mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
GitBook: [#3077] No subject
parent
610616190d
commit
090b837f60
8 changed files with 127 additions and 71 deletions
|
@ -1,12 +1,18 @@
|
||||||
# Android Applications Pentesting
|
# Android Applications Pentesting
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="warning" %}
|
||||||
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
|
**Support HackTricks and get benefits!**
|
||||||
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
|
|
||||||
{% endhint %}
|
|
||||||
|
|
||||||
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
## Android Applications Basics
|
## Android Applications Basics
|
||||||
|
|
||||||
|
|
|
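Review bot: the new banner keeps the malformed Twitter-bird link from the old text: in the line `**Join the** [**💬**] ... [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)` the URL is a GitBook-mangled path into the repo tree, not an emoji reference. Point it at `https://emojipedia.org/bird/` or drop the icon link and keep only `[**@carlospolopm**](https://twitter.com/carlospolopm)`. The trailing `****` on `Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****` is an empty bold pair that renders as four literal asterisks and should be deleted. The line `Discover **The PEASS Family**, our collection of exclusive **NFTs**` has no link or image attached, so it reads as a dangling sentence; either add the link to the collection or drop it.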
@ -1,12 +1,18 @@
|
||||||
# Android APK Checklist
|
# Android APK Checklist
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="warning" %}
|
||||||
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
|
**Support HackTricks and get benefits!**
|
||||||
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
|
|
||||||
{% endhint %}
|
|
||||||
|
|
||||||
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
|
### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
|
||||||
|
|
||||||
|
|
|
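Review bot: this hunk is the same sponsor banner as the one added to the Android pentesting README, and the identical block is pasted into every file of this commit; maintaining seven hand-copied banners is how the mangled 🐦 link (`.../tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`) and the empty `****` after the swag link were duplicated here. Consider a single GitBook include or snippet for the banner so a future fix lands once. For this copy, repair or remove the bird link and delete the `****`.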
@ -1,56 +1,62 @@
|
||||||
# iOS Pentesting Checklist
|
# iOS Pentesting Checklist
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="warning" %}
|
||||||
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
|
**Support HackTricks and get benefits!**
|
||||||
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
|
|
||||||
{% endhint %}
|
|
||||||
|
|
||||||
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
### Preparation
|
### Preparation
|
||||||
|
|
||||||
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)****
|
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
|
||||||
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****
|
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
|
||||||
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
|
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
|
||||||
|
|
||||||
### Data Storage
|
### Data Storage
|
||||||
|
|
||||||
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
|
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
|
||||||
* [ ] ****[**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
|
* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
|
||||||
* [ ] ****[**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
|
* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
|
||||||
* [ ] ****[**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
|
* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
|
||||||
* [ ] ****[**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
|
* [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
|
||||||
* [ ] ****[**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
|
* [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
|
||||||
* [ ] ****[**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
|
* [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
|
||||||
* [ ] ****[**Cache data**](ios-pentesting/#cache) can store sensitive information
|
* [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information
|
||||||
* [ ] ****[**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
|
* [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
|
||||||
* [ ] ****[**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
|
* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
|
||||||
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
|
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
|
||||||
|
|
||||||
### Keyboards
|
### Keyboards
|
||||||
|
|
||||||
* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
|
* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
|
||||||
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)****
|
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)
|
||||||
|
|
||||||
### **Logs**
|
### **Logs**
|
||||||
|
|
||||||
* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)****
|
* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)
|
||||||
|
|
||||||
### Backups
|
### Backups
|
||||||
|
|
||||||
* [ ] ****[**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
|
* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
|
||||||
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
|
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
|
||||||
|
|
||||||
### **Applications Memory**
|
### **Applications Memory**
|
||||||
|
|
||||||
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)****
|
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)
|
||||||
|
|
||||||
### **Broken Cryptography**
|
### **Broken Cryptography**
|
||||||
|
|
||||||
* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)****
|
* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
|
||||||
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
|
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
|
||||||
* [ ] ****[**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)****
|
* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)
|
||||||
|
|
||||||
### **Local Authentication**
|
### **Local Authentication**
|
||||||
|
|
||||||
|
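Review bot: stripping the stray `****` from the Data Storage and Broken Cryptography items is the right fix, but the hunk rewrites lines that still carry typos: `Check if yo can find` should be `Check if you can find`, `miss-configuration` should be `misconfiguration`, and in the Backups item `and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**` should read `and, as the modified configuration is loaded, some (security) functionality may be bypassed`. The Keychain item, `sensitive information that can be left when reselling the phone`, is unclear about what is being checked; state that Keychain items may survive the app being deleted or the device changing hands, and that the tester should dump the Keychain for leftover secrets. Since these lines are already being touched, fold the corrections in.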
@ -60,26 +66,26 @@ If you want to **share some tricks with the community** you can also submit **pu
|
||||||
|
|
||||||
### Sensitive Functionality Exposure Through IPC
|
### Sensitive Functionality Exposure Through IPC
|
||||||
|
|
||||||
* ****[**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)****
|
* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
|
||||||
* [ ] Check if the application is **registering any protocol/scheme**
|
* [ ] Check if the application is **registering any protocol/scheme**
|
||||||
* [ ] Check if the application is **registering to use** any protocol/scheme
|
* [ ] Check if the application is **registering to use** any protocol/scheme
|
||||||
* [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
|
* [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
|
||||||
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
||||||
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
||||||
* ****[**Universal Links**](ios-pentesting/#universal-links)****
|
* [**Universal Links**](ios-pentesting/#universal-links)
|
||||||
* [ ] Check if the application is **registering any universal protocol/scheme**
|
* [ ] Check if the application is **registering any universal protocol/scheme**
|
||||||
* [ ] Check the ** `apple-app-site-association` ** file
|
* [ ] Check the `apple-app-site-association` file
|
||||||
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
||||||
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
||||||
* ****[**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)****
|
* [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
|
||||||
* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
|
* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
|
||||||
* ****[**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)****
|
* [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
|
||||||
* [ ] Check if the application if **copying anything to the general pasteboard**
|
* [ ] Check if the application if **copying anything to the general pasteboard**
|
||||||
* [ ] Check if the application if **using the data from the general pasteboard for anything**
|
* [ ] Check if the application if **using the data from the general pasteboard for anything**
|
||||||
* [ ] Monitor the pasteboard to see if any **sensitive data is copied**
|
* [ ] Monitor the pasteboard to see if any **sensitive data is copied**
|
||||||
* ****[**App Extensions**](ios-pentesting/ios-app-extensions.md)****
|
* [**App Extensions**](ios-pentesting/ios-app-extensions.md)
|
||||||
* [ ] Is the application **using any extension**?
|
* [ ] Is the application **using any extension**?
|
||||||
* [**WebViews**](ios-pentesting/ios-webviews.md)****
|
* [**WebViews**](ios-pentesting/ios-webviews.md)
|
||||||
* [ ] Check which kind of webviews are being used
|
* [ ] Check which kind of webviews are being used
|
||||||
* [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
|
* [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
|
||||||
* [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
|
* [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
|
||||||
|
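Review bot: the `apple-app-site-association` formatting fix is good, but the Universal Links sub-list reuses two items from the Custom URI Handlers sub-list verbatim, so `Check if the application **isn't checking and sanitizing** users input via the custom scheme` and `Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme` under Universal Links should say `via the universal link` (and `users input` should be `user input` in both lists). In the UIPasteboard items, `Check if the application if **copying anything to the general pasteboard**` and `Check if the application if **using the data from the general pasteboard for anything**` should read `is`, and `intercepted by the another application` should be `intercepted by another application`.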
@ -89,9 +95,9 @@ If you want to **share some tricks with the community** you can also submit **pu
|
||||||
|
|
||||||
* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
|
* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
|
||||||
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
|
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
|
||||||
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)****
|
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)
|
||||||
|
|
||||||
### **Misc**
|
### **Misc**
|
||||||
|
|
||||||
* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
|
* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
|
||||||
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)****
|
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)
|
||||||
|
|
|
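Review bot: `Perform a [**MitM to the communication**]` reads better as `MitM on the communication`. The anchor in `[**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing)` contains a typo (`updateing`); if the target heading in ios-pentesting/README.md is spelled correctly this link is dead, and if the heading carries the same typo both should be fixed together, so check the target before merging.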
@ -1,12 +1,18 @@
|
||||||
# iOS Pentesting
|
# iOS Pentesting
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="warning" %}
|
||||||
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
|
**Support HackTricks and get benefits!**
|
||||||
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
|
|
||||||
{% endhint %}
|
|
||||||
|
|
||||||
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
## iOS Basics
|
## iOS Basics
|
||||||
|
|
||||||
|
|
|
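Review bot: same banner as in the other files, with the same two defects on the new lines: the 🐦 link targets `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md` instead of an emoji page, and `Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****` ends in an empty bold pair. Fix the link (or drop it) and remove the `****`.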
@ -1,8 +1,18 @@
|
||||||
# Pentesting Network
|
# Pentesting Network
|
||||||
|
|
||||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
{% hint style="warning" %}
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks\*\*]\(https://github.com/carlospolop/hacktricks) **that will be reflected in this book.**\
|
**Support HackTricks and get benefits!**
|
||||||
**Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
|
|
||||||
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
## Discovering hosts from the outside
|
## Discovering hosts from the outside
|
||||||
|
|
||||||
|
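Review bot: deleting the old line `[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks\*\*]\(https://github.com/carlospolop/hacktricks)` removes a genuinely broken link (an escaped `**]` fused into the URL), so this file comes out cleaner than before. The replacement banner is a small regression on one line, though: the old text of this file linked the bird correctly with `[🐦](https://emojipedia.org/bird/)`, while the new `**Join the**` line uses the mangled `.../tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md` URL. Keep the emojipedia URL the old line had, and drop the trailing `****` after the swag link.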
@ -284,7 +294,7 @@ In modern switches this vulnerability has been fixed.
|
||||||
|
|
||||||
#### Dynamic Trunking
|
#### Dynamic Trunking
|
||||||
|
|
||||||
Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) **** can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.
|
Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) \*\*\*\* can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.
|
||||||
|
|
||||||
If it was discovered that the the network is vulnerable, you can use _**Yersinia**_ to launch an "**enable trunking**" using protocol "**DTP**" and you will be able to see network packets from all the VLANs.
|
If it was discovered that the the network is vulnerable, you can use _**Yersinia**_ to launch an "**enable trunking**" using protocol "**DTP**" and you will be able to see network packets from all the VLANs.
|
||||||
|
|
||||||
|
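Review bot: the only change in this hunk turns `****` after the dtpscan link into `\*\*\*\*`, which escapes the stray empty-bold markers instead of deleting them, so the rendered page will now show four literal asterisks between `dtpscan.sh` and `can sniff`. Delete the markers. While the line is being rewritten: `Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse` has a stray `however`, and `(this is the only one that would avoid VLAN hopping)` should name the mode it refers to, e.g. `(access mode is the only one that prevents this VLAN hopping)`. In the following paragraph `the the network` is doubled.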
@ -336,7 +346,7 @@ ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
|
||||||
|
|
||||||
#### Automatic VLAN Hopper
|
#### Automatic VLAN Hopper
|
||||||
|
|
||||||
The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger)****
|
The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger)\*\*\*\*
|
||||||
|
|
||||||
#### Double Tagging
|
#### Double Tagging
|
||||||
|
|
||||||
|
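Review bot: same regression as in the Dynamic Trunking hunk: the `****` after the `https://github.com/nccgroup/vlan-hopping---frogger` link became `\*\*\*\*`, which renders as literal asterisks; remove the markers rather than escaping them. Also `creating virtual interfaces an discovering hosts` should be `and discovering hosts`, and the subject and verb should agree: either `The discussed attacks of ... are automatically performed` or `The discussed attack ... is automatically performed`.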
@ -419,7 +429,7 @@ You could also use [scapy](https://github.com/secdev/scapy/). Be sure to install
|
||||||
|
|
||||||
Although intended for use by the employees’ Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the room’s thermostat...
|
Although intended for use by the employees’ Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the room’s thermostat...
|
||||||
|
|
||||||
The tool [**voiphopper**](http://voiphopper.sourceforge.net) **** mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP.
|
The tool [**voiphopper**](http://voiphopper.sourceforge.net) \*\*\*\* mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP.
|
||||||
|
|
||||||
**VoIP Hopper** supports **three** CDP modes. The **sniff** mode inspects the network packets and attempts to locate the VLAN ID. To use it, set the **`-c`** parameter to `0`. The **spoof** mode generates custom packets similar to the ones a real VoIP device would transmit in the corporate network. To use it, set the **`-c`** parameter to **`1`**. The spoof with a **pre-madepacket** mode sends the same packets as a Cisco 7971G-GE IP phone. To use it, set the **`-c`** parameter to **`2`**.
|
**VoIP Hopper** supports **three** CDP modes. The **sniff** mode inspects the network packets and attempts to locate the VLAN ID. To use it, set the **`-c`** parameter to `0`. The **spoof** mode generates custom packets similar to the ones a real VoIP device would transmit in the corporate network. To use it, set the **`-c`** parameter to **`1`**. The spoof with a **pre-madepacket** mode sends the same packets as a Cisco 7971G-GE IP phone. To use it, set the **`-c`** parameter to **`2`**.
|
||||||
|
|
||||||
|
|
|
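Review bot: the `****` after the `voiphopper` link was escaped to `\*\*\*\*` instead of being removed, so it will show up as literal asterisks before `mimics the behavior`; delete it. In the VoIP Hopper paragraph, `pre-madepacket` is missing a space and should read `pre-made packet`.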
@ -1,8 +1,18 @@
|
||||||
# 80,443 - Pentesting Web Methodology
|
# 80,443 - Pentesting Web Methodology
|
||||||
|
|
||||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass)**, or follow me on Twitter 🐦**[**@carlospolopm**](https://twitter.com/carlospolopm).\
|
{% hint style="warning" %}
|
||||||
**If you want to** share some tricks with the community **you can also submit** pull requests **to** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **that will be reflected in this book.**\
|
**Support HackTricks and get benefits!**
|
||||||
**Don't forget to** give ⭐ on the **github** to motivate me to continue developing this book.
|
|
||||||
|
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
|
||||||
|
|
||||||
|
Discover **The PEASS Family**, our collection of exclusive **NFTs**
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
## Basic Info
## Basic Info
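Review bot: the new banner text in this hunk has a grammar slip and two link problems. "Do you want to have access the **latest version of Hacktricks and PEASS**" should read "have access to the latest version", and "Share your hacking tricks submitting PRs" needs "by submitting PRs". In the "Join the" line the Twitter bird emoji links to `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, a mangled in-repo path rather than the emoji page; give it the same kind of target as the 💬 link or drop the link. The empty `****` emphasis markers after the swag link and around the Discord link are editor artifacts and render as stray asterisks; remove them.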
@ -1,12 +1,18 @@
# Active Directory Methodology
# Active Directory Methodology
{% hint style="danger" %}
{% hint style="warning" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
**Support HackTricks and get benefits!**
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
{% endhint %}
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
Discover **The PEASS Family**, our collection of exclusive **NFTs**
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
## Basic overview
## Basic overview
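Review bot: the replacement hint block in this hunk carries the same wording and markup defects as the other headers in this commit: "have access the **latest version**" is missing "to", "Share your hacking tricks submitting PRs" is missing "by", the 🐦 emoji is linked to a broken `github.com/carlospolop/hacktricks/tree/.../\[https:/emojipedia.org/bird/README.md` path instead of an emoji page, and the bare `****` markers after the swag link and around the Discord link are empty emphasis that should be deleted. Since the old `hint style="danger"` block is replaced wholesale, this is the moment to get the shared text right once before it is copied into every page.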
@ -1,12 +1,18 @@
# Windows Local Privilege Escalation
# Windows Local Privilege Escalation
{% hint style="danger" %}
{% hint style="warning" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
**Support HackTricks and get benefits!**
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
{% endhint %}
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
Discover **The PEASS Family**, our collection of exclusive **NFTs**
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)****
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
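Review bot: the added header block in this hunk repeats the defects present in the identical blocks elsewhere in this commit and should be fixed in the same pass: "Do you want to have access the **latest version**" lacks "to", "Share your hacking tricks submitting PRs" lacks "by", the 🐦 link target (`https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`) is a mangled repository path rather than an emoji page, and the stray `****` after the swag link and around the Discord link are empty emphasis markers left by the editor.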