asdasd

a guest
Feb 20th, 2018
Question 1: Read this five-part article series, Reverse Engineering a router, and answer these questions: What is U-Boot? What is BusyBox? What is an SPI analyzer? What is SquashFS?

Answer 1: U-Boot is an open-source primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel. It is available for a number of computer architectures, including 68k, ARM, Blackfin, MicroBlaze, MIPS, Nios, SuperH, PPC, RISC-V and x86. [https://en.wikipedia.org/wiki/Das_U-Boot]

BusyBox is software that provides several stripped-down Unix tools in a single executable file. [https://en.wikipedia.org/wiki/BusyBox]

The SPI bus analyzer is a powerful tool to analyze your hardware and software developments. It can be used as a master or slave device to record and debug data on your SPI interface. [http://www.innesys.com/SPI-bus-protocol-analyzer/?pid=101]

Squashfs is a compressed read-only file system for Linux. Squashfs compresses files, inodes and directories, and supports block sizes up to 1 MB for greater compression. [https://en.wikipedia.org/wiki/SquashFS]

Question 2: Read this blog post, "Malware Reversing - Burpsuite Keygen", and answer these questions: What is a RAT? How does the malware try to remain persistent in the system after the initial execution? What was the malware coded to do in the system?

Answer 2: A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. [http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan]

The malware stays persistent on the system by adding the location of the VBS file to the registry in the key HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DifenderUpdate. It then schedules the script at that location to be run on login.

The malware tries to connect to one of the servers listed in $dragon_middle. Whenever the code errors in future it will do this again (presumably because it assumes that server may be down or blocked). Next it tries to register with the server before accepting and handling commands:

reboot reboots the computer
shutdown shuts down the computer
clean tries to wipe as much as possible from C:\, D:\, E:\ and F:\ before rebooting
screenshot takes a screenshot and sends it to the server
upload transfers a file from the server to the victim [https://0x00sec.org/t/malware-reversing-burpsuite-keygen/5167]
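A defender-side check for the persistence mechanism described in Answer 2, added here as an example (it is not code from this paste or from the cited blog post): it lists the values in the current-user and machine Run keys and flags any whose command launches a script file or a script host, which is how a Run value pointing at a .vbs file would surface. The Run key path comes from the answer above; the function name and the pattern of flagged extensions are my own assumptions.

```powershell
# Added example: enumerate Run-key autoruns and flag script-based entries,
# the kind of persistence the keygen malware used (a Run value pointing at a .vbs).
function Get-RunKeyEntries {
    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # Assumed heuristic: script extensions or script hosts in the command
    # are unusual for legitimate autoruns, which normally launch signed EXEs.
    $scriptPattern = '\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b|wscript|cscript'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell adds (PSPath, PSParentPath, ...)
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value) -match $scriptPattern
            }
        }
    }
}

# Show only the entries worth a closer look, e.g. a value such as
# "DifenderUpdate" whose command runs a .vbs file.
Get-RunKeyEntries | Where-Object Suspicious | Format-Table -AutoSize
```

Drop the Where-Object filter to review every autorun, since a malicious entry can also hide behind a plausibly named executable.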

Question 3: Read this article about cracking SIM cards. What is a "side-channel attack" and how was it used to crack SIM cards?

Answer 3: Side-channel attacks measure things like power consumption, electromagnetic emissions and heat generation to work out what is going on in a chip. "The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks," said Yu Yu. So they used a side-channel attack and an oscilloscope to gather data, and then used that data to crack the SIM cards.

Question 4: Describe shortly the following security tools/terms/concepts:

Answer 4: Disassembler = A disassembler is a computer program that translates machine language into assembly language, the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. [https://en.wikipedia.org/wiki/Disassembler]

Shellcode = In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. [https://en.wikipedia.org/wiki/Shellcode]

ASLR = Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities.

Data Execution Prevention (DEP) = Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system. [https://msdn.microsoft.com/en-us/library/windows/desktop/aa366553(v=vs.85).aspx]

NX bit protection = The NX bit (no-execute) is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (code) or for storage of data, a feature normally only found in Harvard architecture processors. [https://en.wikipedia.org/wiki/NX_bit]

Stack canary = Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. [https://en.wikipedia.org/wiki/Stack_buffer_overflow]

Polymorphic code = In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code will not change at all. [https://en.wikipedia.org/wiki/Polymorphic_code]

Overflow vulnerability = A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit to gain access to your system. [https://www.veracode.com/security/buffer-overflow]

Race condition vulnerability = A race condition exists when changes to the order of two or more events can cause a change in behavior. If the correct order of execution is required for the proper functioning of the program, this is a bug. If an attacker can take advantage of the situation to insert malicious code, change a filename, or otherwise interfere with the normal operation of the program, the race condition is a security vulnerability. [https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html]

RCE vulnerability = Most of these vulnerabilities allow the execution of machine code, and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. [https://en.wikipedia.org/wiki/Arbitrary_code_execution]

Privilege escalation exploit = Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. [https://en.wikipedia.org/wiki/Privilege_escalation]

Process injection = Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. [https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process]

DLL hijack = In Windows environments, when an application or a service is starting it looks for a number of DLLs in order to function properly. If these DLLs don't exist or are loaded in an insecure way (DLLs are called without using a fully qualified path), then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file. [https://pentestlab.blog/2017/03/27/dll-hijacking/]

Post exploitation pivoting = As the term suggests, post exploitation basically means the phases of operation once a victim's system has been compromised by the attacker. The value of the compromised system is determined by the value of the actual data stored in it and how an attacker may make use of it for malicious purposes. [https://www.packtpub.com/mapt/book/networking_and_servers/9781782163589/7/ch07lvl1sec34/what-is-post-exploitation%253f]

Data exfiltration = Data exfiltration is sometimes referred to as data extrusion, data exportation, or data theft. All of these terms are used to describe the unauthorized transfer of data from a computer or other device. It can refer to data stolen manually or over the network. [https://digitalguardian.com/blog/what-data-exfiltration]

Reverse shell = "Basically it is when a machine connects to you instead of you connecting to it. For instance, you run netcat on your local machine listening on port 6666. Then you run a command (security exploit or some other timed application) on the remote machine that causes it to connect to you on port 6666 giving you a remote shell." Monkyman 2003 [https://arstechnica.com/civis/viewtopic.php?t=636032]

DAST vs SAST = Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Basically white-box testing vs black-box testing. White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). [https://www.checkmarx.com/2015/04/29/sast-vs-dast-why-sast-3/]

Fuzzing and American Fuzzy Lop (AFL) = American fuzzy lop is a fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. [https://en.wikipedia.org/wiki/American_fuzzy_lop_(fuzzer)] Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. [https://en.wikipedia.org/wiki/Fuzzing]

IDA PRO = IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. [https://www.hex-rays.com/products/ida/ida-executive.pdf]

Radare2 = Radare2 (also known as r2) is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems. [https://en.wikipedia.org/wiki/Radare2]

WinPE = Windows PE (WinPE) for Windows 10 is a small operating system used to install, deploy, and repair Windows 10 for desktop editions. [https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro]

ELF Object = The Executable and Linking Format (ELF), originally developed and published by UNIX System Laboratories (USL), is the de-facto binary object file format on a GNU/Linux system. [http://nairobi-embedded.org/004_elf_format.html]

Deobfuscation = To deobfuscate is to convert a program that is difficult to understand into one that is simple, understandable and straightforward. There are tools available to deobfuscate tough code or a program into a simple and understandable form. [https://www.techopedia.com/definition/24827/deobfuscate]