080018/http://security.tombom.co.uk/shatter.html + + +https://web.archive.org/web/20170614215931/http://mattwarren.org:80/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/ +http://morningcoffee.io/killing-a-process-and-all-of-its-descendants.html +https://jugad2.blogspot.com/2008/09/unix-one-liner-to-kill-hanging-firefox.html?m=1 + +* [The Windows Research Kernel AKA WRK](https://github.com/Zer0Mem0ry/ntoskrnl) + * Is a part of the source code of the actual windows NT Kernel. WRK is designed for academic uses and research, by no means it can be used for commercial purposes. + + +https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md + +https://web.archive.org/web/20170411184849/https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md +https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi --------------------- ## General Internals diff --git a/Draft/threatmodel.md b/Draft/threatmodel.md index 1eb6a47..2adff38 100755 --- a/Draft/threatmodel.md +++ b/Draft/threatmodel.md 
@@ -1,6 +1,30 @@ ## Threat Modeling & Risk Assessment + +* [Threat Modeling: 12 Available Methods - Nataliya Shevchenko](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html) +* [Draw.io for threat modeling - Michael Henriksen](https://michenriksen.com/blog/drawio-for-threat-modeling/) +https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html +* [The Security Principles of Saltzer and Schroeder - Adam Shostack & Friends](https://adam.shostack.org/blog/the-security-principles-of-saltzer-and-schroeder/) + +* [TOWARDS IMPROVING CVSS - J.M. Spring, E. Hatleback, A. +Householder, A. Manion, D. Shick - CMU](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf) + +Threat Modeling +* Threat Modeling Book +* OWASP App Threat Modeling +* Evil User Stories +* OWASP ASVS +* Mozilla Rapid Risk Assessment + + +* [Dark Matter and Measuring Security - Crispin Cowan](https://www.leviathansecurity.com/blog/dark-matter-and-measuring-security) +http://plantuml.com/ + +http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf +https://web.archive.org/web/20141118061526/http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf + + ---------------------------------- ### Threat Modeling * **Articles/Papers/Writeups**
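Review bot: in the PrivescPostEx.md hunk, the Windows Authentication block links the wrong page: `* [Windows Logon and Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication)` reuses the URL of the Group Policy Settings entry just above it, and the correct `dn169017(v=ws.10)` link is already the next bullet, so the mis-linked line should be dropped. The Accounts list also adds `* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10))` twice; keep one copy. The empty bullet `* ` under AD and the bare URLs without titles (vergiliusproject, the tarlogic Kerberos post, the Project Zero down-rabbit-hole post, the coreclr configuration-knobs page plus its archive copy) should either be given the file's `* [Title - source](url)` form with a one-line description, or be kept together in a clearly marked to-sort block, so this section stays consistent with the rest of the file.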
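Review bot: in the threatmodel.md hunk, the SEI methods article is added twice, once as the titled bullet `* [Threat Modeling: 12 Available Methods - Nataliya Shevchenko](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)` and again as the bare URL two lines below; remove the bare copy. The "Threat Modeling" list (`* Threat Modeling Book`, `* OWASP App Threat Modeling`, `* Mozilla Rapid Risk Assessment` and the rest) carries names only, so either attach links in the file's `[Title - source](url)` form or mark the block as a to-do so readers do not take them for finished entries. `http://plantuml.com/` is likewise bare, with nothing saying why it sits here next to the Draw.io post; a one-line description would help.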