mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GitBook: [master] 9 pages and one asset modified
This commit is contained in:
parent
4d1d6880f9
commit
1fa4bfa885
6 changed files with 39 additions and 45 deletions
BIN
.gitbook/assets/image (253) (1) (2) (1) (1) (2).png
Normal file
BIN
.gitbook/assets/image (253) (1) (2) (1) (1) (2).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 40 KiB |
|
@ -139,7 +139,7 @@
|
|||
* [content:// protocol](mobile-apps-pentesting/android-app-pentesting/content-protocol.md)
|
||||
* [Drozer Tutorial](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md)
|
||||
* [Exploiting Content Providers](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md)
|
||||
* [Exploiting a debuggable application](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
|
||||
* [Exploiting a debuggeable applciation](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
|
||||
* [Frida Tutorial](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md)
|
||||
* [Frida Tutorial 1](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md)
|
||||
* [Frida Tutorial 2](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md)
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
This is **Carlos Polop**.
|
||||
|
||||
First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** \(this is indicated on the copy/pasted content\).
|
||||
First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** \(this is indicated on the pages\).
|
||||
|
||||
I also wants to say **thanks to all the people that share cyber-security related information for free** on the Internet. Thanks to them I learn new hacking techniques that then I add to Hacktricks.
|
||||
|
||||
|
@ -12,7 +12,7 @@ I also wants to say **thanks to all the people that share cyber-security related
|
|||
|
||||
If for some weird reason you are interested in knowing about my bio here you have a summary:
|
||||
|
||||
* I've worked in different companies as sysadmin, developer and **pentester** \(which is my current role\).
|
||||
* I've worked in different companies as sysadmin, developer and **pentester**.
|
||||
* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
|
||||
* Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot.
|
||||
* I speak **Spanish** and **English** and little of French \(some day I will improve that\).
|
||||
|
|
|
@ -16,7 +16,7 @@ pip3 install scoutsuite
|
|||
|
||||
### [cs-suite](https://github.com/SecurityFTW/cs-suite)
|
||||
|
||||
AWS, GCP, Azure, DigitalOcean
|
||||
AWS, GCP, Azure, DigitalOcean
|
||||
|
||||
```text
|
||||
git clone https://github.com/SecurityFTW/cs-suite.git && cd cs-suite/
|
||||
|
@ -43,13 +43,13 @@ Take a look to the **network access rules** and detect if the services are corre
|
|||
## Azure
|
||||
|
||||
Access the portal here: [http://portal.azure.com/](http://portal.azure.com/)
|
||||
To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
|
||||
To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
|
||||
|
||||
It is recommended to **install azure-cli** in a **linux** and **windows** virtual machines \(to be able to run powershell and python scripts\): [https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
|
||||
Then, run `az login` to login. Note the **account information** and **token** will be **saved** inside _<HOME>/.azure_ \(in both Windows and Linux\).
|
||||
|
||||
Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-> Regulatory Compliance_ \(or try to access [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\).
|
||||
__If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" \(you can get some help using the following tools\). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
|
||||
\_\_If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" \(you can get some help using the following tools\). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
|
||||
|
||||
### Run scanners
|
||||
|
||||
|
@ -94,7 +94,9 @@ azscan #Run, login before with `az login`
|
|||
|
||||
* **Standard tier** is recommended instead of free tier \(see the tier being used in _Pricing & Settings_ or in [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/24](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/24)\)
|
||||
* **Periodic SQL servers scans**:
|
||||
|
||||
_Select the SQL server_ --> _Make sure that 'Advanced data security' is set to 'On'_ --> _Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results_ --> _Click Save_
|
||||
|
||||
* **Lack of App Services restrictions**: Look for "App Services" in Azure \([https://portal.azure.com/\#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites)\) and check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it. The access to the app service should be restricted according to the needs.
|
||||
|
||||
## Office365
|
||||
|
@ -105,7 +107,3 @@ You need **Global Admin** or at least **Global Admin Reader** \(but note that Gl
|
|||
|
||||
Get objects in graph: [https://github.com/FSecureLABS/awspx](https://github.com/FSecureLABS/awspx)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ It's highly recommended to start reading this page to know about the **most impo
|
|||
This is the main tool you need to connect to an android device \(emulated or physical\).
|
||||
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
|
||||
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) ****to learn how to use adb.
