Leaderboard

mata-i grasa

Introduction al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar. Download You can download the latest release here. Possible uses You are making an anti-debug plugin and you want to check its effectiveness. You want to ensure that your sandbox solution is hidden enough. Or you want to ensure that your malware analysis environment is well hidden. Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute. Features Anti-debugging attacks IsDebuggerPresent CheckRemoteDebuggerPresent Process Environement Block (BeingDebugged) Process Environement Block (NtGlobalFlag) ProcessHeap (Flags) ProcessHeap (ForceFlags) NtQueryInformationProcess (ProcessDebugPort) NtQueryInformationProcess (ProcessDebugFlags) NtQueryInformationProcess (ProcessDebugObject) NtSetInformationThread (HideThreadFromDebugger) NtQueryObject (ObjectTypeInformation) NtQueryObject (ObjectAllTypesInformation) CloseHanlde (NtClose) Invalide Handle SetHandleInformation (Protected Handle) UnhandledExceptionFilter OutputDebugString (GetLastError()) Hardware Breakpoints (SEH / GetThreadContext) Software Breakpoints (INT3 / 0xCC) Memory Breakpoints (PAGE_GUARD) Interrupt 0x2d Interrupt 1 Parent Process (Explorer.exe) SeDebugPrivilege (Csrss.exe) NtYieldExecution / SwitchToThread TLS callbacks Process jobs Memory write watching Anti-Dumping Erase PE header from memory SizeOfImage Timing Attacks [Anti-Sandbox] RDTSC (with CPUID to force a VM Exit) RDTSC (Locky version with GetProcessHeap & CloseHandle) Sleep -> SleepEx -> NtDelayExecution Sleep (in a loop a small delay) Sleep and check if time was accelerated (GetTickCount) SetTimer (Standard Windows Timers) timeSetEvent (Multimedia Timers) WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo) IcmpSendEcho (CCleaner Malware) CreateWaitableTimer (todo) CreateTimerQueueTimer (todo) Big crypto loops (todo) Human Interaction / Generic [Anti-Sandbox] Mouse movement Total Physical memory (GlobalMemoryStatusEx) Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO) Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes) Mouse (Single click / Double click) (todo) DialogBox (todo) Scrolling (todo) Execution after reboot (todo) Count of processors (Win32/Tinba - Win32/Dyre) Sandbox known product IDs (todo) Color of background pixel (todo) Keyboard layout (Win32/Banload) (todo) Anti-Virtualization / Full-System Emulation Registry key value artifacts HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX) HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU) HARDWARE\Description\System (SystemBiosVersion) (VBOX) HARDWARE\Description\System (SystemBiosVersion) (QEMU) HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX) HARDWARE\Description\System (SystemBiosDate) (06/23/99) HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE) HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE) HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE) Registry Keys artifacts "HARDWARE\ACPI\DSDT\VBOX__" "HARDWARE\ACPI\FADT\VBOX__" "HARDWARE\ACPI\RSDT\VBOX__" "SOFTWARE\Oracle\VirtualBox Guest Additions" "SYSTEM\ControlSet001\Services\VBoxGuest" "SYSTEM\ControlSet001\Services\VBoxMouse" "SYSTEM\ControlSet001\Services\VBoxService" "SYSTEM\ControlSet001\Services\VBoxSF" "SYSTEM\ControlSet001\Services\VBoxVideo" SOFTWARE\VMware, Inc.\VMware Tools SOFTWARE\Wine File system artifacts "system32\drivers\VBoxMouse.sys" "system32\drivers\VBoxGuest.sys" "system32\drivers\VBoxSF.sys" "system32\drivers\VBoxVideo.sys" "system32\vboxdisp.dll" "system32\vboxhook.dll" "system32\vboxmrxnp.dll" "system32\vboxogl.dll" "system32\vboxoglarrayspu.dll" "system32\vboxoglcrutil.dll" "system32\vboxoglerrorspu.dll" "system32\vboxoglfeedbackspu.dll" "system32\vboxoglpackspu.dll" "system32\vboxoglpassthroughspu.dll" "system32\vboxservice.exe" "system32\vboxtray.exe" "system32\VBoxControl.exe" "system32\drivers\vmmouse.sys" "system32\drivers\vmhgfs.sys" Directories artifacts "%PROGRAMFILES%\oracle\virtualbox guest additions\" "%PROGRAMFILES%\VMWare\" Memory artifacts Interupt Descriptor Table (IDT) location Local Descriptor Table (LDT) location Global Descriptor Table (GDT) location Task state segment trick with STR MAC Address "\x08\x00\x27" (VBOX) "\x00\x05\x69" (VMWARE) "\x00\x0C\x29" (VMWARE) "\x00\x1C\x14" (VMWARE) "\x00\x50\x56" (VMWARE) Virtual devices "\\.\VBoxMiniRdrDN" "\\.\VBoxGuest" "\\.\pipe\VBoxMiniRdDN" "\\.\VBoxTrayIPC" "\\.\pipe\VBoxTrayIPC") "\\.\HGFS" "\\.\vmci" Hardware Device information SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE) QEMU VMWare VBOX VIRTUAL HD System Firmware Tables SMBIOS string checks (VirtualBox) ACPI string checks (VirtualBox) Driver Services VirtualBox VMWare Adapter name VMWare Windows Class VBoxTrayToolWndClass VBoxTrayToolWnd Network shares VirtualBox Shared Folders Processes vboxservice.exe (VBOX) vboxtray.exe (VBOX) vmtoolsd.exe(VMWARE) vmwaretray.exe(VMWARE) vmwareuser(VMWARE) vmsrvc.exe(VirtualPC) vmusrvc.exe(VirtualPC) prl_cc.exe(Parallels) prl_tools.exe(Parallels) xenservice.exe(Citrix Xen) WMI SELECT * FROM Win32_Bios (SerialNumber) (VMWARE) SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX) SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX) SELECT * FROM Win32_NTEventlogFile (VBOX) SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC) SELECT * FROM Win32_LogicalDisk (Size) (GENERIC) DLL Exports and Loaded DLLs kernel32.dll!wine_get_unix_file_nameWine (Wine) sbiedll.dll (Sandboxie) dbghelp.dll (MS debugging support routines) api_log.dll (iDefense Labs) dir_watch.dll (iDefense Labs) pstorec.dll (SunBelt Sandbox) vmcheck.dll (Virtual PC) wpespy.dll (WPE Pro) CPU Hypervisor presence using (EAX=0x1) Hypervisor vendor using (EAX=0x40000000) "KVMKVMKVM\0\0\0" (KVM) "Microsoft Hv"(Microsoft Hyper-V or Windows Virtual PC) "VMwareVMware"(VMware) "XenVMMXenVMM"(Xen) "prl hyperv "( Parallels) -"VBoxVBoxVBox"( VirtualBox) Anti-Analysis Processes OllyDBG / ImmunityDebugger / WinDbg / IDA Pro SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns) Wireshark / Dumpcap ProcessHacker / SysAnalyzer / HookExplorer / SysInspector ImportREC / PETools / LordPE JoeBox Sandbox Macro malware attacks Document_Close / Auto_Close. Application.RecentFiles.Count Code/DLL Injections techniques CreateRemoteThread SetWindowsHooksEx NtCreateThreadEx RtlCreateUserThread APC (QueueUserAPC / NtQueueApcThread) RunPE (GetThreadContext / SetThreadContext) Sursa & download: https://github.com/LordNoteworthy/al-khaser

dau MUE gratis https://coinmarketcap.com/currencies/monetaryunit/

