SecWiki Weekly (Issue 145)
2016/12/05-2016/12/11
Security News
[News]  WooYun Community - temporary version?
http://zone.drops.wiki/
[Other]  Top 6 breach response best practices for 2017
https://www.helpnetsecurity.com/2016/12/06/breach-response-best-practices/
[News]  The 9 main channels for buying leaked data abroad
http://www.freebuf.com/news/122418.html
[News]  Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
http://motherboard.vice.com/read/hacker-claims-to-push-malicious-firmware-update-to-32-million-home-routers
[Opinion]  Approaching Science: an overview of the "EINSTEIN" program
http://www.arkteam.net/?p=1218
[People]  Liu Lin of 安司密信: stay in control of every message you send
http://weibo.com/ttarticle/p/show?id=2309404051148104407941
[News]  How far are Chinese professors from Wang Jianlin's "small goal"?
http://blog.sciencenet.cn/blog-414166-1019093.html
Security Technology
[Web Security]  Blasting_dictionary: a collection of various brute-force dictionaries
https://github.com/rootphantomer/Blasting_dictionary
[Web Security]  Cobalt Strike 3.6 – The Road to Privilege Escalation
http://www.mottoin.com/93482.html
[Web Security]  A good online XSS training site [requires bypassing the Great Firewall]
https://public-firing-range.appspot.com/address/index.html
[Competition]  JarvisOJ: an online CTF challenge platform
https://www.jarvisoj.com/about
[Web Security]  Burpsuite 1.7 cracked version, Cracked 2017/12/3
https://www.ohlinge.cn/tool/burpsuite_1-7_cracked.html
[Web Security]  Burp Suite official documentation, Chinese edition
https://yw9381.gitbooks.io/burp_suite_doc_zh_cn/content/
[Other]  Official writeup for the HCTF 2016 network attack-and-defense competition
http://www.freebuf.com/articles/web/121778.html
[Web Security]  Paper: using neural networks to detect clickbait, you won't believe what happens next
https://arxiv.org/pdf/1612.01340v1.pdf
[Mobile Security]  Android: analysis of native-layer file parsing vulnerabilities
http://yaq.qq.com/blog/18
[Web Security]  BurpSuite Practical Guide
https://pan.baidu.com/s/1eS2w8z4
[Documents]  OWASP 2016 Shanghai regional salon: Security Fun Sharing Session
http://www.owasp.org.cn/OWASP_Events/owasp1203
[Web Security]  phpvulhunter: an open-source PHP source code scanning tool
https://github.com/OneSourceCat/phpvulhunter
[Incident]  Venezuelan military website compromised
http://www.mottoin.com/93136.html
[Documents]  [Slides download] Roundup of talks from SyScan360 Shanghai
http://bobao.360.cn/news/detail/3818.html
[Ops Security]  OSINT Framework: summary of related tools
http://osintframework.com/
[Web Security]  Using Anonsurf for anonymous access on Kali
http://www.mottoin.com/93529.html
[Wireless Security]  Pyxiewps: a Python script for brute-forcing WPS PINs
https://github.com/jgilhutton/pyxiewps_WPShack-Python
[Malware Analysis]  Webshells - Every Time the Same Story…(Part 2)
https://dfir.it/blog/2016/01/18/webshells-every-time-the-same-story-dot-dot-dot-part2/
[Malware Analysis]  Detecting malware with machine learning based on static analysis
https://sentinelone.com/blogs/detecting-malware-pre-execution-static-analysis-machine-learning/
[Malware Analysis]  Now Mirai Has DGA Feature Built in
http://blog.netlab.360.com/new-mirai-variant-with-dga/
[Ops Security]  One-click install script for an IPsec VPN server
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md
[Web Security]  urlfuzzing: an advanced Python script for URL fuzzing and whois lookups
https://github.com/zayedaljaberi/urlfuzzing
[Malware Analysis]  Poisoning via Imgur using PowerShell and PNG
http://www.mottoin.com/93127.html
[Data Mining]  Andrew Ng at NIPS 2016: the essentials of building AI applications with deep learning
http://weibo.com/ttarticle/p/show?id=2309351000224050014816084383&u=3216881963&m=4050101346842427&cu=3216881963&ru=2118746300&rm=4050079864019949
[Documents]  Security for high-risk users: separate and unequal information confrontation
