whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Etringer 2023-02-14 21:05:04 +01:00
parent 9314a67e15
commit 1f7ac58e3f
5 changed files with 50 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Enumeration/SNMP.md
View File

@ -21,8 +21,16 @@ chmod 775 snmpcheck-<version>.rb
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
``` ```
## snmpwalk
* Query users * Query users
``` ```
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25 snmpwalk -v2c -c <community_string, e.g. internal or public> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
``` ```
## snmpbulkwalk
* Query for login data
```sh
snmpbulkwalk -v2c -c internal $TARGET_IP | grep login
```

33
Forensics/Malware.md
View File

@ -2,8 +2,37 @@
## Tools ## Tools
[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy) ### Detect is Easy
* [Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
* Analyze signatures with [capa](https://github.com/mandiant/capa) via
```sh
capa <binary>
```
* Analyze with `capa <binary>`
* Unpack with `upx` * Unpack with `upx`
* Re-analyze after deleting the cache `del <binary>.viv` * Re-analyze after deleting the cache `del <binary>.viv`
### Strings
Tools for String searching and deobfuscations are
* [Floss](https://github.com/mandiant/flare-floss/)
### Lab Setup
* [REMnux](https://github.com/REMnux)
* [FlareVM for Windows](https://github.com/mandiant/flare-vm)
### Fuzzy Hashing
Splits the file into pieces and generates a hash from that to provide hashes of partial binaries.
This can be done via [ssdeep](https://ssdeep-project.github.io/ssdeep/index.html), maybe in recursive mode.
## Resources
* [MalAPI.io](https://malapi.io) provides an overview of functions used by malware
* [Extracting obfuscated strings](https://www.mandiant.com/resources/blog/automatically-extracting-obfuscated-strings)
* [Abuse's Bazaar](https://bazaar.abuse.ch)
* [Malware Behavior Catalog](https://github.com/MBCProject/mbc-markdown)

4
Forensics/References.md
View File

@ -5,3 +5,7 @@
[volatility](https://github.com/volatilityfoundation/volatility.git) [volatility](https://github.com/volatilityfoundation/volatility.git)
[volatility3](https://github.com/volatilityfoundation/volatility3.git) [volatility3](https://github.com/volatilityfoundation/volatility3.git)
## PEstudio
* [pestudio](https://www.winitor.com/download)

2
Post Exploitation/Pivoting.md
View File

@ -130,7 +130,7 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
* Reverse Proxy * Reverse Proxy
* Bind port on attacker * Bind port on attacker
```sh ```sh
./chisel server -p <ListeningPort> --reverse & ./chisel server --reverse --port <ListeningPort> &
``` ```
* Reverse port on target/proxy * Reverse port on target/proxy
```sh ```sh

5
Reverse Engineering/Deobfuscation.md
View File

@ -96,3 +96,8 @@ nm <binary>
* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator * Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator
* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__ * In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
* Another alternative is [dnSpy](https://github.com/0xd4d/dnSpy) * Another alternative is [dnSpy](https://github.com/0xd4d/dnSpy)
* Use [Floss](https://github.com/mandiant/flare-floss/) for string deobfuscation via
```sh
floss --no-static-strings $BINARY_FILE
```