Domnul @Usr6 mi-a trasat sarcina sa scriu write-up-ul (modul in care am rezolvat problema). Asa ca hai sa incepem. Nivelul 0 Challenge-ul incepe cu o poza, jpeg: TheBodyguard.jpeg si cu un fisier script python (denumit de mine password_encoder.py) Mai intai analizam poza (eu am preferat binwalk) si observam ca are concatenat la sfarsit un fisier zip: Avand in vedere faptul ca avem si un script python ce pare sa codeze parola, putem presupune ca arhiva atasata este parolata. In mod normal binwalk incearca sa dezarhiveze/decomprime arhivele pe care le intalneste, dar in acest caz ne-ar incurca mai mult, asa ca vom rula binwalk --extract --carve TheBodyguard.jpg. Acum avem un dosar _TheBodyguard.jpg.extracted unde vom gasi un fisier 14757.zip (deoarece a fost gasit la offset-ul 0x14757). Daca vom incerca sa dezarhivam acest fisier zip, ne vom lovi de necesitatea unei parole. Nivelul 1 Acum vom analiza script-ul python, pentru a determina parola. La prima vedere pare cam complicat, asa ca vom incerca sa urmarim executia de la capat la inceput. Stim ca avem output-ul "You need this:201,203,165,195,165,191,205,187,181,191,173,187,173,187,193,199,", asa ca vom cauta codul ce genereaza aceasta linie; si il gasim pe ultimul rand al script-ului. Observam ca apeleaza functia enc2 cu avand ca prim parametru parola noastra, iar ca al 2-lea parametru rezultatul functiei enc2. Daca analizam corpul functiei enc2 observam ca aceasta functie concateneaza suma valorilor numerice a caracterelor de cele 2 string-uri primite ca parametrii (t1 si t2). Aici observam ca lungimea lui t1 trebuie sa fie mai mica sau egala cu lugimea lui t2. Altfel vom avea erori. Dar t2 este de fapt parola noastra codata cu enc1. Iar in enc1 observam ca facem ROT+3 (adica "a" devine "d", "b" devine "e", etc), doar daca este o litera mica; altfel sarim peste. Din datele de mai sus deducem ca parola este formata doar din litere mici, mai exact din 16 litere mici. Inarmati cu aceste date vom incerca o implementare in python (ipython mai exact): Mai intai extragem sumele de caractere ca un array de intregi (In [3] in ipython). Apoi generam toate sumele posibile ce pot rezulta din utilizarea functiei enc2 (ne intereseaza doar sumele ca valori numerice; argumentul functiei str din bucla for) si le stocam in dictionarul nostru (declarat in In [4]), impreuna cu literele aferente care au generat suma (o suma poate fi generata cu mai multe litere, cum poate fi observat in Out [8]). La sfarsit generam toate combinatiile posibile si obtinem 8 posibile parole, dar prima pare cea mai promitatoare. O utilizam si ne alegem cu un fisier prng, fara nici o extensie. Nivelul 2 Deoarece fisierul prng nu are nici o extensie, vom apela la utilitarul file pentru a identifica subiectul. Aflam ca este tot o arhiva de tip zip, asa ca il redenumim in prng.zip. In momentul in care incercam sa il dezarhivam, ne lovim de o parola si un indiciu sub forma altui script python: De aceasta data, scriptul se vrea un pseudo random number generator, ce isi genereaza seed-ul dintr-o structura python folosita pentru stocarea datei. Aceasta tip de date (named tuple) este strurata in felul urmator: pozitia 0: anul (accesabil si prin membrul tm_year) pozitia 1: luna (accesabil si prin membrul tm_mon) pozitia 2: ziua lunii (accesabil si prin membrul tm_day) pozitia 3: ora zile in format 24h (accesabil si prin membrul tm_hour) pozitia 4: minutele (accesabil si prin membrul tm_min) pozitia 5: secundele (accesabil si prin membrul tm_sec) pozitia 6: ziua saptamanii (accesabil si prin membrul tm_wday) pozitia 7: ziua din an (accesabil si prin membrul tm_yday) pozitia 8: decalajul aferent orei de vara (accesabil si prin membrul tm_isdst) Noi nu suntem interesati decat de pozitiile 0, 2, 3, 4, 5. Pe de alta parte, analizand functia password_gen, observam ca pozitiile pare din string-ul seed sunt pastrate (deci sunt cifre mereu) iar pozitiile impare sunt inlocuite cu litere din alfabet, aflate la pozitia respectiva (din punct de vedere lexicografic). De aici putem deduce ca parola noastra nu poate fi mai lunga de 27 de caractere (deoarece ultimul caracter poate fi o cifra). In continuare vom face niste supozitii legate de data folosita ca seed, si anume vom presupune ca este data crearii/modificarii fisierului din arhiva (sau foarte aproape). In fond si la urma urmei putem oricand sa facem brute-force pe parola cu un program asemanator John The Ripper, folosind ca masca pentru parola ?db?dc?df?dh?dj?dl?dn?dp?dr?dt?dv?dx?dz?d. Daca listam continutul arhivei (folosind unzip -l prng.zip) nu vom avea decat data, ora si minutele, nu si secundele. Ca atare vom face o listare mai completa a arhivei in speranta ca vom obtine o data completa, folosind comanda unzip -Z -l -v prng.zip: Inarmati cu aceste date, vom incerca un mic script python: Mai intai declaram o functie care va calcula acea variabila seed ce se afla la inceputul script-ului original, folosind un struct_time ca argument. Apoi copiem functia password_gen. In ultimul rand vom crea o variabila timestruct (de tip struct_time) ce va contine data fisierului, folosind functia strptime (adica vom aplica o functie de parsing pe string-ul cu data). Avand aceste detalii, apelam functia password_gen pentru a obtine seed-ul ce serveste ca parola. Din nefericire aceasta parola nu a functionat, dar putem presupune ca suntem pe aproape. Daca presupunem ca nu avem secundele corecte putem genera o lista de parole (unice) pentru fiecare secunda posibila: Incercand aceste variante, descoperim ca "2b1d3f2h" este parola potrivita, si obtimem un fisier ' .64'. Nivelul 3 Fisierul obtinut la pasul anterior nu pare prea darnic in a ne prezenta vre-un indiciu; utilitarul file nu ne poate spune decat ca avem de aface cu un fisier text ASCII cu terminatii de linie CRLF (adica Windows/DOS). La o analiza mai atenta, observam ca avem de aface cu un fisier cu mai multe linii, fiecare linie avand un numar diferit de spatii alble (caracterul ASCII 0x20). Din start am presupus ca avem de aface cu ceva base64 si ca numarul de spatii albe este relevant. Aici m-am blocat din cauza propriei prostii si neatentii, si am pierdut cam o saptamana (adica aproximativ 10 ore distribuite de-a lungul a 7 zile). Cand am inceput challange-ul, cel de-al 2-lea indiciu era deja postat. Asa ca m-am folosit de el. Indiciul decodat ne spune Inarmat cu aceste informatii, e timpul pentru niste experimente. Mai intai citim fisierul, si il spargem in linii de spatii si observam ca avem 12 linii. Acum sa vedem cate spatii albe avem pe fiecare linie (in poza In [5] si Out [6]). Deci nici un numar nu trece de valoarea 64, iar cum fisierul are extensia 64, indiciul a fost codat in base64 si ni s-a si precizat ca indiciul "este 2 indicii", probabil aceste numere sunt indecsii alfabetului base64. Construim o variabila (in poza este denumita alphabet la linia In [7]) in care vom stoca alfabetul base64 (vom folosi alfabetul clasic, A-Za-z0-9+/). Acum folosim sirul de numere de mai sus ca indecsi si... ne-am blocat. Obtinem S3+waDCjc4li, care decodat ne da urmatorul sir de bytes: Problema este extrem de simpla: noi avem niste lungimi de siruri de spatii albe, deci, pornesc de la 1, dar array-urile in python pornesc de la 0. Si asa am pierdul degeaba o saptamana, incercand tot felul de alfabete ezoterice, si cautand alte explicatii. Pana la urma l-am contactat pe @Usr6 care m-a trezit la realitate De indata ce corectam problema index-ului obtinem solutia.

