β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Reversing XOR and other code obfuscation methods :
> Like a drug for some hackers
* [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware analysis tool for reversing obfuscation (XOR, ROL, etc.) and more.
* [de4dot](https://github.com/de4dot/de4dot) - .NET deobfuscator and unpacker.
* [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
* FLOSS - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
* [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256-byte XOR key using frequency analysis.
* PackerAttacker - A generic hidden code extractor for Windows malware.
* [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware unpacker for Windows malware based on WinAppDbg.
* unxor - Guess XOR keys using known-plaintext attacks.
* [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) - Reverse engineering tool for virtualization wrappers.
* XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
* [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) - A couple of programs from Didier Stevens for finding XORed data.
* xortool - Guess the XOR key length, as well as the key itself.
>git sources..
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
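The three tricks the tools above rely on (known-plaintext search for a single-byte key, key-length estimation, and per-position frequency analysis for a repeating key) fit in a few dozen lines. The block below is an added example written for this page, not code from any of the listed tools; the "binary" it works on is constructed inline (a fake DOS stub plus null padding, the byte distribution a real PE file has), and the keys `0x5A` and `k3y!` are demo values.

```python
#!/usr/bin/env python3
"""XOR key recovery the way the tools above do it (added example, not their code).

  - known-plaintext search for a single-byte key  (unxor, XORSearch)
  - key-length estimate from byte repetition        (xortool)
  - per-position frequency analysis for the key     (NoMoreXOR)
The sample file is constructed here; nothing is read from disk.
"""
from collections import Counter
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_single_byte_key(data: bytes, known: bytes = DOS_STUB) -> Optional[int]:
    """Known-plaintext attack: try all 256 keys, keep the one that reveals `known`."""
    for k in range(256):
        if known in xor_bytes(data, bytes([k])):
            return k
    return None  # no single-byte key exposes the known string


def guess_key_length(data: bytes, max_len: int = 32) -> int:
    """For each candidate length n, measure how often data[i] == data[i+n].
    The key bytes cancel out only when n is a multiple of the true length,
    so those lengths score far higher than the rest; return the shortest
    length that scores at least half as well as the best candidate."""
    scores = {}
    for n in range(1, max_len + 1):
        pairs = len(data) - n
        if pairs < 64:          # too little material to judge this length
            break
        equal = sum(1 for i in range(pairs) if data[i] == data[i + n])
        scores[n] = equal / pairs
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= best / 2)


def recover_key(data: bytes, key_len: int, expected: int = 0x00) -> bytes:
    """Frequency analysis: the most common byte of a PE file is 0x00 (padding),
    so at each key position the most common ciphertext byte XOR `expected`
    is the key byte. Use expected=0x20 (space) for XORed text."""
    return bytes(
        Counter(data[i::key_len]).most_common(1)[0][0] ^ expected
        for i in range(key_len)
    )


def make_sample() -> bytes:
    """Constructed stand-in for a small PE file; not a real executable."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(300))
    return (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 52 + DOS_STUB + b"\r\n$"
            + b"\x00" * 600 + code)


def demo() -> dict:
    plain = make_sample()
    single = xor_bytes(plain, b"\x5a")      # single-byte key 0x5A (demo value)
    multi = xor_bytes(plain, b"k3y!")       # 4-byte repeating key (demo value)
    length = guess_key_length(multi)
    key = recover_key(multi, length)
    return {
        "single_byte_key": find_single_byte_key(single),      # 0x5A
        "single_byte_on_multi": find_single_byte_key(multi),  # None
        "key_length": length,                                 # 4
        "key": key,                                           # b"k3y!"
        "decrypted_ok": xor_bytes(multi, key) == plain,       # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The frequency step assumes 0x00 is the dominant plaintext byte, which holds for executables but not for text; that is why NoMoreXOR and xortool let you pick the expected "most frequent" character. The length estimate works because a repeating key leaks its period: once the key bytes cancel, the ciphertext repeats wherever the plaintext does.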
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
#Reverse Engineering Tools
The following are some of the most popular reverse engineering tools (see the reverse engineering section for more references):
[Ghidra](https://ghidra-sre.org/) - A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate.
Interactive Disassembler (IDA Pro) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, IDA Free.
[WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
OllyDbg - x86 debugger for Windows binaries that emphasizes binary code analysis.
[Radare2](http://rada.re/r/index.html) - Open source, cross-platform reverse engineering framework.
x64dbg - Open source x64/x32 debugger for Windows.
[Immunity Debugger](http://debugger.immunityinc.com/) - Powerful way to write exploits and analyze malware.
Evan's Debugger - OllyDbg-like debugger for GNU/Linux.
[Medusa](https://github.com/wisk/medusa) - Open source, cross-platform interactive disassembler.
plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented, syntax-coloured pseudo-code.
[peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB.
dnSpy - Tool to reverse engineer .NET assemblies.
[binwalk](https://github.com/devttys0/binwalk) - Fast, easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.
PyREBox - Python-scriptable reverse engineering sandbox by Cisco Talos.
[Voltron](https://github.com/snare/voltron) - Extensible debugger UI toolkit written in Python.
Capstone - Lightweight multi-platform, multi-architecture disassembly framework.
[rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
Frida - Dynamic instrumentation toolkit for developers, reverse engineers, and security researchers.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Disk Image Creation Tools 2020
* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and the paging file on 32-bit and 64-bit systems.
* [Bitscout](https://github.com/vitaly-kamluk/bitscout) - Bitscout by Vitaly Kamluk helps you build a fully trusted, customizable LiveCD/LiveUSB image for remote digital forensics (or any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.
* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows-based program that acquires, converts, or verifies a forensic image in one of the common forensic image formats.
* [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux.
* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
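What every imager in the list does underneath is the same: read the media sector by sector, keep going past unreadable sectors while recording them, and prove the copy by hashing. The block below is an added example written for this page, not the code of any listed tool. It assumes a 512-byte logical sector, runs on an ordinary file (point it at a block device, as root, for real media), and its `simulate_bad` parameter is a demo-only hook to exercise the read-error path on a plain file; on a real device the same path is taken when the OS raises an I/O error.

```python
#!/usr/bin/env python3
"""A minimal forensic imager with hash verification (added example).

Unreadable sectors are logged and written as zeros, the dd conv=noerror,sync
behaviour, so every offset in the image stays aligned with the source. The
SHA-256 of the byte stream that was read is recorded, then the written image
is re-read and hashed; the two must match for the acquisition to verify.
"""
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512  # assumed logical sector size; query the device for real media


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path: str, img_path: str, simulate_bad=frozenset()) -> dict:
    """Copy src_path to img_path and write an acquisition log next to it."""
    stream = hashlib.sha256()
    bad = []
    lba = 0
    with open(src_path, "rb", buffering=0) as src, open(img_path, "wb") as img:
        while True:
            try:
                if lba in simulate_bad:              # demo-only error injection
                    raise OSError(5, "Input/output error")
                chunk = src.read(SECTOR)
            except OSError:
                bad.append(lba)                      # record it, never abort
                chunk = b"\x00" * SECTOR             # zero-fill the hole
                src.seek((lba + 1) * SECTOR)         # continue after the bad sector
            if not chunk:
                break
            stream.update(chunk)
            img.write(chunk)
            lba += 1
        img.flush()
        os.fsync(img.fileno())

    image_hash = hash_file(img_path)
    log = {
        "source": src_path,
        "image": img_path,
        "sector_size": SECTOR,
        "sectors": lba,
        "bad_sectors": bad,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256_stream": stream.hexdigest(),
        "sha256_image": image_hash,
        "verified": stream.hexdigest() == image_hash,
    }
    with open(img_path + ".json", "w") as f:
        json.dump(log, f, indent=2)
    return log


def verify_image(img_path: str) -> bool:
    """Re-hash an image (e.g. before analysis) against its acquisition log."""
    with open(img_path + ".json") as f:
        log = json.load(f)
    return hash_file(img_path) == log["sha256_image"]


def demo() -> dict:
    """Image a constructed 16-sector 'disk' cleanly, then with one bad sector,
    then tamper with the second image; returns what each step reports."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "disk.bin")
    data = bytes((i * 7) & 0xFF for i in range(16 * SECTOR))   # constructed content
    with open(src, "wb") as f:
        f.write(data)

    clean = image_device(src, os.path.join(work, "clean.dd"))
    damaged = image_device(src, os.path.join(work, "bad.dd"), simulate_bad={3})
    with open(os.path.join(work, "bad.dd"), "rb") as f:
        damaged_bytes = f.read()
    with open(os.path.join(work, "bad.dd"), "r+b") as f:     # later tampering
        f.seek(100)
        f.write(b"X")

    return {
        "clean_verified": clean["verified"],
        "clean_bad_sectors": clean["bad_sectors"],
        "clean_matches_source": clean["sha256_image"] == hashlib.sha256(data).hexdigest(),
        "damaged_verified": damaged["verified"],
        "damaged_bad_sectors": damaged["bad_sectors"],
        "damaged_same_size": len(damaged_bytes) == len(data),
        "hole_is_zeroed": damaged_bytes[3 * SECTOR:4 * SECTOR] == b"\x00" * SECTOR,
        "rest_intact": (damaged_bytes[:3 * SECTOR] == data[:3 * SECTOR]
                        and damaged_bytes[4 * SECTOR:] == data[4 * SECTOR:]),
        "clean_reverifies": verify_image(os.path.join(work, "clean.dd")),
        "tampered_reverifies": verify_image(os.path.join(work, "bad.dd")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note what "verified" means here: the image matches what was read, bad sectors included. When the log lists bad sectors, the image hash will not equal a hash of the healthy media, which is why the tools above report the bad-sector list alongside the hashes rather than a single pass/fail.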
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Memory #Analysis Tools topic 2020 :
* [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework.
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - Advanced memory analysis for Windows x64 with nested hypervisor support.
* [KnTList](http://www.gmgsystemsinc.com/knttools/) - Computer memory analysis tools.
* [LiME](https://github.com/504ensicsLabs/LiME) - LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices.
* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - Memoryze by Mandiant is free memory forensics software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.
* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - The macOS version of Memoryze, with a smaller feature set.
* [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
* [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is a commercial physical memory and automated malware analysis solution.
* [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework.
* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers that takes the guesswork and manual tasks out of the binary extraction phase, and helps the investigator with the first steps of a memory analysis investigation.
* [VolDiff](https://github.com/aim4r/VolDiff) - Malware memory footprint analysis based on Volatility.
* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - Another memory forensics and reverse engineering tool for analyzing volatile memory, mainly used for reverse engineering malware. It can analyze the Windows kernel, drivers, DLLs, and virtual and physical memory.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Network configuration: prevent users from browsing through external proxies :
Let's start :
1. Some background knowledge:
(1) HTTP/1.0 defines the Via: header: when a request or response passes through a proxy, the proxy adds Via: to the HTTP headers to identify itself, so that forwarding loops between servers can be detected.
(2) Snort is an open source IDS (intrusion detection system) that can run as a host or a network IDS. With its rule sets it performs pattern matching on captured IP, TCP, UDP and ICMP packets and logs the matches.
(3) libnet is open source software that can be used as a network protocol/packet generator.
(4) A TCP/IP network is a packet-switched network.
(5) Snort can also generate IP packets through the libnet library, so it can tear down a TCP connection by injecting TCP RST packets.
2. Prerequisites:
(1) Snort runs on the (Linux) router, or receives a copy of the traffic through the port mirror function of the switch on the same network segment as the router.
3. Implementation:
(1) Compile snort with the flexresp (flexible response) feature.
(2) Define a snort rule. The original rule used uricontent:"Via:", but uricontent only inspects the normalized URI buffer, so a Via: header would never match; the header buffer has to be searched instead, and the flexresp keyword is rst_all. In Snort 2.x syntax (http_inspect preprocessor enabled, snort.conf default variable names, sid chosen from the local range):
alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"block proxy"; content:"Via:"; http_header; nocase; resp:rst_all; sid:1000001; rev:1;)
4. Effect:
Internal users can browse external websites normally. If an internal user's browser is configured to use an external proxy, the HTTP request and response headers carry Via: ..., the rule matches the connection, and Snort sends RST packets to both the client and the server sockets, terminating the TCP connection.
Caveats: the rule only sees plaintext HTTP on port 80, so a proxy listening on another port (3128, 8080) or reached through an HTTPS CONNECT tunnel is not matched; a proxy can simply omit the Via: header; and a RST injected by a passive sensor races the legitimate packets, so the block is only reliable when Snort sits inline on the router.
written by Undercode
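The whole rule hinges on matching "Via:" in the right place. The block below is an added example written for this page, not the Snort rule and not code from the original post: it parses constructed HTTP messages the way a sensor between the LAN and the router would see them, counts Via: only when it is a header (not a substring of the URL or body), and also flags the two other signs of a browser-to-proxy connection that a Via: match misses, a CONNECT tunnel (how HTTPS goes through an HTTP proxy, with nothing visible inside) and a request line carrying an absolute URI. All hostnames are invented.

```python
#!/usr/bin/env python3
"""Where a "Via:" match has to be made, shown on constructed HTTP samples
(added example, not the Snort rule itself)."""
from typing import List, Tuple


def split_http(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw HTTP message into start line, [(name, value)] headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def proxy_indicators(raw: bytes) -> List[str]:
    """Return the reasons this message looks proxied (empty list = direct)."""
    start, headers, _ = split_http(raw)
    hits = []
    for name, value in headers:
        if name == b"via":                       # header block only, case-insensitive
            hits.append("Via: " + value.decode("latin-1"))
    parts = start.split()
    if len(parts) >= 2:
        if parts[0] == b"CONNECT":               # TLS tunnel through an HTTP proxy
            hits.append("CONNECT tunnel to " + parts[1].decode("latin-1"))
        elif parts[1].lower().startswith(b"http://"):
            hits.append("absolute-URI request line")   # only sent to a forward proxy
    return hits


# Constructed samples (invented hosts): what the sensor sees on the wire.
SAMPLES = {
    # direct request; "Via:" only appears inside the query string
    "direct": b"GET /search?q=Via:+header HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # response relayed by an external proxy
    "via_response": (b"HTTP/1.1 200 OK\r\nvia: 1.1 proxy.example.test (squid)\r\n"
                     b"Content-Length: 2\r\n\r\nok"),
    # the string in the body, not in a header
    "body_only": b"HTTP/1.1 200 OK\r\nContent-Length: 14\r\n\r\nVia: nothing\r\n",
    # HTTPS through an HTTP proxy: no Via: will ever be visible
    "connect": b"CONNECT bank.example.test:443 HTTP/1.1\r\nHost: bank.example.test:443\r\n\r\n",
    # plain HTTP sent to a forward proxy: absolute URI in the request line
    "proxy_request": b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def classify_all() -> dict:
    return {name: proxy_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:14} {'RESET' if hits else 'allow'}  {hits}")
```

Sending the RST is left to Snort's flexresp; the point of the example is that a header-only match gives no false positive on the `direct` sample (which a URI-buffer match would have fired on) and no false negative on the lower-cased `via:` response, and that the `connect` sample is the case the rule cannot see at all.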
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Installing the USRP (UHD) driver on Linux
(used for cellular pentesting)
1) sudo add-apt-repository ppa:ettusresearch/uhd
2) sudo apt-get update
3) sudo apt-get install libuhd-dev libuhd003 uhd-host
4) uhd_find_devices
5) cd /usr/lib/uhd/utils/
6) ./uhd_images_downloader.py
7) sudo uhd_usrp_probe
Expected output of uhd_usrp_probe (device model masked in the original):
[INFO] [UHD] linux; GNU C++ version 7.4.0; Boost_106501; UHD_3.14.1.1-release
[INFO] [B200] Detected Device: B*****
[INFO] [B200] Operating over USB 3.
[INFO] [B200] Initialize CODEC control...
[INFO] [B200] Initialize Radio control...
[INFO] [B200] Performing register loopback test...
[INFO] [B200] Register loopback test passed
[INFO] [B200] Setting master clock rate selection to 'automatic'.
[INFO] [B200] Asking for clock rate 16.000000 MHz...
[INFO] [B200] Actually got clock rate 16.000000 MHz.
_________________________________________________
/
| Device: B-Series Device
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β