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) _\*\*_to learn how to use adb.
|
||||
|
||||
## Smali
|
||||
|
||||
|
@ -54,7 +54,7 @@ Reading the **manifest** you can find **vulnerabilities**:
|
|||
* **Backup**: The **`android:allowBackup`** attribute defines whether application data can be backed up and restored by a user who has enabled usb debugging. If backup flag is set to true, it allows an attacker to take the backup of the application data via adb even if the device is not rooted. Therefore applications that handle and store sensitive information such as card details, passwords etc. should have this setting explicitly set to **false** because by default it is set to **true** to prevent such risks.
|
||||
* `<application android:allowBackup="false"`
|
||||
* **NetworkSecurity:** The application network security can be overwritten the defaults values with **`android:networkSecurityConfig="@xml/network_security_config"`**. A file with that name may be put in _**res/xml.**_ This file will configure important security settings like certificate pins or if it allows HTTP traffic. You can read here more information about all the things that can be configure, but check this example about how to configure HTTP traffic for some domains:
|
||||
* `<domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">formation-software.co.uk </domain></domain-config>`
|
||||
* `<domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">formation-software.co.uk </domain></domain-config>`
|
||||
* **Exported activities**: Check for exported activities inside the manifest as this could be dangerous. Later in the dynamic analysis it will be explained how [you can abuse this behaviour](./#exploiting-exported-activities-authorisation-bypass).
|
||||
* **Content Providers**: If an exported provider is being exposed, you could b able to access/modify interesting information. In dynamic analysis [you will learn how to abuse them](./#exploiting-content-providers-accessing-and-manipulating-sensitive-information).
|
||||
* Check for **FileProviders** configurations inside the attribute `android:name="android.support.FILE_PROVIDER_PATHS"`. [Read here to learn more about FileProviders](./#fileprovider).
|
||||
|
@ -87,7 +87,7 @@ android:filterTouchesWhenObscured=** "true"**>
|
|||
```
|
||||
|
||||
You can use [**qark**](https://github.com/linkedin/qark) with the `--exploit-apk` parameter to create a malicious application to test for possible **Tapjacking** vulnerabilities.
|
||||
A example project implementing this kind of feature can be fund in [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp).
|
||||
A example project implementing this kind of feature can be fund in [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp).
|
||||
|
||||
The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the [Android Developer’s Reference](https://developer.android.com/reference/android/view/View#security):
|
||||
|
||||
|
@ -188,12 +188,12 @@ Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emu
|
|||
|
||||
### Local Dynamic Analysis
|
||||
|
||||
You can use some **emulator** like:
|
||||
You can use some **emulator** like:
|
||||
|
||||
* [**Android Studio**](https://developer.android.com/studio) **\(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator\).
|
||||
* If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`
|
||||
* This is the **main emulator I recommend to use and you can**[ **learn to set it up in this page**](avd-android-virtual-device.md).
|
||||
* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) ****\(_Free version: **Personal Edition**, you need to **create** an **account**._\)
|
||||
* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) **\*\*\(\_Free version:** Personal Edition**, you need to** create **an** account\*\*.\_\)
|
||||
* \*\*\*\*[Nox](https://es.bignox.com/) \(Free, but it doesn't support Frida or Drozer\).
|
||||
|
||||
{% hint style="info" %}
|
||||
|
@ -204,7 +204,7 @@ As most people will use **Genymotion**, note this trick. To **install google ser
|
|||
|
||||
![](../../.gitbook/assets/image%20%28100%29.png)
|
||||
|
||||
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** \(this will be useful if you will be connecting to the Android VM from a different VM with the tools\).
|
||||
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** \(this will be useful if you will be connecting to the Android VM from a different VM with the tools\).
|
||||
|
||||
Or you could use a **physical** **device** \(you need to activate the debugging options and it will be cool if you can root it\):
|
||||
|
||||
|
@ -214,14 +214,12 @@ Or you could use a **physical** **device** \(you need to activate the debugging
|
|||
4. Press **Build number** 7 times.
|
||||
5. Go back and you will find the **Developer options**.
|
||||
|
||||
|
||||
|
||||
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.
|
||||
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.