There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide. Table of Contents Windows stack overflows Windows heap overflows Kernel based Windows overflows Windows Kernel Memory Corruption Return Oriented Programming Windows memory protections Bypassing filter and protections Typical windows exploits Exploit development tutorial series Corelan Team Fuzzysecurity Securitysift Whitehatters Academy TheSprawl Expdev-Kiuhnm Tools Windows stack overflows Stack Base Overflow Articles. Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999] Writing Stack Based Overflows on Windows - by Nish Bhalla’s [2005] Stack Smashing as of Today - by Hagen Fritsch [2009] SMASHING C++ VPTRS - by rix [2000] Windows heap overflows Heap Base Overflow Articles. Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002] Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003] Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003] Windows heap overflow penetration in black hat - by David Litchfield [2004] Glibc Adventures: The Forgotten Chunk - by François Goichon [2015] Pseudomonarchia jemallocum - by argp & huku The House Of Lore: Reloaded - by blackngel [2010] Malloc Des-Maleficarum - by blackngel [2009] free() exploitation technique - by huku Understanding the heap by breaking it - by Justin N. Ferguson [2007] The use of set_head to defeat the wilderness - by g463 The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005] Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004] Advanced Doug lea's malloc exploits - by jp Kernel based Windows overflows Kernel Base Exploit Development Articles. How to attack kernel based vulns on windows was done - by a Polish group called “sec-labs” [2003] Sec-lab old whitepaper Sec-lab old exploit Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004] How to exploit Windows kernel memory pool - by SoBeIt [2005] Exploiting remote kernel overflows in windows - by Eeye Security Kernel-mode Payloads on Windows in uninformed - by Matt Miller Exploiting 802.11 Wireless Driver Vulnerabilities on Windows BH US 2007 Attacking the Windows Kernel Remote and Local Exploitation of Network Drivers Exploiting Comon Flaws In Drivers I2OMGMT Driver Impersonation Attack Real World Kernel Pool Exploitation Exploit for windows 2k3 and 2k8 Alyzing local privilege escalations in win32k Intro to Windows Kernel Security Development There’s a party at ring0 and you’re invited Windows kernel vulnerability exploitation A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016] Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016] Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012] Windows Kernel Exploitation - by Simone Cardona 2016 Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017 Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015] Abusing GDI for ring0 exploit primitives - [2016] Windows Kernel Memory Corruption Windows Kernel Memory Corruption Exploit Development Articles. Remote Windows Kernel Exploitation - by Barnaby Jack [2005] windows kernel-mode payload fundamentals - by Skape [2006] exploiting 802.11 wireless driver vulnerabilities on windows - by Johnny Cache, H D Moore, skape [2007] Kernel Pool Exploitation on Windows 7 - by Tarjei Mandt [2011] Windows Kernel-mode GS Cookies and 1 bit of entropy - [2011] Subtle information disclosure in WIN32K.SYS syscall return values - [2011] nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques - [2011] SMEP: What is it, and how to beat it on Windows - [2011] Kernel Attacks through User-Mode Callbacks - by Tarjei Mandt [2011] Windows Security Hardening Through Kernel Address Protection - by Mateusz "j00ru" Jurczyk [2011] Reversing Windows8: Interesting Features of Kernel Security - by MJ0011 [2012] Smashing The Atom: Extraordinary String Based Attacks - by Tarjei Mandt [2012] Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012] Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement - by MJ0011 [2012] MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit - [2013] KASLR Bypass Mitigations in Windows 8.1 - [2013] First Dip Into the Kernel Pool: MS10-058 - by Jeremy [2014] Windows 8 Kernel Memory Protections Bypass - [2014] An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - by Weimin Wu [2014] Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool - [2014] Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit - by Aaron Adams [2015] Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) - by Dominic Wang [2015] Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit - by Cedric Halbronn [2015] Abusing GDI for ring0 exploit primitives - by Diego Juarez [2015] Duqu 2.0 Win32k exploit analysis - [2015] Return Oriented Programming The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls Blind return-oriented programming Sigreturn-oriented Programming Jump-Oriented Programming: A New Class of Code-Reuse Attack Out of control: Overcoming control-flow integrity ROP is Still Dangerous: Breaking Modern Defenses Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015] Systematic Analysis of Defenses Against Return-Oriented Programming -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013] Return-oriented programming without returns -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010] Jump-oriented programming: a new class of code-reuse attack -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011] Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014] Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014] Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005] Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005] Practical Rop - by Dino Dai Zovi [2010] Exploitation with WriteProcessMemory - by Spencer Pratt [2010] Exploitation techniques and mitigations on Windows - by skape A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010] A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010] Windows memory protections Windows memory protections Introduction Articles. Data Execution Prevention /GS (Buffer Security Check) /SAFESEH ASLR SEHOP Bypassing filter and protections Windows memory protections Bypass Methods Articles. Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002] Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley Advanced windows exploitation - by Dave Aitel [2003] Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover in cansecwest 2004 Safely Searching Process Virtual Address Space - by Matt Miller [2004] IE exploit and used a technology called Heap Spray Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005] Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005] Kernel-mode Payloads on Windows in uninformed Exploiting 802.11 Wireless Driver Vulnerabilities on Windows Exploiting Comon Flaws In Drivers Heap Feng Shui in JavaScript by Alexander sotirov [2007] Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007] Heaps About Heaps - by Brett moore [2008] Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008] Attacking the Vista Heap - by ben hawkes [2008] Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008] Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008] Defeating DEP Immunity Way - by Pablo Sole [2008] Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009] Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009] Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis[2010] Write-up of Pwn2Own 2010 - by Peter Vreugdenhil All in one 0day presented in rootedCON - by Ruben Santamarta [2010] DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013] Bypassing EMET 5.0 - by René Freingruber [2014] Typical windows exploits Real-world HW-DEP bypass Exploit - by Devcode Bypassing DEP by returning into HeapCreate - by Toto First public ASLR bypass exploit by using partial overwrite - by Skape Heap spray and bypassing DEP - by Skylined First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability Exploit codes of bypassing browsers memory protections PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 - by Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 - by Cesar Cerrudo An exploit works from win 3.1 to win 7 - by Tavis Ormandy KiTra0d Old ms08-067 metasploit module multi-target and DEP bypass PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass SMBv2 Exploit - by Stephen Fewer Microsoft IIS 7.5 remote heap buffer overflow - by redpantz Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016] Exploit development tutorial series Exploid Development Tutorial Series Base on Windows Operation System Articles. Corelan Team Exploit writing tutorial part 1 : Stack Based Overflows Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode Exploit writing tutorial part 3 : SEH Based Exploits Exploit writing tutorial part 3b : SEH Based Exploits – just another example Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc Exploit writing tutorial part 8 : Win32 Egg Hunting Exploit writing tutorial part 9 : Introduction to Win32 shellcoding Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube Exploit writing tutorial part 11 : Heap Spraying Demystified Fuzzysecurity Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap Chapter 1: Vanilla EIP Part 9: Spraying the Heap Chapter 2: Use-After-Free Part 10: Kernel Exploitation -> Stack Overflow Part 11: Kernel Exploitation -> Write-What-Where Part 12: Kernel Exploitation -> Null Pointer Dereference Part 13: Kernel Exploitation -> Uninitialized Stack Variable Part 14: Kernel Exploitation -> Integer Overflow Part 15: Kernel Exploitation -> UAF Part 16: Kernel Exploitation -> Pool Overflow Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit) Heap Overflows For Humans 101 Heap Overflows For Humans 102 Heap Overflows For Humans 102.5 Heap Overflows For Humans 103 Heap Overflows For Humans 103.5 Securitysift Windows Exploit Development – Part 1: The Basics Windows Exploit Development – Part 2: Intro to Stack Based Overflows Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules Windows Exploit Development – Part 4: Locating Shellcode With Jumps Windows Exploit Development – Part 5: Locating Shellcode With Egghunting Windows Exploit Development – Part 6: SEH Exploits Windows Exploit Development – Part 7: Unicode Buffer Overflows Whitehatters Academy Intro to