Clone of . For those who would prefer to not be tracked by MS.
Something to pimp: `[link text](#pookie)` would be the correct markdown syntax to jump to the anchor point named pookie.
To insert an anchor point of that name use HTML: `<a name="pookie"></a>`
| **NSA USB Playset - ShmooCon2015** |
| **honggfuzz** - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage |
| **Muts Bypassing AV in Vista/Pissing all over your AV** presentation, listed here as it was a bitch finding a live copy |
[HORNET: High-speed Onion Routing at the Network Layer](
| **Phones and Privacy for Consumers** - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer) |
| **Security of RFID Protocols – A Case Study** |
In the context of Dolev-Yao style analysis of security protocols, we investigate the security claims of a proposed strong-security RFID authentication protocol. We exhibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on authentication, untraceability, and desynchronization resistance. We analyze and discuss the authors’ proofs of security. References to other vulnerable protocols are given.
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc |
[Google Chrome Forensics-SANS](
[Chromebook Forensics](
| **ClearImage Free Online Barcode Reader / Decoder** |
| **A Sysadmin's Unixersal Translator (ROSETTA STONE)** |
| **Sqoop** - OSINT search engine of public documents(handy) |
| **What’s contained in a boarding pass barcode?** |
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** |
[OSX Lion User Interface Preservation Analysis](
[OS X Forensics Generals](
[The Secret Life of SIM Cards - Defcon21](
* Kam1n0 is a scalable system that supports assembly code clone search. It allows a user to first index a (large) collection of binaries, and then search for the code clones of a given target function or binary file. Kam1n0 tries to solve the efficient subgraph search problem (i.e. the graph isomorphism problem) for assembly functions. Given a target function (the middle one in the figure below) it can identify the cloned subgraphs among other functions in the repository (the ones on the left and the right as shown below). Kam1n0 supports a rich comment format and has an IDA Pro plug-in to use its indexing and searching capabilities via IDA Pro.
[The big GSM write-up – how to capture, analyze and crack GSM?](
[Attacking the XNU Kernel For Fun And Profit – Part 1](
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
* Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks.
[Debug Methodology Under UEFI](
[A list of IDA Plugins](
[Pandora's Cash Box - The Ghost under your POS - RECON2015](
[Reverse Engineering Windows AFD.sys](
[On Comparing Threat Intelligence Feeds](
[Developing an Open Source Threat Intelligence Program - Edward McCabe](
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geek's struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
[No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap - ShmooCon15](
* "In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to de the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I'll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution."
[Malware Information Sharing Platform](
* MISP - Malware Information Sharing Platform & Threat Sharing
[Collaborative Research Into Threats](
* CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and collaborating on threat data. In making CRITs free and open source, we can provide organizations around the world with the capability to quickly adapt to an ever-changing threat landscape. CRITs can be installed locally for a private isolated instance or shared among other trusted organizations as a collaborative defense mechanism.
[Collective Intelligence Framework](
* "Our Flagship Project, is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity."
* This is the software component of a software-defined radio receiver. When combined with hardware devices such as the USRP, RTL-SDR, or HackRF, it can be used to listen to a wide variety of radio transmissions, and can be extended via plugins to support even more modes.
[Bootkit Threats: In Depth Reverse Engineering & Defense - Eugene Rodionov & Aleksandr Matrosov](
[Debugging Windows kernel under VMWare using IDA's GDB debugger](
[Intel® System Studio – UEFI BIOS Debugging](
[Debug SPI BIOS after Power Up Sequence](
[Empire - Powershell Post-Exploitation Agent](
* Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
* JSDetox is a tool to support the manual analysis of malicious Javascript code.
[Attacks on UEFI Security - Rafal Wojtczuk & Corey Kallenberg](
[Attacking and Defending BIOS in 2015](
* Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files
* Pupy is a remote administration tool with an embedded Python interpreter, allowing its modules to load Python packages from memory and transparently access remote Python objects. The payload is a reflective DLL and leaves no trace on disk.
[Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer](
* On modern Intel based computers there exist two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.
* JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
* This tool is a modified version of scapy that aims at providing a quick and efficient pentest tool with RF capabilities:
  * A modified version of scapy that can leverage GNU Radio to handle an SDR card
  * GNU Radio flow graphs (GRC files) we have built that allow full duplex communication
  * GNU Radio blocks we have written to handle several protocols
* SecBee is a ZigBee security testing tool developed by Cognosec. The goal is to enable developers and security testers to test ZigBee implementations for security issues.
[Dynamic IDA Enrichment (aka. DIE)](
* DIE is an IDA Python plugin designed to enrich IDA's static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.
* GPU keylogger PoC by Team Jellyfish
[Blackbox Reversing an Electric Skateboard Wireless Protocol ](
[Elasticsearch: The Definitive Guide](
[ARM Documentation](
[CSCI 4974 / 6974 Hardware Reverse Engineering](
* Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
* Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
* A JavaScript keylogger included in a GIF file. This is a PoC.
[Hide data inside pointers](
Network Enumeration and Scanning Cheat sheet
Network Scanning and Mapping
Network Service Discovery
```bash
nmap -sSV -vv -PN --send-ip -A -O -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>
nmap -A -vv -PN --send-ip -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>
```
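The commands above write greppable (`-oG`) files named after the range and the scan time, which is what makes them easy to process afterwards. As an added example (not part of the original cheat sheet and not code from the nmap project), the parser below turns such a file into a per-host service inventory, so an assessment or an asset-inventory comparison can be done from the saved file rather than by re-scanning. The `-oG` text embedded in it is constructed to follow nmap's layout (tab-separated `Key: value` fields, `Ports:` entries as slash-delimited `port/state/proto/owner/service/rpcinfo/version/`); the addresses and hostnames are placeholders, not a real scan.

```python
"""Parse nmap greppable (-oG) output into a per-host port inventory.

Added example for this cheat sheet; not code from the page or from nmap.
The sample below is constructed to mirror the -oG line layout: tab-separated
"Key: value" fields, with the Ports field holding comma-separated, slash-
delimited entries (port/state/protocol/owner/service/rpcinfo/version/).
"""
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (placeholder hosts, not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Apr  2 06:53:49 2012 as: nmap -sSV -vv -PN --send-ip -A -O -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 (host-a.example)\tStatus: Up
Host: 192.0.2.10 (host-a.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/\tIgnored State: closed (997)\tOS: Linux 3.2 - 4.9
Host: 192.0.2.11 (host-b.example)\tStatus: Up
Host: 192.0.2.11 (host-b.example)\tPorts: 161/open|filtered/udp//snmp///, 445/open/tcp//microsoft-ds//Samba smbd 4.x/\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Mon Apr  2 06:58:12 2012 -- 8 IP addresses (2 hosts up) scanned in 263.01 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [dict, ...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": "unknown", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comments
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts[ip]
        entry["hostname"] = hostname
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for port_spec in value.split(", "):
                    parts = port_spec.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry: skip rather than crash
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return dict(hosts)


def open_services(hosts):
    """Flatten to (ip, port, proto, service) for ports whose state starts with 'open'.

    'open|filtered' (typical for UDP) is kept, since it cannot be ruled out.
    """
    rows = []
    for ip, entry in sorted(hosts.items()):
        for p in entry["ports"]:
            if p["state"].startswith("open"):
                rows.append((ip, p["port"], p["proto"], p["service"]))
    return rows


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, proto, service in open_services(inventory):
        print(f"{ip:15} {port:>5}/{proto:<3} {service}")
```

Running two scans of the same range some time apart and diffing the `open_services` output is a cheap way to spot services that appeared or disappeared between them.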
Unicorn Scan
```bash
us -H -msf -Iv <address> -p 1-65535
us -H -mU -Iv <address> -p 1-65535
```
Layer 2 - ARP - netdiscover
```bash
netdiscover -i <interface> -r <address-range>
```
TCPDump Sniffing
```bash
tcpdump -s0 -xxXX -vv -i eth0 'host <address> and (dst port <num> or <num>)' | tee <address>_<service>_`date +%Y-%m-%d_%H:%M`.txt
```
or save the pcap file with the additional flag (filename shortcut):
```bash
-w <address>_<service>_`date +%Y-%m-%d_%H:%M`.pcap
```
Locate VLAN Tags (the `ether[20:2] == 0x2000` filter matches Cisco Discovery Protocol frames):
```bash
tcpdump -vv -i <interface> -s <snap-length> -c <num-packet-count> 'ether[20:2] == 0x2000'
```
Specific Service Queries
DNS TCP and UDP 53 - DNS walking and Zone transfers
```bash
dig <domain> @<dns-server> AXFR | tee dns_<domain>_axfr_`date +%Y-%m-%d_%H:%M`.txt
```
DNS TCP and UDP 53 - DNS cache poisoning check (source-port randomness test)
```bash
dig +short @<dns-server> txt
```
Expected answer from a resolver with well-randomised source ports:
```
"<dns-server> is GREAT: 26 queries in 4.4 seconds from 26 ports with std dev 22336"
```
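The zone-transfer check above has a defender's counterpart: an authoritative server should only hand the zone to its configured secondaries, and every other AXFR/IXFR request deserves a look. As an added example (not part of the original cheat sheet and not code from any DNS server project), the script below runs that check over query-log lines. It assumes BIND-style query logging (`client <addr>#<port> (<qname>): query: <name> IN <type> <flags> (<server>)`); the log lines are constructed for the example and the allow-list of secondaries is a hypothetical setting.

```python
"""Flag zone-transfer requests (AXFR/IXFR) from unexpected clients in DNS query logs.

Added example for this cheat sheet; not code from the page or from BIND.
The log lines below are constructed to follow the BIND 9 'queries' category
layout and do not come from a real server; the allow-list is hypothetical.
"""
import re
from collections import Counter

# Constructed sample of BIND-style query-log lines (documentation addresses).
SAMPLE_LOG = """\
02-Apr-2012 06:53:49.101 queries: info: client @0x7f3c2c0a1b20 192.0.2.53#53412 (example.com): query: example.com IN AXFR -T (192.0.2.1)
02-Apr-2012 06:53:50.377 queries: info: client @0x7f3c2c0a1b20 198.51.100.77#41022 (example.com): query: example.com IN AXFR -T (192.0.2.1)
02-Apr-2012 06:53:51.002 queries: info: client @0x7f3c2c0a1c40 198.51.100.77#41023 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.1)
02-Apr-2012 06:53:52.590 queries: info: client @0x7f3c2c0a1d60 198.51.100.77#41024 (example.com): query: example.com IN IXFR -T (192.0.2.1)
02-Apr-2012 06:53:53.140 queries: info: client 203.0.113.9#5300 (example.com): query: example.com IN AXFR -T (192.0.2.1)
"""

# Secondaries that are allowed to pull the zone (assumed value for the example).
ALLOWED_TRANSFER_PEERS = {"192.0.2.53"}

# The '@0x...' client-object handle is optional: older BIND versions omit it.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]*)\)"
)

TRANSFER_TYPES = ("AXFR", "IXFR")


def parse_query_log(text):
    """Yield one dict per parsable query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()


def find_unexpected_transfers(text, allowed=ALLOWED_TRANSFER_PEERS):
    """Return (client_ip, zone, qtype) for AXFR/IXFR requests from non-allowed clients.

    The flags field carries 'T' when the query arrived over TCP, which a real
    transfer needs; UDP attempts are reported too, since the intent is the same.
    """
    hits = []
    for q in parse_query_log(text):
        if q["qtype"] in TRANSFER_TYPES and q["ip"] not in allowed:
            hits.append((q["ip"], q["name"], q["qtype"]))
    return hits


def transfer_attempts_per_client(text):
    """Count zone-transfer requests per client, regardless of the allow-list."""
    return Counter(q["ip"] for q in parse_query_log(text) if q["qtype"] in TRANSFER_TYPES)


if __name__ == "__main__":
    for ip, zone, qtype in find_unexpected_transfers(SAMPLE_LOG):
        print(f"unexpected {qtype} of {zone} from {ip}")
    print(transfer_attempts_per_client(SAMPLE_LOG))
```

The same regex can be pointed at a live log (`tail -F`) to alert on the first unexpected transfer request rather than finding it after the fact; the fix on the server side is an `allow-transfer` list, which is what the allow-list here stands in for.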
HTTP Web applications TCP 80,8000
```bash
nikto -h <target-server> -p <port> -C all -Display D -output nikto_<target-server>_<port>_`date +%Y-%m-%d_%H:%M`.txt -Format txt
cd /pentest/web/dirbuster && java -jar DirBuster-0.12.jar
wfuzz -c -z file,<wordlist> --hc 404 -o <html|magictree> http://<site-url>/FUZZ
./ -c -z file,/pentest/passwords/wordlists/combined --hc 404 -o html http://<site-url>/FUZZ 2> /dev/null
```
HTTP commands for webserver enumeration
```bash
nc <target-address> <port>
```
IIS 6.0
```bash
openssl s_client -connect <target-server>:443 -state -debug
```
```
SSL_connect:before/connect initialization
... ... ... cut ... ... ...
SSL_connect:SSLv3 write client key exchange A
... ... ... cut ... ... ...
HTTP/1.1 302 Found
Date: Mon 02 Apr 2012 06:53:49 GMT
Server: IBM_HTTP_Server/ Apache/2.0.47 (Unix)
... ... ... cut ... ... ...
```
SNMP commands UDP 161
```bash
snmpwalk -c public -v[1|2c] <target-server> | tee <address>_snmp_`date +%Y-%m-%d_%H:%M`.txt
```
```
SNMPv2-MIB::sysDescr.0 = STRING: hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24030770) 2 days, 18:45:07.70
SNMPv2-MIB::sysContact.0 = STRING: System contact unknown at this time
SNMPv2-MIB::sysName.0 = STRING:
SNMPv2-MIB::sysLocation.0 = STRING: System location unknown at this time
SNMPv2-MIB::sysServices.0 = INTEGER: 72
... ... ...
```
```bash
/ public linux.txt
```
```
UPTIME ... ... ...
HOSTNAME ... ... ...
... ... ...
MOUNTPOINTS ... ... ...
... ... ...
```
```bash
./onesixtyone -c <dictionary-file> -i <hosts-file> -o <address-range>_snmp_`date`.log -w
./onesixtyone <target-address>
```
```
Scanning 1 hosts, 2 communities
[public] hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
```
```bash
./ -c <community-name> -v <version 1,2> -t <address-range>
```
```
v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (
[*] Try to connect to
[*] Connected to
[*] Starting enumeration at 2011-07-25 10:32:58
[*] System information
Hostname :
Description : hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
Uptime system : 0.00 seconds
Uptime SNMP daemon : 2 days, 18:17:07.01
[*] Network information
... ... ...
[*] Network interfaces
... ... ...
[*] Routing information
... ... ...
[*] Listening TCP ports and connections
... ... ...
```
Samba/CIFS/NetBIOS TCP 135,139,445
```bash
nbtscan -v -s : -r <address-range> | tee <address-range>_nbtscan_`date +%Y-%m-%d_%H:%M`.txt
```
SMBClient - Discover and mount shares
```bash
smbclient -L //<target-address> -U <Username>
smbclient -U <Username> -W <Workgroup> //<target-address>/<sharename>
```
RPC, PortMapper and NFS TCP/UDP:111
```bash
rpcinfo -p <target-address> | tee <address>_rpcinfo_`date +%Y-%m-%d_%H:%M`.txt
showmount -e <ip-address>
mount <ip-address>:<exported_path> <local_path>
```
Tunnelling and Pivoting
SSH Tunnelling and pivoting
```bash
ssh -v -f -N -L <localIP>:<local-port>:<dest-ip>:<dest-port> <user>@<pivot-host> -i <authentication-key-file>
```
Verbosity (-v), Background (-f), No command execution (-N), Local port forwarding (-L)
Forward localhost port 25 to the localhost of using an ssh DSA key:
```bash
ssh -v -f -N -L user@ -i /dsa/1024/f1fb2162a02f0f7c40c210e6167f05ca-16858
```
Proxy Chains
Dual-homed proxies, or for proxying some port-scans
Edit the configuration file, under the ProxyList section:
```
http <proxy-server-ip> <port>
```
Execute with:
```bash
proxychains <socket-aware command>
proxychains nmap -sT -vv --send-ip -pT:21,22,25,80,443,445,3389 <target-address>
```
Posted 22nd February 2012 by Tim Arneaud
Good source for internals section:
* Android app for easy stunnel usage
Defeating Sniffers and Intrusion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003
Next-generation Runtime Binary Encryption using On-demand Function Extraction - Zeljko Vrba, 08/01/2005
Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
Binary Mangling with Radare - pancake, 06/11/2009
* The plugin is an integration of Virus Battle API to the well known IDA Disassembler. Virusbattle is a web service that analyses malware and other binaries with a variety of advanced static and dynamic analyses. For more information check out the
[pwndbg - Making debugging suck less](
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
* binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
[Bug Hunting for the Man on the Street]()
* Finding and discovering bugs has to be one of the most special times in a security researcher's life (until you realise that crash you've been searching for and finally found is not actually exploitable). But the process of searching, discovery, understanding and of course some very much needed trial and error, many would say are rewarding and fulfilling themselves (I would of course, prefer to have my exploit cherry on the top)! So this talk will detail some of the aspects required to hunt down and find these coveted security vulnerabilities and bugs and some approaches that have proven to be invaluable (and some not so much). Of course bug hunting principles need to produce bugs so as the cherry there will be a VirtualBox exploit and Barracuda Networks 0 day exploit discussed and demon
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](
Getting Started with WinDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](
[discover - Kali Scripts](
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
IPv6: Basic Attacks and Defences - Christopher Werny [TROOPERS15]
* [Part 1](
* [Part 2](
[[TROOPERS15] Andreas Lindh - Defender Economics](
Decode shellcode from the cli: `cat shellcode | rasm2 -d -`
* Graudit is a simple script with signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
* DAVOSET is a console (command line) tool for conducting DDoS attacks on sites via Abuse of Functionality and XML External Entity vulnerabilities at other sites.
General Section?
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](
[Detecting DLL Hijacking on Windows](
MS Assessment Deployment Toolkit - Measure boot times among other things
* Python Parser for Nessus Output
* [Examples](
[Generalizing Data Flow Information](
* Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset.
[A Brief Examination of Hacking Team’s Crypter: core-packer.](
[twittor - twitter based backdoor](
* A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat, which does the same but using a Gmail account.
[Evading IDS/IPS by Exploiting IPv6 Features - Antonios Atlasis, Rafael Schaefer](
[List of hacker sites](
[Advice From A Researcher: Hunting XXE For Fun and Profit](
Cull the interesting papers
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.
Check under research section
Go through
Compare resources against what power-view can grab
Compare against sysmon service for scaling, setting it as service with scripting