https://www.johnscottrailton.com/security-for-the-high-risk-user/
[Web Security]  Online MySQL password generation / reverse lookup attack
http://www.mysql-password.com/
[Vulnerability Analysis]  Exploiting 64-bit IE on Windows 8.1 – The Pwn2Own Case Study
https://vimeo.com/album/3553614/video/190996672
[Malware Analysis]  Attackers use harvested SSH keys to spread attacks
https://www.ssh.com/malware/
[Vulnerability Analysis]  Exploitation techniques for JavaScriptCore, the Safari browser's JavaScript engine
http://drops.wiki/index.php/2016/12/10/jscpwn/
[Ops Security]  A passive method for de-anonymizing the Tor network
http://www.arkteam.net/?p=1414
[Ops Security]  Exclusive original DDoS protection tool from 运维军团
http://mp.weixin.qq.com/s/a1PQSrRDTGojudZQkTsXFQ
[Magazine]  SecWiki Weekly (Issue 144)
https://www.sec-wiki.com/weekly/144
[Malware Analysis]  Webshells - Every Time the Same Purpose, Every Time a Different Story (Part 1)
https://dfir.it/blog/2015/08/12/webshell-every-time-the-same-purpose/
[Malware Analysis]  Webshells: Rise of the Defenders (Part 4)
https://dfir.it/blog/2016/12/07/webshells-rise-of-the-defenders-part-4/
[Malware Analysis]  Bypassing UAC via EVENTVWR.EXE and registry hijacking
http://www.mottoin.com/93412.html
[Tools]  PortEx: a Java library for analyzing PE files
http://www.mottoin.com/93561.html
[Malware Analysis]  Implementing the fileless Eventvwr UAC bypass in Cobalt Strike
http://www.mottoin.com/93433.html
[Web Security]  roundcube command execution via email
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
[Vulnerability Analysis]  Analysis of the Roundcube v1.2.2 command execution vulnerability
https://lightrains.org/roundcube-remote-command-execution/
[Papers]  A tour of CCS 2016 in Vienna (on-site report and commentary, part 6)
https://www.inforsec.org/wp/?p=1567#more-1567
[Mobile Security]  [0day] Bypassing Apple's System Integrity Protection
https://objective-see.com/blog/blog_0x14.html
[Web Security]  Script for brute-force discovery of GET/POST parameters
https://github.com/mak-/parameth
[Data Mining]  A discussion of the AdaBoost algorithm with naive Bayes as the base classifier
http://dataunion.org/26453.html
[Tools]  FireAway: a next-generation firewall bypass tool
http://www.mottoin.com/93473.html
[Web Security]  The core vulnerability analysis technology of the RIPS platform explained in detail
https://blog.ripstech.com/2016/introducing-the-rips-analysis-engine/
[Ops Security]  GitMiner: Tool for advanced mining for content on Github
https://github.com/UnkL4b/GitMiner
[Mobile Security]  Risk assessment of the December Android security patches
http://appscan.360.cn/blog/?p=178
[Web Security]  List of common Linux commands and usage commands for some security software
https://github.com/andrewjkerr/security-cheatsheets
[Tools]  Ubuntu-based BlackBox Linux 4.7 released
http://www.mottoin.com/93356.html
[Other]  Windows System Information 6.1.7601 – XML External Entity Vulnerability
http://zwx.fr/2016/12/windows-system-information-6-1-7601-xml-external-entity-vulnerability/
[Web Security]  Bypassing CSP by combining reflected XSS with form-action
http://www.mottoin.com/93211.html
[Device Security]  0day could turn thousands upon millions of IP cameras into a botnet
https://www.cybereason.com/zero-day-exploits-turn-hundreds-of-thousands-of-ip-cameras-into-iot-botnet-slaves/
[Ops Security]  hunter: enumerating user logon information via the Windows API
http://www.mottoin.com/93286.html
[Malware Analysis]  Webshells - Every Time the Same Story…(Part 3)
https://dfir.it/blog/2016/07/06/webshells-every-time-the-same-story-dot-dot-dot-part-3/
[Web Security]  ssrfDetector: Server-side request forgery detector
https://github.com/JacobReynolds/ssrfDetector
[Web Security]  Bypassing SAML 2.0 single sign-on with XML Signature attacks
http://www.mottoin.com/93405.html
-----WeChat ID: SecWiki-----
SecWiki: focused on security technology news and analysis for 10 years!
SecWiki: https://www.sec-wiki.com
