bump

2023-02-14 21:05:04 +01:00 · 2023-02-14 21:05:04 +01:00 · 1f7ac58e3f
parent 9314a67e15
commit 1f7ac58e3f
5 changed files with 50 additions and 4 deletions
--- a/Enumeration/SNMP.md
+++ b/Enumeration/SNMP.md
@ -21,8 +21,16 @@ chmod 775 snmpcheck-<version>.rb
 onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
 ```

+## snmpwalk
+
 * Query users
 ```
-snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
+snmpwalk -v2c -c <community_string, e.g. internal or public> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
 ```

+## snmpbulkwalk
+
+* Query for login data
+```sh
+snmpbulkwalk -v2c -c internal $TARGET_IP | grep login
+```
--- a/Forensics/Malware.md
+++ b/Forensics/Malware.md
@ -2,8 +2,37 @@

 ## Tools

-[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
+### Detect is Easy
+
+* [Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
+
+* Analyze signatures with [capa](https://github.com/mandiant/capa) via
+```sh
+capa <binary>
+```

-* Analyze with `capa <binary>`
 * Unpack with `upx`
+
 * Re-analyze after deleting the cache `del <binary>.viv`
+
+### Strings
+
+Tools for String searching and deobfuscations are 
+* [Floss](https://github.com/mandiant/flare-floss/)
+
+### Lab Setup
+
+* [REMnux](https://github.com/REMnux)
+* [FlareVM for Windows](https://github.com/mandiant/flare-vm)
+
+### Fuzzy Hashing
+
+Splits the file into pieces and generates a hash from that to provide hashes of partial binaries.  
+This can be done via [ssdeep](https://ssdeep-project.github.io/ssdeep/index.html), maybe in recursive mode.
+
+## Resources
+
+* [MalAPI.io](https://malapi.io) provides an overview of functions used by malware
+* [Extracting obfuscated strings](https://www.mandiant.com/resources/blog/automatically-extracting-obfuscated-strings)
+* [Abuse's Bazaar](https://bazaar.abuse.ch)
+* [Malware Behavior Catalog](https://github.com/MBCProject/mbc-markdown)
--- a/Forensics/References.md
+++ b/Forensics/References.md
@ -5,3 +5,7 @@
 [volatility](https://github.com/volatilityfoundation/volatility.git)
 [volatility3](https://github.com/volatilityfoundation/volatility3.git)

+## PEstudio
+
+* [pestudio](https://www.winitor.com/download)
+
--- a/Exploitation/Pivoting.md
+++ b/Exploitation/Pivoting.md
@ -130,7 +130,7 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
 * Reverse Proxy
    * Bind port on attacker
    ```sh
-    ./chisel server -p <ListeningPort> --reverse &
+    ./chisel server --reverse --port <ListeningPort> &
    ```
    * Reverse port on target/proxy
    ```sh
--- a/Engineering/Deobfuscation.md
+++ b/Engineering/Deobfuscation.md
@ -96,3 +96,8 @@ nm <binary>
 * Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator 
 * In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
 * Another alternative is [dnSpy](https://github.com/0xd4d/dnSpy)
+
+* Use [Floss](https://github.com/mandiant/flare-floss/) for string deobfuscation via
+```sh
+floss --no-static-strings $BINARY_FILE 
+```