Anti Disassembly Techniques

Definitions Anti-Debugging Techniques to compromise debuggers and/or the debugging process Anti-Disassembly Techniques to compromise disassemblers and/or the disassembling process Obfuscation Techniques to make the signatures creation more difficult and the disassembled code harder to be analyzed by a professional Anti-VM Techniques to detect and/or compromise virtual maschnies Anti-disassembly techniques API obfuscation API obfuscation changes the names of identifies (class names, method names, field names) to random names so that the reader of the code doesn’t know what the code is doing.

GDB CheatSheet

Simple Sample Code #include <stdio.h> #include <stdlib.h> void unreachableFunction(void) { printf("\nI'm hacked! I'm a hidden function! :-)\n"); exit (0); } int main(void) { printf("Hello World!"); printf("01234567890 ..."); return 0; } Compile with Debug Info, 32Bit and 64Bit gcc -m32 -ggdb -o eipExample_32 eipExample.c gcc -ggdb -o eipExample_64 eipExample.c run gdb eipExample_32 Intel Syntax (gdb) set disassembly-flavor intel Run Programm (gdb) r Starting program: /home/hacker/test_gdb/eipExample_32 Hello World!01234567890 ...[Inferior 1 (process 4775) exited normally] Set Breakpoint at main (gdb) b main Breakpoint 1 at 0x1205: file eipExample.

Reverse Basics

Binary Stuff 4 Bit -> Nibble 8 Bit = 1 Byte 16 Bit = 2 Byte -> Word 32 Bit = 4 Byte -> Double Word 64 Bit = 8 Byte -> Quad Word Hex 0xffffd040 is 4 bytes and is a double word CPU 4 Parts 1) Control Unit Retrieves and decodes instructions from the CPU and then storing and retrieving them to and from memory 2) Execution Unit Where the execution of fetching and retrieving instructions occurs 3) Registers Internal CPU memory locations used a temporary data storage 4) Flags Indicate events when execution occurs Registers EIP: Instruction Pointer contains the address of the next instruction to be fetched from memory and then executed General-purpose Registers EAX: Main register used in arithmetic calculations.

Day 8

Webhacking 1/2 XSS Attacks Stored XSS injected Script is permanently stored on the target server Reflected XSS need to construct a malicious URL DOM based XSS vulnerability is in the client-side code rather rhan the server-side code Stored XSS Angreifer sendet JS Code an Server. Wird dort gespeichert in DB, File, was auch immer ein Opfer geht später auf die Website und der JS Code wird injected skaliert gut, alles Clients werden infisziert und der JS Code auf Client Site / Victim Browser ausgeführt

Day 7

Disk & Network Forensics 6 * W - Questions Who did it ? What happened ? When did it happen ? Where did it happen ? Why was it done ? How did it happen ? Linux File ID Fulltime ls -lih --full-time total 113M 1226 -rw-r--r-- 1 root root 113M 2022-01-27 09:40:41.000000000 +0100 checkmk.deb 1442 drwx------ 2 root root 4.0K 2022-02-11 11:21:35.821224899 +0100 ssh-TfT7oxzck4 786 drwx------ 3 root root 4.


URL Notes to Assembly Sections data bss text Data for declaring initialized data or constants BSS Declaring Variables Text Contains the actual Code CPU Registers RAX: Akkumulator RBX: Base Register RCX: Counter RDX: Data Register RSI: Source Index RDI: Destination Index RBP: Base Pointer # Don't touch RSP: Stack Pointer # Don't touch RIP: Instruction Pointer -> contains the address of the command to be loaded next RFLAGS: Status Register -> contains PSW (Processor Status Word) Move mov rax, 43 -> Konstante to Register mov rax, rcx -> Register to Register mov rax, [0xb8000] -> Speicher to Register mov [0xb8000 + 4], rax -> Register to Speicher Stack pop rax -> Stack -> Register mov rax, [rsp] add rsp, 8 push rax -> Register -> Stack sub rsp, 8 mov [rsp], rax Check Args section .

Day 4

Gaining Access Thomas and 3 Guest Speakers, was really cool and from TLP:WHITE till TLP:AMBER. sha256: 282a248093ba223dd37dbfcdb23670d17b378db83ae1e656ffb1e19be2281628


Little XmaSS Challenge provided by Compass Security. Why not take the Chance and learn some XSS Stuff ;) Level1: <script>alert("alert(1)")</script> sha256: 3fe9f4ba6acdcae794b6dd201f8a159b223438d736ffc46c9b07a260e0b5e915


JavaScript Guide Comments // a one line comment /* this is a longer, * multi-line comment */ Declarations # Declare variable, optionally initialize it to a value var a = 1; # Declares a block-scoped, local variable, optionally initializing it to a value. let b = 2; # Declares a block-scoped, read-only named constant. const c = 3; A JavaScript identifier must start with a letter, underscore (_), or dollar sign ($).


Learning Json Takeing some failed SSH Password Attemps on a Honeypot and learn so Json :) RAW Data cat <<EOF > data.json {"_etime":"2021-03-31T15:10:03+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"external","username":"external","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:17:14+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"support","username":"support","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:17:51+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"ambilogger","username":"ambilogger","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:07+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"passwd1234","username":"root","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:16+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"guest","username":"Guest","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:32+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"qwertyu","username":"test","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:36+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"sh123456","username":"root","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:44+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"Root12345!","username":"root","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:18:55+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"wq","username":"wq","version":"SSH-2.0-libssh-0.6.3"} {"_etime":"2021-03-31T15:19:24+02:00","_host":"","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"daemon","username":"daemon","version":"SSH-2.0-libssh-0.6.3"} EOF Questions I take a bigger File with 1000 Entries What SSH Agents are in use ? How many ? $ cat data1000.json |jq -r .version |sort |uniq -c |sort -rn |head -10 445 SSH-2.0-libssh-0.6.3 43 SSH-2.0-libssh2_1.4.3 30 SSH-2.

JSON sha256: 082211b482c5b0c5ad0c74415126620e89b6489a070899ddb566bc255defde32


Cross-Origin Resource Sharing (CORS) What requests use CORS? This cross-origin sharing standard can enable cross-site HTTP requests for: Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-site and used by web sites that are permitted to do so. WebGL textures. Images/video frames drawn to a canvas using drawImage(). CSS Shapes from images. Simple Requests Some requests don’t trigger a CORS preflight.

Same Origin Policy

Intro SOP restricts how a document or script loaded from one origin can interact with resource from another origin (cross domain traffic) Implemented in the Browser Policies are applied in the Background without User interaction required Restrict access to: DOM Cookies WebStorage Local Storage Session Storage IndexedDB Restrict Components Javascript API XMLhttpRequest (XHR), Fetch API Flash (t 2020) … Applets, Silverlight, XDomainRequest How it Works SOP = Protocol = https = Hostname = www.


What is a HTTP Cookie? An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Http Basics

Takeaway from http basics always send sensitive data over post (and not get request!) always send a redirect after sucessful login (so the data get’s flushed out of the client memory) always create a new session after sucessful login (Session Fixation) sha256: b98a2764ae1ac790fee3451f8e70f147420578c159d179332b8b29cbd7239e75