|
||||
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
|
||||
|
||||
### Unintended Data Leakage
|
||||
|
||||
#### Logging
|
||||
#### Logging
|
||||
|
||||
Often Developers leave debugging information publicly. So any application with `READ_LOGS` permission can **access those logs** and can gain sensitive information through that.
|
||||
While navigating through the application use [**pidcat**](https://github.com/JakeWharton/pidcat)_\(Recommended, it's easier to use and read_\) or [adb logcat](adb-commands.md#logcat) to read the created logs and **look for sensitive information**.
|
||||
|
@ -261,7 +259,7 @@ Drozer is s useful tool to **exploit exported activities, exported services and
|
|||
### Exploiting exported Activities
|
||||
|
||||
\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)
|
||||
****Also remember that the code of an activity starts with the `onCreate` method.
|
||||
_\*\*_Also remember that the code of an activity starts with the `onCreate` method.
|
||||
|
||||
#### Authorisation bypass
|
||||
|
||||
|
@ -296,15 +294,15 @@ Content providers are basically used to **share data**. If an app has available
|
|||
### **Exploiting Services**
|
||||
|
||||
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)
|
||||
****Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
_\*\*_Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
|
||||
As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...
|
||||
As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...
|
||||
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)\*\*\*\*
|
||||
|
||||
### **Exploiting Broadcast Receivers**
|
||||
|
||||
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)
|
||||
****Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
_\*\*_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
|
||||
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.
|
||||
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
|
||||
|
@ -339,7 +337,7 @@ Every time you find a deep link check that i**t's not receiving sensitive data \
|
|||
|
||||
#### Parameters in path
|
||||
|
||||
You **must check also if any deep link is using a parameter inside the path** of the URL like: `https://api.example.com/v1/users/{username}` , in that case you can force a path traversal accessing something like: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .
|
||||
You **must check also if any deep link is using a parameter inside the path** of the URL like: `https://api.example.com/v1/users/{username}` , in that case you can force a path traversal accessing something like: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .
|
||||
Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect** \(if part of the path is used as domain name\), **account takeover** \(if you can modify users details without CSRF token and the vuln endpoint used the correct method\) and any other vuln. More [info about this here](http://dphoeniixx.com/2020/12/13-2/).
|
||||
|
||||
#### More examples
|
||||
|
@ -366,7 +364,7 @@ It's recommended to **apply SSL Pinning** for the sites where sensitive informat
|
|||
First of all, you should \(must\) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.
|
||||
**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
|
||||
|
||||
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can ****[**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**](make-apk-accept-ca-certificate.md)**.**
|
||||
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can **\*\*\[**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**\]\(make-apk-accept-ca-certificate.md\)**.\*\*
|
||||
|
||||
#### SSL Pinning
|
||||
|
||||
|
@ -395,15 +393,13 @@ If you want to pentest Android applications you need to know how to use Frida.**
|
|||
|
||||
### **Android Application Analyzer**
|
||||
|
||||
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
|
||||
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
|
||||
|
||||
### Intent Injection
|
||||
|
||||
This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object.
|
||||
Many developers make **use** of this **feature** and create **proxy** **components** \(activities, broadcast receivers and services\) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.
|
||||
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
|
||||
|
||||
|
||||
This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object.
|
||||
Many developers make **use** of this **feature** and create **proxy** **components** \(activities, broadcast receivers and services\) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.
|
||||
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
|
||||
|
||||
### Android Client Side Injections and others
|
||||
|
||||
|
@ -433,7 +429,7 @@ docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
|
|||
Notice that MobSF can analyse **Android**\(apk\)**, IOS**\(ipa\) **and Windows**\(apx\) applications \(_Windows applications must be analyzed from a MobSF installed in a Windows host_\).
|
||||
Also, if you create a **ZIP** file with the source code if an **Android** or an **IOS** app \(go to the root folder of the application, select everything and create a ZIPfile\), it will be able to analyse it also.
|
||||
|
||||
MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** \(you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`\). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
|
||||
MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** \(you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`\). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
|
||||
|
||||
### Assisted Dynamic analysis with MobSF
|
||||
|
||||
|
@ -483,7 +479,7 @@ receivers
|
|||
**HTTP tools**
|
||||
|
||||
When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP\(S\) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.
|
||||
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ \(http://127.0.0.1:8080\).
|
||||
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ \([http://127.0.0.1:8080\](http://127.0.0.1:8080\)\).