Windows kernel exploitation 1/N: Kernel Debugging Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver Intro to Windows kernel exploitation 3/N: My first Driver exploit Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver Backdoor 103: Fully Undetected Backdoor 102 Backdoor 101 TheSprawl corelan - integer overflows - exercise solution heap overflows for humans - 102 - exercise solution exploit exercises - protostar - final levels exploit exercises - protostar - network levels exploit exercises - protostar - heap levels exploit exercises - protostar - format string levels exploit exercises - protostar - stack levels open security training - introduction to software exploits - uninitialized variable overflow open security training - introduction to software exploits - off-by-one open security training - introduction to re - bomb lab secret phase open security training - introductory x86 - buffer overflow mystery box corelan - tutorial 10 - exercise solution corelan - tutorial 9 - exercise solution corelan - tutorial 7 - exercise solution getting from seh to nseh corelan - tutorial 3b - exercise solution Expdev-Kiuhnm WinDbg Mona 2 Structure Exception Handling (SEH) Heap Windows Basics Shellcode Exploitme1 (ret eip overwrite) Exploitme2 (Stack cookies & SEH) Exploitme3 (DEP) Exploitme4 (ASLR) Exploitme5 (Heap Spraying & UAF) EMET 5.2 Internet Explorer 10 - Reverse Engineering IE Internet Explorer 10 - From one-byte-write to full process space read/write Internet Explorer 10 - God Mode (1) Internet Explorer 10 - God Mode (2) Internet Explorer 10 - Use-After-Free bug Internet Explorer 11 - Part 1 Internet Explorer 11 - Part 2 Tools Disassemblers, debuggers, and other static and dynamic analysis tools. angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab. BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework. Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architecturs. Scriptable via Python. binnavi - Binary analysis IDE for reverse engineering based on graph visualization. Bokken - GUI for Pyew and Radare. Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. codebro - Web based code browser using clang to provide basic code analysis. dnSpy - .NET assembly editor, decompiler and debugger. Evan's Debugger (EDB) - A modular debugger with a Qt GUI. GDB - The GNU debugger. GEF - GDB Enhanced Features, for exploiters and reverse engineers. hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols. IDA Pro - Windows disassembler and debugger, with a free evaluation version. Immunity Debugger - Debugger for malware analysis and more, with a Python API. ltrace - Dynamic analysis for Linux executables. objdump - Part of GNU binutils, for static analysis of Linux binaries. OllyDbg - An assembly-level debugger for Windows executables. PANDA - Platform for Architecture-Neutral Dynamic Analysis PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands. pestudio - Perform static analysis of Windows executables. Process Monitor - Advanced monitoring tool for Windows programs. Pyew - Python tool for malware analysis. Radare2 - Reverse engineering framework, with debugger support. SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. strace - Dynamic analysis for Linux executables. Udis86 - Disassembler library and tool for x86 and x86_64. Vivisect - Python tool for malware analysis. X64dbg - An open-source x64/x32 debugger for windows. Sursa: https://github.com/enddo/awesome-windows-exploitation

High-Level Approaches for Finding Vulnerabilities Fri 15 September 2017 This post is about the approaches I've learned for finding vulnerabilities in applications (i.e. software security bugs, not misconfigurations or patch management issues). I'm writing this because it's something I wish I had when I started. Although this is intended for beginners and isn't new knowledge, I think more experienced analysts might gain from comparing this approach to their own just like I have gained from others like Brian Chess and Jacob West, Gynvael Coldwind, Malware Unicorn, LiveOverflow, and many more. Keep in mind that this is a work-in-progress. It's not supposed to be comprehensive or authoritative, and it's limited by the knowledge and experience I have in this area. I've split it up into a few sections. I'll first go over what I think the discovery process is at a high level, and then discuss what I would need to know and perform when looking for security bugs. Finally, I'll discuss some other thoughts and non-technical lessons learned that don't fit as neatly in the earlier sections. What is the vulnerability discovery process? In some ways, the vulnerability discovery process can be likened to solving puzzles like mazes, jigsaws, or logic grids. One way to think about it abstractly is to see the process as a special kind of maze where: You don't immediately have a birds-eye view of what it looks like. A map of it is gradually formed over time through exploration. You have multiple starting points and end points but aren't sure exactly where they are at first. The final map will almost never be 100% clear, but sufficient to figure out how to get from point A to B. If we think about it less abstractly, the process boils down to three steps: Enumerate entry points (i.e. ways of interacting with the app). Think about insecure states (i.e. vulnerabilities) that an adversary would like to manifest. Manipulate the app using the identified entry points to reach the insecure states. In the context of this process, the maze is the application you're researching, the map is your mental understanding of it, the starting points are your entry points, and the end points are your insecure states. Entry points can range from visibly modifiable parameters in the UI to interactions that are more obscure or transparent to the end-user (e.g. IPC). Some of the types of entry points that are more interesting to an adversary or security researcher are: Areas of code that are older and haven't changed much over time (e.g. vestiges of transition from legacy). Intersections of development efforts by segmented teams or individuals (e.g. interoperability). Debugging or test code that is carried forward into production from the development branch. Gaps between APIs invoked by the client vs. those exposed by the server. Internal requests that are not intended to be influenced directly by end-users (e.g. IPC vs form fields). The types of vulnerabilities I think about surfacing can be split into two categories: generic and contextual. Generic vulnerabilities (e.g. RCE, SQLi, XSS, etc.) can be sought across many applications often without knowing much of their business logic, whereas contextual vulnerabilities (e.g. unauthorized asset exposure/tampering) require more knowledge of business logic, trust levels, and trust boundaries. The rule of thumb I use when prioritizing what to look for is to first focus on what would yield the most impact (i.e. highest reward to an adversary and the most damage to the application's stakeholders). Lightweight threat models like STRIDE can also be helpful in figuring out what can go wrong. Let's take a look at an example web application and then an example desktop application. Let's say this web application is a single-page application (SPA) for a financial portal and we have authenticated access to it, but no server-side source code or binaries. When we are enumerating entry points, we can explore the different features of the site to understand their purpose, see what requests are made in our HTTP proxy, and bring some clarity to our mental map. We can also look at the client-side JavaScript to get a list of the RESTful APIs called by the SPA. A limitation of not having server-side code is that we can't see the gaps between the APIs called by the SPA and those that are exposed by the server. The identified entry points can then be manipulated in an attempt to reach the insecure states we're looking for. When we're thinking of what vulnerabilities to surface, we should be building a list of test-cases that are appropriate to the application's technology stack and business logic. If not, we waste time trying test cases that will never work (e.g. trying xp_cmdshell when the back-end uses Postgres) at the expense of not trying test cases that require a deeper understanding of the app (e.g. finding validation gaps in currency parameters of Forex requests). With desktop applications, the same fundamental process of surfacing vulnerabilities through identified entry points still apply but there are a few differences. Arguably the biggest difference with web applications is that it requires a different set of subject-matter knowledge and methodology for execution. The OWASP Top 10 won't help as much and hooking up the app to an HTTP proxy to inspect network traffic may not yield the same level of productivity. This is because the entry points are more diverse with the inclusion of local vectors. Compared to black-box testing, there is less guesswork involved when you have access to source code. There is less guesswork in finding entry points and less guesswork in figuring out vulnerable code paths and exploitation payloads. Instead of sending payloads through an entry point that may or may not lead to a hypothesized insecure state, you can start from a vulnerable sink and work backwards until an entry point is reached. In a white-box scenario, you become constrained more by the limitations of what you know over the limitations of what you have. What knowledge is required? So why are we successful? We put the time in to know that network. We put the time in to know it better than the people who designed it and the people who are securing it. And that's the bottom line. — Rob Joyce, TAO Chief The knowledge required for vulnerability research is extensive, changes over time, and can vary depending on the type of application. The domains of knowledge, however, tend to remain the same and can be divided into four: Application Technologies. This embodies the technologies a developer should know to build the target application, including programming languages, system internals, design paradigms/patterns, protocols, frameworks/libraries, and so on. A researcher