
Some more changes

Some more small changes/adds all over.

Added Table of Contents to some, will eventually have one in each with
links to sections
Branch: pull/4/head
Robert, 8 years ago
commit fb34e29fc6
178 changed files with 2021 additions and 2227 deletions
1. +12 -3 Draft/Draft/Anonymity Opsec Privacy.md
2. +0 -6 Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael Notes.rtf
3. +2 -0 Draft/Draft/AppSec.md
4. +81 -68 Draft/Draft/Attacking Android -.md
5. +70 -0 Draft/Draft/Attacking Android -/Android.txt
6. +120 -0 Draft/Draft/Attacking iOS -.md
7. +0 -127 Draft/Draft/Attacking iOS.md
8. +22 -19 Draft/Draft/Building A Pentest Lab.md
9. +0 -6 Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows Notes.rtf
10. +4 -29 Draft/Draft/CTFs & Wargames.md
11. +3 -2 Draft/Draft/Cheat sheets reference pages Checklists.md
12. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists/Nmap Cheat Sheet.txt
13. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists/SQLMap Cheat Sheet.txt
14. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists/WebApp Exploitation Cheat Sheet.txt
15. +0 -0 Draft/Draft/Cheat sheets reference pages Checklists/sqli cheat.txt
16. +8 -5 Draft/Draft/Classes & Training.md
17. +0 -6 Draft/Draft/Common CLI CMD Refs/Curl Notes.rtf
18. +0 -6 Draft/Draft/Common CLI CMD Refs/Ncat Notes.rtf
19. +0 -6 Draft/Draft/Common CLI CMD Refs/Nmap Notes.rtf
20. +0 -6 Draft/Draft/Common CLI CMD Refs/TCPDump Notes.rtf
21. +0 -6 Draft/Draft/Common CLI CMD Refs/ToDO Notes.rtf
22. +7 -0 Draft/Draft/Computer Hardware Attacks - merge.md
23. +0 -1 Draft/Draft/Con Videos Stuff.md
24. +21 -0 Draft/Draft/Cryptography & Encryption.md
25. +0 -6 Draft/Draft/Cryptography & Encryption/Linux Systems Notes.rtf
26. +0 -6 Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts Notes.rtf
27. +0 -6 Draft/Draft/Cryptography & Encryption/cull Notes.rtf
28. +0 -14 Draft/Draft/Disinformation.md
29. +17 -22 Draft/Draft/Documentation & Reports.md
30. +0 -0 Draft/Draft/Draft.rtf
31. +101 -2 Draft/Draft/Embedded Device & Hardware Hacking.md
32. +0 -58 Draft/Draft/Embedded Device Security.md
33. +147 -24 Draft/Draft/Exploit Development.md
34. +0 -6 Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing Notes.rtf
35. +21 -1 Draft/Draft/Forensics Incident Response.md
36. +0 -6 Draft/Draft/Forensics Incident Response/add cull Notes.rtf
37. +1 -1 Draft/Draft/Forensics Incident Response/add cull.txt
38. +0 -6 Draft/Draft/Frameworks/Metasploit Reference Notes.rtf
39. +0 -6 Draft/Draft/Frameworks/Meterpreter Scripts and Description Notes.rtf
40. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing Notes.rtf
41. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration Notes.rtf
42. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting Notes.rtf
43. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard Notes.rtf
44. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Password Cracking Notes.rtf
45. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Penetration Notes.rtf
46. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/VoIP Security Notes.rtf
47. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Vulnerability Assessment Notes.rtf
48. +0 -6 Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Wireless Penetration Notes.rtf
49. +0 -6 Draft/Draft/Frameworks/Post Exploitation with Metasploit Notes.rtf
50. +44 -27 Draft/Draft/Fuzzing Bug Hunting.md
51. +6 -0 Draft/Draft/Home Security.md
52. +29 -24 Draft/Draft/Honeypots -.md
53. +28 -0 Draft/Draft/Interesting Things.md
54. +0 -6 Draft/Draft/Interesting Things/Writeup of Gamma Group Hack Notes.rtf
55. +1 -7 Draft/Draft/Lockpicking.md
56. +3 -0 Draft/Draft/Logging - Combine with NSM.md
57. +23 -1 Draft/Draft/Malware.md
58. +24 -0 Draft/Draft/Network Recon and Enumeration.md
59. +0 -0 Draft/Draft/Network Recon and Enumeration/Getting Busy at the Command Line.txt
60. +16 -0 Draft/Draft/Network Recon and Enumeration/Tools.txt
61. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Getting Busy at the Command Line Notes.rtf
62. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Misc Links Notes.rtf
63. +0 -10 Draft/Draft/Network Reconnaissance&Enumeration/Misc Links.txt
64. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Network Reconnaissance&Enumeration Notes.rtf
65. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Nmap Cheat Sheet Notes.rtf
66. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/PTES Methodology Notes.rtf
67. +0 -10 Draft/Draft/Network Reconnaissance&Enumeration/PTES Methodology.txt
68. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Passive Notes.rtf
69. +0 -5 Draft/Draft/Network Reconnaissance&Enumeration/Passive.txt
70. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Scanning Notes.rtf
71. +0 -30 Draft/Draft/Network Reconnaissance&Enumeration/Scanning.txt
72. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Scanning/Cull Notes.rtf
73. +0 -62 Draft/Draft/Network Reconnaissance&Enumeration/Scanning/Cull.txt
74. +0 -6 Draft/Draft/Network Reconnaissance&Enumeration/Tools Notes.rtf
75. +10 -0 Draft/Draft/Network Security Monitoring - Combine with logging.md
76. +24 -0 Draft/Draft/Open Source Intelligence.md
77. +0 -6 Draft/Draft/Open Source Intelligence/Active cull Notes.rtf
78. +0 -11 Draft/Draft/Persistence.md
79. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/CLI Tricks Spawn Shells.txt
80. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/CLI Tricks Spawn Shells/Password Bruting and Hashcracking.txt
81. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/Exfiltration.txt
82. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/Linux/Linux.rtf
83. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/Misc.txt
84. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/OS X/OS X.rtf
85. +0 -22 Draft/Draft/PrivEsc Post-Exploitation/Persistence Techniques.md
86. +0 -31 Draft/Draft/PrivEsc Post-Exploitation/Pivoting.md
87. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/PrivEsc Post-Exploitation.rtf
88. +0 -2 Draft/Draft/PrivEsc Post-Exploitation/To Do.txt
89. +5 -4 Draft/Draft/PrivEsc Post-Exploitation/Windows/Privilege Escalation Techniques.txt
90. +2 -5 Draft/Draft/PrivEsc Post-Exploitation/Windows/Windows System Enumeration.txt
91. +0 -0 Draft/Draft/PrivEsc Post-Exploitation/Windows/Windows.rtf
92. +120 -0 Draft/Draft/Privilege Escalation & Post-Exploitation.md
93. +473 -0 Draft/Draft/Reverse Engineering - REMath Literature.md
94. +293 -5 Draft/Draft/Reverse Engineering.md
95. +0 -6 Draft/Draft/Reverse Engineering_1/Android Notes.rtf
96. +0 -73 Draft/Draft/Reverse Engineering_1/Android.md
97. +0 -6 Draft/Draft/Reverse Engineering_1/Cull integrate Notes.rtf
98. +0 -107 Draft/Draft/Reverse Engineering_1/Cull integrate.md
99. +0 -6 Draft/Draft/Reverse Engineering_1/Da List of Info Notes.rtf
100. +0 -355 Draft/Draft/Reverse Engineering_1/Da List of Info.md

+12 -3 Draft/Draft/Anonymity Opsec Privacy.md

@ -8,15 +8,24 @@
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
portalmasq.com
[Blinding The Surveillance State - Christopher Soghoian - DEFCON22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
[]()
[The NSA: Capabilities and Countermeasures - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
[]()
[]()
[Protocol Misidentification Made Easy with Format-Transforming Encryption](https://eprint.iacr.org/2012/494.pdf)
* Deep packet inspection (DPI) technologies provide much- needed visibility and control of network trac using port- independent protocol identi cation, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the rst comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidenti cation attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic prim- itive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer trac, and we experimentally show that this forces misidenti cation for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demon- strate that it evades real-world censorship by the Great Fire- wall of China.
[fteproxy](https://fteproxy.org/about)
* fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems
[Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Defcon22](https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1)
* Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny.Format-Transforming Encryption (FTE) can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
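Review bot: three bare `[]()` placeholders (one after the Soghoian entry, two after the Schneier entry) and the unlinked `portalmasq.com` line will render as empty links or stray text; fill in the title and URL or drop them before merging. The Format-Transforming Encryption abstract was pasted from the PDF with its ligatures and hyphenation stripped (`identi cation`, `trac`, `rst`, `ow`, `arbi- trary`, `demon- strate`), so the fi/ffi/fl characters need restoring, e.g. `port-independent protocol identification` and `network traffic`.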


+0 -6 Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael Notes.rtf

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}
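Review bot: the six deleted lines are only an empty RTF preamble (font table, colour table, page geometry, one empty paragraph) with no body text, so nothing is lost by removing this file; the file list shows the same +0/-6 count for every other `Notes.rtf` deletion in this commit, which suggests they are the same empty template.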

+2 -0 Draft/Draft/AppSec.md

@ -1,4 +1,6 @@
##AppSec
idk
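Review bot: `##AppSec` needs a space after the hashes (`## AppSec`) to render as a heading in CommonMark-based renderers, and the only body line is the placeholder `idk`; if the section is a stub for now, a plain `TODO` line says so more clearly than `idk`.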


Draft/Draft/Attacking Android.md → Draft/Draft/Attacking Android -.md


+70 -0 Draft/Draft/Attacking Android -/Android.txt

@ -0,0 +1,70 @@
Reversing Android
[Android ADB cheat sheet](https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true)
[Android apk-tool](https://code.google.com/p/android-apktool/)
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Smali](https://code.google.com/p/smali/)
* smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
[Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
* Dexter is a static android application analysis tool.
Android Packers
http://www.fortiguard.com/uploads/general/Area41Public.pdf
Obfuscation in Android malware, and how to fight back
https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation
APKinpsector
APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
https://github.com/honeynet/apkinspector/
Reversing Android Apps Slides
http://www.floyd.ch/download/Android_0sec.pdf
ARE
Virtual Machine for Android Reverse Engineering
https://redmine.honeynet.org/projects/are
Dalvik Bytecode Format docs
http://source.android.com/devices/tech/dalvik/dex-format.html
Dalvik opcodes
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Mobile Malware dumps - Contagio
http://contagiominidump.blogspot.ca/
Platform for Architecture-Neutral Dynamic Analysis
https://github.com/moyix/panda
Android
https://code.google.com/p/androguard/wiki/RE
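Review bot: `APKinpsector` on the tool-name line is a typo for `APKinspector` (the description line under it spells the name correctly). The file also mixes two styles: `[title](url)` entries with `*` descriptions at the top, then bare `title` / `url` pairs from `Android Packers` down; converting the bare pairs to the link form would keep it consistent with the other drafts in this commit. The final `Android` label above the androguard RE wiki URL says nothing about the link; `Androguard RE wiki` would.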

+120 -0 Draft/Draft/Attacking iOS -.md

@ -0,0 +1,120 @@
##Attacking & Defending iOS
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
CULL
[Pentesting iOS Applications - Pentester Academy - Paid Course](http://www.pentesteracademy.com/course?id=2)
* This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.
###List of Hardening Guides for iOS
[Excellent forum post detailing general security practices](https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/)
[Apple’s white paper on their security mechanisms built into iOS](https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)
[University of Texas’s Checklist/Guide to securing iOS](https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist)
[Center for Internet Security Guide to securing iOS 7](https://benchmarks.cisecurity.org/tools2/iphone/CIS_Apple_iOS_7_Benchmark_v1.1.0.pdf)
[Australian Signals Intel Guide to securing iOS 7](http://www.asd.gov.au/publications/iOS7_Hardening_Guide.pdf)
[Excellent forum post detailing general security practices](https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/)
[Guide to hardening iOS with the goal of privacy](http://cydia.radare.org/sec/)
###Vulnerabilities/Exploits
[List of iOS Exploits](http://theiphonewiki.com/wiki/Category:Exploits)
###Techniques
###Training & Tutorials
[Bypassing SSL Cert Pinning in iOS](http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html)
[Learning iOS Application Security - 34 part series - damnvulnerableiosapp](http://damnvulnerableiosapp.com/#learn)
* iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
* [Damn Vulnerable iOS App - Getting Started](http://damnvulnerableiosapp.com/2013/12/get-started/)
[OWASP iGOAT](https://www.owasp.org/index.php/OWASP_iGoat_Project)
* “iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.”
###iOS Security Testing Methodologies/Tools
[iPwn Apps: Pentesting iOS Applications - SANS](https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577)
[iOS Application Security Testing Cheat Sheet](https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet)
[idb](https://github.com/dmayer/idb)
* idb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices.
* [idb project page](http://cysec.org/blog/2014/01/23/idb-ios-research-slash-pentesting-tool/)
* [idb - iOS Blackbox Pentesting - Daniel A Meyer](http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf)
* [github page](https://github.com/dmayer/idb)
###General Research Papers
###Reverse Engineering
[IODIDE - The IOS Debugger and Integrated Disassembler Environment](https://github.com/nccgroup/IODIDE)
[Clutch](https://github.com/KJCracks/Clutch)
* Fast iOS executable dumper
[MEMSCAN - Dump iPhone app RAM](http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/)
* A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.
[IOS Reverse Engineering toolkit](https://github.com/S3Jensen/iRET)
* The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
binary analysis using otool
keychain analysis using keychain_dumper
reading database content using sqlite
reading log and plist files
binary decryption using dumpdecrypted
dumping binary headers using class_dump_z
creating, editing, installing theos tweaks
###Jailbreaking
[Guide to hardening iOS with the goal of privacy](http://cydia.radare.org/sec/)
[IPhoneDevWiki](http://iphonedevwiki.net/index.php/Main_Page)
* “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
[The iPhone Wiki](http://theiphonewiki.com/wiki/Main_Page)
* The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
[OWASP Jailbreaking Cheat Sheet](https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet)
###iOS Development
[imas](https://project-imas.github.io/)
* Defense for your iOS app - for developers
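Review bot: two entries are duplicated within the file: the raymond.cc `Excellent forum post detailing general security practices` link appears twice under the hardening guides, and the radare `Guide to hardening iOS with the goal of privacy` link is listed under both the hardening guides and Jailbreaking. The `CULL` marker and the empty `###Techniques` and `###General Research Papers` headings read as leftover TODOs. The iRET sub-list (`binary analysis using otool` through `creating, editing, installing theos tweaks`) is neither indented nor bulleted, so markdown folds it into the preceding bullet as one run-on line; prefix each item with `    * `. In the same bullet, `automates a many common tasks` should be `automates many common tasks`. Because `Attacking iOS.md` is deleted in this same commit rather than renamed, git did not pair the two files, so blame history for the carried-over content is cut.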

+0 -127 Draft/Draft/Attacking iOS.md

@ -1,127 +0,0 @@
##Attacking & Defending iOS
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
CULL
https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
[MEMSCAN - Dump iPhone app RAM](http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/)
* A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.
iPwn Apps
:
Pentesting iOS Applications
https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577
[Bypassing SSL Cert Pinning in iOS](http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html)
http://project-imas.github.io/
https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
[idb](https://github.com/dmayer/idb)
* idb is a tool to simplify some common tasks for iOS pentesting and research. Originally there was a command line version of the tool, but it is no longer under development so you should get the GUI version.
http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf
https://github.com/dmayer/idb
gidb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices.
http://cysec.org/blog/2014/01/23/idb-ios-research-slash-pentesting-tool/
http://www.pentesteracademy.com/course?id=2
This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.
###Vulnerabilities/Exploits
List of iOS Exploits:
http://theiphonewiki.com/wiki/Category:Exploits
###Techniques
###Training & Tutorials
Learning iOS Application Security - 34 part series
http://damnvulnerableiosapp.com/#learn
Damn Vulnerable iOS App
iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
http://damnvulnerableiosapp.com/2013/12/get-started/
OWASP iGOAT
From: https://www.owasp.org/index.php/OWASP_iGoat_Project
“iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.”
https://www.owasp.org/index.php/OWASP_iGoat_Project
###iOS Security Testing Methodologies
###General Research Papers
###Reverse Engineering
[IOS Reverse Engineering toolkit](https://github.com/S3Jensen/iRET)
* The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
binary analysis using otool
keychain analysis using keychain_dumper
reading database content using sqlite
reading log and plist files
binary decryption using dumpdecrypted
dumping binary headers using class_dump_z
creating, editing, installing theos tweaks
###Jailbreaking
####Jailbreaking Pros - Cons
Guide to hardening iOS with the goal of privacy:
http://cydia.radare.org/sec/
[IPhoneDevWiki](http://iphonedevwiki.net/index.php/Main_Page)
* “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
[The iPhone Wiki](http://theiphonewiki.com/wiki/Main_Page)
* The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
###Defeating iOS cryptography
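Review bot: compared with the new `Attacking iOS -.md` added above, this deletion drops the `####Jailbreaking Pros - Cons` and `###Defeating iOS cryptography` headings and the idb note that the command-line version is no longer developed and the GUI version should be used; if any of those were meant to survive the reorganisation they need to be carried over.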

+22 -19 Draft/Draft/Building A Pentest Lab.md

@ -1,6 +1,27 @@
Building a Pentest Lab
##Building a Pentest Lab
###VMs Designed to be Attacked
Now, making your own lab filled with software you’ve configured is great and all, but sometimes you want a bit more of a challenge, you don’t want to know what software is running on the machine, you want to go in blind and hack all the things. For this, I recommend:
[Vulnhub](Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
[List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
###Guides to setting up a Pen test lab:
http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/
https://community.rapid7.com/docs/DOC-2196
http://www.stan.gr/2013/03/building-pentest-lab.html
### Personal rant on how to build one
So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at.
That being said, skip virtualbox. Get VMware ESXi if you’re cool, and have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.
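Review bot: the file now opens with two titles, a plain `Building a Pentest Lab` line directly above `##Building a Pentest Lab`; drop the plain one. `[Vulnhub](Vulnhub.com)` has no scheme, so markdown emits a relative link to `./Vulnhub.com`; use `https://www.vulnhub.com/`. The `###Guides to setting up a Pen test lab:` section still lists bare URLs while the section above it uses `[title](url)` entries. In the rant, `todays` should be `today's`, `where its at` should be `where it's at`, and `Virtualbox and VMWare's Workstation/Parallels is` needs `are`.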
@ -28,21 +49,3 @@ The Linux distros can be downloaded from their respective sites, and Trials exis
To download applications, simply visit oldapps.com to download the respective version you wish to attempt vulnerabilities on.
VMs Designed to be Attacked
Now, making your own lab filled with software you’ve configured is great and all, but sometimes you want a bit more of a challenge, you don’t want to know what software is running on the machine, you want to go in blind and hack all the things. For this, I recommend:
Vulnhub.com
Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
List of VMs that are preconfigured virtual machines.
http://www.amanhardikar.com/mindmaps/PracticeUrls.html
Guides to setting up a Pen test lab:
http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/
https://community.rapid7.com/docs/DOC-2196
http://www.stan.gr/2013/03/building-pentest-lab.html
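Review bot: this is the other half of a move: the removed `VMs Designed to be Attacked` and `Guides to setting up a Pen test lab` text matches, sentence for sentence, what the first hunk adds at the top of the file in markdown form, so no content is lost here.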

+0 -6 Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows Notes.rtf

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+4 -29 Draft/Draft/CTFs & Wargames.md

@ -1,6 +1,6 @@
#CTFs & Wargames
###Capture The Flag(CTF) events
#####event lists goes here
[ctf-time](https://ctftime.org/)
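Review bot: `#####event lists goes here` is an author's placeholder rendered as a level-5 heading; either replace it with the real heading (e.g. `##### Event lists`) or leave a plain `TODO` line, and fix `lists goes` to `list goes` if it stays. `#CTFs & Wargames` and `###Capture The Flag(CTF) events` also need a space after the hashes, and the latter a space before `(CTF)`.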
@ -54,32 +54,11 @@ Description: RingZer0 Team's online CTF offers you tons of challenges designed t
* This is the framework that the UC Santa Barbara Seclab uses to host the iCTF, and that can be used to create your own CTFs at http://ictf.cs.ucsb.edu/framework. The framework creates several VMs: one for the organizers and one for every team.
##Online Training Courses
###General Online Courses
Offensive Computer Security
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/
#####[Open Security Training](www.opensecuritytraining.info)
* Taken from their front page:
>In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
>All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.
>We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.
>Those who can, teach.
#####[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* [List without spoilers:](https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups)
###Vulnerable Virtual Machines
#####[Vulnhub](Https://www.Vulnhub.com)
[Vulnhub](Https://www.Vulnhub.com)
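Review bot: the Vulnhub link appears twice in a row at the end of this hunk, once as a `#####` heading and once as a bare line; keep one. The URL scheme is capitalised (`Https://www.Vulnhub.com`); use lowercase `https://www.vulnhub.com`. In the same hunk, `[Open Security Training](www.opensecuritytraining.info)` has no scheme, so markdown renderers treat it as a relative path and the link breaks; prefix it with `http://`. The "Offensive Computer Security" entry is a bare title followed by a bare URL while neighbouring entries use `[title](url)`; make it consistent.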
@ -105,11 +84,10 @@ Wechall
#####[Tasteless](http://chall.tasteless.se/)
#####[Hack This](https://www.hackthis.co.uk/)
#####[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
* [List without spoilers:](https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups)
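Review bot: the XSS Challenge Wiki entry and its "List without spoilers" bullet appear both in this hunk and in the previous one (under the removed Online Training Courses block); since the diff is shown without +/- markers, confirm that exactly one copy survives after the edit. The colon in `[List without spoilers:]` belongs outside the link text.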
@ -128,6 +106,3 @@ Wechall

Draft/Draft/Cheat sheets reference pages.md → Draft/Draft/Cheat sheets reference pages Checklists.md View File


Draft/Draft/Network Reconnaissance&Enumeration/Nmap Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists/Nmap Cheat Sheet.txt View File


Draft/Draft/Web Applications/SQLMap Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists/SQLMap Cheat Sheet.txt View File


Draft/Draft/Web Applications/Cheat Sheet.txt → Draft/Draft/Cheat sheets reference pages Checklists/WebApp Exploitation Cheat Sheet.txt View File


Draft/Draft/Web Applications/sqli cheat.txt → Draft/Draft/Cheat sheets reference pages Checklists/sqli cheat.txt View File


+ 8
- 5
Draft/Draft/Classes & Training.md View File

@ -10,6 +10,8 @@ http://www.cis.syr.edu/~wedu/seed/all_labs.html - Training
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[asm - 0xAX](https://github.com/0xAX/asm)
* Learning assembly for linux-x64
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
@ -30,15 +32,16 @@ http://www.cis.syr.edu/~wedu/seed/all_labs.html - Training
* PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities.
[Open Security Training](www.opensecuritytraining.info)
* Taken from their front page:
>In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
>All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.
>We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.
>Those who can, teach.
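Review bot: `[Open Security Training](www.opensecuritytraining.info)` is missing its scheme, so the link renders as a relative URL; use `http://www.opensecuritytraining.info`. This is the same defect as the copy being removed from CTFs & Wargames.md in this commit, so the move carries the broken link along. The `>` quote lines that follow need a blank line before them, otherwise they attach to the preceding bullet in most renderers.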


+ 0
- 6
Draft/Draft/Common CLI CMD Refs/Curl Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Common CLI CMD Refs/Ncat Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Common CLI CMD Refs/Nmap Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Common CLI CMD Refs/TCPDump Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Common CLI CMD Refs/ToDO Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

Draft/Draft/Computer Hardware Attacks.md → Draft/Draft/Computer Hardware Attacks - merge.md View File


+ 0
- 1
Draft/Draft/Con Videos Stuff.md View File

@ -18,7 +18,6 @@
[Archive of security conference videos](http://wipkip.nikhef.nl/events/)
)
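Review bot: the lone `)` on the line after the conference-video archive link is a stray closing parenthesis. The hunk header says one line is removed; if that is the line being dropped, good, otherwise it should be.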


+ 21
- 0
Draft/Draft/Cryptography & Encryption.md View File

@ -2,8 +2,29 @@
Learning/Courses
Books
Papers
Writeups
###Cull
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[A Messy State of the Union: Taming the Composite State Machines of TLS](https://www.smacktls.com/smack.pdf)
* Abstract —Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes and key exchange methods, where each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that can correctly multiplex between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years (they are now in the process of being patched). We argue that these vulnerabilities stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
[RELIC](https://github.com/relic-toolkit/relic)
* RELIC is a modern cryptographic meta-toolkit with emphasis on efficiency and flexibility. RELIC can be used to build efficient and usable cryptographic toolkits tailored for specific security levels and algorithmic choices.
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
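Review bot: the table-of-contents lines at the top of this hunk (`Learning/Courses`, `Books`, `Papers`, `Writeups`) are bare lines with no list markers, so markdown collapses them into one paragraph; make them `*` bullets like the rest of the file. The SMACK abstract contains a hyphenation artefact from the PDF, "formal verifica- tion", which should be "formal verification". The FREAK link has no one-line description while the entries around it do; "Matthew Green's write-up of the FREAK export-grade RSA downgrade attack on TLS" would match the summary style used elsewhere.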


+ 0
- 6
Draft/Draft/Cryptography & Encryption/Linux Systems Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Cryptography & Encryption/cull Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 14
Draft/Draft/Disinformation.md View File

@ -3,18 +3,6 @@
[The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)
[Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/)
[Disinformation of Charlie Hebdo and The Fake BBC Website](http://thetrendythings.com/read/18256)
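Review bot: `[The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)` is malformed markdown: the opening `(` is missing and the URL has no scheme, so it renders as literal text. It should be `[The Gentleperson’s Guide to Forum Spies](http://cryptome.org/2012/07/gent-forum-spies.htm)`.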
@ -28,8 +16,6 @@
[Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)
[Russia Convention on International Information Security](http://cryptome.org/2014/05/ru-international-infosec.htm)
[A Digital World Full of Ghost Armies](http://www.cigtr.info/2015/02/a-digital-world-full-of-ghost-armies.html)

+ 17
- 22
Draft/Draft/Documentation & Reports.md View File

@ -1,16 +1,18 @@
##Writing Documentation
##Documentation & Reporting
For writing technical documentation.
[SANS InfoSec Policy Templates](https://www.sans.org/security-resources/policies/)
[Open Broadcaster Software OBS](https://obsproject.com/)
* Open Broadcaster Software is free and open source software for video recording and live streaming.
* Cross Platform, Windows/OsX/Linux
Writing
Reports
Meta
Video Documentation
##Writing
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
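Review bot: the new table-of-contents lines (`Writing`, `Reports`, `Meta`, `Video Documentation`) are bare lines that markdown will join into one paragraph, and the last label does not match the section it points at, which is headed `###Video Recording` further down; use list markers and the same wording as the headings. The renamed heading `##Documentation & Reporting` is fine, but with OBS moved to the top of the file the same two OBS lines still appear under Video Recording at the end of the diff; confirm only one copy survives. Also "great resources to writing technical documentation" should be "for writing".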
@ -18,18 +20,12 @@ Start with the first two links, and go from there. They
[A beginners guide to writing documentation](http://docs.writethedocs.org/writing/beginners-guide-to-docs/)
[Teach, Don’t Tell](http://stevelosh.com/blog/2013/09/teach-dont-tell/)
###Other Materials:
Other Materials:
Three parter from jacobian.org:
[What to write](http://jacobian.org/writing/what-to-write/)
[Technical Style](http://jacobian.org/writing/technical-style/)
[Editors](http://jacobian.org/writing/editors/)
* [What to write](http://jacobian.org/writing/what-to-write/)
* [Technical Style](http://jacobian.org/writing/technical-style/)
* [Editors](http://jacobian.org/writing/editors/)
[Writing Types of User Documentation](https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation0
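Review bot: the Wikiversity link is broken: `(https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation0` ends with `0` instead of `)`, so the link never closes. Converting the three jacobian.org entries to `*` bullets is good; the heading they sit under is being demoted from `###Other Materials:` to plain text `Other Materials:`, which loses the section structure, so keep it a heading (with a space after the hashes) and drop the trailing colon.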
@ -46,6 +42,8 @@ Three parter from jacobian.org:
[Report Template from vulnerabilityassessment.co.uk](http://www.vulnerabilityassessment.co.uk/report%20template.html)
[Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)
[security-assessment-rfp-cheat-sheet](http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html)
[Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
[SANS InfoSec Policy Templates](https://www.sans.org/security-resources/policies/)
###Meta
[What is Markdown?](http://daringfireball.net/projects/markdown/syntax)
@ -57,14 +55,11 @@ Three parter from jacobian.org:
###Video Recording
[Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
[Open Broadcaster Software OBS](https://obsproject.com/)
* Open Broadcaster Software is free and open source software for video recording and live streaming.
* Cross Platform, Windows/OsX/Linux
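Review bot: `[Tips for Creating an Information Security Assessment Report Cheat Sheet]` sits directly under `###Video Recording` here, where it does not belong; it is also added to the Reports list earlier in this diff, so this should be the copy being removed. The OBS entry with its two bullets is likewise duplicated at the top of the file by this commit; keep it in one place (Video Recording is the natural one).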

Draft/Draft/Network Reconnaissance&Enumeration/Network Reconnaissance&Enumeration.rtf → Draft/Draft/Draft.rtf View File


Draft/Draft/Hardware Hacking Teensy-like stuff.md → Draft/Draft/Embedded Device & Hardware Hacking.md View File


+ 0
- 58
Draft/Draft/Embedded Device Security.md View File

@ -1,58 +0,0 @@
##Embedded Device Security
[An analysis of the vulnerabilities introduced with Java Card 3 Connected Edition](http://www.ma.rhul.ac.uk/static/techrep/2013/MA-2013-04.pdf)
[Methodologies for Hacking Embedded Security Appliances](https://media.blackhat.com/us-13/US-13-Bathurst-Methodologies-for-Hacking-Embdded-Security-Appliances-Slides.pdf)
[Introduction to Smart Card Security](http://resources.infosecinstitute.com/introduction-smartcard-security/)
[ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd)
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
###Attacking Routers
TR-069
[I Hunt TR-069 Admins - Pwning ISPs Like a Boss - Defcon 22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Shahar%20Tal%20-%20I%20Hunt%20TR%20-%20069%20Admins%20-%20Pwning%20ISPs%20Like%20a%20Boss%20-%20Video%20and%20Slides.m4v)
* [Related to TR-069](http://blog.3slabs.com/2012/12/a-brief-survey-of-cwmp-security.html)
[Router Post-Exploitation Framework](https://github.com/mncoppola/rpef
* Abstracts and expedites the process of backdooring stock firmware images for consumer/SOHO routers.
###Tutorials/Walkthroughs
[Unpacking Firmware images from cable modems](http://w00tsec.blogspot.com.br/2013/11/unpacking-firmware-images-from-cable.html0
[Reversing D-Links WPS pin algorithm](http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/)
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
###Cable Modem Hacking
[Docsis hacking](https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf)
[Hacking Docsis for fun and profit](https://www.defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf)
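Review bot: this deletes all 58 lines of Embedded Device Security.md (TR-069 talk, rpef, firmware-unpacking walkthroughs, the Belkin N750 CVE-2014-1635 write-up, DOCSIS talks), but nothing in this commit shows those entries being added anywhere else: the only related change is the pure rename of `Hardware Hacking Teensy-like stuff.md` to `Embedded Device & Hardware Hacking.md`, which carries no content hunk. Either move the entries into the renamed file in the same commit or say in the message that they are intentionally dropped. Two of the deleted lines also carry link bugs worth fixing when they are re-added: `[Router Post-Exploitation Framework](https://github.com/mncoppola/rpef` lacks its closing `)`, and the cable-modem URL ends in `...from-cable.html0` instead of `.html)`.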

+ 147
- 24
Draft/Draft/Exploit Development.md View File

@ -1,9 +1,41 @@
###Exploit Development
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Link to Lab Writeup]()
TOC
cull
Anti-Fuzzing
ASM Stuff
Exploit dev -
* Windows Specific
* Linux Specific
* Obfuscation
* Bypassing Exploit Protections
* Presentations
* Tools
* Papers
* Buffer Overflows
* Return-into-lib / Return oriented programming
* Heap Exploitation
* Format String Exploitation
* Integer Overflows
* ASLR
* Exploit Writeups
* Finding Vulnerabilities
* Books and Links
[Open Source Windows x86/x64 Debugger](http://x64dbg.com/)
Add Exploit Prevention Techniques/Bypass section
###Cull
http://www.oldapps.com/
Finding Opcodes
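Review bot: the new TOC is useful, but three things in this hunk are left-over scaffolding: `[Link to Lab Writeup]()` is an empty link, `Add Exploit Prevention Techniques/Bypass section` is a to-do sentence sitting in the body (and the diff already adds a `###Bypassing Exploit Protections/Mitigations` section, so it is done), and the x64dbg entry added here is added a second time under `###Obfuscation` later in the same diff. The TOC items are also bare lines rather than list entries, so they will render as a single paragraph.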
@ -15,12 +47,13 @@ pvefindaddr - mona.py
[Acquiring VMs of any Windows going back to XP to Windows 10](https://www.modern.ie/en-us/virtualization-tools#downloads)
[OneRNG](http://moonbaseotago.com/onerng/theory.html)
[The Ultimate Anti-Debugging Reference(2011)](http://pferrie.host22.com/papers/antidebug.pdf)
* Good reference, though old.
Finding and analyzing Crash dumps:
http://blogs.msdn.com/b/pfedev/archive/2008/09/26/all-the-ways-to-capture-a-dump.aspx
@ -28,57 +61,81 @@ http://blogs.technet.com/b/askperf/archive/2007/05/29/basic-debugging-of-an-appl
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
[Windows Anti-Debug Reference](http://www.symantec.com/connect/articles/windows-anti-debug-reference)
* Good, but also old, Nov2010
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Introduction to ROP programming]http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
[Gentle introduction to ROP programming](http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/)
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[Pool Blade: A new approach for kernel pool exploitation](https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/)
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
###Bypassing Exploit Protections/Mitigations
[Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005](http://www.uninformed.org/?v=2&a=4&t=txt)
[Preventing the Exploitation of SEH Overwrites](http://uninformed.org/?v=all&a=24&t=sumry)
* This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations.
[Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[ 64-bit Linux Return-Oriented Programming - Standford](https://crypto.stanford.edu/~blynn/rop/)
[Bypassing Windows Hardware-enforced DEP ](http://uninformed.org/?v=all&a=11&t=sumry)
* This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits.
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
###Obfuscation
[Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005](http://www.uninformed.org/?v=2&a=4&t=txt)
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
[Open Source Windows x86/x64 Debugger](http://x64dbg.com/)
###ARM Specific
[Too LeJIT to Quit: Extending JIT Spraying to ARM](www.internetsociety.org/sites/default/files/09_3_2.pdf)
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
###Linux Specific
[Pool Blade: A new approach for kernel pool exploitation](https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/)
[ 64-bit Linux Return-Oriented Programming - Standford](https://crypto.stanford.edu/~blynn/rop/)
###Windows Specific
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[Windows DLL-Injection basics](http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html)
[Bypassing ASLR + DEP Whitepaper](http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf)/
* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
[Windows DLL-Injection basics](http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html)
[Using Binwally](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
[ActiveX - Active Exploitation](http://uninformed.org/?v=all&a=41&t=sumry)
* This paper provides a general introduction to the topic of understanding security vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed.
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[Windows Kernel-mode Payload Fundamentals](http://uninformed.org/?v=all&a=15&t=sumry)
* This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.
[Exploiting the Otherwise Non-Exploitable on Windows](http://uninformed.org/?v=all&a=22&t=sumry)
* This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.
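Review bot: this hunk introduces several duplicates and misfiled entries that should be resolved before merging. Duplicates: `Exploit Mitigation Killchain` appears twice here and once at the top of the file; `Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005` appears under both the Bypassing section and `###Obfuscation`, and the same paper is listed a third time as `Bypassing Windows Hardware-enforced DEP` via its uninformed.org summary; `Preventing the Exploitation of SEH Overwrites with SEHOP` appears three times; `Windows DLL-Injection basics` twice; `Obfuscating python` twice. Misfiled: `Pool Blade` is about the Windows kernel pool allocator and sits under `###Linux Specific`; `Fun with info leaks` is under `###ARM Specific` with nothing in its title or description tying it to ARM; x64dbg is a debugger, not obfuscation. Link defects: `[Introduction to ROP programming]http://codearcana.com/...` is missing its `(`; the `Too LeJIT to Quit` URL has no scheme; the `Bypassing ASLR + DEP Whitepaper` link has a stray `/` after its closing `)`; "Standford" should be "Stanford".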
@ -103,6 +160,16 @@ https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
###Anti-Debugging
[The Ultimate Anti-Debugging Reference(2011)](http://pferrie.host22.com/papers/antidebug.pdf)
* Good reference, though old.
[Windows Anti-Debug Reference](http://www.symantec.com/connect/articles/windows-anti-debug-reference)
* Good, but also old, Nov2010
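Review bot: the two anti-debugging references placed under the new `###Anti-Debugging` heading here (Ferrie's reference and the Symantec Windows Anti-Debug Reference, with their "old" caveats) also still appear in the Cull section earlier in this diff; confirm the Cull copies are the ones being removed so each ends up listed once. "Nov2010" wants a space.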
###Exploit Development
@ -117,6 +184,23 @@ https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
[Introduction to ROP programming]http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
[Blind Return Oriented Programming (BROP)](http://www.scs.stanford.edu/~sorbo/brop/)
* The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.).
###Presentations
[OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
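Review bot: `[Introduction to ROP programming]http://codearcana.com/...` is malformed here as well (missing `(` after the `]`), and the OptiROP entry with its video link and description is the same three lines already present under the Bypassing section earlier in this diff; keep one copy, `###Presentations` being the better fit for a Black Hat talk.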
###Tools
@ -142,6 +226,8 @@ MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever
[Findjmp2](http://www.securiteam.com/tools/5LP0C1PEUY.html)
Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism.
[Using Binwally](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
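Review bot: `Using Binwally` is added here under Tools and also appears under `###Windows Specific` earlier in this diff; keep the Tools copy. The Findjmp2 description on the line before it is a bare paragraph while every other tool description in the file is a `*` bullet.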
@ -311,6 +397,19 @@ properties of the x86 instruction set.
[Smashing the Stack for Fun and Profit in 2010](http://www.mgraziano.info/docs/stsi2010.pdf)
[Temporal Return Addresses ](http://uninformed.org/?v=all&a=9&t=sumry)
* Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable.
[Reducing the Effective Entropy of GS Cookies](http://uninformed.org/?v=all&a=32&t=sumry)
* This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined.
[OS X Kernel-mode Exploitation in a Weekend](http://uninformed.org/?v=all&a=37&t=sumry)
* Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used.
[Getting out of Jail: Escaping Internet Explorer Protected Mode](http://uninformed.org/?v=all&a=39&t=sumry)
* With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as "integrity levels", this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new "low-rights" mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista.
@ -328,10 +427,13 @@ properties of the x86 instruction set.
[Smashing the Browser - From fuzzing to 0day on IE11](https://github.com/demi6od/Smashing_The_Browser)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
[Adventures in Xen Exploitation](https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/)
* "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)."
[From fuzzing to 0-day](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
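Review bot: `[From Fuzzing to 0day.]` and `[From fuzzing to 0-day]` both point at the same techorganic.com URL, so this hunk adds a duplicate entry to the list; keep one of the two (the second has the cleaner title, without the stray trailing period) and drop the other.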
@ -373,6 +475,8 @@ http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf)
* [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
[Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques](http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf)
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
@ -387,6 +491,10 @@ http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf)
* WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
[Analyzing Common Binary Parser Mistakes](http://uninformed.org/?v=all&a=12&t=sumry)
* With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it all is unfortunate; no one cares enough. These bugs have been around for some time now, but have only recently gained media attention due to the large number of vulnerabilities being released. Researchers have been finding more elaborate and passive attack vectors for these bugs, some of which can even leverage a remote compromise.
####High Level Searching
#####Searching Github for vulnerable code/credentials
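Review bot: `####High Level Searching` and `#####Searching Github for vulnerable code/credentials` have no space between the hashes and the title; CommonMark renderers treat such lines as plain paragraph text rather than headings, so write them as `#### High Level Searching` and `##### Searching Github for vulnerable code/credentials`. The other headings added in this commit (`###Online Resources`, `##Forensics & Incident Response`, `###CULL`, `##Home Security & Defense`) have the same problem and are worth fixing in one pass.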
@ -395,5 +503,20 @@ http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf)
- [Cheatsheet](https://github.com/search#search_cheatsheet_pane)
- [Actual Search Page](https://github.com/search)
###Online Resources
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.

+ 0
- 6
Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 21
- 1
Draft/Draft/Forensics Incident Response.md View File

@ -1,9 +1,29 @@
##Forensics & Incident Response
applexaminer.com
Anti-Forensics
Mobile Device Forensics
* Android
* iOS
* Blackberry
PDF Forensics
Photo Forensics
Tools
OS Forensics
* Linux Forensics
* OS X Forensics
* Windows Forensics
applexaminer.com
[Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
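Review bot: `applexaminer.com` now appears twice in this file, once above the new table of contents and again directly below it, and both copies are a bare domain with neither a scheme nor a description, so they will not render as links; keep a single entry in the same `[Title](http://...)` form the rest of the file uses. The table-of-contents lines (`Anti-Forensics`, `Mobile Device Forensics`, ...) are plain text with no anchors yet, which matches the commit message, but a short `TODO` marker next to them would stop readers from mistaking them for content.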


+ 0
- 6
Draft/Draft/Forensics Incident Response/add cull Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 1
- 1
Draft/Draft/Forensics Incident Response/add cull.txt View File

@ -21,7 +21,7 @@
[HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)


+ 0
- 6
Draft/Draft/Frameworks/Metasploit Reference Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/Meterpreter Scripts and Description Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Password Cracking Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Penetration Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/VoIP Security Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Vulnerability Assessment Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Wireless Penetration Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Frameworks/Post Exploitation with Metasploit Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

Draft/Draft/Fuzzing.md → Draft/Draft/Fuzzing Bug Hunting.md View File


+ 6
- 0
Draft/Draft/Home Security.md View File

@ -0,0 +1,6 @@
##Home Security & Defense
Anchored window covers
[Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](https://www.youtube.com/watch?v=9Tbft190x3Q)

Draft/Draft/Honeypots.md → Draft/Draft/Honeypots -.md View File


+ 28
- 0
Draft/Draft/Interesting Things.md View File

@ -12,8 +12,36 @@ http://www.securitywizardry.com/radar.htm
[They clapped](http://www.econlib.org/library/Columns/y2007/Mungergouging.html)
TOC
Cull
Interesting Attacks
Interesting Papers
Interesting Projects
Interesting Software
Interesting Write-ups
###CULL
[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))
[Foreign LINUX](https://github.com/wishstudio/flinux)
* Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in constrast to Cygwin and other tools
[Just What The Doctor Ordered? - Scott Erven and Shawn Merdinger - DEF CON 22](https://www.youtube.com/watch?v=wTEMSBXtkAc)
* This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.
[Wars Within](http://uninformed.org/?v=all&a=26&t=sumry)
* In this paper I will uncover the information exchange of what may be classified as one of the highest money making schemes coordinated by 'organized crime'. I will elaborate on information gathered from a third party individual directly involved in all aspects of the scheme at play. I will provide a detailed explanation of this market's origin, followed by a brief description of some of the actions strategically performed by these individuals in order to ensure their success. Finally, I will elaborate on real world examples of how a single person can be labeled a spammer, malware author, cracker, and an entrepreneur gone thief. For the purposes of avoiding any legal matters, and unwanted media, I will refrain from mentioning the names of any individuals and corporations who are involved in the schemes described in this paper.
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
* This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
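Review bot: the `/dev/tcp` entry is a broken link: the title text was pasted into the URL part, `(http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))`, so the parenthesised part contains spaces and nested parentheses and will not render as a link; it should end right after `...-file-tcpip)`. Also, `constrast` in the Foreign LINUX description should be `contrast`.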


+ 0
- 6
Draft/Draft/Interesting Things/Writeup of Gamma Group Hack Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 1
- 7
Draft/Draft/Lockpicking.md View File

@ -31,7 +31,7 @@ https://www.reddit.com/r/lockpicking
[Lockpicking how to video using a cut-away lock](http://www.youtube.com/watch?v=LSt0RxkA_f8)
[Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More - Deviant Ollam](https://www.youtube.com/watch?v=e07VRxJ01Fs)
###Books
@ -59,9 +59,3 @@ https://www.reddit.com/r/lockpicking
[Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More - Deviant Ollam](https://www.youtube.com/watch?v=e07VRxJ01Fs)

Draft/Draft/Logging.md → Draft/Draft/Logging - Combine with NSM.md View File


+ 23
- 1
Draft/Draft/Malware.md View File

@ -2,7 +2,7 @@
###Cull
[Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VP9cTDTF-PU)
[Ragpicker - Malware Crawler](https://code.google.com/p/malware-crawler/)
* Ragpicker is a Plugin based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products, collecting malware for another analyzer/zoo.
@ -15,8 +15,26 @@
http://www.cs.uno.edu/~golden/gpu-malware-research.html
[Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0](https://github.com/strazzere/android-unpacker)
* native-unpacker/ - Unpacker for APKProtect/Bangcle/LIAPP/Qihoo Packer that runs natively, no dependency on gdb
* hide-qemu/ - Small hacks for hiding the qemu/debuggers, specifically from APKProtect
[Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
* Good writeup/blogpost from Journey into Incidence Response
[The Backdoor Factory (BDF)](https://github.com/secretsquirrel/the-backdoor-factory)
* For security professionals and researchers only. The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
* [Derbycon Presentation](https://www.youtube.com/watch?v=LjUN9MACaTs)
[Bypass AV through several basic/effective techniques](http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf)
[Trojan.Foxy writeup](http://www.cyberesi.com/2011/08/31/trojan-foxy/?ModPagespeed=noscrip
* Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based off of the Vigenère cipher; however there is a deviation in how the cipher is applied.
[Frida](http://www.frida.re/docs/home/)
* Inject JS into native apps
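Review bot: the Trojan.Foxy entry is missing its closing parenthesis, `[Trojan.Foxy writeup](http://www.cyberesi.com/2011/08/31/trojan-foxy/?ModPagespeed=noscrip`, and the query string looks cut off mid-word, so the link will not render; paste the full URL (or drop the `?ModPagespeed=...` parameter entirely, which is not needed to reach the post) and close the parenthesis. Separately, `Journey into Incidence Response` should read `Journey into Incident Response`, the actual name of that blog.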
@ -26,8 +44,12 @@ http://www.cs.uno.edu/~golden/gpu-malware-research.html
[Generate MS Office Macro Malware Script](https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1)
* Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
[Making FinFisher Undetectable](https://lqdc.github.io/making-finfisher-undetectable.html)
[Modeling Zero Day Malware Spread](https://lqdc.github.io/modeling-zero-day-malware-spread.html)
[VirusTotal Mining](http://blog.9bplus.com/wp-content/uploads/2014/08/VirusTotal-Mining.pdf)
[Pybox](https://bitbucket.org/daniel_plohmann/pybox/)
[Research paper on it](https://eldorado.tu-dortmund.de/bitstream/2003/27336/1/BookOfAbstracts_Spring5_2010.pdf)


+ 24
- 0
Draft/Draft/Network Recon and Enumeration.md View File

@ -0,0 +1,24 @@
http://www.pentest-standard.org/index.php/Intelligence_Gathering
Paste and format here
[A Curated list of assigned ports relevant to pen testing](http://www.vulnerabilityassessment.co.uk/ports.htm)
[Mass Scanning the Internet: Tips, Tricks, Results - DEF CON 22 - Graham, Mcmillan, and Tentler](https://www.youtube.com/watch?v=nX9JXI4l3-E)
http://www.exploit-db.com/papers/35425/
Add sample/simple checklists/links to
[DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
[IANA Complete list of assigned ports](http://www.vulnerabilityassessment.co.uk/port-numbers.txt)
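Review bot: this new file carries over scratch notes from the deleted text files alongside real entries: `Paste and format here` and the unfinished `Add sample/simple checklists/links to` are to-do items, not content, and `http://www.pentest-standard.org/index.php/Intelligence_Gathering` and `http://www.exploit-db.com/papers/35425/` are bare URLs without a title or description. Either move the to-do lines under a clearly marked `###Cull` heading as the other files in this commit do, or drop them, and give the two bare URLs the `[Title](url)` form plus a one-line summary used elsewhere in the file.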

Draft/Draft/Network Reconnaissance&Enumeration/Getting Busy at the Command Line.txt → Draft/Draft/Network Recon and Enumeration/Getting Busy at the Command Line.txt View File


Draft/Draft/Network Reconnaissance&Enumeration/Tools.txt → Draft/Draft/Network Recon and Enumeration/Tools.txt View File


+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Getting Busy at the Command Line Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Misc Links Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 10
Draft/Draft/Network Reconnaissance&Enumeration/Misc Links.txt View File

@ -1,10 +0,0 @@
Links to references not mentioned elsewhere:
IANA Complete list of assigned ports:
http://www.vulnerabilityassessment.co.uk/port-numbers.txt
A Curated list of assigned ports relevant to pen testing:
http://www.vulnerabilityassessment.co.uk/ports.htm

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Network Reconnaissance&Enumeration Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Nmap Cheat Sheet Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/PTES Methodology Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 10
Draft/Draft/Network Reconnaissance&Enumeration/PTES Methodology.txt View File

@ -1,10 +0,0 @@
http://www.pentest-standard.org/index.php/Intelligence_Gathering
Paste and format here
http://www.hping.org/
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
http://packetsender.com/
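Review bot: deleting `PTES Methodology.txt` drops the hping description (`hping is a command-line oriented TCP/IP packet assembler/analyzer...`) and the `http://packetsender.com/` link, and neither reappears in the new `Network Recon and Enumeration.md` hunk in this commit, which only carries over the pentest-standard URL and the `Paste and format here` line. If the intent is to consolidate rather than prune, the hping and Packet Sender entries should be re-added to the new file (or to the renamed `Tools.txt`).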

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Passive Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 5
Draft/Draft/Network Reconnaissance&Enumeration/Passive.txt View File

@ -1,5 +0,0 @@
##Passive
[DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Scanning Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 30
Draft/Draft/Network Reconnaissance&Enumeration/Scanning.txt View File

@ -1,30 +0,0 @@
Scanning networks
http://www.exploit-db.com/papers/35425/
Honestly, just use nmap. Use zmap if you’re trying to scan the entire internet. Read either’s docs for more info
For nmap read this: http://www.exploit-db.com/papers/35425/
Nmap
From: www.insecure.org
Zmap
From: www.zmap.io
ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.
ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.
Documentation: https://zmap.io/documentation.html
Research Paper: https://zmap.io/paper.html
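Review bot: removing `Scanning.txt` loses the ZMap summary and its documentation and paper links, plus the practical nmap-versus-zmap guidance (`Honestly, just use nmap. Use zmap if you're trying to scan the entire internet`); the only piece that survives in the new `Network Recon and Enumeration.md` is the bare `http://www.exploit-db.com/papers/35425/` URL, now without the `For nmap read this:` context that explained why it is there. Consider carrying the ZMap entry and the nmap note into the new file so the consolidation does not silently drop content.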

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Scanning/Cull Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

+ 0
- 62
Draft/Draft/Network Reconnaissance&Enumeration/Scanning/Cull.txt View File

@ -1,62 +0,0 @@
Recon/Enum To DO
Add simple methodology demonstrating concepts
Add sample/simple checklists/links to
https://github.com/mubix/netview
Netview is a enumeration tool. It uses (with the -d) the current domain or a specified domain (with the -d domain) to enumerate hosts
[net-creds](https://github.com/DanMcInerney/net-creds)
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification
* It sniffs: URLs visited; POST loads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community string; NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc; Kerberos.
[RANCID - Really Awesome New Cisco confIg Differ](http://www.shrubbery.net/rancid/)
* RANCID monitors a router's (or more generally a device's) configuration, including software and hardware (cards, serial numbers, etc) and uses CVS (Concurrent Version System) or Subversion to maintain history of changes.
* RANCID does this by the very simple process summarized as: login to each device in the router table (router.db), run various commands to get the information that will be saved, cook the output; re-format, remove oscillating or incrementing data, email any differences (sample) from the previous collection to a mail list, and finally commit those changes to the revision control system
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
libpcap
tcpdump
dsniff
filesnarf
mailsnarf
msgsnarf
urlsnarf
webspy
aprspof
dnsspoof
macof
sshmitm
webmtim
antisniff
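Review bot: this deletion removes the netview, net-creds, RANCID and Stenographer entries (each with a usable description) and the dsniff tool list, and none of them appear in the new `Network Recon and Enumeration.md` hunk in this commit; the renamed `Tools.txt` shows no content change either. If these were meant to move, the move is incomplete; if they were meant to be pruned, the commit message should say so, since net-creds and Stenographer are the kind of entries the `Network Security Monitoring` or `Logging` files would otherwise want.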

+ 0
- 6
Draft/Draft/Network Reconnaissance&Enumeration/Tools Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}

Draft/Draft/Network Security Monitoring.md → Draft/Draft/Network Security Monitoring - Combine with logging.md View File


+ 24
- 0
Draft/Draft/Open Source Intelligence.md View File

@ -7,6 +7,30 @@
###Cull
[Corporate Espionage: Gathering Actionable Intelligence Via Covert Operations - Brent White - Defcon22](https://www.youtube.com/watch?v=D2N6FclMMTg)
[typofinder](https://github.com/nccgroup/typofinder)
* Typofinder for domain typo discovery
[You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.


+ 0
- 6
Draft/Draft/Open Source Intelligence/Active cull Notes.rtf View File

@ -1,6 +0,0 @@
{\rtf1\ansi\ansicpg1252\uc1\deff0
{\fonttbl{\f0\fnil\fcharset0\fprq2 Courier New;}}
{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}
\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\fet2\ftnbj\aenddoc
\pgnrestart\pgnstarts0
\pard\plain \ltrch\loch \f0\fs24}