|
||||
|
||||
Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
|
||||
|
||||
|
@ -565,7 +561,7 @@ StaCoAn is a **crossplatform** tool which aids developers, bugbounty hunters and
|
|||
|
||||
The concept is that you drag and drop your mobile application file \(an .apk or .ipa file\) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
|
||||
|
||||
Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
|
||||
Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
|
||||
|
||||
```text
|
||||
./stacoan
|
||||
|
@ -614,7 +610,7 @@ Useful to detect malware: [https://koodous.com/](https://koodous.com/)
|
|||
|
||||
## Obfuscating/Deobfuscating code
|
||||
|
||||
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
|
||||
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
|
||||
|
||||
### [ProGuard](https://en.wikipedia.org/wiki/ProGuard_%28software%29)
|
||||
|
||||
|
@ -650,7 +646,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
|
|||
|
||||
### OWASP
|
||||
|
||||
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
|
||||
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" caption="" %}
|
||||
|
||||
### Git Repos
|
||||
|
||||
|
|
|
@ -88,8 +88,8 @@ Moreover, don't forget that if the users use **any web portal to access their ma
|
|||
|
||||
You can download it from [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
|
||||
|
||||
Download and decompress it inside `/opt/gophish` and execute `/opt/gophish/gophish`
|
||||
You will be given a password for the admin user in port 3333 in the output. Therefore, access that port and use those credentials to change the admin password. You may need to tunnel that port to local:
|
||||
Download and decompress it inside `/opt/gophish` and execute `/opt/gophish/gophish`
|
||||
You will be given a password for the admin user in port 3333 in the output. Therefore, access that port and use those credentials to change the admin password. You may need to tunnel that port to local:
|
||||
|
||||
```bash
|
||||
ssh -L 333:127.0.0.1:3333 <user>@<ip>
|
||||
|
@ -119,7 +119,7 @@ cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /opt/gophish/ssl_keys/key.crt
|
|||
|
||||
#### Mail configuration
|
||||
|
||||
Start installing: `apt-get install postfix`
|
||||
Start installing: `apt-get install postfix`
|
||||
|
||||
Then add the domain to the following files:
|
||||
|
||||
|
@ -129,12 +129,12 @@ Then add the domain to the following files:
|
|||
|
||||
**Change also the values of the following variables inside /etc/postfix/main.cf**
|
||||
|
||||
`myhostname = <domain>
|
||||
`myhostname = <domain>
|
||||
mydestination = $myhostname, <domain>, localhost.com, localhost`
|
||||
|
||||
Finally modify the files **`/etc/hostname`** and **`/etc/mailname`** to your domain name and **restart your VPS.**
|
||||
|
||||
Now, create a **DNS A record** of `mail.<domain>` pointing to the **ip address** of the VPS and a **DNS MX** record pointing to `mail.<domain>`
|
||||
Now, create a **DNS A record** of `mail.<domain>` pointing to the **ip address** of the VPS and a **DNS MX** record pointing to `mail.<domain>`
|
||||
|
||||
Now lets test to send an email:
|
||||
|
||||
|
@ -242,7 +242,7 @@ service gophish stop
|
|||
### Wait
|
||||
|
||||
The older a domain is the less probable it's going to be caught as spam. Then you should wait as much time as possible \(at least 1week\) before the phishing assessment.
|
||||
Note that even if you have to wait a week you can finish configuring everything now.
|
||||
Note that even if you have to wait a week you can finish configuring everything now.
|
||||
|
||||
### Configure Reverse DNS \(rDNS\) record
|
||||
|
||||
|
@ -356,7 +356,7 @@ I would recommend to **send the test emails to 10min mails addresses** in order
|
|||
```markup
|
||||
<html>
|
||||
<head>
|
||||
<title></title>
|
||||
<title></title>
|
||||
</head>
|
||||
<body>
|
||||
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Dear {{.FirstName}} {{.LastName}},</span></p>
|
||||
|
@ -374,7 +374,7 @@ WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY
|
|||
</html>
|
||||
```
|
||||
|
||||
Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions:
|
||||
Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions:
|
||||
|
||||
* Send an email to a **non existent address** and check if the response has any signature.
|
||||
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
|
||||
|
|
Loading…
Reference in a new issue