diff --git a/Enumeration/SNMP.md b/Enumeration/SNMP.md index e81377e..2646add 100644 --- a/Enumeration/SNMP.md +++ b/Enumeration/SNMP.md @@ -21,8 +21,16 @@ chmod 775 snmpcheck-.rb onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt ``` +## snmpwalk + * Query users ``` -snmpwalk -v2c -c $TARGET_IP 1.3.6.1.4.1.77.1.2.25 +snmpwalk -v2c -c $TARGET_IP 1.3.6.1.4.1.77.1.2.25 ``` +## snmpbulkwalk + +* Query for login data +```sh +snmpbulkwalk -v2c -c internal $TARGET_IP | grep login +``` diff --git a/Forensics/Malware.md b/Forensics/Malware.md index 957dfda..903116c 100644 --- a/Forensics/Malware.md +++ b/Forensics/Malware.md @@ -2,8 +2,37 @@ ## Tools -[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy) +### Detect is Easy + +* [Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy) + +* Analyze signatures with [capa](https://github.com/mandiant/capa) via +```sh +capa +``` -* Analyze with `capa ` * Unpack with `upx` + * Re-analyze after deleting the cache `del .viv` + +### Strings + +Tools for String searching and deobfuscations are +* [Floss](https://github.com/mandiant/flare-floss/) + +### Lab Setup + +* [REMnux](https://github.com/REMnux) +* [FlareVM for Windows](https://github.com/mandiant/flare-vm) + +### Fuzzy Hashing + +Splits the file into pieces and generates a hash from that to provide hashes of partial binaries. +This can be done via [ssdeep](https://ssdeep-project.github.io/ssdeep/index.html), maybe in recursive mode. + +## Resources + +* [MalAPI.io](https://malapi.io) provides an overview of functions used by malware +* [Extracting obfuscated strings](https://www.mandiant.com/resources/blog/automatically-extracting-obfuscated-strings) +* [Abuse's Bazaar](https://bazaar.abuse.ch) +* [Malware Behavior Catalog](https://github.com/MBCProject/mbc-markdown) diff --git a/Forensics/References.md b/Forensics/References.md index ec7930a..c99919d 100644 --- a/Forensics/References.md +++ b/Forensics/References.md 
@@ -5,3 +5,7 @@ [volatility](https://github.com/volatilityfoundation/volatility.git) [volatility3](https://github.com/volatilityfoundation/volatility3.git) +## PEstudio + +* [pestudio](https://www.winitor.com/download) + diff --git a/Post Exploitation/Pivoting.md b/Post Exploitation/Pivoting.md index 95c7293..6f71cf1 100644 --- a/Post Exploitation/Pivoting.md +++ b/Post Exploitation/Pivoting.md @@ -130,7 +130,7 @@ echo y | &.\plink.exe -ssh -l -pw -R ::1 * Reverse Proxy * Bind port on attacker ```sh - ./chisel server -p --reverse & + ./chisel server --reverse --port & ``` * Reverse port on target/proxy ```sh diff --git a/Reverse Engineering/Deobfuscation.md b/Reverse Engineering/Deobfuscation.md index f31c611..f173bba 100644 --- a/Reverse Engineering/Deobfuscation.md +++ b/Reverse Engineering/Deobfuscation.md @@ -96,3 +96,8 @@ nm * Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator * In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__ * Another alternative is [dnSpy](https://github.com/0xd4d/dnSpy) + +* Use [Floss](https://github.com/mandiant/flare-floss/) for string deobfuscation via +```sh +floss --no-static-strings $BINARY_FILE +```
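Review bot: in the Enumeration/SNMP.md hunk, `-c` on both the removed and the added snmpwalk line has no community string after it, so `$TARGET_IP` would be parsed as the community name and the OID as the host; the two lines otherwise read identically, which points to a whitespace-only change or a placeholder that was lost. Suggest a visible placeholder, e.g. `snmpwalk -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.77.1.2.25`, and use the same placeholder in the new snmpbulkwalk line instead of the hardcoded community `internal`, which reads like a value copied from one specific lab host. The new block also tags its fence with `sh` while the snmpwalk block directly above stays untagged; tag both so they render the same way.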
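Review bot: the new `### Detect is Easy` heading in the Forensics/Malware.md hunk misnames the tool; the linked repository is `Detect-It-Easy`, so the heading should read `### Detect It Easy`. The capa, upx and `del .viv` bullets sit under that heading although they concern capa, not DIE; give capa its own `###` heading and keep the cache-deletion note with it. The `capa` invocation in the fenced block has no target argument, so a placeholder such as `$BINARY_FILE` (as used in the Deobfuscation.md hunk of this same change) would make it runnable as written, and `del` is a Windows command while the REMnux entry added in the same hunk implies a Linux host, so note `rm` as the equivalent there. Finally, `Tools for String searching and deobfuscations are` reads awkwardly (`Tools for string searching and deobfuscation:`), and the link text `Abuse's Bazaar` does not match the project name used at bazaar.abuse.ch (MalwareBazaar).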
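Review bot: the new `## PEstudio` section in the Forensics/References.md hunk uses a bullet for its link while the adjacent volatility and volatility3 entries are bare links, and it ends with a trailing empty `+` line; pick one list style for the file and drop the trailing blank so later additions do not accumulate empty lines. The link points straight at a download page rather than a project page, so a one-line note on what pestudio is used for would help, as the other sections in this change do for their tools.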
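Review bot: in the Post Exploitation/Pivoting.md hunk the listening port is still missing after `--port`, exactly as it was missing after `-p` in the removed line, so `./chisel server --reverse --port &` fails to parse as written; `-p` is chisel's short form of `--port`, so the change is purely stylistic and the actual fix is a placeholder such as `--port $LPORT`, matching the `$TARGET_IP` convention used elsewhere in these notes. The unchanged context line `echo y | &.\plink.exe -ssh -l -pw -R ::1` shows the same problem, with its user, password and port values stripped, which suggests angle-bracket placeholders are being lost in rendering; switching to `$VAR` placeholders throughout would avoid that.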
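Review bot: the new FLOSS bullet in the Reverse Engineering/Deobfuscation.md hunk should state which FLOSS release `--no-static-strings` applies to, since the option names changed between major versions and a reader with a newer install will get an unknown-argument error; pin the version next to the link or show the invocation for the current release. The same Floss link is also added to Forensics/Malware.md in this change, so one of the two bullets could cross-reference the other instead of duplicating the link. Tagging this fence `sh`, consistent with the other new blocks in the change, is fine.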