
Updates/links

Branch: pull/8/head
Author: root, 6 years ago
Commit: fcb23d58cf
39 changed files with 1194 additions and 435 deletions
  1. Draft/Anonymity Opsec Privacy -.md (+2, -2)
  2. Draft/Attacking Defending iOS -.md (+0, -3)
  3. Draft/Basic Security Information.md (+16, -1)
  4. Draft/Building A Pentest Lab.md (+18, -6)
  5. Draft/CTFs & Wargames -.md (+7, -7)
  6. Draft/Car Hacking.md (+3, -1)
  7. Draft/Courses & Training -.md (+17, -4)
  8. Draft/CryptoCurrencies.md (+1, -1)
  9. Draft/Data AnalysisVisualization.md (+8, -3)
  10. Draft/Defense.md (+39, -3)
  11. Draft/Disclosure -.md (+5, -0)
  12. Draft/Documentation & Reports -.md (+4, -0)
  13. Draft/Embedded Device & Hardware Hacking -.md (+14, -0)
  14. Draft/Exploit Development.md (+25, -0)
  15. Draft/Forensics Incident Response.md (+13, -8)
  16. Draft/Game Hacking.md (+12, -0)
  17. Draft/Honeypots -.md (+5, -0)
  18. Draft/Interesting Things Useful stuff.md (+39, -42)
  19. Draft/Lockpicking -.md (+2, -0)
  20. Draft/Malware.md (+13, -1)
  21. Draft/Network Attacks & Defenses.md (+13, -3)
  22. Draft/Network Security Monitoring & Logging.md (+32, -0)
  23. Draft/Open Source Intelligence.md (+29, -39)
  24. Draft/Password Bruting and Hashcracking.md (+5, -1)
  25. Draft/Phishing.md (+8, -1)
  26. Draft/Phyiscal Security.md (+34, -2)
  27. Draft/Privilege Escalation & Post-Exploitation.md (+64, -1)
  28. Draft/Programming - Languages Libs Courses References.md (+29, -0)
  29. Draft/Red-Teaming.md (+130, -0)
  30. Draft/Reverse Engineering.md (+8, -0)
  31. Draft/SCADA.md (+62, -0)
  32. Draft/Social Engineering.md (+10, -0)
  33. Draft/System Internals Windows and Linux Internals Reference.md (+20, -0)
  34. Draft/Threat Modeling.md (+4, -0)
  35. Draft/Threat-Hunting.md (+60, -0)
  36. Draft/UX Design - Because we all know how sexy pgp is.md (+37, -4)
  37. Draft/Web & Browsers.md (+43, -0)
  38. Draft/Wireless Networks & RF.md (+21, -0)
  39. Draft/things-added.md (+342, -302)

Draft/Anonymity Opsec Privacy -.md (+2, -2)

@ -18,8 +18,6 @@
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
#### Cull
| Title | Link
| -------- | --------- |
https://github.com/NullHypothesis/exitmap/issues/37
#### end cull
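Review bot: the `| Title | Link` header and its separator row inside the Cull block are followed by a bare URL (`https://github.com/NullHypothesis/exitmap/issues/37`) rather than a table row, so the table renders with a header and no body; either drop the two header lines or write the entry as a row, e.g. `| exitmap issue #37 | https://github.com/NullHypothesis/exitmap/issues/37 |`.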
@ -43,7 +41,9 @@ https://github.com/NullHypothesis/exitmap/issues/37
[CIA Vault7 Development Tradecraft DOs and DON'Ts](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
[Dutch-Russian cyber crime case reveals how police tap the internet - ElectroSpaces](http://electrospaces.blogspot.de/2017/06/dutch-russian-cyber-crime-case-reveals.html?m=1)
[Deanonymizing Windows users and capturing Microsoft and VPN accounts](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
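Review bot: the ElectroSpaces URL on the second line of this hunk carries a `?m=1` mobile-view parameter; strip it so the link points at the canonical page rather than Blogger's mobile rendering.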


Draft/Attacking Defending iOS -.md (+0, -3)

@ -25,9 +25,6 @@
| **Mobile self-defense - Karsten Nohl** | https://www.youtube.com/watch?v=GeCkO0fWWqc
| **Pentesting iOS Applications - Pentester Academy - Paid Course** - This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques. | http://www.pentesteracademy.com/course?id=2
#### End Cull
### General


Draft/Basic Security Information.md (+16, -1)

@ -28,7 +28,7 @@ These are links to basic technically links or things I feel might help someone
### Metasploit
| Title | Link
| -------- | --------- |
| Introduction To Metasploit The Basics | http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/ |
| Introduction To Metasploit – The Basics | http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/ |
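Review bot: the only change in this hunk swaps the ASCII hyphen in the Metasploit row title for an en dash; the other link titles touched by this commit use a plain hyphen, so keep `-` here unless the en dash is deliberate, otherwise this is a one-character noise change.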
@ -38,3 +38,18 @@ These are links to basic technically links or things I feel might help someone
| Shodan Man page | http://www.shodanhq.com/help |
| Shodan Filter Reference | http://www.shodanhq.com/help/filters |
| Shodan FAQ | http://www.shodanhq.com/help/faq |
### I'll sort later
[304 Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
[100 OWASP Top 10 Hacking Web Applications with Burp Suite Chad Furman](https://www.youtube.com/watch?v=2p6twRRXK_o)
[213 How not to Infosec Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ)
[So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
[How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
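Review bot: the three conference-talk titles in the new `I'll sort later` section start with playlist track numbers (`304`, `100`, `213`) that mean nothing outside the source playlist; drop the prefixes. The heading itself is a placeholder, so consider filing these under the existing headings (the Burp talk under web, the red-team talk alongside the other intro material) rather than committing the TODO heading.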

Draft/Building A Pentest Lab.md (+18, -6)

@ -12,16 +12,12 @@
### General
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
[Pentest Environment Deployer](https://github.com/Sliim/pentest-env)
* This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
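Review bot: typo in the first link title of this hunk: `Install AD DS using Powerhsell` should read `PowerShell`.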
@ -70,6 +66,22 @@
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
[Setting Up a Pentest/Hacking Lab with Hyper-V](http://cyberthreathunt.com/2017/04/01/setting-up-a-pentest-lab-with-hyper-v/)
[Windows Server 2016: Build a Windows Domain Lab at Home for Free](https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download)
* Microsoft Technet tutorial
[Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html)
[Building A Lab on AWS - 0x1 SethSec](https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html)
[Building an Effective Active Directory Lab Environment for Testing](https://adsecurity.org/?p=2653)
[Hack Yourself: Building a Test Lab - David Boyd](https://www.youtube.com/watch?v=rgdX-hn0xXU)
[Hack-Yourself: Building a pentesting lab for fun & profit](https://www.slideshare.net/DavidBoydCISSP/hack-yourself-building-a-pentesting-lab-for-fun-and-profit)
[Setting up a Windows Lab Environment](http://thehackerplaybook.com/Windows_Domain.htm)
http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/
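Review bot: the last entry (`http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/`) is a bare URL with no title, unlike every other line in this hunk; give it the `[title](url)` form. The two SethSec posts are also listed out of order (`0x2` on premises before `0x1` on AWS); swap them so the series reads in sequence.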


Draft/CTFs & Wargames -.md (+7, -7)

@ -1,6 +1,6 @@
##CTFs & Wargames
## CTFs & Wargames
#####TOC
##### TOC
[General](#general(
[Wargames](#wargames)
[Vulnerable VMs](#vulnvm)
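Review bot: the TOC entry `[General](#general(` closes the link target with `(` instead of `)`, so it will not render as a link; change it to `[General](#general)` while the heading spacing is being fixed in this file.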
@ -28,7 +28,7 @@ root-me
###<a name="general">General</a>
### <a name="general">General</a>
[ctf-time](https://ctftime.org/)
[Suggestions on Running a CTF](https://github.com/pwning/docs/blob/master/suggestions-for-running-a-ctf.markdown)
@ -49,7 +49,7 @@ root-me
###<a name="wargames">Wargames</a>
### <a name="wargames">Wargames</a>
[Ringzer0 team CTF](http://ringzer0team.com/)
Description: RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills thru hacking challenge. Register and get a flag for every challenges.
@ -76,7 +76,7 @@ Making/Hosting your own CTF
###<a name="vulnvm">Vulnerable Virtual Machines</a>
### <a name="vulnvm">Vulnerable Virtual Machines</a>
[Vulnhub](Https://www.Vulnhub.com)
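Review bot: the Vulnhub link is written as `Https://www.Vulnhub.com`; scheme and host are case-insensitive so it works, but the mixed case reads as a typo and should be `https://www.vulnhub.com`.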
@ -88,7 +88,7 @@ Making/Hosting your own CTF
* Generates a 'vulnerable' machine using the end users own setup files & product keys.
###<a name="challenge">Challenge Sites</a>
### <a name="challenge">Challenge Sites</a>
Wechall
* An amazing site. Tracks, lists, scores, various challenge sites. If you’re looking for a challenge or two, and not a wargame, this is the site you want to hit up first.
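Review bot: `Wechall` is the only entry in this hunk with no link, just a name and a description; add the site's URL in the same `[title](url)` form as the other entries.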
@ -115,7 +115,7 @@ Wechall
###<a name="puzzle">One-off Challenges and Puzzles</a>
### <a name="puzzle">One-off Challenges and Puzzles</a>
[Forensics Contest](http://forensicscontest.com/)


Draft/Car Hacking.md (+3, -1)

@ -15,12 +15,14 @@
http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
### End cull
## General
[Awesome Vehicle Security List(github awesome lists)](https://github.com/jaredthecoder/awesome-vehicle-security)
Seriously check this first ---> [Awesome Vehicle Security List(github awesome lists)](https://github.com/jaredthecoder/awesome-vehicle-security)
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58)
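Review bot: the `Seriously check this first --->` prefix turns a link line into a sentence fragment and breaks the one-link-per-line pattern the file uses; a bullet note under the link (e.g. `* Start here.`) keeps the list parseable. The cull entry `http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html` is also a bare URL without a title.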


Draft/Courses & Training -.md (+17, -4)

@ -58,7 +58,7 @@ These classes are all focused on computer/information security. If you're lookin
[Learning How to Learn](https://www.coursera.org/learn/learning-how-to-learn)
* Free Coursera Course
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks”) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks�) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
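Review bot: the replacement line in this hunk turns the closing quote of `(“chunks”)` into a U+FFFD replacement character (`“chunks�`), so the edit makes the text worse than the line it replaces; re-save the file as UTF-8 with the closing `”` intact before merging.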
@ -91,10 +91,18 @@ These classes are all focused on computer/information security. If you're lookin
### Incident Response/Forensics Training
### Incident Response/Forensics/NSM Training
[Android Forensics & Security Testing - OpenSecurityTraining.info](http://opensecuritytraining.info/AndroidForensics.html)
[CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
### Penetration Testing
@ -107,6 +115,8 @@ These classes are all focused on computer/information security. If you're lookin
[FSU Offensive Security 2013](http://www.cs.fsu.edu/~redwood/OffensiveSecurity/)
* Florida State University Offensive Security 2013 Class materials
[HackSplaining](https://www.hacksplaining.com/faq)
* Security training aimed towards developers. Free.
@ -146,7 +156,7 @@ These classes are all focused on computer/information security. If you're lookin
* Linking object files together to create a well-formed binary.
* Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
* How an OS loads a binary into memory and links it on the fly before executing it.
*Along the way we discuss the relevance of security at different stages of a binarys life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
*Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers� duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
[Introduction to Reverse Engineering Software - Dartmouth](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
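Review bot: same encoding fault as the earlier hunk in this file: the new line renders `“packers�` with a replacement character where the old line had `“packers”`; fix the closing quote (the `binary’s` apostrophe correction on the same line is fine and worth keeping).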
@ -190,6 +200,9 @@ These classes are all focused on computer/information security. If you're lookin
[Google Gruyere - Web Application Exploits and Defenses ](http://google-gruyere.appspot.com/)
### Data Science
[CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
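Review bot: `CS 259D Data Mining for Cyber Security` is added under the new `### Data Science` heading here but also appears under the renamed `Incident Response/Forensics/NSM Training` heading earlier in this diff; keep it in one section (Data Science is the better fit for its content).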
@ -205,7 +218,7 @@ These classes are all focused on computer/information security. If you're lookin
[Teaching Evil - Chris Niemira](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t200-teaching-evil-chris-niemira)
[The Distribution of Users Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)


Draft/CryptoCurrencies.md (+1, -1)

@ -14,7 +14,7 @@ Bitcointalk
[The Ether Thief](https://www.bloomberg.com/features/2017-the-ether-thief/)
[Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
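Review bot: the abstract lost its `fi`/`ff` ligatures on paste from the PDF (`effcient`, `rewalls`, `cut-o`, `verifed`); restore `efficient`, `firewalls`, `cut-off` and `verified` so the text is searchable.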

Draft/Data AnalysisVisualization.md (+8, -3)

@ -48,19 +48,20 @@ http://www.pentaho.com/
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
#### End Cull
### Tools
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Data Science Toolkit](https://github.com/petewarden/dstk)
* A collection of the best open data sets and open-source tools for data science, wrapped in an easy-to-use REST/JSON API with command line, Python and Javascript interfaces. Available as a self-contained VM or EC2 AMI that you can deploy yourself.
* [Documentation](http://www.datasciencetoolkit.org/developerdocs)
[*ORA](http://www.casos.cs.cmu.edu/projects/ora/)
* ORA is a dynamic meta-network assessment and analysis tool developed by CASOS at Carnegie Mellon. It contains hundreds of social network, dynamic network metrics, trail metrics, procedures for grouping nodes, identifying local patterns, comparing and contrasting networks, groups, and individuals from a dynamic meta-network perspective. *ORA has been used to examine how networks change through space and time, contains procedures for moving back and forth between trail data (e.g. who was where when) and network data (who is connected to whom, who is connected to where ), and has a variety of geo-spatial network metrics, and change detection techniques. *ORA can handle multi-mode, multi-plex, multi-level networks. It can identify key players, groups and vulnerabilities, model network changes over time, and perform COA analysis. It has been tested with large networks (106 nodes per 5 entity classes).Distance based, algorithmic, and statistical procedures for comparing and contrasting networks are part of this toolkit. Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality” have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the *ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective.
* ORA is a dynamic meta-network assessment and analysis tool developed by CASOS at Carnegie Mellon. It contains hundreds of social network, dynamic network metrics, trail metrics, procedures for grouping nodes, identifying local patterns, comparing and contrasting networks, groups, and individuals from a dynamic meta-network perspective. *ORA has been used to examine how networks change through space and time, contains procedures for moving back and forth between trail data (e.g. who was where when) and network data (who is connected to whom, who is connected to where …), and has a variety of geo-spatial network metrics, and change detection techniques. *ORA can handle multi-mode, multi-plex, multi-level networks. It can identify key players, groups and vulnerabilities, model network changes over time, and perform COA analysis. It has been tested with large networks (106 nodes per 5 entity classes).Distance based, algorithmic, and statistical procedures for comparing and contrasting networks are part of this toolkit. Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality� have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the *ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective.
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
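Review bot: the replacement *ORA description (the second line of the pair) introduces `“criticality�` with a replacement character in place of the closing quote, the same UTF-8 fault seen in the Courses file in this commit; fix it before merge. The `D3’s` apostrophe change is fine.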
@ -89,14 +90,18 @@ Applied Security Visualization: http://www.secviz.org/content/applied-security-v
* The Kismet Log Viewer (KLV) takes Kismet .xml log files and produces a nicely formatted html interface to browse the logs with. KLV has the ability to utilize available GPS information to create links for external maps via the net, and provides the ability for those with Snort to generate a page of Snort output for each specific bssid that has data available. KLV also comes with my Kismet Log Combiner script to help users consolidate multiple .xml and .dump log files.
[plaso](https://github.com/log2timeline/plaso)
* plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
* plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
[huginn](https://github.com/huginn/huginn)
* Create agents that monitor and act on your behalf. Your agents are standing by!
* Huginn is a system for building agents that perform automated tasks for you online. They can read the web, watch for events, and take actions on your behalf. Huginn's Agents create and consume events, propagating them along a directed graph. Think of it as a hackable version of IFTTT or Zapier on your own server. You always know who has your data. You do.
[Norikra](http://norikra.github.io/)
* Norikra is a open source server software provides "Stream Processing" with SQL, written in JRuby, runs on JVM, licensed under GPLv2.
[Fluentd](https://www.fluentd.org/architecture)
* Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
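Review bot: the two plaso lines are byte-for-byte identical in this view, which usually means a Unicode normalization change (precomposed vs. combining `Að`); if that is the only difference, revert it to avoid a noise diff. The Norikra description also reads `is a open source server software provides`; `is an open source server that provides` is what was meant.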


Draft/Defense → Draft/Defense.md (renamed)


Draft/Disclosure -.md (+5, -0)

@ -20,6 +20,11 @@ https://adamcaudill.com/2015/11/19/responsible-disclosure-is-wrong/
* Recommended reading.
[Request a CVE ID](http://cve.mitre.org/cve/request_id.html#cna_coverage)
[My first CVE-2016-1000329 in BlogPHP](https://www.stevencampbell.info/2016/12/my-first-cve-2016-1000329-in-blogphp/)
###Dealing with the press/journalists:
[Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
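Review bot: `###Dealing with the press/journalists:` lacks the space after `###` that this same commit adds to the CTF file's headings, so CommonMark renderers will show it as literal text; write `### Dealing with the press/journalists`.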


Draft/Documentation & Reports -.md (+4, -0)

@ -22,6 +22,7 @@
### <a name="writing">Writing</a>
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
@ -99,6 +100,9 @@ Three parter from jacobian.org:
[Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
[vim-wordy](https://github.com/reedes/vim-wordy/blob/master/README.markdown)
* wordy is not a grammar checker. Nor is it a guide to proper word usage. Rather, wordy is a lightweight tool to assist you in identifying those words and phrases known for their history of misuse, abuse, and overuse, at least according to usage experts.
### <a name="collab">Penetration Testing &/ Collaboration Tools</a>


Draft/Embedded Device & Hardware Hacking -.md (+14, -0)

@ -37,7 +37,21 @@ http://www.sp3ctr3.me/hardware-security-resources/
http://greatscottgadgets.com/infiltrate2013/
[ThunderGate](http://thundergate.io/)
* ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
[ISO/IEC 7816](https://en.wikipedia.org/wiki/ISO/IEC_7816)
[ISO/IEC 15693](https://en.wikipedia.org/wiki/ISO/IEC_15693)
[ISO/IEC 14443](https://en.wikipedia.org/wiki/ISO/IEC_14443)
[Attacks via physical access to USB (DMA…?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma)
[Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
[Ian Douglas - Creating an Internet of Private Things](https://www.youtube.com/watch?v=4W8SkujOXi4&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=8)
* The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken in to account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
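Review bot: the Ian Douglas YouTube link embeds playlist state (`&list=PLuUtc...&index=8`); trim it to the bare `watch?v=` URL so the link does not depend on the playlist's ordering. The three ISO/IEC links are bare Wikipedia pointers; a one-line note each (7816 contact smart cards, 14443 proximity cards, 15693 vicinity cards) would tell a reader why they sit in a hardware-hacking list.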


Draft/Exploit Development.md (+25, -0)

@ -93,6 +93,31 @@ Corelan Exploit Series
[MS17-010](https://github.com/worawit/MS17-010)
* Add use-after-free section
[ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
[gdbgui](https://github.com/cs01/gdbgui)
* A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser.
[I-know-where-your-page-lives](https://github.com/IOActive/I-know-where-your-page-lives)
* I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
[Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn2/)
[Sigreturn Oriented Programming is a real Threat](https://subs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf)
* Abstract: This paper shows that Sigreturn Oriented Programming (SROP), which consists of using calls to sigreturn to execute arbitrary code, is a pow erful method for the de velopment of exploits. This is demonstrated by developing two different kinds of SROP based exploits, one asterisk exploit which was already portrayed in the paper presenting SROP, and one novel exploit for a recently disclosed bug inthe DNS address resolution of the default GNUC library. Taking advantage of the fact, that these exploits have very few dependencies on the program being exploited, a library is implemented to automate wide parts of SROP exploit creation. This highlights the potential of SROP in respect to reusable and portable exploit code which strongly supports the conclusion of the original paper: SROP is areal threat!
[Playing with signals : An overview on Sigreturn Oriented Programming](https://thisissecurity.net/2015/01/03/playing-with-signals-an-overview-on-sigreturn-oriented-programming/)
[SROP | Signals, you say?](https://0x00sec.org/t/srop-signals-you-say/2890)
[EnglishmansDentist Exploit Analysis](https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/)
[Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)
#### end sort
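Review bot: the bullet `* Add use-after-free section` sits directly under the MS17-010 link and reads as that repo's description; it is a TODO and belongs outside the list. The SROP abstract was pasted with broken spacing (`pow erful`, `de velopment`, `inthe`, `GNUC`, `areal`); fix to `powerful`, `development`, `in the`, `GNU C`, `a real`.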


Draft/Forensics Incident Response.md (+13, -8)

@ -31,11 +31,10 @@ Forensics wiki
Yelp/Github - OSX Collector - Mass style forensics/management
[Know your Windows' Processes](https://sysforensics.org/2014/01/know-your-windows-processes.html)
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[THE CIDER PRESS:EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY](https://www.sans.org/summit-archives/file/summit-archive-1498146226.pdf)
#### End Cull
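Review bot: the `hackingexposedcomputerforensicsblog.blogspot.com/...on_21.html)` entry appears twice in this hunk, has no scheme, no link title, and ends with a stray `)`; it looks like a `[title](http://...)` line whose opening half was lost. Restore one copy in link form and drop the other.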
@ -67,6 +66,9 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
### General
[IRM (Incident Response Methodologies)](https://github.com/certsocietegenerale/IRM)
* CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields in which a CERT team can be involved. One IRM exists for each security incident we're used to dealing with.
[Introduction to DFIR](https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/)
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
@ -334,10 +336,7 @@ Ghiro
### <a name="linux">Linux Forensics</a>
[Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
### <a name="windows">Windows Forensics</a>
@ -346,6 +345,9 @@ Ghiro
[How to parse Windows Eventlog](http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/)
[Know your Windows' Processes](https://sysforensics.org/2014/01/know-your-windows-processes.html)
@ -358,6 +360,8 @@ database of Microsoft Active Directory (NTDS.DIT).
[Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
[Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
[HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
@ -405,7 +409,8 @@ What are the changes done on an AD between two points in time ?
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
[PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
### <a name="osx">OS X Forensics Tools</a>


Draft/Game Hacking.md (+12, -0)

@ -12,6 +12,16 @@
#### Sort
http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce
#### End Sort
#### Writeups
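Review bot: the single entry under `#### Sort` is a bare URL; give it a `[title](url)` form like the entries in the Writeups section below it.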
@ -19,6 +29,8 @@
[Reverse Engineering Strike Commander](http://fabiensanglard.net/reverse_engineering_strike_commander/index.php)
[Remote Code Execution In Source Games](https://oneupsecurity.com/research/remote-code-execution-in-source-games?t=r)
### Console Hacking
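Review bot: the oneupsecurity URL carries a `?t=r` tracking parameter; strip it so the link is the canonical article URL.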


Draft/Honeypots -.md (+5, -0)

@ -21,6 +21,11 @@ http://www.cuckoosandbox.org/
http://highaltitudehacks.com/2013/06/15/ghost-usb-honeypot-part-2-installing-and-running-the-honeypot/
[honeyLambda](https://github.com/0x4D31/honeyLambda)
* a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway
[Masarah Paquet-Clouston & Olivier Bilodeau - Attacking Linux Moose Unraveled an Ego Market](https://www.youtube.com/watch?v=8c8C5cHbRU0&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=2)
#### End Cull
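Review bot: the highaltitudehacks entry is a bare URL with no title, and the Paquet-Clouston / Bilodeau YouTube link embeds playlist state (`&list=...&index=2`); trim the latter to the `watch?v=` form and give the former a title.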


Draft/Interesting Things Useful stuff.md (+39, -42)

@ -40,6 +40,27 @@ http://spth.virii.lu/articles.htm
[303 Hacks Lies Nation States Mario DiNatale](https://www.youtube.com/watch?v=nyh_ORq1Qwk)
[Richard Thieme - The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
[recap](https://github.com/rackerlabs/recap)
* recap is a reporting script that generates reports of various information about the server.
[Paul Rascagneres - Modern Reconnaissance Phase by APT – Protection Layer](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
[BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)](https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html)
[New cache architecture on Intel I9 and Skylake server: An initial assessment](https://cyber.wtf/2017/07/18/new-cache-architecture-on-intel-i9-and-skylake-server-an-initial-assessment/)
[301 The Road to Hiring is Paved in Good Intentions Tim OBrien](https://www.youtube.com/watch?v=sdkf8SIj1rU)
[Ermahgerd: Lawrs - Robert Heverly - Anycon17](http://www.irongeek.com/i.php?page=videos/anycon2017/305-ermahgerd-lawrs-prof-robert-heverly)
* When do you ? and other coders, hackers, developers, and tinkerers ? think or worry about the law? If your answer is, ?Not very often,? then this talk is for you. We all need to think about the law. And it?s not just privacy, or computer fraud, or even anti-circumvention law, that we should think about. We need to think about law as a whole and how it can help us do or stop us from doing what we want to do. This talk will start with a broad overview of the ways in which we implicate law when we do what we do, and then will focus on what that means for us and the broader implications that can arise from our various activities. Do you think the law would stop you from doing what you want to do or punish you for doing it? It might, but it also might not. If you think it does, do you think you should be able to do what you want to do? If you do, then we need to hack the law, and to do that we?ll need to talk to the legal coders, those writers of our cultural software. This talk will tackle not only law and working with code, but also why it matters for us to be aware of the law and engaged in improving it.
[QR Code interesting](http://datagenetics.com/blog/november12013/index.html)
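Review bot: the Heverly abstract is mis-encoded: `When do you ? and other coders`, `?Not very often,?`, `it?s` and `we?ll` show `?` where dashes, quotation marks and apostrophes were, so the pasted text should be re-copied or the characters repaired before merging. Two smaller points: the second paragraph of the Thieme description (`Philip K. Dick said, ...`) starts without a `* ` bullet, so it renders as a continuation of the previous bullet rather than a separate one, and `[QR Code interesting]` is a placeholder title; the URL is a DataGenetics post, so a descriptive title would serve readers better.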
@ -49,28 +70,24 @@ http://spth.virii.lu/articles.htm
[IA Guidance - NSA](https://www.iad.gov/iad/library/ia-guidance/index.cfm)
[Paste-Scraper](https://github.com/KernelEquinox/Paste-Scraper)
[Wayback scraper](https://github.com/abrenaut/waybackscraper)
[LeakedSource.ru](https://leakedsource.ru/)
[Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* Wiki to collect Red Team infrastructure hardening resources
* Accompanying Presentation: [Doomsday Preppers: Fortifying Your Red Team Infrastructure](https://speakerdeck.com/rvrsh3ll/doomsday-preppers-fortifying-your-red-team-infrastructure)
[How to Build a 404 page not found C2](https://www.blackhillsinfosec.com/?p=5134)
[404 File not found C2 PoC](https://github.com/theG3ist/404)
[Hiding Malicious Traffic Under the HTTP 404 Error](https://blog.fortinet.com/2015/04/09/hiding-malicious-traffic-under-the-http-404-error)
#### End Sort
## Attribution
### Attribution
[Cyber Attack Attribution Report](http://whohackedus.com/)
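Review bot: `## Attribution` is immediately followed by `### Attribution`, a duplicate heading at two levels; keep one. The Paste-Scraper and Wayback scraper entries also appear in this file's later hunk (`@ -358,9 +350,12 @@`), and the Red Team Infrastructure Wiki entry with its accompanying-presentation sub-bullet is reproduced verbatim in the new Draft/Red-Teaming.md; if these are being moved rather than copied, confirm that only one copy of each remains after this commit.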
@ -122,6 +139,11 @@ http://www.securitywizardry.com/radar.htm
[The S stands for Simple](http://harmful.cat-v.org/software/xml/soap/simple)
* Satire(Only it's not) of a conversation about SOAP
[List of disposable email domains](https://github.com/martenson/disposable-email-domains)
#### Tamper Evidence
@ -179,36 +201,6 @@ http://www.securitywizardry.com/radar.htm
### Pentesting Talks/Stuff
[Penetration Testing considered Harmful Today](http://blog.thinkst.com/p/penetration-testing-considered-harmful.html)
[Make It Count Progressing through Pentesting - Bálint Varga-Perke -Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
[stupid_malware](https://github.com/andrew-morris/stupid_malware)
* Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities/large amounts of publicly vulnerable systems can exist without public recognition for long periods of time. (i.e. CVEs(10.0) exist, but no mapping in nessus/metasploit/etc)
[Looping Surveillance Cameras through Live Editing - Van Albert and Banks - Defcon23](https://www.youtube.com/watch?v=RoOqznZUClI)
* This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
* We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
[#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI](https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)
### Interesting Talks/Videos
[Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S. - Charlie MIller](https://www.youtube.com/watch?v=4up0yTGlpaU)
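Review bot: the Looping Surveillance Cameras entry, including both description paragraphs, is duplicated word for word in the new Draft/Red-Teaming.md in this same commit; since this hunk removes far more lines than it adds (`@ -179,36 +201,6 @@`), it looks like a move, so verify the copy here is actually deleted rather than retained in both files. The `#OLEOutlook` entry is the only one in this block without a description bullet.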
@ -358,9 +350,12 @@ http://www.securitywizardry.com/radar.htm
[SniffJoke](https://github.com/vecna/sniffjoke)
* SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifyng and inject fake packets inside your transmission, make them almost impossible to be correctly readed by a passive wiretapping technology (IDS or sniffer)
[wikiteam](https://github.com/WikiTeam/wikiteam)
* Tools for downloading and preserving wikis
[Paste-Scraper](https://github.com/KernelEquinox/Paste-Scraper)
[Wayback scraper](https://github.com/abrenaut/waybackscraper)
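Review bot: the SniffJoke description has several spelling and grammar errors (`handle transparently your TCP connection`, `modifyng`, `readed`); if it is pasted from the project README, mark it as a quote, otherwise correct it. Paste-Scraper and Wayback scraper here duplicate the same two entries in the `@ -49,28 +70,24 @@` hunk earlier in this file; keep a single copy.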
@ -438,9 +433,9 @@ Underhanded C
[Docker: Not Even a Linker](http://adamierymenko.com/docker-not-even-a-linker/)
[VBScript Injection via GNOME Thumbnailer - On Linux](http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html)
[Locking Your Registry Keys for Fun and, Well, Just Fun I Guess](https://tyranidslair.blogspot.co.uk/2017/07/locking-your-registry-keys-for-fun-and.html)
@ -512,6 +507,8 @@ Underhanded C
### Interesting Articles
### sites


+ 2
- 0
Draft/Lockpicking -.md View File

@ -12,6 +12,7 @@ http://www.keypicking.com/
###Introduction
[Wikipedia on Lockpicking](https://en.wikipedia.org/wiki/Lock_picking)
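Review bot: `###Introduction` has no space after the hashes, and CommonMark renderers (GitHub's included) do not treat it as a heading, so it renders as literal text; change it to `### Introduction`.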
@ -42,6 +43,7 @@ http://www.keypicking.com/
[CIA Lock Picking [Field Operative Training Manual]](https://archive.org/details/pdfy-eGBVTYko5TUI5P_B)
[Lock Picking Course - LockLab](https://lock-lab.com/locklab-university/lock-picking-course-2/)
###Videos/Talks
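Review bot: same heading problem here: `###Videos/Talks` needs a space after the hashes (`### Videos/Talks`) to be parsed as a heading by CommonMark renderers.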


+ 13
- 1
Draft/Malware.md View File

@ -28,12 +28,24 @@ https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
[malboxes](https://github.com/GoSecure/malboxes)
* Builds malware analysis Windows VMs so that you don't have to.
f* Builds malware analysis Windows VMs so that you don't have to.
[PlugBot-C2C](https://github.com/redteamsecurity/PlugBot-C2C)
* This is the Command & Control component of the PlugBot project
[hiddentear](https://github.com/goliate/hidden-tear)
* It's a ransomware-like file crypter sample which can be modified for specific purposes.
https://brycampbell.co.uk/new-blog/
https://archive.is/Nol3S
[Hiding in Plain Sight: Advances in malware covert communication channels - BH2015 Pierre-Marc Bureau, Christian Dietrich](https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels-wp.pdf)
[rVMI - A New Paradigm For Full System Analysis](https://github.com/fireeye/rvmi)
* rVMI is a debugger on steroids. It leverages Virtual Machine Introspection (VMI) and memory forensics to provide full system analysis. This means that an analyst can inspect userspace processes, kernel drivers, and preboot environments in a single tool. It was specifially designed for interactive dynamic malware analysis. rVMI isolates itself from the malware by placing its interactive debugging environment out of the virtual machine (VM) onto the hypervisor-level. Through the use of VMI the analyst still has full control of the VM, which allows her to pause the VM at any point in time and to use typical debugging features such as breakpoints and watchpoints. In addtion, rVMI provides access to the entire Rekall feature set, which enables an analyst to inspect the kernel and its data structures with ease.
##### END Sort
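Review bot: the line `f* Builds malware analysis Windows VMs so that you don't have to.` is a stray keystroke plus a duplicate of the malboxes bullet immediately above it; delete it. The rVMI description also carries two typos (`specifially`, `addtion`) that are worth fixing while it is being added.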


+ 13
- 3
Draft/Network Attacks & Defenses.md View File

@ -31,8 +31,12 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://tools.ietf.org/html/rfc2827)
[gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
[bluebox-ng](https://github.com/jesusprubio/bluebox-ng)
* Pentesting framework using Node.js powers, focused in VoIP.
[SIMPLYEMAIL](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
##### sort end
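Review bot: gateway-finder is added twice in this file, here and again in the `@ -349,9 +354,14 @@` hunk, with the identical description; keep one. The SIMPLYEMAIL description is a first-person passage from the project README (`Which I felt was desperately needed after building my first module for theHarvester`) and should be quoted as such or paraphrased in the list's own voice; the same project is listed as SimplyEmail in Draft/Open Source Intelligence.md in this commit, so the two names should match.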
@ -234,6 +238,7 @@ when directory browsing is turned off.
### MitM Tools
[Ettercap](https://ettercap.github.io/ettercap/)
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
@ -349,9 +354,14 @@ EIGRP and OSPF).
[a](https://github.com/fmtn/a)
* ActiveMQ CLI testing and message management
[dns-parallel-prober](https://github.com/lorenzog/dns-parallel-prober)
* This script is a proof of concept for a parallelised domain name prober. It creates a queue of threads and tasks each one to probe a sub-domain of the given root domain. At every iteration step each dead thread is removed and the queue is replenished as necessary.
[gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
[enumall](https://github.com/Dhayalan96/enumall)
* Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scarping, netcraft, and bruteforces to find subdomains. Plus resolves to IP.
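Review bot: this is the second copy of the gateway-finder entry in this file (the first is in the `@ -31,8 +31,12 @@` hunk); drop one of them. `scarping` in the enumall description should be `scraping`.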


+ 32
- 0
Draft/Network Security Monitoring & Logging.md View File

@ -32,6 +32,9 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
#### End Cull
@ -277,7 +280,36 @@ losing the essense in the DNS answer.
[Spotting the Adversary with Windows Event Log Monitoring - NSA](https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf)
[Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs, and a Traditional Monitoring Tool](https://www.sans.org/reading-room/whitepapers/critical/uncovering-indicators-compromise-ioc-powershell-event-logs-traditional-monitoring-tool-36352)
[Advanced Security Audit Policy Settings](https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx)
[Sysinternals Sysmon unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/)
[Advanced Security Audit Policy Settings(Windows)](https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx)
[SysInternals: SysMon Unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/)
[Windows Event Collector(For centralizing windows domain logging with no local agent, windows actually has built-in logging freely available)](https://msdn.microsoft.com/en-us/library/bb427443(v=vs.85).aspx)
[Windows event Collector - Setting up source initiated Subscriptions](https://msdn.microsoft.com/en-us/library/bb870973(v=vs.85).aspx)
[Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection)
[GetInjectedThreads.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Looks for threads that were created as a result of code injection.
[Sysmon - The Best Free Windows Monitoring Tool You Aren't Using](http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/)
[check_ioc](https://github.com/oneoffdallas/check_ioc)
* Check_ioc is a script to check for various, selectable indicators of compromise on Windows systems via PowerShell and Event Logs. It was primarily written to be run on a schedule from a monitoring engine such as Nagios, however, it may also be run from a command-line (for incident response).
[Greater Visibility Through PowerShell Logging](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
[block-parser](https://github.com/matthewdunwoody/block-parser)
* Parser for Windows PowerShell script block logs
[Revoke -­ Obfuscation: PowerShell Obfuscation Detection Using Science](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf)
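Review bot: two links are duplicated with only their titles differing: `Advanced Security Audit Policy Settings` and `Advanced Security Audit Policy Settings(Windows)` both point at technet `dn319056`, and `Sysinternals Sysmon unleashed` and `SysInternals: SysMon Unleashed` both point at the same blogs.technet.microsoft.com post; keep one of each. The Revoke-Obfuscation link text contains a stray non-ASCII character after the hyphen (`Revoke -­ Obfuscation`), which looks like a soft hyphen; the title should read `Revoke-Obfuscation`.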


+ 29
- 39
Draft/Open Source Intelligence.md View File

@ -16,39 +16,17 @@ http://computercrimeinfo.com/cleaningid.html
[OSINT - onstrat](http://www.onstrat.com/osint/)
[Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
http://toddington.com/resources/
www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
[Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
[Corporate Espionage without the Hassle of Committing Felonies](https://www.slideshare.net/JohnCABambenek/corporate-espionage-without-the-hassle-of-committing-felonies)
[How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](https://www.youtube.com/watch?v=BOjz7NfsLpA)
#### End cull
### General
[Open Source Intelligence](http://en.wikipedia.org/wiki/Open-source_intelligence)
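Review bot: `www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\` has no scheme and a trailing backslash, so it will not render as a link and the backslash becomes part of the URL wherever it is auto-linked; add `http://` and drop the backslash. `Fantastic OSINT and where to find it` appears twice in this hunk and again in the next one, and the PowerMeta entry is repeated twice more in the `@ -208,8 +172,34 @@` hunk; since this hunk removes 39 lines and adds 17 it may be consolidating these, but confirm that exactly one copy of each survives.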
@ -61,16 +39,11 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[Email Reconnaissance and Phishing Template Generation Made Simple](https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/)
[OSINT Resources - greynetwork2](https://sites.google.com/site/greynetwork2/home/osint-resources)
[Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
[Corporate Espionage without the Hassle of Committing Felonies](https://www.slideshare.net/JohnCABambenek/corporate-espionage-without-the-hassle-of-committing-felonies)
@ -93,15 +66,6 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
### Presentations & Talks
[Pwning People Personally - Josh Schwartz](https://www.youtube.com/watch?v=T2Ha-ZLZTz0)
@ -118,7 +82,7 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
[How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](https://www.youtube.com/watch?v=BOjz7NfsLpA)
@ -208,8 +172,34 @@ A tool to perform various OSINT techniques, aggregate all the raw data, and give
[OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
[XRAY](https://github.com/evilsocket/xray)
* XRay is a tool for recon, mapping and OSINT gathering from public networks.
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
[tweets_analyzer](https://github.com/x0rz/tweets_analyzer)
* Tweets metadata scraper & activity analyzer
[Truffle Hog](https://github.com/dxa4481/truffleHog)
* Searches through git repositories for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed that contain high entropy.
[SimplyEmail](https://github.com/killswitch-GUI/SimplyEmail)
* Email recon made fast and easy, with a framework to build on
[GitPrey](https://github.com/repoog/GitPrey)
* GitPrey is a tool for searching sensitive information or data according to company name or key word something.The design mind is from searching sensitive data leakling in Github:
[linkedin](https://github.com/eracle/linkedin)
* Linkedin Scraper using Selenium Web Driver, Firefox 45, Ubuntu and Scrapy
[repo-supervisor](https://github.com/auth0/repo-supervisor)
[git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
* A tool to capture all the git secrets by leveraging multiple open source git searching tools
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
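Review bot: PowerMeta is added twice inside this single hunk, once after the XRAY entry and once at the end, with the same description; delete one. The GitPrey description is garbled (`leakling`, `key word something`, and a colon with nothing after it); rewrite it in one sentence saying it searches GitHub for sensitive data by company name or keyword. The `repo-supervisor` entry has no description while everything around it does.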


+ 5
- 1
Draft/Password Bruting and Hashcracking.md View File

@ -27,7 +27,6 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
* Wordlists sorted by popularity originally created for password generation and testing
### End cull
@ -162,6 +161,11 @@ Hashcat attacks
[Firefox password cracker](https://github.com/pradeep1288/ffpasscracker)
[Cracklord](https://github.com/jmmcatee/cracklord)
* CrackLord is a system designed to provide a scalable, pluggable, and distributed system for both password cracking as well as any other jobs needing lots of computing resources. Better said, CrackLord is a way to load balance the resources, such as CPU, GPU, Network, etc. from multiple hardware systems into a single queueing service across two primary services: the Resource and Queue. It won't make these tasks faster, but it will make it easier to manage them.
[Dagon](https://github.com/Ekultek/Dagon)
* Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.


+ 8
- 1
Draft/Phishing.md View File

@ -15,6 +15,7 @@ TOC
###Cull
#### End cull
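Review bot: `###Cull` lacks the space after the hashes that CommonMark requires for a heading, and its closing `#### End cull` is one level deeper; use `### Cull` and `### End cull` (or `####` for both) so the pair matches.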
@ -48,6 +49,11 @@ TOC
[sptoolkit-rebirth](https://github.com/simplephishingtoolkit/sptoolkit-rebirth)
* sptoolkit hasn't been actively developed for two years. As it stands, it's a brilliant peice of software, and the original developers are pretty damn awesome for creating it. But we'd like to go further, and bring sptoolkit up to date. We've tried contacting the developers, but to no avail. We're taking matters into our own hands now.
[KingPhisher](https://github.com/securestate/king-phisher)
* King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.
### Tools
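Review bot: the sptoolkit-rebirth description is pasted from that project's README in the maintainers' own voice (`We're taking matters into our own hands now`) and carries the typo `peice`; a one-line paraphrase (an actively maintained fork of sptoolkit) would fit the list better. The `KingPhisher` link text should match the project name used in its own description, King Phisher.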
@ -58,7 +64,8 @@ TOC
* Tools for harvesting email addresses for phishing attacks
* [Email Address Harvesting for Phishing](http://www.shortbus.ninja/email-address-harvesting-for-phishing-attacks/)
[SimplyTemplate](https://github.com/killswitch-GUI/SimplyTemplate)
* Phishing Template Generation Made Easy. The goal of this project was to hopefully speed up Phishing Template Gen as well as an easy way to ensure accuracy of your templates. Currently my standard Method of delivering emails is the Spear Phish in Cobalt strike so you will see proper settings for that by default.
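Review bot: the SimplyTemplate description is the author's first-person README text (`Currently my standard Method of delivering emails is the Spear Phish in Cobalt strike`), which reads oddly in a curated list; either quote it or paraphrase it to say it generates phishing email templates and ships defaults aimed at Cobalt Strike's spear-phish feature.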


+ 34
- 2
Draft/Phyiscal Security.md View File

@ -1,4 +1,36 @@
##Physical Security
# Physical Security
### ToC
#### Sort
http://www.irongeek.com/i.php?page=videos/derbycon4/t540-physical-security-from-locks-to-dox-jess-hires
#### End Sort
### General
### Articles/Blogposts
[Physical Security - Centre for the Protection of National Infrastructure - UK](https://www.cpni.gov.uk/physical-security)
### Videos/Talks
[Physical Penetration Testing You Keep a Knockin But You Cant Come In Phil Grime](https://www.youtube.com/watch?v=_0gz_iWoMT0)
### Tools
### Papers
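Review bot: the new skeleton has a `### ToC` heading with no entries under it and `### General`, `### Tools` and `### Papers` sections with nothing in them; either add the ToC list (Draft/Red-Teaming.md in this commit uses `* Section` bullets) or leave the empty headings out until there is content. The irongeek Jess Hires talk is placed under `#### Sort` here and also appears as the context line of the next hunk (`@ -11,7 +43,7 @@`), so it now occurs twice in the file; keep one. Replacing `##Physical Security` with `# Physical Security` is right, since the old form had no space after the hashes and did not render as a heading.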
@ -11,7 +43,7 @@
http://www.irongeek.com/i.php?page=videos/derbycon4/t540-physical-security-from-locks-to-dox-jess-hires


+ 64
- 1
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -41,6 +41,69 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Mimikatz Logs and Netcat](http://blackpentesters.blogspot.com/2013/12/mimikatz-logs-and-netcat.html?m=1)
[Invoke-ProcessScan](https://github.com/vysec/Invoke-ProcessScan)
* Gives context to a system. Uses EQGRP shadow broker leaked list to give some descriptions to processes.
[ElevateKit](https://github.com/rsmudge/ElevateKit)
* The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload.
[WMIcmd](https://github.com/nccgroup/WMIcmd)
* A command shell wrapper using only WMI for Microsoft Windows
[mimipenguin](https://github.com/huntergregal/mimipenguin)
* A tool to dump the login password from the current linux user
[BrowserGatherer](https://github.com/sekirkity/BrowserGather)
* Fileless Extraction of Sensitive Browser Information with PowerShell
[wePWNise](https://github.com/mwrlabs/wePWNise)
* WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software
[rattler](https://github.com/sensepost/rattler)
* Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.
[Brosec](https://github.com/gabemarshall/Brosec)
* Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
[Application Whitelist Bypass Techniques](https://github.com/subTee/ApplicationWhitelistBypassTechniques)
* A Catalog of Application Whitelisting Bypass Techniques - SubTee
[injectAllTheThings](https://github.com/fdiskyou/injectAllTheThings)
* Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
[Find AD users with empty password using PowerShell](https://4sysops.com/archives/find-ad-users-with-empty-password-passwd_notreqd-flag-using-powershell/)
[PSReflect](https://github.com/mattifestation/PSReflect)
* Easily define in-memory enums, structs, and Win32 functions in PowerShell
[Pulling Back the Curtains on EncodedCommand PowerShell Attacks](https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/)
[quarkspwdump](https://github.com/quarkslab/quarkspwdump)
* Dump various types of Windows credentials without injecting in any process.
[Bypassing UAC using App Paths](https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/)
[Invoke-DCOM.ps1](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1)
[katz.xml](https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8)
* Downloads Mimikatz From GitHub, Executes Inside of MsBuild.exe
[nps_payload](https://github.com/trustedsec/nps_payload)
* This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources.
[Ruler Pivoting Through Exchange - Etienne Stalmans - TR17](https://www.youtube.com/watch?v=tuc8cwOAAcA)
[Pen Testing Active Directory Series](https://blog.varonis.com/binge-read-pen-testing-active-directory-series/)
[Offensive Active Directory with Powershell](https://www.youtube.com/watch?v=cXWtu-qalSs)
[Hacking SQL Server on Scale with PowerShell - Secure360 2017](https://www.slideshare.net/nullbind/2017-secure360-hacking-sql-server-on-scale-with-powershell)
[EvilAbigail](https://github.com/GDSSecurity/EvilAbigail/blob/master/README.md)
* Initrd encrypted root fs attack
##### end sort
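Review bot: the link text `[BrowserGatherer]` does not match the repository name in its URL (`sekirkity/BrowserGather`); use `BrowserGather`. `[EvilAbigail]` links to the `blob/master/README.md` page rather than the repository root, unlike every other GitHub entry in this hunk, and `[Invoke-DCOM.ps1]`, the Ruler talk and the three Active Directory links near the end have no description bullet while the rest of the hunk does. The `Find AD users with empty password` entry is a PASSWD_NOTREQD audit (per its URL), which is worth saying in a bullet so defenders scanning this list can spot it.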
@ -747,7 +810,7 @@ Startup folder on Win8
[Don't Kill My Cat (DKMC)](https://github.com/Mr-Un1k0d3r/DKMC)
* Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool rely on PowerShell the execute the final shellcode payload.
* [Presentation - Northsec2017](https://www.youtube.com/watch?v=7kNwbXgWdX0&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=9)
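Review bot: the DKMC description has a typo, `rely on PowerShell the execute the final shellcode payload` should read `relies on PowerShell to execute`; if the sentence is a verbatim README quote, mark it as one instead. The presentation sub-bullet's YouTube link carries `&list=...&index=9` playlist parameters that can be trimmed to the bare `watch?v=` form.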


+ 29
- 0
Draft/Programming - Languages Libs Courses References.md View File

@ -23,6 +23,35 @@ Cull
###Cull
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
http://en.cppreference.com/w/c
[Mostly Adequate Guide](https://drboolean.gitbooks.io/mostly-adequate-guide/)
* This is a book on the functional paradigm in general. We'll use the world's most popular functional programming language: JavaScript. Some may feel this is a poor choice as it's against the grain of the current culture which, at the moment, feels predominately imperative.
[PHP: a fractal of bad design](https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/)
[x86 Assembly Crash Course](https://www.youtube.com/watch?v=75gBFiFtAb8)
[Protect Your Java Code - Through Obfuscators and Beyond](https://www.excelsior-usa.com/articles/java-obfuscators.html)
[aslrepl](https://github.com/enferex/asrepl)
* asrepl is an assembly based REPL. The REPL processes each line of user input, the output can be witnessed by issuing the command 'regs' and looking at the register state.
[Perl & Linguistics](http://world.std.com/~swmcd/steven/perl/linguistics.html)
[What makes lisp macros so special - StackOverflow](https://stackoverflow.com/questions/267862/what-makes-lisp-macros-so-special)
[Big picture software testing unit testing, Lean Startup, and everything in between PyCon 2017](https://www.youtube.com/watch?v=Vaq_e7qUA-4&feature=youtu.be&t=63s)
[RailsConf 2015 - Nothing is Something](https://www.youtube.com/watch?v=OMPfEXIlTVE)
[Boundaries - By Gary Bernhardt from SCNA 2012](https://www.destroyallsoftware.com/talks/boundaries)
* This talk is about using simple values (as opposed to complex objects) not just for holding data, but also as the boundaries between components and subsystems. It moves through many topics: functional programming; mutability's relationship to OO; isolated unit testing with and without test doubles; and concurrency, to name some bar. The "Functional Core, Imperative Shell" screencast mentioned at the end is available as part of season 4 of the DAS catalog.
[Big picture software testing unit testing, Lean Startup, and everything in between PyCon 2017](https://www.youtube.com/watch?v=Vaq_e7qUA-4&feature=youtu.be&t=63s)
* There are many ways you can test your software: unit testing, manual testing, end-to-end testing, and so forth. Take a step back and you'll discover even more form of testing, many of them very different in their goals: A/B testing, say, where you see which of two versions of your website results in more signups or ad clicks. How do these forms of testing differ, how do they relate to each other? How do you choose which kind of testing to pursue, given limited time and resources? How do you deal with strongly held yet opposite views arguing either that a particular kind of testing is essential or that it's a waste time? This talk will provide you with a model, a way to organize all forms of testing and understand what exactly they provide, and why. Once you understand the model you will be able to choose the right form of testing for *your* situation and goals.
#### End Cull
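Review bot: the `Big picture software testing ... PyCon 2017` link is added twice in this hunk with the same URL, once bare and once with a description; keep the annotated one. `[aslrepl]` does not match the repository name in its URL and description (`enferex/asrepl`, `asrepl is an assembly based REPL`). `###Cull` also needs a space after the hashes to render as a heading, and `to name some bar` in the Boundaries description reads like a paste error and should be checked against the talk page.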


+ 130
- 0
Draft/Red-Teaming.md View File

@ -0,0 +1,130 @@
# Red Teaming & Explicitly Pen testing stuff
#### ToC
* Sort
* Talks/Videos
* Articles/Blogposts
* Papers
* Tools
### Sort
#### End sort
### General
[Common Ground Part 1: Red Team History & Overview](https://www.sixdub.net/?p=705)
[Red Teaming Tips - Vincent Yiu](https://threatintel.eu/2017/06/03/red-teaming-tips-by-vincent-yiu/)
[Red Team Tips as posted by @vysecurity on Twitter](https://github.com/vysec/RedTips)
[Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* Wiki to collect Red Team infrastructure hardening resources
* Accompanying Presentation: [Doomsday Preppers: Fortifying Your Red Team Infrastructure](https://speakerdeck.com/rvrsh3ll/doomsday-preppers-fortifying-your-red-team-infrastructure)
### Talks/Videos
[Laurent Desaulniers - Stupid RedTeamer Tricks](https://www.youtube.com/watch?v=2g_8oHM0nwA&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=11)
[Dimitry Snezhkov - Abusing Webhooks for Command and Control](https://www.youtube.com/watch?v=1d3QCA2cR8o&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=12)
[Finding Diamonds in the Rough- Parsing for Pentesters](https://bluescreenofjeff.com/2016-07-26-finding-diamonds-in-the-rough-parsing-for-pentesters/)
[Attacking EvilCorp: Anatomy of a Corporate Hack](http://www.irongeek.com/i.php?page=videos/derbycon6/111-attacking-evilcorp-anatomy-of-a-corporate-hack-sean-metcalf-will-schroeder)
[Looping Surveillance Cameras through Live Editing - Van Albert and Banks - Defcon23](https://www.youtube.com/watch?v=RoOqznZUClI)
* This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
* We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
[Richard Thieme - The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
[303 Hacks Lies Nation States Mario DiNatale](https://www.youtube.com/watch?v=nyh_ORq1Qwk)
### Slides
[Make It Count: Progressing through Pentesting - Bálint Varga-Perke -Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
### Articles / Blogposts
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities/large amounts of publicly vulnerable systems can exist without public recognition for long periods of time. (i.e. CVEs(10.0) exist, but no mapping in nessus/metasploit/etc)
[how-to-make-communication-profiles-for-empire](https://github.com/bluscreenofjeff/bluscreenofjeff.github.io/blob/master/_posts/2017-03-01-how-to-make-communication-profiles-for-empire.md)
[Empire – Modifying Server C2 Indicators](http://threatexpress.com/2017/05/empire-modifying-server-c2-indicators/)
[Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
[Hiding Malicious Traffic Under the HTTP 404 Error](https://blog.fortinet.com/2015/04/09/hiding-malicious-traffic-under-the-http-404-error)
[How to Build a 404 page not found C2](https://www.blackhillsinfosec.com/?p=5134)
[404 File not found C2 PoC](https://github.com/theG3ist/404)
[#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI](https://doublepulsar.com/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)
[Penetration Testing considered Harmful Today](http://blog.thinkst.com/p/penetration-testing-considered-harmful.html)
### Papers
[Blocking-resistant communication through domain fronting](https://www.bamsoftware.com/papers/fronting/)
### Tools
[PenTesting-Scripts - killswitch-GUI](https://github.com/killswitch-GUI/PenTesting-Scripts)
[stupid_malware](https://github.com/andrew-morris/stupid_malware)
* Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
##### HW
[DigiDucky - How to setup a Digispark like a rubber ducky](http://www.redteamr.com/2016/08/digiducky/)
[How to Build Your Own Penetration Testing Drop Box - BHIS](https://www.blackhillsinfosec.com/?p=5156&)
###### SW
[FindFrontableDomains](https://github.com/rvrsh3ll/FindFrontableDomains)
* Search for potential frontable domains
[Domain Hunter](https://github.com/minisllc/domainhunter)
* Checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names
[Chameleon](https://github.com/mdsecactivebreach/Chameleon)
* A tool for evading Proxy categorisation
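Review bot: the ToC at the top of the new Red-Teaming.md lists Sort, Talks/Videos, Articles/Blogposts, Papers and Tools, but the body also has General and Slides sections, and the ToC entries are plain text rather than links to the headings, so the index does not match the file it introduces. The two subsections under Tools also use different heading depths (`##### HW` but `###### SW`) for sibling categories; make them the same level. Smaller points: `[Finding Diamonds in the Rough- Parsing for Pentesters]` is a blog post and sits under Talks/Videos; the Empire communication-profiles entry links to the raw markdown in the bluscreenofjeff.github.io repository and uses the URL slug as its title, where the rendered post URL and a real title would serve readers better; and the BHIS drop box URL `?p=5156&` ends in a stray `&`.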

+ 8
- 0
Draft/Reverse Engineering.md View File

@ -31,6 +31,14 @@ To be sorted
### To be sorted
[gdbgui](https://github.com/cs01/gdbgui)
* A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser.
[Reverse Engineering a 433MHz Motorised Blind RF Protocol](https://nickwhyte.com/post/2017/reversing-433mhz-raex-motorised-rf-blinds/)
[PPEE(puppy)](https://www.mzrst.com/#top)
* Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more details. Free and fast.
[Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
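Review bot: `[PPEE(puppy)]` links to `https://www.mzrst.com/#top`, a fragment anchor rather than the product page, and the title is missing a space before the parenthesis; drop the `#top`. The 433MHz motorised blind RF protocol write-up is radio/hardware reversing and would be found more easily in Draft/Embedded Device & Hardware Hacking -.md, which this same commit also touches, than in the general RE to-be-sorted list.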


+ 62
- 0
Draft/SCADA.md View File

@ -0,0 +1,62 @@
## SCADA/Industrial Control Systems
### ToC
#### Sort
#### End Sort
### General
### Articles/Blogposts
### Talks/Presentations
[Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion - Marina Krotofil - Jason Larsen](https://www.youtube.com/watch?v=AL8L76n0Q9w)
* The appeal of hacking a physical process is dreaming about physical damage attacks lighting up the sky in a shower of goodness. Let’s face it, after such elite hacking action nobody is going to let one present it even at a conference like DEF CON. As a poor substitute, this presentation will get as close as using a simulated plant for Vinyl Acetate production for demonstrating a complete attack, from start to end, directed at persistent economic damage to a production site while avoiding attribution of production loss to a cyber-event. Such an attack scenario could be useful to a manufacturer aiming at putting competitors out of business or as a strong argument in an extortion attack. Exploiting physical process is an exotic and hard to develop skill which have so far kept a high barrier to entry. Therefore real-world control system exploitation has remained in the hands of a few. To help the community mastering new skills we have developed „Damn Vulnerable Chemical Process“ – first open source framework for cyber-physical experimentation based on two realistic models of chemical plants. Come to the session and take your first master class on complex physical hacking.
[Industrial Control Systems : Pentesting PLCs 101 (Part 1/2)](https://www.youtube.com/watch?v=iGwm6-lyn2Y)
[Industrial Control Systems : Pentesting PLCs 101 (Part 2/2)](https://www.youtube.com/watch?v=rP_Jys1_OJk)
[ICS Security Assessment Methodology, Tools & Tips](https://www.youtube.com/watch?v=0WoA9SYLDoM)
* Dale Peterson of Digital Bond describes how to perform an ICS / SCADA cyber security assessment in this S4xJapan video. He goes into a lot of detail on the tools and how to use them in the fragile and insecure by design environment that is an ICS. There are also useful tips on when to bother applying security patches (this will likely surprise you), the importance of identifying the impact of a vulnerability, and an efficient risk reduction approach.
### Tools
[python-opcua](https://github.com/FreeOpcUa/python-opcua/blob/master/README.md)
* OPC UA binary protocol implementation is quasi complete and has been tested against many different OPC UA stacks. API offers both a low level interface to send and receive all UA defined structures and high level classes allowing to write a server or a client in a few lines. It is easy to mix high level objects and low level UA calls in one application.
[UaExpert—A Full-Featured OPC UA Client](https://www.unified-automation.com/products/development-tools/uaexpert.html)
* The UaExpert® is a full-featured OPC UA Client demonstrating the capabilities of our C++ OPC UA Client SDK/Toolkit. The UaExpert is designed as a general purpose test client supporting OPC UA features like DataAccess, Alarms & Conditions, Historical Access and calling of UA Methods. The UaExpert is a cross-platform OPC UA test client programmed in C++. It uses the sophisticated GUI library QT form Nokia (formerly Trolltech) forming the basic framework which is extendable by Plugins.
[dyode](https://github.com/arnaudsoullie/dyode)
* A low-cost data diode, aimed at Industrial Control Systems
[GRASSMARLIN](https://github.com/iadgov/GRASSMARLIN)
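Review bot: the GRASSMARLIN entry at the end of the hunk is the only tool without a description line, and General and Articles/Blogposts are empty headings, so the new SCADA.md reads as a stub; give GRASSMARLIN the same one-line summary the other tools have and either fill or drop the empty sections. The top heading is `##` where the other new files in this commit (Red-Teaming.md, Threat-Hunting.md) use `#`. The UaExpert blurb is vendor copy pasted verbatim, including "QT form Nokia"; if it stays, mark it as a quote or trim it to the one sentence that says what the tool is.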

+ 10
- 0
Draft/Social Engineering.md View File

@ -21,6 +21,16 @@ CULL
[How to bypass Web-Proxy Filtering](https://www.blackhillsinfosec.com/?p=5831)
[Malicious Outlook Rules](https://silentbreaksecurity.com/malicious-outlook-rules/)
[EXE-less Malicious Outlook Rules - BHIS](https://www.blackhillsinfosec.com/?p=5544)
["Humans, right?" Soft Skills in Security - Ariel Robinson](http://www.irongeek.com/i.php?page=videos/bsidesnova2017/200-humans-right-soft-skills-in-security-ariel-robinson)
* Let's face it: humans ruin everything. They are almost always the weak link in the information security chain, between their susceptibility to social engineering, rejection of security threats, and sheer laziness. You can make the best security tool in the business, but if a human doesn't use it right, well, you might as well leave your passwords on a sticky note on your-- wait a minute. Yes, humans suck at information security. But we don't make it easy. Infosec is incredibly inaccessible to your average user. Just ask me: I am one. We can't change humans (or get rid of them, no matter how much we might want to), but we can change information security. We can leverage insights from non-technical disciplines such as cognitive science, human-centered design, strategic communications, and psychology. Or we can keep hitting our heads against our desktops. As a professional communicator and bridge builder, help me help you. To make security work, we have to make it easy. For humans.
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
#### end sort
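Review bot: the bare NCBI URL (`PMC3152826`) added just before `#### end sort` has no title or note, so nothing tells a reader what the paper is or why it belongs under Social Engineering, while every other entry in the hunk has a bracketed title. Add a title and a line on its relevance, or hold it in a to-read list until it has one.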


+ 20
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -36,6 +36,17 @@ https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
[windows-operating-system-archaeology](https://github.com/subTee/windows-operating-system-archaeology)
* subTee stuff
[Processes, Threads, and Jobs in the Windows Operating System](https://www.microsoftpressstore.com/articles/article.aspx?p=2233328&seqNum=2)
[Mandatory Integrity Control](https://msdn.microsoft.com/en-gb/library/windows/desktop/bb648648(v=vs.85).aspx)
[Windows Access Control Demystified](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=E1A09F166B29C17D2CD38C70A02576E4?doi=10.1.1.88.1930&rep=rep1&type=pdf)
#### End Sort
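Review bot: the "Windows Access Control Demystified" link embeds a `;jsessionid=...` path parameter captured from a citeseerx browsing session; it is not needed to resolve the paper and will go stale, so strip it and keep only the `doi=10.1.1.88.1930&rep=rep1&type=pdf` query.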
@ -66,6 +77,12 @@ https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-
[WinAPIs for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
[About Atom Tables](https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx)
[GlobalGetAtomName function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms649063(v=vs.85).aspx)
#### Documentation
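Review bot: "About Atom Tables" and "GlobalGetAtomName function" are added with no note, unlike "WinAPIs for Hackers" above them, so a reader will not know why two generic MSDN pages are in this list. A short bullet saying what they are relevant to (the injection-detection entry later in this diff names atom bombing) would make the link set coherent.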
@ -192,6 +209,9 @@ https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-
[Introduction to ADS: Alternate Data Streams](https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/)
[Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing](https://blogs.technet.microsoft.com/mmpc/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/)
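Review bot: the Windows Defender ATP post on process hollowing and atom bombing is a detection write-up; it is a fair reference for the injection techniques here, but Draft/Defense.md (also changed in this commit) or the new Draft/Threat-Hunting.md is where someone looking for detection material will search. Consider cross-listing it there.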


+ 4
- 0
Draft/Threat Modeling.md View File

@ -13,6 +13,10 @@
[ThreatHuntingStuff](https://github.com/MatthewDemaske/ThreatHuntingStuff)
[Adam Shostack - Pentesting: Lessons from Star Wars](https://www.youtube.com/watch?v=BfWWryF8M7E&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=13)
* Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.
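Review bot: `[ThreatHuntingStuff]` on the line above the Shostack talk is a threat hunting resource, not a threat modeling one, and this same commit creates Draft/Threat-Hunting.md; move it there rather than leaving it in Threat Modeling.md. Also the description of the Shostack talk is entirely about threat modeling while the title given is "Pentesting: Lessons from Star Wars"; check the title against the video before it is linked this way.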


+ 60
- 0
Draft/Threat-Hunting.md View File

@ -0,0 +1,60 @@
# Threat Hunting
### ToC
#### Sort
#### End Sort
### General
### Articles/Blogposts
[Windows Log Hunting with PowerShell](http://909research.com/windows-log-hunting-with-powershell/)
[Hunting in Memory](https://www.endgame.com/blog/technical-blog/hunting-memory)
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
[Windows Log Hunting with PowerShell](http://909research.com/windows-log-hunting-with-powershell/)
### Talks/Videos
[Taking Hunting to the Next Level Hunting in Memory - Jared Atkinson 2017](https://www.youtube.com/watch?v=3RUMShnJq_I)
[Taking Hunting to the Next Level Hunting in Memory - Jared Atkinson 2017](https://www.youtube.com/watch?v=3RUMShnJq_I)
### Tools
[Revoke-Obfuscation](https://github.com/danielbohannon/Revoke-Obfuscation)
* Revoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
### Papers
[Revoke -­‐ Obfuscation: PowerShell Obfuscation Detection Using Science](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf)
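Review bot: the new Threat-Hunting.md has two verbatim duplicates: "Windows Log Hunting with PowerShell" appears twice under Articles/Blogposts and "Taking Hunting to the Next Level Hunting in Memory" appears twice under Talks/Videos; keep one of each. The bare `niccs.us-cert.gov` workforce-framework URL has no title and is a career/workforce resource rather than a hunting one, so it belongs in Courses & Training or Basic Security Information. The ToC under the title is empty.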

+ 37
- 4
Draft/UX Design - Because we all know how sexy pgp is.md View File

@ -1,20 +1,53 @@
##UX/UI Design - Because we all know how sexy PGP looks
## UX/UI Design - Because we all know how sexy PGP looks / How easy to use it is.
Required Reading: [The Design of Everyday Things](http://www.jnd.org/books/design-of-everyday-things-revised.html)
* This book is extraordinary not only in the fact that its a crash course on UI/UX design but also for the fact that almost anyone can read it and understand the principles it talks about.
https://en.wikipedia.org/wiki/User_interface_design
#### Sort
http://www.usability.gov/what-and-why/user-interface-design.html
http://ui-patterns.com/
https://dribbble.com/
https://www.uplabs.com/
[CodePen](https://codepen.io/#)
#### End Sort
### General
[User Interface - Wikipedia](https://en.wikipedia.org/wiki/User_interface)
[User Interface Design - Wikipedia](https://en.wikipedia.org/wiki/User_interface_design)
[UI Patterns](http://ui-patterns.com/)
[Principals of User Interface Design](https://en.wikipedia.org/wiki/Principles_of_user_interface_design)
### Books
### Talks & Presentations
[UI Fundamentals for Programmers by Ryan Singer](https://vimeo.com/6702766)
### Articles/Writeups
https://en.wikipedia.org/wiki/Principles_of_user_interface_design
### Websites/Organizations
[Dark Patterns: fighting user deception worldwide](http://darkpatterns.org/)
* A Dark Pattern is a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.
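Review bot: "Principals of User Interface Design" should be "Principles". The hunk also lists the same resources twice: `ui-patterns.com` under Sort and as "UI Patterns" under General, the Wikipedia user_interface_design page as a bare URL after Required Reading and again under General, and principles_of_user_interface_design under General and again as a bare URL under Articles/Writeups; keep the titled entry in each case and drop the bare URL.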


+ 43
- 0
Draft/Web & Browsers.md View File

@ -69,6 +69,49 @@ prompt.ml
Clickjacking attacks
[PowerWebShot](https://github.com/dafthack/PowerWebShot)
* A PowerShell tool for taking screenshots of multiple web servers quickly.
[BurpSmartBuster](https://github.com/pathetiq/BurpSmartBuster)
* A Burp Suite content discovery plugin that add the smart into the Buster!
[Java Deserialization Exploits](https://github.com/CoalfireLabs/java_deserialization_exploits)
* A collection of Java Deserialization Exploits
[Critical vulnerabilities in JSON Web Token libraries - 2015](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
[100 OWASP Top 10 Hacking Web Applications with Burp Suite Chad Furman](https://www.youtube.com/watch?v=2p6twRRXK_o)
[json token decode](http://jwt.calebb.net/)
[JWT Inspector - FF plugin](https://www.jwtinspector.io/)
* JWT Inspector is a browser extension that lets you decode and inspect JSON Web Tokens in requests, cookies, and local storage. Also debug any JWT directly from the console or in the built-in UI.
[Attacking JWT authentication](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
[WAFPASS](https://github.com/wafpassproject/wafpass)
* Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF.
[collaborator-everywhere](https://github.com/PortSwigger/collaborator-everywhere)
* A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
[hackability](https://github.com/PortSwigger/hackability)
* Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
[Exploiting misuse of Python's "pickle"](https://blog.nelhage.com/2011/03/exploiting-pickle/)
[Typosquatting programming language package managers](http://incolumitas.com/2016/06/08/typosquatting-package-managers/)
[The Website Obesity Crisis](http://idlewords.com/talks/website_obesity.htm)
[HUNT Burp Suite Extension](https://github.com/bugcrowdlabs/HUNT)
* HUNT Logo HUNT is a Burp Suite extension to: 1. Identify common parameters vulnerable to certain vulnerability classes. 2. Organize testing methodologies inside of Burp Suite.
[Caja](https://developers.google.com/caja/)
* The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.
#### End Sort
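Review bot: the HUNT description begins with "HUNT Logo", the alt text of the README image that came along with the copied text; remove it. "100 OWASP Top 10 Hacking Web Applications with Burp Suite Chad Furman" has a leading "100" that reads as a playlist index rather than part of the title. The Python pickle, package-manager typosquatting and Website Obesity entries are not web application testing material while the rest of the hunk is (Burp extensions, JWT, WAF bypass, Caja); the pickle and typosquatting links fit Programming or a supply-chain note better, and Website Obesity is a talk about page weight.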