From bed4ce36cfb9686e292c6aa50e99c47e617db1ef Mon Sep 17 00:00:00 2001 From: whx Date: Tue, 20 Dec 2022 01:06:22 +0100 Subject: [PATCH] bump --- Forensics/Volatility.md | 15 +++++++++- Miscellaneous/Exploit Mitigation.md | 44 +++++++++++++++++++++++++++++ Miscellaneous/Sigma Rules.md | 30 ++++++++++++++++++++ Reverse Engineering/Firmware.md | 17 +++++++++++ 4 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 Miscellaneous/Exploit Mitigation.md create mode 100644 Miscellaneous/Sigma Rules.md diff --git a/Forensics/Volatility.md b/Forensics/Volatility.md index fc08f46..107585d 100644 --- a/Forensics/Volatility.md +++ b/Forensics/Volatility.md @@ -2,7 +2,8 @@ Search through collected volatile memory dumps, volume and VM images. Volatility and Volatility 3 have a different syntax. The older one has -higher malware hunting abilities. +higher malware hunting abilities. +Always check both of the versions if you are not sure about how the file was dumped. * [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples) @@ -27,6 +28,18 @@ volatility -f --profile dlllist -p ```sh volatility -f --profile shellbags ``` +* Scan network +```sh +volatility -f --profile netscan +``` +* Scan files +```sh +volatility -f --profile filescan | grep +``` +* Dump files +```sh +volatility -f --profile dumpfiles -Q -D . +``` ### Volatility3 diff --git a/Miscellaneous/Exploit Mitigation.md b/Miscellaneous/Exploit Mitigation.md new file mode 100644 index 0000000..30025ce --- /dev/null +++ b/Miscellaneous/Exploit Mitigation.md 
@@ -0,0 +1,44 @@ +# Exploit Mitigation + +> All User Input is Evil + +## Web Mitigations + +### Uploads + +* Validate the following + * Content-Type + * File Extension + * Magic File Number + * Maximum File Size +* Rename the file randomly +* Scan for Malware +* Use Path objects instead of Strings +* Save uploads outside of the web root + +### Database SQLi + +* Typecasting of variables inserted +* Prepared Statements + +### HTML5 Input & Forms + +* An `` field can provide a pattern which checks for regex. In a free text field regex is not sufficient, therefore whitelist allowed characters. +* Use `type` attribute of `` to set the type of the values +* Requirements on the inputs can be done in the following ways of `required `: + * `minlength` + * `maxlength` + * `size` + * `min` + * `max` + * `pattern` + +### PHP Input Backend + +* `htmlentities()` escapes characters +```sh +$name = htmlentities($_GET['name'], ENT_QUOTES | ENT_HTML5, "UTF-8") +``` +* Use HTMLPurifier +* Use `intval()` to typecast, e.g. ids +``` diff --git a/Miscellaneous/Sigma Rules.md b/Miscellaneous/Sigma Rules.md new file mode 100644 index 0000000..79dcd8e --- /dev/null +++ b/Miscellaneous/Sigma Rules.md @@ -0,0 +1,30 @@ +# Sigma Rules + +An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ... +* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git) + + +## Fields + +A minimal configuration should contain at least the following fields +* title +* id +* status +* description +* logsource +* detection + +Additional fields may be +* falsePostivives +* levels +* tags + +## Transform Modifiers + +A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`. + +## Tools + +* [sigma-cli](https://github.com/SigmaHQ/sigma-cli) +* [pySigma](https://github.com/SigmaHQ/pySigma) +* [Uncoder.io](https://uncoder.io/) 
diff --git a/Reverse Engineering/Firmware.md b/Reverse Engineering/Firmware.md index faaee1d..11e2d8b 100644 --- a/Reverse Engineering/Firmware.md +++ b/Reverse Engineering/Firmware.md @@ -1,6 +1,7 @@ # Reversing Firmware ## Tools + * binwalk * unlzma * tar @@ -10,15 +11,30 @@ ./fat.py ``` * [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git` +* Squashfs ## Usage + * Check image via `strings` * Check CRC via `cksum -a crc ` * Use `binwalk` to extract. There are to methods * `-e` extract by offset * `--dd=".*"` by file extension +### Mount Squashfs + +Extract the filesystem of a firmware image + +* Use `squashfs-tools` +* Extract via binwalk and +```sh +unsquashfs +mksquashfs squashfs-root filesystem.squashfs +mount filesystem.squashfs /mtn/squash +``` + ### Mount JFFS2 File + * Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10` ```sh rm -rf /dev/mtdblock0 @@ -32,4 +48,5 @@ mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/ ``` ## Tips & Tricks + * Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
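Review bot: in the Volatility `@@ -2,7 +2,8 @@` hunk the removed and added `higher malware hunting abilities.` lines are identical, so this is a trailing-whitespace-only change; either drop it or keep it deliberately (two trailing spaces are a Markdown hard line break, which is presumably what keeps the new sentence on its own line). The added sentence reads better as `Always check both versions if you are not sure how the file was dumped.`, and the neighbouring link text `Hacktricks shee` is missing its `t` and could be fixed in the same hunk.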
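Review bot: in the Volatility `@@ -27,6 +28,18 @@` hunk, `netscan` only supports Vista/2008 and later Windows profiles; on XP/2003 images the equivalents are `connections`/`connscan` and `sockets`/`sockscan`, which is worth a parenthetical next to the bullet. The `dumpfiles -Q` bullet should state that the value it takes is the physical offset printed in the first column of the `filescan` output, otherwise the grep-then-dump flow the two bullets describe is not obvious to the reader.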
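Review bot: in the new `Miscellaneous/Exploit Mitigation.md`, the final `+```` line after `* Use `intval()` to typecast, e.g. ids` opens a fence that is never closed, so anything appended to the file later renders as code; remove it. The `htmlentities()` block is tagged `sh` but is PHP and lacks its statement terminator; suggest ```php / `$name = htmlentities($_GET['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');` / ```. Since `htmlentities()` is output encoding for an HTML context rather than input validation, the bullet under `PHP Input Backend` would be clearer saying it is applied when the value is echoed into a page, and `Magic File Number` is normally called the file's magic number (signature).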
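Review bot: in the new `Miscellaneous/Sigma Rules.md`, the optional field names are misspelled: the Sigma specification uses `falsepositives` (lowercase, one word) and `level` (singular), so `falsePostivives` and `levels` will not be recognised by the tooling listed below; `references`, `author` and `date` are the other common optional fields and could join the list. The intro lists YARA among conversion targets, but Sigma converts to SIEM query languages (Splunk, Kibana/Elasticsearch and the like); YARA is a separate file- and memory-scanning rule format, so drop it or word it as a comparison. The modifier bullet could note that `all` changes list matching from OR to AND (e.g. `CommandLine|contains|all`).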
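Review bot: in the Firmware `@@ -10,15 +11,30 @@` hunk the mount target `/mtn/squash` is a typo for `/mnt/squash` (the JFFS2 section below uses `/mnt/jffs2/`), and mounting an image file is more robust as `mount -t squashfs -o loop filesystem.squashfs /mnt/squash`. The sequence is also circular: `unsquashfs` already leaves the extracted tree in `squashfs-root`, so re-packing it with `mksquashfs` and mounting only makes sense if the aim is to mount the original image, in which case the file binwalk extracted can be mounted directly. The `Squashfs` tools bullet would be clearer naming the package `squashfs-tools`, as the Usage section does, and the context line `There are to methods` should read `two`.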