bump
This commit is contained in:
parent
ae0f060b03
commit
bed4ce36cf
|
@ -3,6 +3,7 @@
|
|||
Search through collected volatile memory dumps, volume and VM images.
|
||||
Volatility and Volatility 3 have a different syntax. The older one has
|
||||
higher malware hunting abilities.
|
||||
Always check both of the versions if you are not sure about how the file was dumped.
|
||||
|
||||
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
|
||||
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
|
||||
|
@ -27,6 +28,18 @@ volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
|
|||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> shellbags
|
||||
```
|
||||
* Scan network
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> netscan
|
||||
```
|
||||
* Scan files
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
|
||||
```
|
||||
* Dump files
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
|
||||
```
|
||||
|
||||
### Volatility3
|
||||
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
# Exploit Mitigation
|
||||
|
||||
> All User Input is Evil
|
||||
|
||||
## Web Mitigations
|
||||
|
||||
### Uploads
|
||||
|
||||
* Validate the following
|
||||
* Content-Type
|
||||
* File Extension
|
||||
* Magic File Number
|
||||
* Maximum File Size
|
||||
* Rename the file randomly
|
||||
* Scan for Malware
|
||||
* Use Path objects instead of Strings
|
||||
* Save uploads outside of the web root
|
||||
|
||||
### Database SQLi
|
||||
|
||||
* Typecasting of variables inserted
|
||||
* Prepared Statements
|
||||
|
||||
### HTML5 Input & Forms
|
||||
|
||||
* An `<input>` field can provide a pattern which checks for regex. In a free text field regex is not sufficient, therefore whitelist allowed characters.
|
||||
* Use `type` attribute of `<input>` to set the type of the values
|
||||
* Requirements on the inputs can be done in the following ways of `required <attributes>`:
|
||||
* `minlength`
|
||||
* `maxlength`
|
||||
* `size`
|
||||
* `min`
|
||||
* `max`
|
||||
* `pattern`
|
||||
|
||||
### PHP Input Backend
|
||||
|
||||
* `htmlentities()` escapes characters
|
||||
```sh
|
||||
$name = htmlentities($_GET['name'], ENT_QUOTES | ENT_HTML5, "UTF-8")
|
||||
```
|
||||
* Use HTMLPurifier
|
||||
* Use `intval()` to typecast, e.g. ids
|
||||
```
|
|
@ -0,0 +1,30 @@
|
|||
# Sigma Rules
|
||||
|
||||
An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
|
||||
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
|
||||
|
||||
|
||||
## Fields
|
||||
|
||||
A minimal configuration should contain at least the following fields
|
||||
* title
|
||||
* id
|
||||
* status
|
||||
* description
|
||||
* logsource
|
||||
* detection
|
||||
|
||||
Additional fields may be
|
||||
* falsePostivives
|
||||
* levels
|
||||
* tags
|
||||
|
||||
## Transform Modifiers
|
||||
|
||||
A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
|
||||
|
||||
## Tools
|
||||
|
||||
* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
|
||||
* [pySigma](https://github.com/SigmaHQ/pySigma)
|
||||
* [Uncoder.io](https://uncoder.io/)
|
|
@ -1,6 +1,7 @@
|
|||
# Reversing Firmware
|
||||
|
||||
## Tools
|
||||
|
||||
* binwalk
|
||||
* unlzma
|
||||
* tar
|
||||
|
@ -10,15 +11,30 @@
|
|||
./fat.py <firmware>
|
||||
```
|
||||
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
|
||||
* Squashfs
|
||||
|
||||
## Usage
|
||||
|
||||
* Check image via `strings`
|
||||
* Check CRC via `cksum -a crc <image>`
|
||||
* Use `binwalk` to extract. There are to methods
|
||||
* `-e` extract by offset
|
||||
* `--dd=".*"` by file extension
|
||||
|
||||
### Mount Squashfs
|
||||
|
||||
Extract the filesystem of a firmware image
|
||||
|
||||
* Use `squashfs-tools`
|
||||
* Extract via binwalk and
|
||||
```sh
|
||||
unsquashfs <SquashFS image>
|
||||
mksquashfs squashfs-root filesystem.squashfs
|
||||
mount filesystem.squashfs /mtn/squash
|
||||
```
|
||||
|
||||
### Mount JFFS2 File
|
||||
|
||||
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
|
||||
```sh
|
||||
rm -rf /dev/mtdblock0
|
||||
|
@ -32,4 +48,5 @@ mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
|
|||
```
|
||||
|
||||
## Tips & Tricks
|
||||
|
||||
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
|
||||
|
|
Loading…
Reference in New Issue