who has experience programming with the technologies appropriate to their target will usually be more productive and innovative than someone who has a shallow understanding of just the security concerns associated with them. Offensive and Defensive Concepts. These range from foundational security principles to constantly evolving vulnerability classes and mitigations. The combination of offensive and defensive concepts guide researchers toward surfacing vulnerabilities while being able to circumvent exploit mitigations. A solid understanding of application technologies and defensive concepts is what leads to remediation recommendations that are non-generic and actionable. Tools and Methodologies. This is about effectively and efficiently putting concepts into practice. It comes through experience from spending time learning how to use tools and configuring them, optimizing repetitive tasks, and establishing your own workflow. Learning how relevant tools work, how to develop them, and re-purpose them for different use cases is just as important as knowing how to use them. A process-oriented methodology is more valuable than a tool-oriented methodology. A researcher shouldn't stop pursuing a lead when a limitation of a tool they're using has been reached. The bulk of my methodology development has come from reading books and write-ups, hands-on practice, and learning from many mistakes. Courses are usually a good way to get an introduction to topics from experts who know the subject-matter well, but usually aren't a replacement for the experience gained from hands-on efforts. Target Application. Lastly, it's important to be able to understand the security-oriented aspects of an application better than its developers and maintainers. This is about more than looking at what security-oriented features the application has. This involves getting context about its use cases, enumerating all entry points, and being able to hypothesize vulnerabilities that are appropriate to its business logic and technology stack. The next section details the activities I perform to build knowledge in this area. The table below illustrates an example of what the required knowledge may look like for researching vulnerabilities in web applications and Windows desktop applications. Keep in mind that the entries in each category are just for illustration purposes and aren't intended to be exhaustive. Web Applications Desktop Applications Application Technologies Offensive and Defensive Concepts Tools and Methodologies Target Application Thousands of hours, hundreds of mistakes, and countless sleepless nights go into building these domains of knowledge. It's the active combination and growth of these domains that helps increase the likelihood of finding vulnerabilities. If this section is characterized by what should be known, then the next section is characterized by what should be done. What activities are performed? When analyzing an application, I use the four "modes of analysis" below and constantly switch from one mode to another whenever I hit a mental block. It's not quite a linear or cyclical process. I'm not sure if this model is exhaustive, but it does help me stay on track with coverage. Within each mode are active and passive activities. Active activities require some level of interaction with the application or its environment whereas passive activities do not. That said, the delineation is not always clear. The objective for each activity is to: Understand assumptions made about security. Hypothesize how to undermine them. Attempt to undermine them. Use case analysis is about understanding what the application does and what purpose it serves. It's usually the first thing I do when tasked with a new application. Interacting with a working version of the application along with reading some high-level documentation helps solidify my understanding of its features and expected boundaries. This helps me come up with test cases faster. If I have the opportunity to request internal documentation (threat models, developer documentation, etc.), I always try to do so in order to get a more thorough understanding. This might not be as fun as doing a deep-dive and trying test cases, but it's saved me a lot of time overall. An example I can talk about is with Oracle Opera where, by reading the user-manual, I was able to quickly find out which database tables stored valuable encrypted data (versus going through them one-by-one). Implementation analysis is about understanding the environment within which the application resides. This may involve reviewing network and host configurations at a passive level, and performing port or vulnerability scans at an active level. An example of this could be a system service that is installed where the executable has an ACL that allows low-privileged users to modify it (thereby leading to local privilege escalation). Another example could be a web application that has an exposed anonymous FTP server on the same host which could lead to exposure of source code and other sensitive files. These issues are not inherent to the applications themselves, but how they have been implemented in their environments. Communications analysis is about understanding what and how the target exchanges information with other processes and systems. Vulnerabilities can be found by monitoring or actively sending crafted requests through different entry points and checking if the responses yield insecure states. Many web application vulnerabilities are found this way. Network and data flow diagrams, if available, are very helpful in seeing the bigger picture. While an understanding of application-specific communication protocols is required for this mode, an understanding of the application's internal workings are not. How user-influenced data is being passed and transformed within a system is more or less seen as a black-box in this analysis mode, with the focus on monitoring and sending requests and analyzing the responses that come out. If we go back to our hypothetical financial portal from earlier, we may want to look at the feature that allows clients to purchase prepaid credit cards in different currencies as a contrived example. Let's assume that a purchase request accepts the following parameters: fromAccount: The account from which money is being withdrawn to purchase the prepaid card. fromAmount: The amount of money to place into the card in the currency of fromAccount (e.g. 100). cardType: The type of card to purchase (e.g. USD, GBP). currencyPair: The currency pair for fromAccount and cardType (e.g. CADUSD, CADGBP). The first thing we might want to do is send a standard request so that we know what a normal response should look like as a baseline. A request and response to purchase an $82 USD card from a CAD account might look like this: Request Response { "fromAccount": "000123456", "fromAmount": 100, "cardType": "USD", "currencyPair": "CADUSD" } { "status": "ok", "cardPan": 4444333322221111, "cardType": "USD" "toAmount": 82.20, } We may not know exactly what happened behind the scenes, but it came out ok as indicated by the status attribute. Now if we tweak the fromAmount to something negative, or the fromAccount to someone else's account, those may return erroneous responses indicating that validation is being performed. If we change the value of currencyPair from CADUSD to CADJPY, we'll see that the toAmount changes from 82.20 to 8863.68 while the cardType is still USD. We're able to get more bang for our buck by using a more favourable exchange rate while the desired card type stays the same. If we have access to back-end code, it would make it easier to know what's happening to that user input and come up with more thorough test cases that could lead to insecure states with greater precision. Perhaps an additional request parameter that's not exposed on the client-side could have altered the expected behaviour in a potentially malicious way. Code and binary analysis is about understanding how user-influenced input is passed and transformed within a target application. To borrow an analogy from Practical Malware Analysis, if the last three analysis modes can be compared to looking at the outside of a body during an autopsy, then this mode is where the dissection begins. There are a variety of activities that can be performed for static and dynamic analysis. Here are a few: Data flow analysis. This is useful for scouting entry points and understanding how data can flow toward potential insecure states. When I'm stuck trying to get a payload to work in the context of communications analysis, I tweak it in different ways to try get toward that hypothesized insecure state. In comparison with this mode, I can first look into checking whether that insecure state actually exists, and if so, figure out how to craft my payload to get there with greater precision. As mentioned earlier, one of the benefits of this mode is being able to find insecure states and being able to work backwards to craft payloads for corresponding entry points. Static and dynamic analysis go hand-in-hand here. If you're looking to go from point A to B, then static analysis is like reading a map, and dynamic analysis is like getting a live overview of traffic and weather conditions. The wide and abstract understanding of an application you get from static analysis is complemented by the more narrow and concrete understanding you get from dynamic analysis. Imports analysis. Analyzing imported APIs can give insight into how the application functions and how it interacts with the OS, especially in the absence of greater context. For example, the use of cryptographic functions can indicate that some asset is being protected. You can trace calls to figure out what it's protecting and whether it's protected properly. If a process is being created, you can look into determining whether user-input can influence that. Understanding how the software interacts with the OS can give insight on entry points you can use to interact with it (e.g. network listeners, writable files, IOCTL requests). Strings analysis. As with analyzing imports, strings can give some insights into the