Burp Suite for IDOR (insecure direct object reference) testing - the Autorize extension
shellcode encoding and decoding - sometimes you need to avoid bytes like \0 (a string terminator would cut the payload short). https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders Shellcode generators. What do they do? Shellcode databases.
google dorking - like using google with special search operators? Why "dork"? shodan (a search engine over internet-exposed hosts)
nmap -A -T4. -A turns on OS detection (plus version detection and default scripts), -T4 is the faster timing template.
p0f - passive OS fingerprinting by sniffing traffic instead of probing.
yara - pattern rules for recognizing malware. Byte-level patterns? Sigma (the same idea for log events), snort (for network traffic)
SIEM. IDS - intrusion detection systems https://en.wikipedia.org/wiki/Intrusion_detection_system
shellcode encoder/decoder/generator https://www.msreverseengineering.com/blog/2017/7/15/the-synesthesia-shellcode-generator-code-release-and-future-directions synesthesia
https://github.com/grimm-co/NotQuite0DayFriday - exploit examples
Books:
- Gray Hat Hacking
- The Shellcoder's Handbook
- Attacking Network Protocols
- Implementing Effective Code Review
Hacking:
- http://langsec.org/papers/Bratus.pdf - Sergey Bratus's weird machine paper
- smashing the stack for fun and profit
- stacks are no longer executable, hence return to libc https://en.wikipedia.org/wiki/Return-to-libc_attack - libc is very common and you can weave together libc calls. "Solar Designer"
- https://acmccs.github.io/papers/geometry-ccs07.pdf - the geometry of innocent flesh on the bone. ROP
- http://phrack.org/issues/61/6.html - advanced doug lea malloc hacking
- https://github.com/sashs/Ropper https://github.com/sashs/filebytes
- http://www.capstone-engine.org/ - disassembler
- conferences of note: blackhat, defcon, bluehat, ccc, bsides https://en.wikipedia.org/wiki/Security_BSides
- ctf, project zero, kaspersky blog https://usa.kaspersky.com/blog/
- spectre/meltdown https://www.youtube.com/watch?v=b7urNgLPJiQ&ab_channel=PinkDraconian
return oriented programming sounds like my backwards pass. Huh.
https://milianw.de/blog/heaptrack-a-heap-memory-profiler-for-linux.html heap memory profilers: valgrind massif, perf mem, and heaptrack
- Volatility https://www.volatilityfoundation.org/
- sleuth kit?
radare2, a binary analysis thingo. rax2 (ships with it) is useful for converting hex
Maybe we should get a docker of all sorts of tools. Kali Linux? https://github.com/zardus/ctf-tools
klee, afl, other fuzzers? valgrind
https://quipqiup.com/ - solves substitution ciphers
https://github.com/openwall/john - john the ripper, brute force password cracker
Best CTFs. I probably don’t want the most prestigious ones? They’ll be too high level? I want the simple stuff
https://ctf101.org/ - check out the heap exploitation github thing
advanced doug lea malloc - phrack post
metasploit, pacu (for AWS), cobalt strike
and the pwn category of ctf
ROP JOP SROP BOP - block oriented
return 2 libc - a subset of rop?
ryan chapman syscall
privilege escalation - getuid vs the effective uid (geteuid). A process inherits its user and group from the parent process. Switching to a user resets the setuid bit. Sticky bits. The id command.
shellcode - binary that launches a shell via the execve system call: execve("/bin/sh", NULL, NULL) - the second and third params are args and env.
intel vs at&t syntax. Load up addresses and constants in the binary with .string. Build with gcc -static -nostdlib, then objcopy -O binary --only-section=.text a.out out.bin to extract the raw bytes. Exiting cleanly is smart: it helps to know what is screwing up. ldd
Trying out shellcode: mmap (or mprotect?) an executable buffer, read() the bytes into it, then deref a function pointer at it.
gdb: x for eXamine, e.g. x/5i $rip gives 5 instructions of assembly, x/gx $rsi a giant (8 byte) word in hex. break *0x040404 breaks at an address. n next, s step, ni and si to next/step by instruction.
strace is useful as a first debugging step
system calls: set rax to the syscall number, put arguments in registers, then execute the syscall instruction. https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ man 2 whatever, strace
- brk - program break. Changes the size of the data segment. sbrk moves it by increments; sbrk(0) returns the current address of the break
stack: rbp, rsp. The stack grows down (decreasing addresses), so rsp + 0x8 is on the stack and rbp - 8 is on the stack. Most systems are little endian. Calling convention: arguments in rdi rsi rdx rcx r8 r9, return in rax. rbx rbp r12 r13 r14 r15 are callee saved, guaranteed not smashed across a call.
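The syscall and register conventions above, as an added example (my code, not from the notes): a raw x86_64 Linux syscall wrapper using inline assembly. Syscall number in rax, arguments in rdi/rsi/rdx, result in rax; on failure the kernel hands back -errno rather than the -1 plus errno that libc wrappers produce. Function names (raw_syscall3, raw_pipe_roundtrip, raw_write_badfd) are my own; on anything other than x86_64 Linux it falls back to libc's syscall() so it still runs.

```c
/* Added example (not from the notes): a raw x86_64 Linux system call wrapper
 * following the convention above.  rax = syscall number, args in rdi, rsi, rdx
 * (then r10, r8, r9), result back in rax.  On failure the kernel returns -errno
 * in rax; libc's wrappers turn that into -1 plus errno, the raw call does not. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile (
        "syscall"
        : "=a"(ret)                            /* rax: result            */
        : "a"(nr), "D"(a1), "S"(a2), "d"(a3)   /* rax, rdi, rsi, rdx     */
        : "rcx", "r11", "memory");             /* clobbered by `syscall` */
    return ret;
#else
    /* Not x86_64 Linux: use libc's generic wrapper so the example still runs. */
    return syscall(nr, a1, a2, a3);
#endif
}

/* getpid through the raw instruction; must agree with libc's getpid(). */
long raw_getpid(void) {
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

/* write() msg into a pipe and read() it back, both via raw syscalls.
 * Returns the number of bytes that round-tripped, or -1 on any failure. */
long raw_pipe_roundtrip(const char *msg, char *out, size_t outsz) {
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0) return -1;
    long w = raw_syscall3(SYS_write, fds[1], (long)msg, (long)strlen(msg));
    long r = raw_syscall3(SYS_read, fds[0], (long)out, (long)(outsz - 1));
    close(fds[0]);
    close(fds[1]);
    if (w < 0 || r < 0 || w != r) return -1;
    out[r] = '\0';
    return r;
}

/* Writing to an invalid fd: the raw call returns -EBADF (-9) on x86_64, which
 * strace shows as "write(-1, ...) = -1 EBADF". */
long raw_write_badfd(void) {
    return raw_syscall3(SYS_write, -1, (long)"x", 1);
}

int main(void) {
    char buf[64];
    printf("raw getpid = %ld, libc getpid = %ld\n", raw_getpid(), (long)getpid());
    long n = raw_pipe_roundtrip("hello syscall", buf, sizeof buf);
    printf("round-trip = %ld bytes: %s\n", n, buf);
    printf("write(-1) = %ld\n", raw_write_badfd());
    return 0;
}
```

Run it under strace and you will see the same three calls the libc versions would make, which is a good way to convince yourself the register assignment is right.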
http://ref.x86asm.net/coder64.html - opcode listing. https://github.com/yrp604/rappel - assembly repl. https://github.com/zardus/ctf-tools
file - tells info about a file. ELF: interpreter; sections - .text, .plt/.got (resolve and dispatch library calls), .data (pre-initialized data), .rodata (global read-only), .bss (uninitialized data). Sections are not required to run a binary. Symbols. Segments - where to load. Tools: readelf, objdump, nm (reads symbols), patchelf, objcopy, strip, kaitai struct. https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/
https://0xax.gitbooks.io/linux-insides/content/SysCall/linux-syscall-4.html what to load: look for #! or the ELF magic. /proc/sys/fs/binfmt_misc can match a string there. If dynamically linked, hand off to the interpreter the ELF defines.
Then it's onto ld.so (the dynamic loader) probably. Library search order: LD_PRELOAD, LD_LIBRARY_PATH, DT_RPATH/DT_RUNPATH in the binary file, system wide /etc/ld.so.conf, /lib and /usr/lib. Relocations updated. /proc/self/maps https://gist.github.com/CMCDragonkai/10ab53654b2aa6ce55c11cfc5b2432a4 libc is almost always linked: printf, scanf, socket, atoi, malloc, free
ASLR - addresses are randomized. cat /proc/self/maps to look at what actually loaded. Also ldd shows where libraries get loaded in memory. Stack canaries - set once per binary run, so with forking you can brute force them or maybe leak them?
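To see what the loader and ASLR actually did, here is an added example (mine, not from the notes) that parses the /proc/<pid>/maps format, reports where a library landed, and compares two runs. The two sample maps texts are constructed for the example, not captured from a real system; main() additionally parses the live /proc/self/maps of the process itself. maps_base and aslr_observed are my names.

```c
/* Added example, not from the notes: parse /proc/<pid>/maps text to find where
 * a library was loaded, and compare two runs to see ASLR at work.  The sample
 * maps lines below are constructed for the example, not captured from a real
 * system; main() also parses the live /proc/self/maps. */
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lowest start address of any mapping whose path contains lib, 0 if none.
 * A maps line looks like: start-end perms offset dev inode [path] */
uint64_t maps_base(const char *maps, const char *lib) {
    uint64_t best = 0;
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (n >= sizeof buf) n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        uint64_t start, end; unsigned long off, ino;
        char perms[8], dev[16], path[256] = "";
        int got = sscanf(buf, "%" SCNx64 "-%" SCNx64 " %7s %lx %15s %lu %255s",
                         &start, &end, perms, &off, dev, &ino, path);
        /* anonymous mappings have no path (got == 6) and never match */
        if (got == 7 && strstr(path, lib) && (best == 0 || start < best)) best = start;
        line = nl ? nl + 1 : line + n;
    }
    return best;
}

/* 1 if the library sits at different addresses in the two runs (ASLR moved it),
 * 0 if identical, -1 if it was not found in both. */
int aslr_observed(const char *run1, const char *run2, const char *lib) {
    uint64_t a = maps_base(run1, lib), b = maps_base(run2, lib);
    if (!a || !b) return -1;
    return a != b;
}

/* Constructed sample: two runs of the same PIE binary (not real captures). */
const char SAMPLE_RUN1[] =
    "55e0a1c00000-55e0a1c02000 r--p 00000000 08:01 1234  /tmp/a.out\n"
    "7f3b2c000000-7f3b2c028000 r--p 00000000 08:01 5678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3b2c028000-7f3b2c1bd000 r-xp 00028000 08:01 5678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd9a5e0000-7ffd9a601000 rw-p 00000000 00:00 0     [stack]\n";
const char SAMPLE_RUN2[] =
    "5612ff400000-5612ff402000 r--p 00000000 08:01 1234  /tmp/a.out\n"
    "7fa1d4800000-7fa1d4828000 r--p 00000000 08:01 5678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7fa1d4828000-7fa1d49bd000 r-xp 00028000 08:01 5678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffc1b7e0000-7ffc1b801000 rw-p 00000000 00:00 0     [stack]\n";

int main(void) {
    printf("sample run1 libc base: 0x%" PRIx64 "\n", maps_base(SAMPLE_RUN1, "libc"));
    printf("sample run2 libc base: 0x%" PRIx64 "\n", maps_base(SAMPLE_RUN2, "libc"));
    printf("ASLR observed between samples: %d\n", aslr_observed(SAMPLE_RUN1, SAMPLE_RUN2, "libc"));
    /* now the real thing: where did libc land in this very process? */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    static char live[65536];
    size_t n = fread(live, 1, sizeof live - 1, f);
    live[n] = '\0';
    fclose(f);
    printf("live libc base: 0x%" PRIx64 " (run twice; it moves under ASLR)\n", maps_base(live, "libc"));
    return 0;
}
```

The live libc base prints as 0 for a statically linked build, which is itself a useful sanity check that nothing got dynamically loaded.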
checksec tells you which of these mitigations are enabled.
gcc options -no-pie -fno-stack-protector
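What checksec is looking at is mostly the ELF header and program headers from the ELF notes above, so here is an added example (my code, not checksec's) that does the same for PIE, NX and RELRO over an in-memory image. build_sample constructs a minimal, non-runnable ELF64 image (header plus program headers) so the hardened and weak variants can be compared side by side; pass a path to inspect a real binary. Struct and function names (hardening, inspect_elf64, build_sample, load_file) are my own. Canaries are not visible at this level; they show up as the __stack_chk_fail symbol, which nm or checksec looks for.

```c
/* Added example, not from the notes: a minimal checksec-style inspector that
 * reads only the ELF header and program headers ("segments - where to load")
 * and answers: PIE?  non-executable stack (NX)?  RELRO?  It works over a byte
 * buffer so it can be exercised on a small constructed image. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening { int valid, pie, nx, relro; };

/* memcpy instead of casting, so the buffer does not have to be aligned. */
struct hardening inspect_elf64(const unsigned char *buf, size_t len) {
    struct hardening h = {0, 0, 0, 0};
    Elf64_Ehdr eh;
    if (len < sizeof eh) return h;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return h;                                   /* not a 64-bit ELF */
    h.valid = 1;
    /* PIE executables are linked as ET_DYN like shared objects, so ASLR can slide
     * them; ET_EXEC has a fixed load address.  (A plain .so is ET_DYN too.) */
    h.pie = (eh.e_type == ET_DYN);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) break;           /* truncated table: stop */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) h.nx = !(ph.p_flags & PF_X); /* stack not executable */
        if (ph.p_type == PT_GNU_RELRO) h.relro = 1;                  /* GOT read-only after reloc */
    }
    return h;
}

/* Constructed minimal ELF64 image: header + program headers only, not runnable.
 * Returns the image size, or 0 if cap is too small. */
size_t build_sample(unsigned char *out, size_t cap, int pie, int exec_stack, int relro) {
    Elf64_Ehdr eh; memset(&eh, 0, sizeof eh);
    Elf64_Phdr ph; memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;              /* little endian */
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = relro ? 2 : 1;
    size_t total = sizeof eh + eh.e_phnum * sizeof ph;
    if (cap < total) return 0;
    memcpy(out, &eh, sizeof eh);
    ph.p_type = PT_GNU_STACK;                       /* PF_X here is the weak setting */
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    if (relro) {
        ph.p_type = PT_GNU_RELRO;
        ph.p_flags = PF_R;
        memcpy(out + sizeof eh + sizeof ph, &ph, sizeof ph);
    }
    return total;
}

/* Slurp a file (e.g. a real binary) into a malloc'd buffer. */
unsigned char *load_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    unsigned char *buf = NULL; size_t n = 0, cap = 0;
    for (;;) {
        if (n == cap) {
            cap = cap ? cap * 2 : 65536;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        size_t got = fread(buf + n, 1, cap - n, f);
        if (got == 0) break;
        n += got;
    }
    fclose(f);
    *len = n;
    return buf;
}

int main(int argc, char **argv) {
    unsigned char img[256];
    unsigned char *file = NULL;
    const unsigned char *buf = img;
    size_t n;
    if (argc > 1) {
        file = load_file(argv[1], &n);
        if (!file) { perror(argv[1]); return 1; }
        buf = file;
    } else {
        n = build_sample(img, sizeof img, 1, 0, 1);   /* hardened variant */
    }
    struct hardening h = inspect_elf64(buf, n);
    printf("valid=%d pie=%d nx=%d relro=%d\n", h.valid, h.pie, h.nx, h.relro);
    free(file);
    return h.valid ? 0 : 1;
}
```

Building a test program with -no-pie and feeding it to this prints pie=0, which is exactly what the gcc options above are for when practicing.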
attaching gdb to a process is really useful. Cyclic byte patterns let you localize what ends up where in a buffer overflow, for example with cyclic_find.
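The cyclic / cyclic_find idea, as an added example (my reimplementation for crash triage, not pwntools' code): the pattern is a de Bruijn sequence over a..z with window length 4, so every 4-byte substring occurs exactly once, and when a crash shows four pattern bytes in a register the offset of those bytes in the input follows directly. Names (cyclic, cyclic_find, cyclic_find_u32) mirror the tool's but the code is mine; the little-endian decoding in cyclic_find_u32 assumes the target is little endian, as the notes say most are.

```c
/* Added example, not from the notes: a small reimplementation of cyclic /
 * cyclic_find for crash triage.  The pattern is a de Bruijn sequence over a..z
 * with window length 4, so every 4-byte substring occurs exactly once.  When a
 * crash report shows a register holding four bytes of the pattern, cyclic_find
 * tells you which offset of your input landed there. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CYC_K 26   /* alphabet: 'a'..'z' */
#define CYC_N 4    /* window: 4 bytes, matches a 32-bit register */

struct gen { char *out; size_t cap, len; int a[CYC_N + 1]; };

/* Standard recursive de Bruijn generator (FKM), stopping once cap bytes exist. */
static void db(struct gen *g, int t, int p) {
    if (g->len >= g->cap) return;
    if (t > CYC_N) {
        if (CYC_N % p == 0)
            for (int i = 1; i <= p && g->len < g->cap; i++)
                g->out[g->len++] = (char)('a' + g->a[i]);
        return;
    }
    g->a[t] = g->a[t - p];
    db(g, t + 1, p);
    for (int j = g->a[t - p] + 1; j < CYC_K; j++) {
        g->a[t] = j;
        db(g, t + 1, t);
    }
}

/* Write the first len bytes of the pattern into out (out needs len + 1 bytes
 * for the NUL).  Returns the number of pattern bytes written. */
size_t cyclic(char *out, size_t len) {
    struct gen g = { out, len, 0, {0} };
    db(&g, 1, 1);
    out[g.len] = '\0';
    return g.len;
}

/* Offset of the 4-byte window needle within the first max_len pattern bytes,
 * or -1 if it does not occur (the register held something else). */
long cyclic_find(const char *needle, size_t max_len) {
    if (max_len < CYC_N) return -1;
    char *pat = malloc(max_len + 1);
    if (!pat) return -1;
    size_t n = cyclic(pat, max_len);
    long found = -1;
    for (size_t i = 0; i + CYC_N <= n; i++)
        if (memcmp(pat + i, needle, CYC_N) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

/* Same, starting from a register value as gdb prints it: on a little-endian
 * target the low byte of the register is the first pattern byte. */
long cyclic_find_u32(uint32_t reg, size_t max_len) {
    char needle[CYC_N];
    for (int i = 0; i < CYC_N; i++) needle[i] = (char)((reg >> (8 * i)) & 0xff);
    return cyclic_find(needle, max_len);
}

int main(void) {
    char pat[201];
    cyclic(pat, 200);
    printf("pattern: %.40s...\n", pat);
    /* pretend a crash left bytes 100..103 of our input in a register */
    uint32_t reg = 0;
    for (int i = 0; i < CYC_N; i++) reg |= (uint32_t)(unsigned char)pat[100 + i] << (8 * i);
    printf("register 0x%08x -> offset %ld\n", reg, cyclic_find_u32(reg, 200));
    return 0;
}
```

For a 64-bit register only the low four bytes are needed, since the uniqueness guarantee already holds for any 4-byte window.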