program's capabilities. I tend to look for things like debug statements, keys/tokens, and anything that looks suspicious in the sense that it doesn't fit with how I would expect the program to function. Interesting strings can be traced for its usages and to see if there are code paths reachable from entry points. It's important to differentiate between strings that are part of the core program and those that are included as part of statically-imported libraries. Security scan triage. Automated source code scanning tools may be helpful in finding generic low-hanging fruit, but virtually useless at finding contextual or design-based vulnerabilities. I don't typically find this to be the most productive use of my time because of the sheer number of false positives, but if it yields many confirmed vulnerabilities then it could indicate a bigger picture of poor secure coding practices. Dependency analysis. This involves triaging dependencies (e.g. open-source components) for known vulnerabilities that are exploitable, or finding publicly unknown vulnerabilities that could be leveraged within the context of the target application. A modern large application is often built on many external dependencies. A subset of them can have vulnerabilities, and a subset of those vulnerabilities can "bubble-up" to the main application and become exploitable through an entry point. Common examples include Heartbleed, Shellshock, and various Java deserialization vulnerabilities. Repository analysis. If you have access to a code repository, it may help identify areas that would typically be interesting to researchers. Aside from the benefits of having more context than with a binary alone, it becomes easier to find older areas of code that haven't changed in a long time and areas of code that bridge the development efforts of segmented groups. Code and binary analysis typically takes longer than the other modes and is arguably more difficult because researchers often need to understand the application and its technologies to nearly the same degree as its developers. In practice, this knowledge can often be distributed among segmented groups of developers while researchers need to understand it holistically to be effective. I cannot overstate how important it is to have competency in programming for this. A researcher who can program with the technologies of their target application is almost always better equipped to provide more value. On the offensive side, finding vulnerabilities becomes more intuitive and it becomes easier to adapt exploits to multiple environments. On the defensive side, non-generic remediation recommendations can be provided that target the root cause of the vulnerability at the code level. Similar to the domains of knowledge, actively combining this analysis mode with the others helps makes things click and increases the likelihood of finding vulnerabilities. Other Thoughts and Lessons Learned This section goes over some other thoughts worth mentioning that didn't easily fit in previous sections. Vulnerability Complexity Vulnerabilities vary in a spectrum of complexity. On one end, there are trivial vulnerabilities which have intuitive exploit code used in areas that are highly prone to scrutiny (e.g. the classic SQLi authentication bypass). On the other end are the results of unanticipated interactions between system elements that by themselves are neither insecure nor badly engineered, but lead to a vulnerability when chained together (e.g. Chris Domas' "Memory Sinkhole"). I tend to distinguish between these ends of the spectrum with the respective categories of "first-order vulnerabilities" and "second-order vulnerabilities", but there could be different ways to describe them. The modern exploit is not a single shot vulnerability anymore. They tend to be a chain of vulnerabilities that add up to a full-system compromise. — Ben Hawkes, Project Zero Working in Teams It is usually helpful to be upfront to your team about what you know and don't know so that you can (ideally) be delegated tasks in your areas of expertise while being given opportunities to grow in areas of improvement. Pretending and being vague is counterproductive because people who know better will sniff it out easily. If being honest can become political, then maybe it's not an ideal team to work with. On the other hand, you shouldn't expect to be spoon-fed everything you need to know. Learning how to learn on your own can help you become self-reliant and help your team's productivity. If you and your team operate on billable time, the time one takes to teach you might be time they won't get back to focus on their task. The composition of a team in a timed project can be a determining factor to the quantity and quality of vulnerabilities found. Depending on the scale and duration of the project, having more analysts could lead to faster results or lead to extra overhead and be counterproductive. A defining characteristic of some of the best project teams I've been on is that in addition to having good rapport and communication, we had diverse skill sets that played off each other which enhanced our individual capabilities. We also delegated parallelizable tasks that had converging outcomes. Here are some examples: Bob scouts for entry points and their parameters while Alice looks for vulnerable sinks. Alice fleshes out the payload to a vulnerable sink while Bob makes sense of the protocol to the sink's corresponding entry point. Bob reverses structs by analyzing client requests dynamically while Alice contributes by analyzing how they are received statically. Bob looks for accessible file shares on a network while Alice sifts through them for valuable information. Overall, working in teams can increase productivity but it takes some effort and foresight to make that a reality. It's also important to know when adding members won't be productive so as to avoid overhead. Final Notes Thanks for taking the time to read this if you made it this far. I hope this has taken some of the magic out of what's involved when finding vulnerabilities. It's normal to feel overwhelmed and a sense of impostor syndrome when researching (I don't think that ever goes away). This is a constant learning process that extends beyond a day job or what any single resource can teach you. I encourage you to try things on your own and learn how others approach this so you can aggregate, combine, and incorporate elements from each into your own approach. I'd like to thank @spookchop and other unnamed reviewers for their time and contributions. I am always open to more (critical) feedback so please contact me if you have any suggestions. The following tools were used for graphics: GIMP, WordItOut, draw.io, and FreeMind. @Jackson_T Sursa: http://jackson.thuraisamy.me/finding-vulnerabilities.html

[h=2]Awesome Penetration Testing[/h] A collection of awesome penetration testing resources, tools, books, confs, magazines and other shiny things Online Resources Penetration Testing Resources Shell Scripting Resources Linux Resources Shellcode development Social Engineering Resources Lock Picking Resources [*] Tools Penetration Testing Distributions Basic Penetration Testing Tools Vulnerability Scanners Network Tools Hex Editors Crackers Windows Utils DDoS Tools Social Engineering Tools Anonimity Tools Reverse Engineering Tools [*] Books Penetration Testing Books Hackers Handbook Series Network Analysis Books Reverse Engineering Books Malware Analysis Books Windows Books Social Engineering Books Lock Picking Books [*]Vulnerability Databases [*]Security Courses [*]Information Security Conferences [*]Information Security Magazines [*]Awesome Lists [*]Contribution [*]License [h=3][/h][h=3]Online Resources[/h] [h=4]Penetration Testing Resources[/h] Metasploit Unleashed - Free Offensive Security metasploit course PTES - Penetration Testing Execution Standard OWASP - Open Web Application Security Project OSSTMM - Open Source Security Testing Methodology Manual [h=4]Shell Scripting Resources[/h] LSST - Linux Shell Scripting Tutorial [h=4]Linux resources[/h] Kernelnewbies - A community of aspiring Linux kernel developers who work to improve their Kernels [h=4][/h][h=4]Shellcode development[/h] Shellcode Tutorials - Tutorials on how to write shellcode Shellcode examples - Shellcodes database [h=4][/h][h=4]Social Engineering Resources[/h] Social Engineering Framework - An information resource for social engineers [h=4][/h][h=4]Lock Picking Resources[/h] Schuyler Towne channel - Lockpicking videos and security talks [h=3][/h][h=3]Tools[/h] [h=4][/h][h=4]Penetration Testing Distributions[/h] Kali - A Linux distribution designed for digital forensics and penetration testing NST - Network Security Toolkit distribution Pentoo - security-focused livecd based on Gentoo BackBox - Ubuntu-based distribution for penetration tests and security assessments [h=4]Basic Penetration Testing Tools[/h] Metasploit - World's most used penetration testing software Burp - An integrated platform for performing security testing of web applications [h=4]Vulnerability Scanners[/h] Netsparker - Web Application Security Scanner Nexpose - Vulnerability Management & Risk Management Software Nessus - Vulnerability, configuration, and compliance assessment Nikto - Web application vulnerability scanner OpenVAS - Open Source vulnerability scanner and manager OWASP Zed Attack Proxy - Penetration testing tool for web applications w3af - Web application attack and audit framework Wapiti - Web application vulnerability scanner [h=4][/h][h=4]Networks Tools[/h] nmap - Free Security Scanner For Network Exploration & Security Audits tcpdump/libpcap - A common packet analyzer that runs under the command line Wireshark - A network protocol analyzer for Unix and Windows Network Tools - Different network tools: ping, lookup, whois, etc netsniff-ng - A Swiss army knife for for network sniffing Intercepter-NG - a multifunctional network toolkit [h=4]SSL Analysis Tools[/h] SSLyze - SSL configuration scanner [h=4]Hex Editors[/h] HexEdit.js - Browser-based hex editing [h=4]Crackers[/h] John the Ripper - Fast password cracker Online MD5 cracker - Online MD5 hash Cracker [h=4]Windows Utils[/h] Sysinternals Suite - The Sysinternals Troubleshooting Utilities Windows Credentials Editor - security tool to list logon sessions and add, change, list and delete associated credentials [h=4]DDoS Tools[/h] LOIC - An open source network stress tool for Windows JS LOIC - JavaScript in-browser version of LOIC [h=4]Social Engineering Tools[/h] SET - The Social-Engineer Toolkit from TrustedSec [h=4]Anonimity Tools[/h] Tor - The free software for enabling onion routing online anonymity I2P - The Invisible Internet Project [h=4]Reverse Engineering Tools[/h] IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger WDK/WinDbg - Windows Driver Kit and WinDbg OllyDbg - An x86 debugger that emphasizes binary code analysis [h=3]Books[/h] [h=4]Penetration Testing Books[/h] The Art of Exploitation by Jon Erickson, 2008 Metasploit: The Penetration Tester's Guide by David Kennedy and others, 2011 Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014 Rtfm: Red Team Field Manual by Ben Clark, 2014 The Hacker Playbook by Peter Kim, 2014 The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013 Professional Penetration Testing by Thomas Wilhelm, 2013 Advanced Penetration Testing for Highly-Secured Environments by Lee Allen,2012 Violent Python by TJ O'Connor, 2012 Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini, 2007 [h=4]Hackers Handbook Series[/h] The Shellcoders Handbook by Chris Anley and others, 2007 The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011 iOS Hackers Handbook by Charlie Miller and others, 2012 Android Hackers Handbook by Joshua J. Drake and others, 2014 The Browser Hackers Handbook by Wade Alcorn and others, 2014 [h=4]Network Analysis Books[/h] Nmap Network Scanning by Gordon Fyodor Lyon, 2009 Practical Packet Analysis by Chris Sanders, 2011 Wireshark Network Analysis by by Laura Chappell, Gerald Combs, 2012 [h=4]Reverse Engineering Books[/h] Reverse Engineering for Beginners by Dennis Yurichev (free!) The IDA Pro Book by Chris Eagle, 2011 Practical Reverse Engineering by Bruce Dang and others, 2014 Reverse Engineering for Beginners [h=4]Malware Analysis Books[/h] Practical Malware Analysis by Michael Sikorski, Andrew Honig, 2012 The Art of Memory Forensics by Michael Hale Ligh and others, 2014 [h=4]Windows Books[/h] Windows Internals by Mark Russinovich, David Solomon, Alex Ionescu [h=4]Social Engineering Books[/h] The Art of Deception by Kevin D. Mitnick, William L. Simon, 2002 The Art of Intrusion by Kevin D. Mitnick, William L. Simon, 2005 Ghost in the Wires by Kevin D. Mitnick, William L. Simon, 2011 No Tech Hacking by Johnny Long, Jack Wiles, 2008 Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010 Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014 [h=4][/h][h=4]Lock Picking Books[/h] Practical Lock Picking by Deviant Ollam, 2012 Keys to the Kingdom by Deviant Ollam, 2012 [h=3]Vulnerability Databases[/h] NVD - US National Vulnerability Database CERT - US Computer Emergency Readiness Team OSVDB - Open Sourced Vulnerability Database Bugtraq - Symantec SecurityFocus Exploit-DB - Offensive Security Exploit Database Fulldisclosure - Full Disclosure Mailing List MS Bulletin - Microsoft Security Bulletin MS Advisory - Microsoft Security Advisories Inj3ct0r - Inj3ct0r Exploit Database Packet Storm - Packet Storm Global Security Resource SecuriTeam - Securiteam Vulnerability Information CXSecurity - CSSecurity Bugtraq List Vulnerability Laboratory - Vulnerability Research Laboratory ZDI - Zero Day Initiative [h=3][/h][h=3]Security Courses[/h] Offensive Security Training - Training from BackTrack/Kali developers SANS Security Training - Computer Security Training & Certification Open Security Training - Training material for computer security classes CTF Field Guide - everything you need to win your next CTF competition [h=3]Information Security Conferences[/h] DEF CON - An annual hacker convention in Las Vegas Black Hat - An annual security conference in Las Vegas BSides - A framework for organising and holding security conferences CCC - An annual meeting of the international hacker scene in Germany DerbyCon - An annual hacker conference based in Louisville PhreakNIC - A technology conference held annually in middle Tennessee ShmooCon - An annual US east coast hacker convention CarolinaCon - An infosec conference, held annually in North Carolina HOPE - A conference series sponsored by the hacker magazine 2600 SummerCon - One of the oldest hacker conventions, held during Summer Hack.lu - An annual conference held in Luxembourg HITB - Deep-knowledge security conference held in Malaysia and The Netherlands Troopers - Annual international IT Security event with workshops held in Heidelberg, Germany Hack3rCon - An annual US hacker conference ThotCon - An annual US hacker conference held in Chicago LayerOne - An annual US security conerence held every spring in Los Angeles DeepSec - Security Conference in Vienna, Austria SkyDogCon - A technology conference in Nashville [h=3][/h][h=3]Information Security Magazines[/h] 2600: The Hacker Quarterly - An American publication about technology and computer "underground" Hakin9 - A Polish online, weekly publication on IT Security [h=3]Awesome Lists[/h] SecTools - Top 125 Network Security Tools C/C++ Programming - One of the main language for open source security tools .NET Programming - A software framework for Microsoft Windows platform development Shell Scripting - Command-line frameworks, toolkits, guides and gizmos Ruby Programming by @SiNdresorhus - JavaScript in command-line Node.js Programming by @vndmtrx - JavaScript in command-line Python tools for penetration testers - Lots of pentesting tools are written in Python Python Programming by @svaksha - General Python programming Python Programming by @vinta - General Python programming Andorid Security - A collection of android security related resources Awesome Awesomness - The List of the Lists [h=3][/h][h=3]Contribution[/h] Your contributions and suggestions are heartily? welcome. (????) [h=3][/h][h=3]License[/h] This work is licensed under a Creative Commons Attribution 4.0 International License Sursa: https://github.com/enaqx/awesome-pentest

Pentru cei carora le place sa citeasca, si se descurca cu engleza, ofer gratuit capitole sau urmatoarele (255) carti intregi in format PDF de pe CRCnetBASE, majoritatea nu pot fi gasite pe torrente sau site-uri de ebooks grauite. Din anumite motive bine intemeiate, imi rezerv dreptul de a trimite aceste carti doar anumitor persoane. Tinand cont ca e un proces manual si trebuie sa imi iau niste masuri de siguranta, e posibil sa dureze ceva daca doriti multe carti sau am un backlog de cereri. Pentru a vedea un rezumat/abstract al cartii inainte sa o cereti, si pentru a salva timpul meu si al vostru, recomand mai intai sa dati un search pe pagina aceasta la titlul cartii in acest field si in dreapta va aparea un pdf gratuit cu rezumatul/abstractul/contents: Cererile doar prin mesaj privat, aici doar intrebari/nelamuriri/probleme va rog. Thx. UPDATE: Va rog pentru inceput sa cereti doar cate putin, cat cititi odata, nu la gramada tot ce pare fain, ca sa pot servi pe toata lumea. Cand terminati mai trimit - nu plec niciunde. Thx. Lista completa a cartilor: 802.1X Port-Based Authentication A Practical Guide to Security Assessments A Practical Guide to Security Engineering and Information Assurance A Technical Guide to IPSec Virtual Private Networks Adaptive Security Management Architecture Advances in Biometrics for Secure Human Authentication and Recognition Algebraic and Stochastic Coding Theory Algebraic Curves in Cryptography Algorithmic Cryptanalysis An Introduction to Cryptography, Second Edition Android Malware and Analysis Android Security, Attacks and Defenses Anonymous Communication Networks, Protecting Privacy on the Web Architecting Secure Software Systems Assessing and Managing Security Risk in IT Systems, A Structured Methodology Asset Protection and Security Management Handbook Asset Protection through Security Awareness Audit and Trace Log Management, Consolidation and Analysis Authentication Codes and Combinatorial Designs Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks Building A Global Information Assurance Program Building an Effective Information Security Policy Architecture Building an Information Security Awareness Program Building and Implementing a Security Certification and Accreditation Program, OFFICIAL (ISC)2 GUIDE to the CAPcm CBK Business Resumption Planning Call Center Continuity Planning Case Studies in Intelligent Computing, Achievements and Trends Case Studies in Secure Computing, Achievements and Trends CISO Soft Skills, Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives CISO's Guide to Penetration Testing, A Framework to Plan, Manage, and Maximize Benefits Complete Book of Remote Access, Connectivity and Security Complete Guide to CISM Certification Complete Guide to Security and Privacy Metrics, Measuring Regulatory Compliance, Operational Resilience, and ROI Computer Security Literacy, Staying Safe in a Digital World Conducting Network Penetration and Espionage in a Global Environment Conflict and Cooperation in Cyberspace, The Challenge to National Security Core Software Security, Security at the Source Critical Incident Management Critical Infrastructure System Security and Resiliency Critical Infrastructure, Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies Cryptanalysis of RSA and Its Variants Cultural Property Security, Protecting Museums, Historic Sites, Archives, and Libraries Curing the Patch Management Headache Cyber Crime Investigator's Field Guide, Second Edition Cyber Forensics, A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes Cyber Forensics, A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition Cyber Fraud, Tactics, Techniques and Procedures Cyber Power, Crime, Conflict and Security in Cyberspace Cyber Security Essentials Cybersecurity for Industrial Control Systems, SCADA, DCS, PLC, HMI, and SIS Cybersecurity, Public Sector Threats and Responses Cybervetting, Internet Searches for Vetting, Investigations, and Open-Source Intelligence, Second Edition Data Governance, Creating Value from Information Assets Data Mining and Machine Learning in Cybersecurity Data Mining Tools for Malware Detection Data Privacy for the Smart Grid Data Protection, Governance, Risk Management, and Compliance Database and Applications Security, Integrating Information Security and Data Management Data-driven Block Ciphers for Fast Telecommunication Systems Defense against the Black Arts, How Hackers Do What They Do and How to Protect against It Developing and Securing the Cloud Digital Forensics for Handheld Devices Digital Privacy, Theory, Technologies, and Practices Discrete Dynamical Systems and Chaotic Machines, Theory and Applications Disruptive Security Technologies with Mobile Code and Peer-to-Peer Networks Distributed Networks, Intelligence, Security, and Applications Effective Surveillance for Homeland Security, Balancing Technology and Social Issues Effective Use of Teams for IT Audits Elliptic Curves, Number Theory and Cryptography, Second Edition Group Theoretic Cryptography Handbook of Applied Cryptography Handbook of Elliptic and Hyperelliptic Curve Cryptography Handbook of Financial Cryptography and Security Handbook of Finite Fields Handbook of Surveillance Technologies, Third Edition Hardware Security, Design, Threats, and Safeguards Homeland Security and Private Sector Business, Corporations' Role in Critical Infrastructure Protection Homeland Security Handbook How to Develop and Implement a Security Master Plan Industrial Espionage, Developing a Counterespionage Program Information Assurance Architecture Information Security Architecture, An Integrated Approach to Security in the Organization Information Security Architecture, An Integrated Approach to Security in the Organization, Second Edition Information Security Cost Management Information Security Fundamentals, Second Edition Information Security Governance Simplified, From the Boardroom to the Keyboard Information Security Management Handbook on CD-ROM, 2006 Edition Information Security Management Handbook, Fifth Edition, Volume 3 Information Security Management Handbook, Four Volume Set Information Security Management Handbook, Fourth Edition, Volume 4 Information Security Management Handbook, Sixth Edition Information Security Management Handbook, Sixth Edition, Volume 2 Information Security Management Handbook, Sixth Edition, Volume 3 Information Security Management Handbook, Sixth Edition, Volume 4 Information Security Management Handbook, Sixth Edition, Volume 5 Information Security Management Handbook, Sixth Edition, Volume 6 Information Security Management Handbook, Volume 2 Insider Computer Fraud, An In-depth Framework for Detecting and Defending against Insider IT Attacks Intelligent Network Video, Understanding Modern Video Surveillance Systems Intelligent Video Surveillance, Systems and Technology Investigations in the Workplace, Second Edition Investigator's Guide to Steganography Iris Biometric Model for Secured Network Access IT Auditing and Sarbanes-Oxley Compliance, Key Strategies for Business Improvement IT Security Governance Guidebook with Security Program Metrics on CD-ROM Lattice Basis Reduction, An Introduction to the LLL Algorithm and Its Applications Machine Learning Forensics for Law Enforcement, Security, and Intelligence Malicious Bots, An Inside Look into the Cyber-Criminal Underground of the Internet Managing A Network Vulnerability Assessment Managing an Information Security and Privacy Awareness and Training Program Managing an Information Security and Privacy Awareness and Training Program, Second Edition Managing Risk and Security in Outsourcing IT Services, Onshore, Offshore and the Cloud Managing the Insider Threat, No Dark Corners Managing Trust in Cyberspace Mechanics of User Identification and Authentication, Fundamentals of Identity Management Multilevel Modeling of Secure Systems in QoP-ML Multilevel Security for Relational Databases Multimedia Content Encryption, Techniques and Applications Multimedia Encryption and Authentication Techniques and Applications Multimedia Security Handbook Multimedia Security, Watermarking, Steganography, and Forensics Multimedia Watermarking Techniques and Applications Multiple-Base Number System, Theory and Applications Network and Application Security, Fundamentals and Practices Network Anomaly Detection, A Machine Learning Perspective Network Attacks and Defenses, A Hands-on Approach Network Perimeter Security, Building Defense In-Depth Network Security Technologies New Directions of Modern Cryptography Noiseless Steganography, The Key to Covert Communications Official (ISC)2 Guide to the CISSP CBK Official (ISC)2 Guide to the CISSP CBK, Second Edition Official (ISC)2 Guide to the CISSP CBK, Third Edition Official (ISC)2 Guide to the CISSP Exam Official (ISC)2 Guide to the CSSLP Official (ISC)2 Guide to the CSSLP CBK, Second Edition Official (ISC)2 Guide to the HCISPP CBK Official (ISC)2 Guide to the SSCP CBK Official (ISC)2 Guide to the SSCP CBK, Second Edition Official (ISC)2® Guide to the CAP® CBK®, Second Edition Official (ISC)2® Guide to the CCFP CBK Official (ISC)2® Guide to the ISSAP® CBK Official (ISC)2® Guide to the ISSAP® CBK, Second Edition Official (ISC)2® Guide to the ISSEP® CBK®, Second Edition Official (ISC)2® Guide to the ISSMP® CBK® Optical Coding Theory with Prime Oracle Identity Management, Governance, Risk, and Compliance Architecture, Third Edition PCI Compliance, The Definitive Guide Pearls of Discrete Mathematics Physical Security and Safety, A Field Guide for the Practitioner Practical Cryptography, Algorithms and Implementations Using C++ Practical Hacking Techniques and Countermeasures Practical Risk Management for the CIO PRAGMATIC Security Metrics, Applying Metametrics to Information Security Privacy-Aware Knowledge Discovery, Novel Applications and New Techniques Profiling Hackers, The Science of Criminal Profiling as Applied to the World of Hacking Protocols for Secure Electronic Commerce, Second Edition Public Key Infrastructure, Building Trusted Applications and Web Services Quantum Communications and Cryptography RC4 Stream Cipher and Its Variants Responsive Security, Be Ready to Be Secure RSA and Public-Key Cryptography Secure and Resilient Software Development Secure and Resilient Software, Requirements, Test Cases, and Testing Methods Secure Computers and Networks, Analysis, Design, and Implementation Secure Data Provenance and Inference Control with Semantic Web Secure Internet Practices, Best Practices for Securing Systems in the Internet and e-Business Age Secure Java, For Web Application Development Secure Semantic Service-Oriented Systems Securing and Controlling Cisco Routers Securing Cloud and Mobility, A Practitioner's Guide Securing Converged IP Networks Securing E-Business Applications and Communications Securing Systems, Applied Security Architecture and Threat Models Securing Windows NT/2000, From Policies to Firewalls Security and Policy Driven Computing Security and Privacy in Smart Grids Security De-Engineering, Solving the Problems in Information Risk Management Security for Service Oriented Architectures Security for Wireless Sensor Networks using Identity-Based Cryptography Security in an IPv6 Environment Security in Distributed, Grid, Mobile, and Pervasive Computing Security in RFID and Sensor Networks Security Management, A Critical Thinking Approach Security of Mobile Communications Security Patch Management Security Software Development, Assessing and Managing Security Risks Security Strategy, From Requirements to Reality Security without Obscurity, A Guide to Confidentiality, Authentication, and Integrity Smart Grid Security, An End-to-End View of Security in the New Electrical Grid Software Deployment, Updating, and Patching Software Test Attacks to Break Mobile and Embedded Devices Standard for Auditing Computer Applications, Second Edition Statistical Methods in Computer Security Strategic Information Security Surviving Security, How to Integrate People, Process, and Technology Testing Code Security The ABCs of LDAP, How to Install, Run, and Administer LDAP Services The CISO Handbook, A PRACTICAL GUIDE TO SECURING YOUR COMPANY The Complete Book of Data Anonymization, From Planning to Implementation The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules The Ethical Hack, A Framework for Business Value Penetration Testing The Hacker's Handbook, The Strategy Behind Breaking into and Defending Networks The Laws of Software Process, A New Model for the Production and Management of Software The Practical Guide to HIPAA Privacy and Security Compliance The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition The Privacy Papers, Managing Technology, Consumer, Employee and Legislative Actions The Security Risk Assessment Handbook, A Complete Guide for Performing Security Risk Assessments The Security Risk Assessment Handbook, A Complete Guide for Performing Security Risk Assessments, Second Edition The State of the Art in Intrusion Prevention and Detection The Total CISSP Exam Prep Book, Practice Questions, Answers, and Test Taking Tips and Techniques Trade Secret Theft, Industrial Espionage, and the China Threat Unauthorized Access, The Crisis in Online Privacy and Security Understanding Surveillance Technologies, Spy Devices, Privacy, History & Applications, Second Edition Understanding Surveillance Technologies, Spy Devices, Their Origins & Applications UNIX Administration, A Comprehensive Sourcebook for Effective Systems & Network Management Using the Common Criteria for IT Security Evaluation Vein Pattern Recognition, A Privacy-Enhancing Biometric Verification of Computer Codes in Computational Science and Engineering Visual Cryptography and Secret Image Sharing Vulnerability Management Watermarking Systems Engineering, Enabling Digital Assets Security and Other Applications Web Security, A WhiteHat Perspective What Every Engineer Should Know About Cyber Security and Digital Forensics Windows Networking Tools, The Complete Guide to Management, Troubleshooting, and Security Wireless Crime and Forensic Investigation Wireless Multimedia Communication Systems, Design, Analysis, and Implementation Wireless Security